chapter 5: routing and remote access control


You have configured the BranchVPN2 server as a remote access server to allow VPN connections. Members of the Sales team will connect to the remote access server to enter in daily orders and check on order status. Your task in this lab is to use the Network Policy Server console to configure a network policy on BranchVPN2 to allow members of the Sales team to connect.
Complete the following tasks:
- Create a network access policy called Sales.
- Select Remote Access Server as the type of network access server.
- For a condition, add membership in the Sales user group.
- Grant access if the condition is met, regardless of the setting in the Active Directory user account.
- For authentication, accept only a smart card or other certificate. Be sure to disallow all other authentication methods.
- Make sure the policy is first in the list of policies.

Create a Network Policy
1. From Server Manager, select Tools > Network Policy Server.
2. Expand the Policies node.
3. Right-click Network Policies and select New.
4. Type the Policy name and select the Type of network access server. Click Next.
5. To add group membership as a condition:
   - Click Add....
   - Select the group type, and then click Add....
   - Click Add Groups....
   - Type the name of the group, and then click OK. Click OK.
6. Click Next.
7. Select the access permission settings. Click Next.
8. Select the desired authentication settings. To configure EAP authentication:
   - Click Add....
   - Select the EAP authentication type, and then click OK.
9. If necessary, deselect any undesired authentication methods, and then click Next.
10. Select additional constraints and configure the settings as required. Click Next.
11. Network policy settings are not simulated. Click Next.
12. Click Finish.
Change the Order of a Network Policy
1. From Network Policy Server, expand the Policies node and select Network Policies.
2. Right-click the policy and select Move Up or Move Down. Repeat as necessary.

You work as the IT Administrator for a small corporate network. You previously configured the BranchVPN1 server as a remote access server to allow VPN connections. Members of the Development department will connect to the remote access server to transfer files as they work from home. Your task in this lab is to configure a network policy to allow members of the Development department to connect.
Complete the following tasks:
- Create a network policy called Development.
- Select Remote Access Server as the type of network access server.
- For a condition, add membership in the Research-Dev Windows group.
- Configure permissions to use settings in the Active Directory user accounts (User Dial-in properties). User account settings will be configured by an Active Directory user account administrator. Deny access to any account that is not configured in Active Directory.
- For authentication, accept only MS-CHAP v2 for authentication. Allow users to change their password.
- As a constraint, allow access only from 7am to 8pm, Monday through Friday.
- Make sure the policy is first in the list of policies.

Create a Network Policy
1. From Server Manager, select Tools > Network Policy Server.
2. Expand the Policies node.
3. Right-click Network Policies and select New.
4. Type the Policy name and select the Type of network access server. Click Next.
5. To add group membership as a condition:
   - Click Add....
   - Select the group type, and then click Add....
   - Click Add Groups....
   - Type the name of the group, and then click OK. Click OK.
6. Click Next.
7. Select the access permission settings. Click Next.
8. Select the desired authentication settings. To configure EAP authentication:
   - Click Add....
   - Select the EAP authentication type, and then click OK.
9. If necessary, deselect any undesired authentication methods, and then click Next.
10. Select additional constraints and configure the settings as required. Click Next.
11. Network policy settings are not simulated. Click Next.
12. Click Finish.
Change the Order of a Network Policy
1. From Network Policy Server, expand the Policies node and select Network Policies.
2. Right-click the policy and select Move Up or Move Down. Repeat as necessary.

You work as the IT Administrator for a small corporate network. As the network grows, the security of computers attaching to your network is becoming an issue. You would like to implement Network Access Protection using DHCP enforcement to control access to the network.
Complete the following tasks:
- Create a Remediation Server Group called CorpNet Remediation. Add your new Windows Server Update Service (WSUS) servers, CorpWSUS1 (192.168.0.17) and CorpWSUS2 (192.168.10.17), to the remediation group.
- Create a Security Health Validator (SHV) policy named Security Updates. Configure the SHV as follows:
  - Ensure that Automatic updating is enabled.
  - Restrict access for clients that do not have critical security updates installed.
  - Allow 48 hours since the client has checked for new security updates.
  - Allow updates from both Windows Update and from your new WSUS servers.
  - Do not include settings for Firewall, Antivirus, or Spyware Protection in this policy.
- Create the following Health Policies using settings from the SHV you just created:
  - Policy name: Security Pass - Client must pass all SHV checks
  - Policy name: Security Fail - Client fails one or more SHV checks
- Create the following Network Policies:
  - Policy name: DHCP Compliant
    - Network access server: DHCP Server
    - As a condition, add the Security Pass health policy
    - Allow access
    - For Authentication, perform machine health check only
    - For NAP Enforcement settings, allow full network access
  - Policy name: DHCP Noncompliant
    - Network access server: DHCP Server
    - As a condition, add the Security Fail health policy
    - Allow access
    - For Authentication, perform machine health check only
    - For NAP Enforcement settings, allow limited access only to the remediation server group you created
- Create a Connection Request Policy:
  - Policy name: DHCP Connection
  - Network access server: DHCP Server
  - As a condition, add Day and Time Restrictions set for 24 hour access
  - Authenticate requests on the local server
  - Use the network policy for authentication
In this lab, you will only configure the NPS settings for a NAP Health Policy. Configuration of the DHCP Server, Group Policy, and Client Settings would still need to be completed separately.

Create a Remediation Server Group
1. From Server Manager, select Tools > Network Policy Server.
2. Expand Network Access Protection and select Remediation Server Groups.
3. Right-click Remediation Server Groups and select New.
4. Enter a group name.
5. To add servers to the remediation group:
   - Click Add....
   - Enter a Friendly name (of your choice).
   - Enter the IP address or DNS name of the server, and then click Resolve.
   - Select the IP address of the server from the list, and then click OK.
   - Repeat these steps as needed to add additional remediation servers.
6. Click OK.
Create a System Health Validator (SHV)
1. In Network Policy Server, expand Network Access Protection > System Health Validators > Windows Security Health Validator and select Settings.
2. Right-click Settings and select New.
3. Enter a Friendly name and click OK.
4. Configure SHV settings as required, and then click OK.
Create a Health Policy
1. In Network Policy Server, expand Policies and select Health Policies.
2. Right-click Health Policies and select New.
3. Enter a policy name, select client SHV checks, and the SHV to be used in the policy.
4. Under Settings, select the SHV you created earlier, and then click OK.
5. Repeat steps 2 through 4 as needed for additional health policies.
Create a Network Policy
1. In Network Policy Server, expand the Policies node and select Network Policies.
2. Right-click Network Policies and select New.
3. Type the Policy name and select the Type of network access server. Click Next.
4. To add a health policy as a condition:
   - Click Add....
   - Double-click Health Policies.
   - Select the required health policy and then click OK.
5. Click Next.
6. Select the access permission settings. Click Next.
7. Select the desired authentication settings. Deselect any unneeded authentication methods, and then click Next.
8. Select additional constraints and configure the settings as required. Click Next.
9. To configure NAP Enforcement settings, select NAP Enforcement:
   - Select Allow full network access to allow unrestricted access for clients.
   - Select Allow full network access for a limited time to allow unrestricted access to non-compliant clients for a specified time.
   - Select Allow limited access to allow restricted access for non-compliant clients. Click Configure... to specify a Remediation Server Group.
   - Select Auto remediation to automatically remediate non-compliant clients.
10. Click Next.
11. Click Finish.
12. Repeat steps 2 through 11 as needed for additional Network Policies.
Create a Connection Request Policy
1. From Network Policy Server, expand Policies.
2. Right-click Connection Request Policies and select New.
3. Enter a Policy name and select the Type of network access server. Click Next.
4. To add Day and Time Restrictions as a condition:
   - Click Add....
   - Double-click Day and Time Restrictions.
   - Select the desired hours and then click Permitted or Denied as applicable.
   - Click OK.
5. Click Next.
6. To process authentication on the local server, make sure Authenticate requests on this server is selected and click Next.
7. To accept the network policy settings for authentication, click Next.
8. To accept the configuration settings, click Next.
9. Click Finish.

Click the Exhibits button and use the graphic to complete the lab. The CorpRTR server is connected to the test networks as shown in the Exhibit. It is currently configured with static routes to the non-directly connected test networks. You realize that maintaining static routes will quickly become difficult as the test network grows. You would like to configure dynamic routing on the server.
Your task in this lab is to:
- Enable the RIP routing protocol on the server.
- Enable RIP on the TestLAN interface.
- Configure the interface to use periodic updates.
- Configure the interface to use version 2 broadcasts for outgoing updates and only version 2 for incoming updates.
- Delete all static routes.
In this lab, you will not be able to view the routing table to verify that the server has exchanged routing information with other routers on the network.

1. From Server Manager, select Tools > Routing and Remote Access.
2. Expand the server and appropriate IP protocol routing nodes.
3. Right-click General and select New Routing Protocol....
4. Select RIP Version 2 for Internet Protocol and click OK.
5. To configure RIP interfaces:
   - Right-click the RIP node and select New Interface....
   - Select the interface and click OK.
   - For LAN interfaces, select Periodic update mode as the operation mode. For demand-dial interfaces, select Auto-static update mode (these are the default settings).
   - Update the Outgoing packet protocol and the Incoming packet protocol settings.
   - Click OK.
   - Repeat the process to define additional interfaces.

Click the Exhibits button and use the graphic to complete this lab. The CorpRTR server is connected to the networks as shown in the Exhibit. Routing has been enabled on the server. Your test network now includes two additional subnets: 10.0.10.0/24 and 10.0.20.0/24. Your task in this lab is to configure static routes on CorpRTR to make the two additional networks accessible. Use the Routing and Remote Access console to configure the routes.
- Configure network 10.0.10.0 with a metric of 2.
- Configure network 10.0.20.0 with a metric of 3.

1. From Server Manager, select Tools > Routing and Remote Access.
2. Expand the server and appropriate IP protocol routing nodes.
3. Right-click Static Routes and select New Static Route....
4. Select the interface that is used to reach the destination.
5. Type the destination address.
6. Type the network mask of the destination.
7. Type the gateway address. The gateway address must be on the same network as the interface. Note: If the interface is a demand-dial interface, this option will not be configurable.
8. Modify the metric.
9. If the interface is a demand-dial interface, the Use this route to initiate demand-dial connections option will be selected automatically. Deselect this option if the route should only be valid after the demand-dial connection has been established.
10. Click OK.
11. Repeat steps 3 through 10 to add additional routes.

You work as the IT Administrator for a small corporate network. You recently installed Windows Server 2012 on CorpRTR in order to use the server as a router between your test network and the production network. The system has two network adapters, one connected to each network. You have assigned static addresses to the network adapters as shown in the Exhibit. The router can communicate with hosts on either network; however, hosts on each network cannot communicate with hosts on the other network. To correct the problem, you need to enable routing on the server. Your task in this lab is to enable LAN routing on the server using the Configure and Enable Routing and Remote Access wizard. You do not need to configure static routes or a routing protocol on the server at this time.

1. From Server Manager, select Tools > Routing and Remote Access.
2. Right-click the server object and select Configure and Enable Routing and Remote Access.
3. Click Next.
4. Select the Secure connection between two private networks option. Click Next.
5. Select No to configure the router for LAN routing only. Click Next.
6. Click Finish.
7. Click OK.

You work as the IT Administrator for a small corporate network. You would like to create a separate subnet to use for testing. You would like the test subnet to have access to the rest of the network through a router, but not have any local access to production machines. You have installed Windows Server 2012 on CorpRTR, which you plan to use to isolate the test segment from the rest of the network. You will likely use traditional routing or NAT. Your task in this lab is to add the necessary role and role services to meet the stated requirements. Do not add unnecessary role services.

1. From Server Manager, click Manage > Add Roles and Features.
2. Click Next to begin the Add Roles and Features Wizard.
3. Select Role-based or feature-based installation and click Next.
4. Select the desired server from the Server Pool and click Next.
5. Select Remote Access, click Add Features to add management tools, and then click Next.
6. Click Next.
7. Click Next.
8. Select Routing and click Next.
9. Click Next.
10. Click Next.
11. Click Install to add the role.
12. Click Close.
13. From Server Manager, select Tools > Routing and Remote Access to verify that the role was installed.

Due to the success of your remote access solution, you now have several remote access servers on your network. To centralize administration of network policies, you would like to configure the CorpNPS server as a RADIUS server.
Complete the following tasks:
- Add the necessary server role and role service(s) to allow CorpNPS to be a RADIUS server. This server will not respond to remote access client requests. Do not add any unnecessary role services.
- Identify the following servers in NPS as RADIUS clients:
    Server/Friendly name   IP address
    CorpVPN1               192.168.0.20
    BranchVPN1             192.168.20.20
  Use RADIUS standard as the vendor and J51nj3T% for the shared secret for all servers.
- Configure a network policy to allow members of the Sales team to connect. Use the following settings:
  - Create a network access policy called Sales.
  - Select Remote Access Server as the type of network access server.
  - For a condition, add membership in the Sales user group.
  - Grant access if the condition is met, regardless of the setting in the Active Directory user account.
  - For authentication, accept only a smart card or other certificate. Be sure to disallow all other authentication methods.
- Configure routing and remote access on BranchVPN1 and CorpVPN1 to use RADIUS authentication and accounting. Use the following configuration settings:
  - RADIUS Server name: CorpNPS
  - Secret: J51nj3T%
  - Accept all other default settings.

Add Network Policy and Access Services Role
1. From Server Manager, select Manage > Add Roles and Features.
2. Click Next to begin the Add Roles and Features Wizard.
3. Select Role-based or feature-based installation and click Next.
4. Select the desired server from the Server Pool and click Next.
5. Select the Network Policy and Access Services role. Click Add Features to include management tools, and then click Next.
6. Click Next.
7. Click Next.
8. Select the role service(s) to install, and then click Next.
9. Click Install.
10. Click Close.
Configure Clients on the RADIUS Server
1. From Server Manager, select Tools > Network Policy Server.
2. Expand RADIUS Clients and Servers.
3. Right-click RADIUS Clients and select New.
4. Enter the Friendly name, Address (IP or DNS), and the shared secret.
5. On the Advanced tab, select Vendor name.
6. Click OK.
Create a Network Policy
1. From Network Policy Server, expand the Policies node.
2. Right-click Network Policies and select New.
3. Type the Policy name and select the Type of network access server. Click Next.
4. To add group membership as a condition:
   - Click Add....
   - Select the group type, and then click Add....
   - Click Add Groups....
   - Type the name of the group, and then click OK. Click OK.
5. Click Next.
6. Select the access permission settings. Click Next.
7. Select the desired authentication settings. To configure EAP authentication:
   - Click Add....
   - Select the EAP authentication type, and then click OK.
8. If necessary, deselect any undesired authentication methods, and then click Next.
9. Select additional constraints and configure the settings as required. Click Next.
10. Network policy settings are not simulated. Click Next.
11. Click Finish.
Configure a RADIUS Client
1. Click Change Location and select the server to be configured as a RADIUS Client.
2. From Server Manager, select Tools > Routing and Remote Access.
3. Right-click the server and select Properties.
4. Select the Security tab.
5. In the Authentication provider: list, select RADIUS Authentication, and then click Configure....
   - Click Add....
   - Enter a name for the RADIUS server in Server name:.
   - Click Change.... Enter a password in New secret: and Confirm new secret:. This password must be identical to the one that was entered on the NPS server. Click OK.
   - Click OK to add the RADIUS server.
   - Click OK to close the RADIUS Authentication dialog.
6. In the Accounting provider: list, select RADIUS Accounting and then click Configure....
   - Click Add....
   - Enter a name for the RADIUS server in Server name:.
   - Click Change.... Enter a password in New secret: and Confirm new secret:. This password must be identical to the one that was entered on the NPS server. Click OK.
   - Click OK to add the RADIUS server.
   - Click OK to close the RADIUS Accounting dialog.
7. Click OK to close server properties.

You work as the IT Administrator for a small corporate network. You have a Windows Server 2012 router named CorpRTR that provides a measure of isolation for your test network. You want to install and configure the Network Address Translation (NAT) protocol on the router to provide additional isolation for the test network. You also need to provide secure access to an internal web server which resides on the test network.
Your tasks in this lab are to:
- Install the Network Address Translation (NAT) IP routing protocol.
- Identify Network2 as the public interface. Configure it to be NAT enabled.
- Configure the Network2 interface to allow access to an internal secure web server on 10.0.10.10.
- Configure the NAT router to act as a DHCP server:
  - Dynamically configure client computers using an IP address on the 10.0.10.0 subnet (subnet mask 255.255.255.0).
  - Configure an Exclusion for the internal web server on 10.0.10.10.
- Configure the NAT router to act as a DNS proxy. Do not configure the router to connect automatically to the Internet when a DNS name needs to be resolved.
- Configure TestLAN as the private interface.

Add the Network Address Translation (NAT) IP Routing Protocol
1. From Server Manager, select Tools > Routing and Remote Access.
2. Expand the appropriate routing protocol node.
3. Right-click General and choose New Routing Protocol....
4. Select NAT and click OK.
Identify the Public and Private NAT Interfaces
1. From Routing and Remote Access, expand the appropriate protocol (i.e., IPv4 or IPv6) node.
2. Right-click NAT and select New Interface....
3. Select the interface that is connected to the Internet. Click OK.
4. Select Public interface connected to the Internet and then Enable NAT on this interface.
5. On the Services and Ports tab:
   - Select the desired service (such as HTTPS).
   - Enter the Private address for the service.
   - Click OK.
   - Click OK to close the interface properties dialog.
   - Right-click the NAT container again and choose New Interface....
   - Select the interface connected to the private network and click OK.
   - Select Private interface connected to private network and click OK.
Configure the NAT Router
1. From Routing and Remote Access, right-click NAT and choose Properties.
2. On the Address Assignment tab, select Automatically assign IP addresses by using the DHCP allocator.
3. Type the subnet address and the subnet mask that the server will use for assigning IP addresses to hosts on the private network.
4. To configure an address exclusion:
   - Click Exclude....
   - Click Add....
   - Type the addresses to be excluded (any statically assigned addresses on the private network).
   - Click OK to add the address.
5. On the Name Resolution tab, select Clients using Domain Name System (DNS).
6. Click OK to save the changes.

You previously configured a RADIUS solution with CorpNPS as the RADIUS server and servers BranchVPN1 and CorpVPN1 as RADIUS clients. The Sales team uses a unique application that requires a dial-up connection. You have configured the BranchVPN2 server as a dial-up server. Because this is the only dial-up server on your network, you would like to process network policies for dial-up connections locally on the BranchVPN2 server, but forward all other remote access connection requests to the RADIUS server. Your task in this lab is to configure BranchVPN2 as a RADIUS proxy, processing dial-up connection requests locally, but forwarding all other requests to CorpNPS. You are currently on CorpNPS.
Complete the following tasks:
- In Network Policy Server on CorpNPS, configure BranchVPN2 as a RADIUS Client.
  - Friendly Name: BranchVPN2
  - IP Address: 192.168.30.20
  - Shared secret: J51nj3T%
  - Vendor: RADIUS standard
- In Network Policy Server on BranchVPN2, create a remote RADIUS server group named Remote Connections. Add the CorpNPS server to this group using the IPv4 address. When verifying and resolving the server name, choose the address on the 192.168.0.0 network. Configure J51nj3T% for the shared secret.
- Create a connection request policy named Dial-up Connection Requests.
  - For the type of network access server, select Remote Access Server (VPN-Dial up).
  - As a condition, add NAS Port Type for Async (Modem) connections.
  - Process authentication requests on the local server.
  - Accept the network policy settings for authentication.
  - Make sure the connection request policy is processed first.
- Edit the existing Microsoft Routing and Remote Access Service Policy connection request policy. In the Authentication settings, forward authentication requests to the Remote Connections remote RADIUS server group. Make sure this policy is second on the list.
- Create a network policy named Dial-up Network Policy.
  - For the type of network access server, select Remote Access Server (VPN-Dial up).
  - As a condition, add NAS Port Type for Async (Modem) connections.
  - As a condition, add membership in the Dial-up Users group.
  - Allow access, ignoring user account settings in Active Directory (Dial-in properties).
  - For authentication, allow only smart card or other certificate.
  - Make sure the policy is first on the list.

Configure a Client on the RADIUS Server
1. From Server Manager on CorpNPS, select Tools > Network Policy Server.
2. Expand RADIUS Clients and Servers.
3. Right-click RADIUS Clients and select New.
4. Enter the Friendly name, Address (IP or DNS), and the shared secret.
5. On the Advanced tab, select Vendor name.
6. Click OK.
Create a Remote RADIUS Server Group
1. Click Change Location and select BranchVPN2.
2. From Server Manager on BranchVPN2, select Tools > Network Policy Server.
3. Expand RADIUS Clients and Servers.
4. Right-click Remote RADIUS Server Groups and select New.
5. Enter a name for the group and click Add....
6. Enter the IP address or the name for the RADIUS server, and click Verify.... In the Verify Client dialog, click Resolve, and then select the appropriate IP address and click OK.
7. To add a shared secret, select the Authentication/Accounting tab: Enter a password in the Shared secret: and Confirm shared secret: text boxes. Click OK.
8. Click OK to add the RADIUS Server.
Create a Connection Request Policy
1. From Network Policy Server, expand Policies.
2. Right-click Connection Request Policies and select New.
3. Enter a Policy name and select the Type of network access server. Click Next.
4. To add a gateway as a condition:
   - Click Add....
   - Select the gateway type, and then click Add....
   - Select the access media types, and then click OK.
5. Click Next.
6. To process authentication on the local server, make sure Authenticate requests on this server is selected and click Next.
7. To accept the network policy settings for authentication, click Next.
8. To accept the configuration settings, click Next.
9. Click Finish.
10. To ensure that the policy is processed in the correct order: Right-click the policy and select Move Up or Move Down. Repeat as necessary until the policy is positioned in the processing order where you want it to be.
Edit the Authentication Settings for a Connection Request Policy
1. From Network Policy Server, expand Policies and select Connection Request Policies.
2. Right-click the policy you wish to edit and select Properties.
3. Select the Settings tab, and then select Authentication.
4. To forward requests, select Forward requests to the following remote RADIUS server group for authentication:. Select the appropriate server group and click OK.
Create a Network Policy
1. From Server Manager, select Tools > Network Policy Server.
2. Expand the Policies node.
3. Right-click Network Policies and select New.
4. Type the Policy name and select the Type of network access server. Click Next.
5. To add conditions, click Add....
   - For group membership as a condition: Select the group type, and then click Add.... Click Add Groups.... Type the name of the group, and then press Enter. Click OK.
   - To add a gateway as a condition: Select the gateway type, and then click Add.... Select the access media types, and then click OK.
6. Click Next.
7. To grant access regardless of Active Directory settings, select Access granted and click Next.
8. To allow only smart card or other certificate for authentication:
   - Click Add....
   - Select Microsoft: Smart Card or other certificate and click OK.
   - Deselect any undesired authentication types.
   - Click Next.
9. To accept the configuration constraints, click Next.
10. To accept the configuration settings, click Next.
11. Click Finish.
12. To ensure that the policy is processed in the correct order: Right-click the policy and select Move Up or Move Down. Repeat as necessary until the policy is positioned in the processing order where you want it to be.


Configure a VPN Server
1. From Server Manager, select Tools > Routing and Remote Access.
2. Right-click the server and select Configure and Enable Routing and Remote Access.
3. Click Next to start the Routing and Remote Access Server Setup wizard.
4. Select Remote access (dial-up or VPN) and click Next.
5. Select VPN and click Next.
6. Select Public as the Internet connection. Click Next.
7. Select From a specified range of addresses and click Next to progress to the Address Range Assignment screen.
8. Click New... to enter the range of addresses. Type the starting and ending IP addresses for the range. Click OK, then Next.
9. Verify that RADIUS is not used and click Next.
10. Click Finish to complete the Routing and Remote Access Server Setup wizard.
11. Click OK to acknowledge the DHCP Relay Agent message.
12. Appropriate VPN ports will automatically be created and enabled to accept remote access connections.
Configure VPN Ports
1. From Routing and Remote Access, expand the server node.
2. Right-click the Ports container and select Properties from the menu.
3. Select the port type you want to edit (such as PPTP or L2TP), and then click Configure....
4. Select the option to configure how the port is used:
   - Select Remote access connections (inbound only) to allow the server to accept remote access connections for that port type. Selecting only this option restricts remote clients to accessing resources only on the remote access server.
   - Select both Remote access connections (inbound only) and Demand-dial routing connections (inbound and outbound) to allow remote access clients to connect and access resources on the internal LAN.
   - Deselect both options to prevent the server from answering requests using that port type.
5. Modify the Maximum ports setting to configure the maximum number of active connections if necessary. Click OK.
6. If you reduced the number of Maximum ports, click Yes.
7. Click OK.
8. Repeat steps 3 through 7 to configure additional port types.

