IST 164 Chapter 10
To configure app-triggered VPN
Step 1. Find the Package Family Name for universal apps or find the path for desktop apps. Step 2. Enable the app to trigger the VPN. Step 3. Enable split tunneling for the VPN connection.
Move the client computer to the Internet virtual network
Step 1. Simulate moving a DirectAccess client out of the corporate network and to the Internet and then enabling the Internet network adapter. Step 2. Close the Network Connections window.
Network Connectivity Assistant
The Network Connectivity Assistant (NCA) is a service that is present on a DirectAccess client. It is installed by default since Windows 8 and can be installed optionally on Windows 7. This service verifies the DirectAccess IPv6 IPsec tunnels and exposes their status through PowerShell cmdlets. If the NCA is not running, you cannot use PowerShell cmdlets to monitor DirectAccess connections.
Dashboard
The Remote Access Management Console offers a centralized view (dashboard) for monitoring the most important DirectAccess components. It shows the operation status, the configuration status, and the DirectAccess and VPN client status.
First Layer of L2TP Encapsulation
The first layer is the L2TP encapsulation. A PPP frame (carrying an IP datagram) is wrapped with an L2TP header and a User Datagram Protocol (UDP) header.
Second layer of L2TP encapsulation
The second layer is the IPsec encapsulation. The resulting L2TP message is wrapped with an IPsec ESP header and trailer, an IPsec authentication trailer that provides message integrity and authentication, and a final IP header. The IP header contains the source and destination IP addresses of the VPN client and server. With L2TP/IPsec, the L2TP message is encrypted with AES or 3DES using encryption keys that the IKE negotiation process generates.
What does VPN Reconnect feature enable?
This feature enables users to access organizational data by using a VPN connection that reconnects automatically if connectivity is lost. VPN Reconnect also enables roaming between different networks (the connection survives a change of the client's IP address).
PowerShell cmdlet Add-VpnConnectionTriggerApplication
To enable the app to trigger the VPN, use the PowerShell cmdlet Add-VpnConnectionTriggerApplication.
How does a user utilize L2TP/IPSec?
To utilize L2TP/IPsec, both the VPN client and server must support L2TP and IPsec.
WebProbe resource record
To verify connectivity to the internal network, DirectAccess creates a default web probe that DirectAccess client computers use.
Get-VPNConnection cmdlet
To verify the split tunneling state on a VPN profile
T or F: IKEv2 (Internet key exchange version 2) supports mobility choice for a mobile workforce.
True
T or F: VPN Reconnect enables users to access organizational data by using a VPN connection which reconnects automatically if connectivity disconnects.
True
6to4:
Uses IP protocol 41 for transport and does not work when the client is behind a NAT (network address translation)
Multiple domain support:
Windows Server 2016 DirectAccess supports the deployment of DirectAccess through multiple domains.
Kerberos authentication
With Windows Server 2008 and Windows Server 2008 R2, IPsec certificates were essential for clients to authenticate the IPsec tunnel to a DirectAccess server. Since Windows Server 2012 DirectAccess, you can use Kerberos authentication for DirectAccess connections from the Internet to corporate networks. The two components that make this possible are KDC Proxy and IP-HTTPS.
Add-VpnConnection PowerShell cmdlet
With the Add-VpnConnection PowerShell cmdlet, you can add a VPN connection to the Connection Manager phone book. The Add-VpnConnection cmdlet is available only on Windows 8 and newer operating systems.
What is the Connection Manager Administration Kit (CMAK) used for?
You can use the Connection Manager Administration Kit (CMAK) to customize users' remote connection options by creating predefined connections to remote servers and networks.
Network Location Server (NLS)
A web server that accepts incoming HTTPS (SSL/TLS) connections. When the DirectAccess server is configured as the Network Location Server, the Windows Server 2016 web server role and the NLS website are installed automatically with the DirectAccess role.
DNS64
describes a DNS server that, when asked for a domain's AAAA records and finding only A records, synthesizes the AAAA records from the A records
PowerShell cmdlet Get-VpnS2SinterfaceStatistics
Provides detailed statistics about your S2S VPN interfaces (bytes and frames in and out, connection duration, and so on).
Remote access technologies in Windows Server 2016 enable users to connect securely to data and resources in corporate networks. In Windows Server 2016, what are the four component technologies?
virtual private network (VPN), DirectAccess, routing, and Web Application Proxy— combined into a single, unified server role called Remote Access.
main prerequisites for a DirectAccess solution
1. At least one Active Directory domain. 2. Workgroups are not supported. 3. DirectAccess clients must be domain members. 4. The DirectAccess server must have at least one network adapter. 5. At least one domain controller and DNS server. 6. A PKI to issue certificates (not needed for the Basic/Kerberos-proxy deployment). Externally issued certificates are not a requirement. 7. IPsec policies that specify the protection for network traffic. 8. Clients running at least Windows 7 Enterprise/Ultimate (or Windows 8 Enterprise and later). 9. Tunneled IP traffic allowed to pass through the perimeter firewall.
KDC Proxy
1. The KDC Proxy service is installed by default. 2. KDC Proxy is a web-based service. 3. A TLS/SSL secure channel is used to connect to the KDC Proxy service. 4. KDC Proxy is not possible on a standalone server. 5. The KDC Proxy SSL certificate needs a revocation check.
Using remote VPNs in Windows Server 2016 involves four scenarios
1. VPN connections with PPTP 2. VPN connections with L2TP/IPsec 3. VPN connections with SSTP 4. VPN connections with IKEv2
A DirectAccess client can be any domain-joined client computer that is running what (Ultimate and Enterprise) editions?
1. Windows 7 2. Windows 8 3. Windows 8.1 4. Windows 10
To set up a Basic DirectAccess server, you must consider what?
1. Windows Firewall must be enabled on all profiles. 2. This option works only with Windows 10, Windows 8.1, and Windows 8. 3. A public key infrastructure is not required. 4. Domain credentials are required for authentication. 5. DirectAccess is automatically deployed to all mobile computers in the current domain. 6. Traffic to the Internet does not go over the DirectAccess tunnel. 7. The DirectAccess server is the Network Location Server. 8. Two-factor authentication is not supported. 9. Force tunnel configuration is not supported. 10. If you are using ISATAP, you should remove it and use native IPv6. 11. Network Access Protection (NAP) is not supported.
IPsec
A DirectAccess client uses Authenticated IP (AuthIP) and IPsec to negotiate and authenticate an encrypted IPsec tunnel to the DirectAccess server.
Network Location Server
A DirectAccess client uses the network location server (NLS) to determine its location. If the client computer can securely connect to the NLS by using HTTPS, the client assumes that it is on the intranet and the DirectAccess policies are not enforced. If the NLS cannot be contacted, the client assumes that it is on the Internet. Because a reachable NLS switches DirectAccess off, the NLS must be highly available inside the network and must never be resolvable or reachable from the Internet. The NLS installs on the DirectAccess server with the web server role.
DirectAccess Server role
A DirectAccess server allows remote users to securely access internal resources without connecting to a VPN. The DirectAccess server establishes bidirectional connectivity with the internal network every time a DirectAccess-enabled computer connects to the Internet, even before the user logs on. IT administrators also can manage remote computers outside the office, even when the computers are not connected to a VPN (manage-out support).
VPN connections use?
A VPN connection can use different encapsulation, authentication, and data encryption technologies
Persistent VPN Connection
A persistent S2S VPN has a constant connection. Additionally, if the connection inadvertently closes or drops, it is reestablished immediately. To configure the connection as persistent, on the properties page of the Demand-dial interface, on the Options tab, select Persistent connection. You also can configure this on the answering router by clearing the Idle Timeout and Session Timeout boxes on the network policy's Constraints tab.
What does site-to-site (S2S) VPN connection allow you to do?
A site-to-site (S2S) VPN connection gives you the capability to connect two networks at different physical locations across the Internet.
S2S VPN connection (IPsec/IKE VPN tunnel from your on-premises network to an Azure virtual network; SSTP is used by Azure point-to-site connections, not site-to-site)
A site-to-site VPN connects an on-premises TCP/IP network to a virtual network through a VPN tunnel. In the on-premises network, a VPN device routes traffic to the virtual network. You can use either a compatible third-party VPN device or use a server running Windows server with the Routing and Remote Access Service (RRAS) configured. Azure provides scripts that you can use to configure different VPN devices. Use a site-to-site connection when you have many client computers that are all connected to an on-premises network. Unlike point-to-site connections, clients can use site-to-site connections only when they have a direct connection to the on-premises network.
Traffic Selector
A traffic selector (also known as a proxy ID in IKEv1) is an agreement between IKE peers to permit traffic through a tunnel if the traffic matches a specified pair of local and remote addresses.
How many VPN tunnels can Azure support?
Azure supports a maximum of 30 VPN tunnels per VPN gateway (the exact limit depends on the gateway SKU).
How can CMAK be installed?
CMAK is part of Windows Server 2016 and can be installed with the command Install-WindowsFeature -Name CMAK. It is also present on a Windows 10 client, where you can enable it through Programs and Features (Turn Windows features on or off).
Clear-VpnS2SInterfaceStatistics
Clears statistics for an S2S interface.
When does computer-level authentication occur?
Computer-level authentication occurs only for L2TP/IPsec connections
DirectAccess client
Computers that are running the following operating systems are supported as DirectAccess clients: Windows 7 Enterprise/Ultimate, Windows 8/8.1 Enterprise, Windows 10 Enterprise, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016. Non-Windows clients are not supported with DirectAccess.
Connection Manager
Connection Manager is a client network connection tool that allows a user to connect to a remote network, such as an Internet service provider (ISP) or an organizational network that a VPN server protects.
Connect-VpnS2Sinterface
Connects an S2S interface that is currently not connected.
Add-VpnS2Sinterface
Creates an S2S interface with the specified parameters.
WMI (Windows management instrumentation) filter:
Defines that only mobile computers get the DirectAccess client Group Policy applied to them
NCA (network connection assistant):
Delivers status information about DirectAccess connections
DNS64:
Describes a DNS server that, when asked for a domain's AAAA (IPv6 address) records and finds only A (IPv4 address) records, synthesizes the AAAA records from the A records
Built-in NAT64 and DNS64:
DirectAccess can use NAT64 and DNS64 to allow IPv6 hosts to communicate with IPv4 servers. DNS64 makes it possible to resolve name requests for IPv6 addresses without having IPv6 addresses registered in DNS. The DNS server delivers a synthesized IPv6 address to the requestor.
DirectAccess server setup
DirectAccess server setup can easily be done through the Getting Started Wizard. This wizard offers easy step-by-step configuration for a DirectAccess server. The wizard runs background PowerShell scripts that execute the most necessary steps (such as creating GPOs). With the setup of the DirectAccess server, you also have configured DirectAccess client settings because the wizard also creates a DirectAccess client Group Policy.
Disconnect-VpnS2Sinterface
Disconnects an S2S interface that is currently connected.
When using additional firewalls, apply the following Internet-facing firewall exceptions for Remote Access traffic when the Remote Access server is on the IPv6 Internet
Exception 1: IP Protocol 50 Exception 2: UDP destination port 500 inbound, UDP source port 500 outbound
When using additional firewalls, apply the following internal network firewall exceptions for Remote Access traffic
Exception 1: ISATAP Protocol 41 inbound and outbound Exception 2: TCP/UDP for all IPv4/IPv6 traffic
T or F: IKEv2 (Internet key exchange version 2) uses the IPsec tunnel mode protocol over UDP port 443.
False; It uses the IPsec (IP security) tunnel mode protocol over UDP (user datagram protocol) port 500, with UDP port 4500 when NAT traversal is in use.
T or F: The DirectAccess client computer must connect to the DirectAccess server by using IPv4 and IPsec.
False; The DirectAccess client computer must connect to the DirectAccess server by using IPv6 and IPsec.
What happens when you enable split tunneling for a VPN connection?
If you enable split tunneling for a VPN connection, all traffic that is not intended for the internal network is sent out through the local gateway.
What must you do if you have split-brain DNS?
If you have split-brain DNS, you must add exemption rules for the names of resources for which you want DirectAccess clients located on the Internet to access the Internet version instead of the intranet version
EAP
If you use EAP, an arbitrary authentication mechanism authenticates a Remote Access connection. The Remote Access client and the authenticator, which is either the Remote Access server or the Remote Authentication Dial-In User Service (RADIUS) server, negotiate the exact authentication scheme they will use. Routing and Remote Access includes support for EAP-TLS by default. You can plug in other EAP modules to the server that is running Routing and Remote Access to provide other EAP methods.
VPN Connections with IKEv2
Internet Key Exchange Protocol Version 2 (IKEv2) uses the IPsec Tunnel Mode protocol over UDP port 500 (and UDP port 4500 for NAT traversal). IKEv2 supports mobility (MOBIKE), making it a good protocol choice for a mobile workforce. IKEv2-based VPNs enable users to move easily between wireless hotspots or between wireless and wired connections.
MS-CHAPv2
MS-CHAPv2 is a one-way, encrypted-password, mutual authentication process that works as follows: 1. The authenticator, which is the Remote Access server or computer that is running Network Policy Server (NPS), sends a challenge to the Remote Access client. The challenge consists of a session identifier and an arbitrary challenge string. 2. The Remote Access client sends a response that contains a one-way encryption of the received challenge string, the peer challenge string, the session identifier, and the user password. 3. The authenticator checks the response from the client and sends back a response that contains an indication of the connection attempt's success or failure, along with an authenticated response based on the sent challenge string, the peer challenge string, the client's encrypted response, and the user password. 4. The Remote Access client verifies the authentication response and, if correct, uses the connection. If the authentication response is not correct, the Remote Access client terminates the connection. Note that the MS-CHAPv2 exchange rests on the NT password hash and DES, and a captured exchange can be attacked offline, so use it only inside a protected EAP tunnel (PEAP) or prefer EAP-TLS.
Manage-out support:
Manage-out support for Windows Server 2016 DirectAccess means that you can manage DirectAccess clients through the DirectAccess tunnel in the outbound direction (from the intranet to the client).
PowerShell support:
Many PowerShell cmdlets can be used for Windows Server 2016 DirectAccess. For example, to get information about the DirectAccess server configuration, you use Get-DAServer.
Operation Status
Operation Status provides information about the health of each DirectAccess component: DNS, DNS64, domain controllers, IP-HTTPS, Kerberos authentication, NAT64, network adapters, Network Location Server, and network security and services. If the DirectAccess component is healthy, it shows a green check mark. If any issue arises with the DirectAccess component, it shows a blue question mark. Clicking the component gives you more detailed information about the related issue, the cause of the issue, and how to resolve it.
What does PPTP enable users to do?
PPTP enables you to encrypt and encapsulate multiprotocol traffic in an IP header that it then sends across an IP network or a public IP network, such as the Internet.
VPN Connections with PPTP
PPTP is a tunneling protocol that uses Microsoft Point-to-Point Encryption (MPPE). The Windows Server 2016 VPN server still supports PPTP; it has 128 PPTP ports by default for VPN client connections. Both the PPTP authentication (MS-CHAPv2) and MPPE (RC4) are considered broken, so keep PPTP only for legacy clients and prefer SSTP or IKEv2.
PAP
Password Authentication Protocol (PAP) uses plain-text passwords and is the least secure authentication protocol. It typically is negotiated if the Remote Access client and Remote Access server cannot negotiate a more secure form of validation. Windows Server 2016 includes PAP to support older client operating systems that support no other authentication method.
Remote Access Client Status
Remote Access Client Status displays information about the DirectAccess client computers that connect to the DirectAccess server. The information displayed in this window includes the username, hostname, ISP address, protocol/tunnel, and duration. For each DirectAccess client connection, you can view more detailed information.
Remote Access Reporting
Remote Access Reporting provides the same information as Remote Access Client Status, but as a historical DirectAccess client usage report. You can choose the start date and end date for the report. In addition, Remote Access Reporting displays server load statistics: the total DirectAccess sessions, the average sessions per day, the maximum concurrent sessions, and the number of unique DirectAccess clients.
Remove-VpnS2Sinterface
Removes a specified S2S interface.
Get-VpnS2SInterface
Retrieves configuration details for an S2S interface.
S2S VPN connections, or router-to-router VPN connections
S2S VPN connections, or router-to-router VPN connections, enable your organization to establish routed connections between separate offices or with other organizations over a public network while helping to maintain secure communications.
What does SSTP provide?
SSTP provides a mechanism to encapsulate PPP traffic over the SSL channel of the HTTPS protocol. The use of PPP allows support for strong authentication methods such as EAP-TLS. SSL provides transport-level security with enhanced key negotiation, encryption, and integrity checking.
VPN Connections with SSTP
Secure Socket Tunneling Protocol (SSTP) is a tunneling protocol that uses the HTTPS protocol over TCP port 443 to pass traffic through firewalls and web proxies that otherwise might block PPTP and L2TP/IPsec traffic.
Whenever DirectAccess client computers are not able to connect to the DirectAccess server, we recommend that you follow the methodology for problem diagnostics. Troubleshooting methodology includes what steps?
Step 1. Check whether the DirectAccess client is running a supported operating system version. Step 2. Check whether the DirectAccess client computer is a member of the domain. Step 3. Check whether the DirectAccess client computer received the computer configuration Group Policy settings for DirectAccess. Step 4. Check whether the DirectAccess server computer received the computer configuration Group Policy settings for DirectAccess. Step 5. Check whether the DirectAccess client computer has a global IPv6 address. Step 6. Check whether the DirectAccess client computer can connect to the IPv6 addresses of the DirectAccess server. Step 7. Check that the DirectAccess client computer is not assigned the domain firewall profile while it is on the Internet (the DirectAccess connection security rules apply to the public and private profiles; a client in the domain profile treats itself as on the intranet). Step 8. Check whether the DirectAccess client computer has IPv6 reachability to its intranet DNS servers and whether it can use the intranet DNS servers to resolve and reach intranet FQDNs. Step 9. Check whether the DirectAccess client computer can establish both the IPsec infrastructure tunnel and the intranet tunnel with the DirectAccess server. Step 10. Use the following command-line tools to perform the checks: netsh, ping, nslookup, ipconfig, certutil, and nltest. Step 11. Use the following graphical user interface (GUI) tools to perform the checks: Remote Access Management Console, Group Policy Management Console and Group Policy Management Editor, Windows Firewall with Advanced Security, Event Viewer, and the Certificates snap-in.
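The client-side checks of this methodology, as an added example that is not part of the course notes: a script that runs the checks in the same order and prints one PASS/FAIL line per check. Run it in an elevated PowerShell on a Windows 8.1 or Windows 10 DirectAccess client while the client is on the Internet. The intranet host name is an assumption; the cmdlets are the built-in NetTCPIP, NetSecurity, DnsClient and NetworkConnectivityStatus modules.

```powershell
# Added example (not from the course notes): DirectAccess client health check.
$IntranetHost = 'dc1.corp.example.com'   # assumed: an intranet FQDN covered by the NRPT

$checks = [ordered]@{}

# Step 1 and 2: supported edition and domain membership
$os = Get-CimInstance Win32_OperatingSystem
$cs = Get-CimInstance Win32_ComputerSystem
$checks['Enterprise/Ultimate edition'] = [bool]($os.Caption -match 'Enterprise|Ultimate')
$checks['Domain joined']               = [bool]$cs.PartOfDomain

# Step 3: the DirectAccess Client Settings GPO delivers the NRPT; no NRPT rules means the
# computer GPO never arrived (gpupdate /force and gpresult /R show why)
$nrpt = @(Get-DnsClientNrptPolicy -ErrorAction SilentlyContinue)
$checks['NRPT rules from DA GPO'] = $nrpt.Count -gt 0

# Step 5: a global IPv6 address (native, 6to4, Teredo or IP-HTTPS), not just link-local
$v6 = @(Get-NetIPAddress -AddressFamily IPv6 -ErrorAction SilentlyContinue |
        Where-Object { $_.IPAddress -notlike 'fe80*' -and $_.IPAddress -ne '::1' })
$checks['Global IPv6 address'] = $v6.Count -gt 0

# Which transition technology is carrying the tunnel (normally only one is active)
$checks['IP-HTTPS interface active'] = (Get-NetIPHttpsState).InterfaceStatus -like '*interface active'
$checks['Teredo qualified']          = (Get-NetTeredoState).State -eq 'qualified'

# Step 7: on the Internet the client must NOT be in the domain profile; the DirectAccess
# connection security rules are bound to the public and private profiles
$profiles = @(Get-NetConnectionProfile)
$checks['Not in domain profile'] = -not ($profiles.NetworkCategory -contains 'DomainAuthenticated')

# Step 8: intranet name resolution through the tunnel; with NAT64/DNS64 the DirectAccess
# server answers with a synthesized AAAA record even for IPv4-only intranet hosts
$aaaa = @(Resolve-DnsName -Name $IntranetHost -Type AAAA -ErrorAction SilentlyContinue |
          Where-Object { $_.Type -eq 'AAAA' })
$checks['Intranet AAAA resolved'] = $aaaa.Count -gt 0

# Step 9: the infrastructure and intranet tunnels show up as IPsec main-mode and
# quick-mode security associations
$mm = @(Get-NetIPsecMainModeSA  -ErrorAction SilentlyContinue)
$qm = @(Get-NetIPsecQuickModeSA -ErrorAction SilentlyContinue)
$checks['IPsec main-mode SA']  = $mm.Count -gt 0
$checks['IPsec quick-mode SA'] = $qm.Count -gt 0

# The NCA's own verdict (needs the NCA service; see the Network Connectivity Assistant card)
$da = Get-DAConnectionStatus -ErrorAction SilentlyContinue
$checks['NCA status ConnectedRemotely'] = ($da -ne $null) -and ($da.Status -eq 'ConnectedRemotely')

foreach ($name in $checks.Keys) {
    $state = if ($checks[$name]) { 'PASS' } else { 'FAIL' }
    '{0,-34} {1}' -f $name, $state
}
# Steps 4 and 6 are server-side or need the server's address: run Get-DAServer on the
# DirectAccess server and Test-NetConnection <DA server IPv6 address> from the client.
```

Read the output top to bottom: the first failing line is normally the cause, because each later check depends on the earlier ones (no NRPT means no GPO, no global IPv6 means no transition technology, no main-mode SA means IPsec authentication failed).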
You must configure the infrastructure required for a Basic DirectAccess deployment using a single DirectAccess server in a mixed IP4/IPv6 environment. For that, you need to ensure that what tasks are done?
Step 1. Configure the server network settings on the DirectAccess server. Step 2. Configure routing in the corporate network to make sure traffic is appropriately routed. Step 3. Configure additional firewalls, if required. Step 4. Configure DNS settings for the DirectAccess server. Step 5. Join client computers and the DirectAccess server to the Active Directory domain. Step 6. Configure GPOs for the deployment, if required. Step 7. Configure security groups that will contain DirectAccess client computers, as well as any other security groups required in the deployment.
You must manually configure a DNS entry for the NLS in your deployment. You do so with what steps?
Step 1. On the internal network DNS server, run dnsmgmt.msc and then press Enter. Step 2. In the left pane of the DNS Manager console, expand the forward lookup zone for your domain. Right-click the domain and click New Host (A or AAAA). Step 3. From the New Host dialog box, in the Name (Uses Parent Domain Name If Blank) box, enter the DNS name for the Network Location Server website (this is the name the DirectAccess clients use to connect to the Network Location Server). In the IP Address box, enter the IPv4 address of the Network Location Server and then click Add Host. In the DNS dialog box, click OK. Step 4. From the New Host dialog box, in the Name (Uses Parent Domain Name If Blank) box, enter the DNS name for the web probe (the name for the default web probe is directaccess-webprobehost). In the IP Address box, enter the IPv4 address of the web probe and then click Add Host. Repeat this process for directaccess-corpconnectivityhost and any manually created connectivity verifiers. In the DNS dialog box, click OK.
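The same records created with the DnsServer PowerShell module instead of DNS Manager, as an added example that is not part of the course notes. It assumes the zone corp.example.com, an NLS at 10.0.0.10 named nls (the name is an assumption) and a web probe host at 10.0.0.20; the two probe names are the DirectAccess defaults quoted in the steps above.

```powershell
# Added example (not from the course notes): NLS and web probe records for DirectAccess.
# Run on an internal DNS server (or with the RSAT DnsServer module against it).
$Zone = 'corp.example.com'
$records = [ordered]@{
    'nls'                               = '10.0.0.10'   # Network Location Server (HTTPS site)
    'directaccess-webprobehost'         = '10.0.0.20'   # default web probe
    'directaccess-corpconnectivityhost' = '10.0.0.20'   # default connectivity verifier
}

foreach ($name in $records.Keys) {
    $existing = Get-DnsServerResourceRecord -ZoneName $Zone -Name $name -RRType A -ErrorAction SilentlyContinue
    if ($existing) {
        "$name.$Zone already has A record(s): $(($existing.RecordData.IPv4Address | ForEach-Object { $_.IPAddressToString }) -join ', ')"
        continue
    }
    Add-DnsServerResourceRecordA -ZoneName $Zone -Name $name -IPv4Address $records[$name] -TimeToLive '01:00:00'
    "Added $name.$Zone -> $($records[$name])"
}

# Verify that every name resolves from this server; run the same Resolve-DnsName from a
# DirectAccess client on the intranet afterwards, since that is who must reach the NLS
foreach ($name in $records.Keys) {
    Resolve-DnsName -Name "$name.$Zone" -Type A -Server localhost -ErrorAction Stop |
        Where-Object { $_.Type -eq 'A' } |
        Select-Object Name, Type, IPAddress
}
```

These records belong only in the internal zone. The NLS name must not be published in external DNS, and the DirectAccess NRPT exempts it so that clients on the Internet never try to reach it through the tunnel.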
Verify connectivity to the DirectAccess server
Step 1. On your DirectAccess client, open a command prompt window, type ipconfig, and then press Enter. Step 2. Note the IPv6 address of the IP-HTTPS interface. In the lab these steps are based on it starts with 2002 (when the DirectAccess server has a public IPv4 address, the Getting Started Wizard derives a 6to4-style 2002: prefix for IP-HTTPS clients); in other deployments it is whatever IP-HTTPS prefix the DirectAccess server was configured with. Step 3. At the command prompt, type the following command and press Enter: netsh namespace show effectivepolicy (this lists the Name Resolution Policy Table rules delivered by Group Policy). Step 4. Open Settings, select Network and Internet, and then click DirectAccess. Step 5. Verify that Your DirectAccess client is set up correctly for single-site DirectAccess is displayed under Location. Step 6. Click the Collect button under Troubleshooting info.
Verify the DirectAccess Group Policy configuration settings for DirectAccess clients
Step 1. Switch to your DirectAccess client. Step 2. Restart the DirectAccess client, and then sign in. Step 3. Open a command prompt window and type the following commands: gpupdate /force, gpresult /R Step 4. Verify that DirectAccess Client Settings GPO displays in the list of the Applied Policy objects for the Computer Settings. Step 5. Close the command prompt window.
PPTP
TCP port 1723 for the control channel and GRE (IP protocol 47) for the tunneled data. Provides data confidentiality but not data integrity or data authentication.
SSTP
TCP port 443. Uses SSL to provide data confidentiality, data integrity, and authentication.
Teredo
Teredo is a built-in transition mechanism that gives a single system behind an IPv4 NAT access to IPv6.
What does CMAK create?
The CMAK Wizard creates an executable file that you can then distribute to your users or include during deployment activities as part of the operating system image.
CHAP
The Challenge Handshake Authentication Protocol (CHAP) is a challenge/response authentication protocol that uses the industry-standard MD5 hashing scheme to compute the response. Various vendors of network access servers and clients use CHAP. However, because CHAP requires that the user's password be stored with reversible encryption in Active Directory, you should consider using another authentication protocol, such as MS-CHAPv2.
What must a DirectAccess client have for the server authentication certificate?
The DirectAccess client must have a trusted root certificate for the DirectAccess server authentication certificate. If the client is a domain member, it can be delivered directly through GPO.
DirectAccess server
The DirectAccess server is also known as Unified Remote Access. It is a VPN-like technology that enables DirectAccess clients (Windows only) to establish an IPv6 tunnel to the corporate network through the Internet without user interaction. When the user has Internet connectivity, the DirectAccess tunnel is established automatically to the public IP address and name of the DirectAccess server.
KDC proxy
The Getting Started Wizard configures the DirectAccess server to act as a Kerberos proxy to perform IPsec authentication without requiring certificates. Client authentication requests are sent to a Kerberos proxy service running on the DA server. The KDC proxy sends Kerberos requests to DCs on behalf of the client. This configuration is applicable only for clients running the following operating systems: Windows 10, Windows 8.1, Windows 8 client operating system, Windows Server 2016, Windows Server 2012 R2, or Windows Server 2012. If Windows 7 clients need to be supported for DirectAccess, you must deploy a PKI to issue computer certificates for backward compatibility.
T or F: A DirectAccess client can be any domain-joined computer that is running an Enterprise edition of Windows 7/8/8.1/10.
True
T or F: DirectAccess client computers can connect to DirectAccess servers located in different domains.
True
T or F: IKEv2 (Internet key exchange version 2) encapsulates datagrams by using IPsec ESP or an AH for transmission over the network.
True
T or F: IKEv2 (Internet key exchange version 2) is the default VPN tunneling protocol in Windows 10, Windows 7, and Windows 8.
True
T or F: The system requires Windows Server 2008 R2, Windows Server 2012, or Windows Server 2016 for using VPN reconnect feature.
True
T or F: For an S2S VPN connection, a demand-dial interface must be created.
True; A demand-dial interface must be created.
T or F: For an S2S VPN connection, a persistent or on-demand connection can be used.
True; A persistent or on-demand connection can be used.
T or F: In an S2S VPN connection, the VPN client (calling router) authenticates itself to the VPN server (answering router).
True; The VPN client authenticates itself to the VPN server.
With an S2S VPN connection, what takes place?
Two portions of a private network are connected. The VPN client authenticates itself to the VPN server. You must create a demand-dial interface. You can create three types of site-to-site VPNs: Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP), and Internet Key Exchange Version 2 (IKEv2). A persistent or on-demand connection can be used.
L2TP/IPSec
UDP port 500 (IKE), UDP port 1701 (L2TP), UDP port 4500 (NAT traversal), IP protocol 50 (ESP). Uses either certificates or preshared keys for authentication. Certificate authentication is recommended.
IKEv2
UDP port 500, plus UDP port 4500 and IP protocol 50 (ESP) when NAT traversal is in use. Supports the latest IPsec encryption to provide data confidentiality, data integrity, and authentication. IKEv2 is the default VPN tunneling protocol in Windows 10, Windows 7, and Windows 8.
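The port and protocol facts from the PPTP, L2TP/IPsec, SSTP and IKEv2 cards, and the firewall-exception cards earlier on this page, turned into Windows Firewall rules on an RRAS VPN server, as an added example that is not part of the course notes. The rule names and the decision to leave the PPTP and L2TP rules disabled are assumptions.

```powershell
# Added example (not from the course notes): inbound firewall rules per VPN tunnel type.
$rules = @(
    # PPTP: TCP 1723 for the control channel plus GRE (IP protocol 47) for the data channel
    @{ Name = 'VPN-PPTP-Control'; Protocol = 'TCP'; Port = 1723 }
    @{ Name = 'VPN-PPTP-GRE';     Protocol = '47';  Port = $null }
    # L2TP/IPsec: IKE on UDP 500, NAT-T on UDP 4500, L2TP on UDP 1701, ESP (IP protocol 50)
    @{ Name = 'VPN-L2TP-IKE';     Protocol = 'UDP'; Port = 500 }
    @{ Name = 'VPN-L2TP-NATT';    Protocol = 'UDP'; Port = 4500 }
    @{ Name = 'VPN-L2TP-L2TP';    Protocol = 'UDP'; Port = 1701 }
    @{ Name = 'VPN-L2TP-ESP';     Protocol = '50';  Port = $null }
    # SSTP: HTTPS on TCP 443
    @{ Name = 'VPN-SSTP';         Protocol = 'TCP'; Port = 443 }
    # IKEv2: UDP 500, UDP 4500 (NAT-T) and ESP; the same as L2TP/IPsec minus UDP 1701
    @{ Name = 'VPN-IKEv2-IKE';    Protocol = 'UDP'; Port = 500 }
    @{ Name = 'VPN-IKEv2-NATT';   Protocol = 'UDP'; Port = 4500 }
    @{ Name = 'VPN-IKEv2-ESP';    Protocol = '50';  Port = $null }
)

# Only SSTP and IKEv2 are opened; the PPTP and L2TP rules are created disabled so the
# rule set documents what was deliberately left closed (assumption for this example)
$EnabledRules = @('VPN-SSTP', 'VPN-IKEv2-IKE', 'VPN-IKEv2-NATT', 'VPN-IKEv2-ESP')

foreach ($r in $rules) {
    if (Get-NetFirewallRule -Name $r.Name -ErrorAction SilentlyContinue) {
        Remove-NetFirewallRule -Name $r.Name
    }
    $enabled = if ($EnabledRules -contains $r.Name) { 'True' } else { 'False' }
    $params = @{
        Name        = $r.Name
        DisplayName = $r.Name
        Direction   = 'Inbound'
        Protocol    = $r.Protocol
        Action      = 'Allow'
        Profile     = 'Any'
        Enabled     = $enabled
    }
    if ($r.Port) { $params['LocalPort'] = $r.Port }   # GRE and ESP carry no port numbers
    New-NetFirewallRule @params | Out-Null
}

# Review what is actually open; duplicate UDP 500/4500 entries are expected (one per tunnel type)
Get-NetFirewallRule -Name 'VPN-*' |
    Select-Object Name, Enabled,
        @{ n = 'Protocol';  e = { ($_ | Get-NetFirewallPortFilter).Protocol } },
        @{ n = 'LocalPort'; e = { ($_ | Get-NetFirewallPortFilter).LocalPort } } |
    Format-Table -AutoSize
```

The perimeter firewall in front of the server needs the matching exceptions; the GRE and ESP rules are the ones most often forgotten because they have no port to open.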
Set-VpnS2Sinterface
Updates parameters for an S2S interface. This example changes the initiator authentication method to EAP with MS-CHAPv2: Set-VpnS2SInterface -Name "Edge" -AuthenticationMethod EAP -EapMethod EAP-MSCHAPv2 -PassThru
ExpressRoute (uses a private connection to Azure datacenters provided by a network provider)
Using ExpressRoute, you increase security, reliability, and bandwidth. The ExpressRoute service can provide a private connection from your datacenter to an Azure virtual network through a connection service provider. This can improve security and achieve higher bandwidth, lower latency, and better reliability. Microsoft works with network service providers to build these connections.
What does a VPN enable users to do?
VPN connections enable offsite users to access a server on a private network by using the infrastructure that a public network provides
S2S VPN connections (on-demand)
When traffic needs to be forwarded to the remote location, the site-to-site VPN connection is established. When the transfer completes, the connection closes shortly thereafter, depending on the configuration of your remote access policy. You also can configure the calling router (VPN client) to close the connection after a specified idle timeout interval. You configure this in the properties of the demand-dial interface.
On-demand VPN Connection
When traffic needs to be forwarded to the remote location, the S2S VPN connection is established. After the transfer has completed, the connection closes shortly thereafter, depending on the configuration of your Remote Access policy. You also can configure the calling router (VPN client) to close the connection after a specified idle timeout interval. You configure this in the properties of the demand-dial interface.
New-EapConfiguration PowerShell cmdlet
When you want to add a VPN connection that uses a custom EAP authentication method, you can use the New-EapConfiguration PowerShell cmdlet to create an XML file with the specified EAP configuration
Simplified security policy:
Windows Server 2016 DirectAccess automatically configures the needed Group Policies on the DC with the relevant security settings for DirectAccess clients and DirectAccess servers.
Server Core Support:
Windows Server 2016 DirectAccess can be installed and configured on the Server Core (but not on Windows Server 2016 Nano Server).
DirectAccess behind NAT
Windows Server 2016 DirectAccess connections can run through NAT devices.
Which version of Windows provides multiple-domain support?
Windows Server 2016 DirectAccess provides multiple-domain support, which allows client computers from different domains to access resources that might be located in different trusted domains.
Force tunneling support:
Windows Server 2016 DirectAccess supports force tunneling, which means that all traffic from the DirectAccess client to any internal resource must go through the DirectAccess IPsec tunnel. Traffic destined for the intranet goes over the IPsec tunnel; traffic to the Internet also has to go over the DirectAccess IPsec tunnel.
PowerShell cmdlet Add-VpnIPAddressRange
With the PowerShell cmdlet Add-VpnIPAddressRange, you can add a new IPv4 address range from which IPv4 addresses can be assigned to VPN clients
PowerShell cmdlet Disconnect-VpnUser
With the PowerShell cmdlet Disconnect-VpnUser, you can disconnect a VPN connection originated by a specific user or client
PowerShell cmdlet Get-RemoteAccessConnectionStatistics
With the PowerShell cmdlet Get-RemoteAccessConnectionStatistics, you can get information about TotalConnections, TotalDAConnections, TotalVPNConnections, TotalUniqueUsers, MaxConcurrentConnections, TotalCumulativeConnections, TotalBytesIn, TotalBytesOut, and TotalBytesInOut.
PowerShell cmdlet New-VpnServerAddress
With the PowerShell cmdlet New-VpnServerAddress, you can create a VPN server address object.
PowerShell cmdlet New-VpnTrafficSelector
With the PowerShell cmdlet New-VpnTrafficSelector, you can create a VPN traffic selector object that configures the IKE traffic selector
PowerShell cmdlet Set-VpnServerIPsecConfiguration
With the PowerShell cmdlet Set-VpnServerIPsecConfiguration, you can configure IPsec properties on Windows Server 2016 Routing and Remote Access (RRAS) servers for incoming S2S VPN interfaces.
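The S2S cmdlets on this page (Add-, Set-, Get-, Connect-, Remove-VpnS2SInterface, New-VpnTrafficSelector, Set-VpnServerIPsecConfiguration, Clear-/Get-VpnS2SInterfaceStatistics) used together to build one IKEv2 site-to-site demand-dial interface, as an added example that is not part of the course notes. Assumptions: interface name Branch1, remote gateway 203.0.113.10, remote subnet 10.20.0.0/16, local subnet 10.10.0.0/16, a machine certificate from the internal CA already installed on both routers, and the cipher suite shown (chosen here, not by the page). Parameter names are those documented for the RemoteAccess module; confirm them with Get-Help on your build.

```powershell
# Added example (not from the course notes): IKEv2 S2S interface on a Windows Server 2016 RRAS router.
Import-Module RemoteAccess

$Name         = 'Branch1'
$RemoteGw     = '203.0.113.10'
$RemoteSubnet = '10.20.0.0/16:100'     # destination prefix plus route metric

# Traffic selectors limit what the tunnel carries to the two site prefixes (any protocol, any port)
$localTs  = New-VpnTrafficSelector -Type IPv4 -ProtocolId 0 -PortStart 0 -PortEnd 65535 `
                -IpAddressStart 10.10.0.0 -IpAddressEnd 10.10.255.255
$remoteTs = New-VpnTrafficSelector -Type IPv4 -ProtocolId 0 -PortStart 0 -PortEnd 65535 `
                -IpAddressStart 10.20.0.0 -IpAddressEnd 10.20.255.255

# Idempotent: replace an existing interface of the same name
if (Get-VpnS2SInterface -Name $Name -ErrorAction SilentlyContinue) {
    Remove-VpnS2SInterface -Name $Name -Force
}

# Certificate (not preshared key) authentication, a persistent connection that is redialed
# after an outage, and an explicit IKE/IPsec policy instead of the built-in defaults.
# With GCM ciphers the cipher and authentication transform constants must match.
Add-VpnS2SInterface -Name $Name -Protocol IKEv2 -Destination $RemoteGw `
    -AuthenticationMethod MachineCertificates `
    -IPv4Subnet $RemoteSubnet `
    -LocalVpnTrafficSelector $localTs -RemoteVpnTrafficSelector $remoteTs `
    -Persistent -NetworkOutageTimeSeconds 60 `
    -CustomPolicy -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 `
    -CipherTransformConstants GCMAES256 -AuthenticationTransformConstants GCMAES256 -PfsGroup PFS2048 `
    -SALifeTimeSeconds 28800 -SADataSizeForRenegotiationKilobytes 102400 -PassThru

# Responder side: require the same policy for S2S IKEv2 connections the branch initiates to us
Set-VpnServerIPsecConfiguration -CustomPolicy -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 `
    -DHGroup Group14 -CipherTransformConstants GCMAES256 -AuthenticationTransformConstants GCMAES256 `
    -PfsGroup PFS2048 -SALifeTimeSeconds 28800 -SADataSizeForRenegotiationKilobytes 102400

# Bring the tunnel up, confirm the state, then watch the counters move
Connect-VpnS2SInterface -Name $Name
Get-VpnS2SInterface -Name $Name
Clear-VpnS2SInterfaceStatistics -Name $Name
Start-Sleep -Seconds 10
Get-VpnS2SInterfaceStatistics -Name $Name | Format-List
```

The same Add-VpnS2SInterface call with -AuthenticationMethod PSK -SharedSecret is the preshared-key variant the cards mention; certificate authentication is preferred because a shared secret is a single static value on both routers.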
Set-VpnConnection PowerShell cmdlet
With the Set-VpnConnection PowerShell cmdlet, you can change the configuration of an existing client VPN connection, for example its server address or server list, tunnel type, authentication method, encryption level, or split tunneling setting.
Multisite deployment
You can deploy DirectAccess into a multisite network environment. You can use an integrated wizard to configure S2S IKEv2 IPsec tunnels.
Integrated NLB
You can easily integrate the Network Load Balancing (NLB) features of the underlying operating system.
PowerShell cmdlet Get-AppXPackage
You can find the Package Family Name for universal Windows apps when you run the PowerShell cmdlet Get-AppXPackage and then search for the value PackageFamilyName.
Single-NIC support
You can set up a DirectAccess server with a single network card.
Accounting/reporting:
You can use RADIUS Accounting or Windows Internal Database (WID) Accounting.
OTP support
You can use one-time password authentication (OTP) with highly secure one-time passwords, ensuring that only properly authenticated users are authorized access to the company's critical applications and data
How does a user implement a DirectAccess solution?
You cannot implement a DirectAccess solution without using Active Directory. At a minimum, the domain must run the Windows Server 2003 domain functional level.
djoin utility
You cannot use third-party operating systems as DirectAccess clients; a DirectAccess client must be a domain-joined Windows computer. With off-premises provisioning, you can join the client computer to the domain without connecting it to your internal network. This is done with the djoin utility (offline domain join), which can also embed the DirectAccess Group Policy settings and root CA certificates in the provisioning blob.
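The two halves of an offline domain join for a DirectAccess client, as an added example rather than text from the course; the domain name, computer name, OU, GPO name and file path are assumptions.

```powershell
# Added example, not part of the course text. Domain, computer name, OU,
# GPO name and file path are assumptions.

# Half 1: on a domain-joined administrative workstation, provision the computer
# account and save the blob. /policynames embeds the DirectAccess client GPO and
# /rootcacerts the enterprise root certificates, so the client can build its
# IPsec tunnels the first time it starts up on the Internet.
djoin.exe /provision /domain corp.contoso.com /machine CLIENT01 `
    /machineou "OU=DA Clients,DC=corp,DC=contoso,DC=com" `
    /policynames "DirectAccess Client Settings" `
    /rootcacerts /savefile C:\Temp\CLIENT01.txt

# Half 2: on the off-premises client (elevated), apply the blob to the local OS
# and restart. The file contains the machine password: copy it over a trusted
# channel and delete it afterwards.
djoin.exe /requestodj /loadfile C:\Temp\CLIENT01.txt `
    /windowspath $env:SystemRoot /localos
Remove-Item C:\Temp\CLIENT01.txt
Restart-Computer
```

After the restart the computer is a domain member that has never touched the intranet; the DirectAccess GPO settings it received from the blob are what let it reach a domain controller through the tunnel.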
RAS Gateway
A software-based, multitenant, BGP-capable router. It is designed for cloud service providers and large organizations that host multiple tenant virtual networks using Hyper-V Network Virtualization (HNV).
A DirectAccess client can be any domain-joined computer that is running what version of Windows?
an Enterprise edition of Windows 10, Windows 8.1, or Windows 8, or Windows 7 Enterprise or Ultimate
If a firewall or proxy server prevents the client computer using 6to4 or Teredo from connecting to the DirectAccess server, the client computer automatically attempts to connect by using the IP-HTTPS protocol, which uses what?
an SSL/TLS (HTTPS) connection to the DirectAccess server over TCP port 443, which most firewalls and proxies allow
Network Connectivity Assistant (NCA)
An integrated part of Windows 8, Windows 8.1, and Windows 10. For Windows 7 SP1, it is an optional feature and must be deployed separately. The NCA delivers status information about DirectAccess connections and is what the Get-DAConnectionStatus PowerShell cmdlet relies on. The NCA service can be seen in the Services console (service name: NcaSvc).
Computers that are members of a domain do not support ___________-_________ _____.
app-triggered VPNs
What two important issues arise with the transition mechanism, DNS64?
1. DNS64 works only when DNS is used to find the remote host address. If IPv4 literals are used, the DNS64 server is never involved. 2. Because the DNS64 server needs to return records not specified by the domain owner, DNSSEC validation against the root fails when the DNS server doing the translation is not the domain owner's server.
steps of configuring app-triggered VPN (virtual private network)
1. Find the package family name for universal apps or find the path for desktop apps. 2. Enable the app to trigger the VPN. 3. Enable split tunneling for the VPN connection.
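The three steps above carried out from the client side, together with New-VpnServerAddress and Set-VpnConnection. This is an added example, not code from the course text; the connection name, server names, package name and executable path are assumptions.

```powershell
# Added example, not part of the course text. Run in an elevated session on a
# Windows 10 client. Connection name, server names, package name and
# executable path are assumptions.
$connName = 'Contoso VPN'

# A per-user IKEv2 profile authenticated with the computer certificate.
Add-VpnConnection -Name $connName -ServerAddress 'vpn1.contoso.com' `
    -TunnelType Ikev2 -AuthenticationMethod MachineCertificate `
    -EncryptionLevel Required -Force

# New-VpnServerAddress builds server entries; Set-VpnConnection stores them as
# the list the client tries in order, default server first.
$primary = New-VpnServerAddress -ServerAddress 'vpn1.contoso.com' -FriendlyName 'HQ' -IsDefaultServer
$backup  = New-VpnServerAddress -ServerAddress 'vpn2.contoso.com' -FriendlyName 'DR site'
Set-VpnConnection -Name $connName -ServerList $primary, $backup -Force

# Step 1 (universal app): the trigger identifier is the Package Family Name.
$pfn = (Get-AppxPackage -Name 'Contoso.LineOfBusiness').PackageFamilyName   # assumed package
# Step 1 (desktop app): the trigger identifier is the executable path.
$exe = 'C:\Program Files\Contoso\LobClient.exe'                               # assumed path

# Step 2: register both applications as triggers for this connection.
Add-VpnConnectionTriggerApplication -ConnectionName $connName -ApplicationID $pfn, $exe -Force

# Step 3: app triggering requires split tunneling, so only corporate traffic
# rides the tunnel and the rest of the client's traffic never wakes it up.
Set-VpnConnection -Name $connName -SplitTunneling $true -Force

# Check: the triggers and the split-tunnel flag are now part of the profile.
Get-VpnConnectionTrigger -ConnectionName $connName
(Get-VpnConnection -Name $connName).SplitTunneling
```

Split tunneling is the price of app triggering: once it is on, the client's Internet traffic bypasses the corporate inspection path, so apply it only to connections whose resources are limited to the intranet prefixes you publish.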
An internal DNS server must deliver IP addresses behind hostnames to DirectAccess clients for which resources?
1. The IP address of the internal dedicated Network Location Server (NLS) 2. The DirectAccess server's internal interface IP address when the DirectAccess server itself is the NLS 3. When an internal CA is used, the IP address of the internal CA 4. The IP address of a domain controller, which has to deliver the DirectAccess GPO settings
6to4
6to4 is a transition mechanism in which a router with a public IPv4 address can be an IPv6 gateway or provider for a whole set of LANs.
If a native IPv6 network is not available, the client establishes an IPv6-over-IPv4 tunnel by using what?
6to4 or Teredo
Which IP protocol does 6to4 use?
6to4 uses IP protocol 41 for transport and does not work when the client is behind a NAT. If outbound IP protocol 41 is blocked, the client should fall back to Teredo or IP-HTTPS. In fact, the protocol fallback fails with enough regularity that it is the primary reason to disable 6to4 by default and not to use it for DirectAccess.
S2S VPN connections (persistent)
A persistent site-to-site VPN keeps a constant connection. Additionally, if the connection inadvertently closes or drops, it is reestablished immediately. To configure the connection as persistent, on the properties page of the demand-dial interface, on the Options tab, select Persistent Connection. You also must configure the answering router so that it does not drop the tunnel, by clearing the Idle Timeout and Session Timeout boxes on the network policy's Constraints tab.
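The same persistent S2S IKEv2 tunnel created from PowerShell on the calling router, with the New-VpnTrafficSelector objects from the cmdlet list above pinning the IKE traffic selectors to the two site prefixes. This is an added example, not code from the course text; the interface name, peer address, subnets, protocol ID 0 (meaning any IP protocol) and the pre-shared key are assumptions, and a certificate-based authentication method is preferable to a PSK in production.

```powershell
# Added example, not part of the course text. Run in an elevated session on
# the Windows Server 2016 RRAS router that initiates the tunnel. Names,
# addresses, subnets and the secret are assumptions.
Import-Module RemoteAccess

$peer = '203.0.113.10'                 # branch router (documentation address)
$psk  = 'REPLACE-WITH-A-LONG-RANDOM-SECRET'   # placeholder; prefer MachineCertificates

# -Persistent makes RRAS dial the tunnel at startup and redial when it drops;
# -IPv4Subnet is the remote prefix with its route metric.
Add-VpnS2SInterface -Name 'ToBranch' -Destination $peer -Protocol IKEv2 `
    -AuthenticationMethod PSKOnly -SharedSecret $psk `
    -IPv4Subnet '10.20.0.0/16:100' -Persistent -PassThru

# Restrict what IKE negotiates: local HQ prefix <-> remote branch prefix, any
# port, protocol 0 = any (assumed value; the docs' examples use 6 for TCP).
$tsLocal  = New-VpnTrafficSelector -Type IPv4 -ProtocolId 0 `
    -IPAddressRange '10.10.0.0', '10.10.255.255' -PortRange 0, 65535
$tsRemote = New-VpnTrafficSelector -Type IPv4 -ProtocolId 0 `
    -IPAddressRange '10.20.0.0', '10.20.255.255' -PortRange 0, 65535
Set-VpnS2SInterface -Name 'ToBranch' `
    -LocalVpnTrafficSelector $tsLocal -RemoteVpnTrafficSelector $tsRemote

# Bring it up now rather than waiting for the next reboot, then verify.
Connect-VpnS2SInterface -Name 'ToBranch'
Get-VpnS2SInterface -Name 'ToBranch' |
    Format-List Name, Destination, Protocol, ConnectionState, Persistent
```

The answering router still needs the NPS constraint change described above; -Persistent on the initiator only controls redialing, it cannot stop the other side from enforcing an idle timeout.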
P2S VPN connection (IPsec-encrypted VPN tunnel from a single on-premises client to an Azure virtual network)
A point-to-site VPN connects a single computer to a virtual network through a VPN tunnel. You must configure a certificate to secure this connection and then install a client configuration package on the client computer. Use point-to-site connections when you have a small number of client computers that you want to connect to an Azure virtual network. Remember that computers with a point-to-site VPN can use that connection from anywhere that they have Internet access. For example, they could connect to the virtual network from a cafe with Wi-Fi
How many connections can a single VPN gateway support?
A single Azure VPN gateway supports up to 128 point-to-site connections from client computers (the limit of the Basic gateway SKU; larger SKUs allow more).
Is Connection Manager Administration Kit (CMAK) installed by default?
CMAK is an optional component and is not installed by default. You must install CMAK to create connection profiles that your users can install to access remote networks.
T or F: Only two types of site-to-site VPNs can be created: PPTP and L2TP.
False; Three types of site-to-site VPNs can be created: PPTP (point-to-point tunneling protocol), L2TP (layer 2 tunneling protocol), and IKEv2 (Internet key exchange version 2).
T or F: Three portions of a private network are connected.
False; a site-to-site VPN connects two portions of a private network.
T or F: Users need to reconnect Internet connectivity manually or authenticate again to access internal network resources.
False; with VPN Reconnect, users do not need to reconnect manually or authenticate again to access internal network resources after Internet connectivity is interrupted.
PKI relinquishing
For Windows Server 2016 DirectAccess, an internal PKI is not mandatory. You can use certificates from a public CA for IPsec tunneling, DirectAccess can work with self-signed certificates for IP-HTTPS connections, and clients can authenticate with Kerberos (through the KDC proxy on the DirectAccess server) instead of computer certificates. A PKI is still required for Windows 7 clients, OTP authentication, and multisite or load-balanced deployments.
How does IKEv2 encapsulate data?
IKEv2 encapsulates datagrams by using IPsec ESP or an Authentication Header (AH) for transmission over the network; only ESP provides encryption, while AH provides integrity and authentication without confidentiality. It encrypts the message with one of the following algorithms by using encryption keys that it generates during the IKEv2 negotiation process: AES 256, AES 192, AES 128, or 3DES.
What version of Windows supports IKEv2?
IKEv2 is supported only on computers running Windows Server 2016, Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, Windows Server 2012, Windows 7, and Windows Server 2008 R2. IKEv2 is the default VPN tunneling protocol (the first one tried when the tunnel type is Automatic) in Windows 7, Windows 8, and Windows 10.
_____________ is used by clients that are unable to connect to the DirectAccess server by using ISATAP, 6to4, or Teredo.
IP-HTTPS
IP-HTTPS
IP-HTTPS enables DirectAccess clients to connect to the DirectAccess server over the IPv4-based Internet by tunneling IPv6 packets inside an HTTPS session on TCP port 443. IP-HTTPS is used by clients that are unable to connect to the DirectAccess server by using 6to4 or Teredo (ISATAP is used only inside the IPv4 intranet), and it is the only option when the DirectAccess server is behind a NAT. You can configure IP-HTTPS for DirectAccess clients and the DirectAccess server by using Group Policy.
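A client-side check that ties together the NCA, the 6to4 fallback problem and IP-HTTPS described above: which transition technology is actually carrying the tunnel, whether the IPsec tunnels are up, and disabling 6to4. This is an added example, not code from the course text; it uses only inbox Windows 8/8.1/10 cmdlets and assumes an elevated session on a DirectAccess client.

```powershell
# Added example, not part of the course text. Run elevated on a Windows 8,
# 8.1 or 10 DirectAccess client.

# The NCA service must be running; without it Get-DAConnectionStatus has no
# data to report.
Get-Service -Name NcaSvc | Select-Object Name, Status, StartType
Get-DAConnectionStatus          # Status: ConnectedRemotely, ConnectedLocally, Error...

# Which IPv6 transition technology is in use? Only one of these should be
# active on the Internet: 6to4 (needs a public IPv4 address and IP protocol 41
# end to end), Teredo (UDP 3544) or IP-HTTPS (TCP 443).
Get-Net6to4Configuration        # State: Default / Enabled / Disabled
Get-NetTeredoState              # State: qualified means Teredo is usable
Get-NetIPHttpsState             # InterfaceStatus shows whether IP-HTTPS is active

# Are the DirectAccess IPsec tunnels actually established? The infrastructure
# and intranet tunnels appear here as main mode and quick mode SAs.
Get-NetIPsecMainModeSA  | Select-Object LocalEndpoint, RemoteEndpoint, CipherAlgorithm, HashAlgorithm
Get-NetIPsecQuickModeSA | Select-Object LocalEndpoint, RemoteEndpoint, EncapsulationMode

# The NRPT decides which names go to the intranet DNS through the tunnel;
# the NLS name must be exempted or the client will think it is on the intranet.
Get-DnsClientNrptPolicy | Select-Object Namespace, NameServers, DirectAccessEnabled

# 6to4's fallback to Teredo/IP-HTTPS fails often enough that it is disabled by
# default for DirectAccess; enforce that locally if the GPO has not.
Set-Net6to4Configuration -State Disabled
```

If Get-DAConnectionStatus reports an error while the main mode SAs exist, the problem is usually DNS (an NRPT rule sending the NLS or the DirectAccess server name to the wrong resolver) rather than the tunnel itself.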
The DirectAccess client computer must connect to the DirectAccess server by using what?
IPv6 and IPsec.
ISATAP
ISATAP is an address assignment technology that you can use to provide unicast IPv6 connectivity between IPv6 and IPv4 hosts over an IPv4 intranet. IPv6 packets are tunneled in IPv4 packets for transmission over the network. Communication can occur directly between two ISATAP hosts on an IPv4 network, or communication can go through an ISATAP router if one network has only IPv6-only hosts. If no IPv6-only hosts exist, the ISATAP router advertises the IPv6 prefix that ISATAP clients use. The ISATAP interface on client computers is configured to use this prefix. When applications use the ISATAP interface to deliver data, the IPv6 packet is encapsulated in an IPv4 packet for delivery to the IPv4 address of the destination ISATAP host.
What does the user need to do if the DirectAccess server has two or more network adapters?
If the DirectAccess server has two or more network adapters (one classified in the domain profile and the other in a public/private profile), but you want to use a single NIC topology, then you must ensure that the second NIC, and any additional NICs, are also classified in the domain profile.
DirectAccess and RAS
In Windows Server 2016, the VPN server (Routing and Remote Access), DirectAccess, and Web Application Proxy are aggregated into one server role named Remote Access.
What version of Windows is VPN Reconnect feature available in?
It is available in Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows 10, Windows 8.1, Windows 8, and Windows 7.
VPN Connections with L2TP/IPsec
L2TP/IPsec enables you to tunnel and encrypt traffic that is sent over any medium that supports point-to-point datagram delivery, such as IP or ATM; L2TP itself only tunnels PPP frames, and the IPsec layer provides the encryption, integrity, and authentication. L2TP is a combination of PPTP and L2F (Layer 2 Forwarding) and represents the best features of both.
The basic DirectAccess deployment is divided into three phases
Phase 1. Configuring the basic DirectAccess infrastructure. Phase 2. Configuring the basic DirectAccess server. Phase 3. Verifying the basic DirectAccess deployment.
KDC (Kerberos key distribution center) proxy:
Provides a way for Internet clients to use Kerberos authentication. The DirectAccess server runs the KDC proxy, which relays Kerberos requests from clients over HTTPS to the internal domain controllers, so Windows 8 and later clients can authenticate the DirectAccess infrastructure tunnel without computer certificates.
System requirements for using the VPN Reconnect feature
Server: Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, or Windows Server 2016; Client: Windows 10, Windows 8.1, Windows 8, or Windows 7; PKI: a computer certificate on the VPN server from an internal or public CA that the clients trust.