Published by María Ángeles María Rosa Velázquez Río. Modified over 6 years ago.
Server-to-Client Remote Access and DirectAccess

Contents
- VPN in Windows Server 2008 R2
- Authentication Options for an RRAS System
- VPN Protocols
- DirectAccess in Windows Server 2008 R2
- Choosing Between Traditional VPN Technologies and DirectAccess
- Traditional VPN Scenario
- DirectAccess Scenario
Connect securely over the Internet

VPN

RRAS Features and Services
The Routing and Remote Access Service has been available since Windows NT 4.0 and has shipped with each server release since: Windows 2000, Windows Server 2003 and Windows Server 2008.
Components Needed to Create a Traditional VPN Connection
In Windows Server 2008 R2 a traditional VPN consists of:
- VPN client
- RRAS server
- NPS server
- Certificate server
- Active Directory server

RRAS server: a server running the Routing and Remote Access Services role service (part of the Network Policy and Access Services role) that accepts VPN connections from VPN clients.

NPS server: provides authentication, authorization and accounting (RADIUS) for VPN clients, and auditing of connection attempts. A server with the Network Policy and Access Services role also works with Network Access Protection (NAP): System Health Agents (SHAs) on the client report its health state, and System Health Validators on the NPS server assess that state against the configured health policies.

SHA

Certificate server: a Certification Authority (CA) that issues certificates to servers and clients for authentication and for encryption of the tunnels. It is a server with the Certification Authority and Certification Authority Web Enrollment role services.
Authentication Options for an RRAS System
RRAS supports a variety of PPP authentication protocols.

Authentication for PPTP Connections
Four authentication protocols (MS-CHAP, MS-CHAP v2, EAP and PEAP) provide a mechanism to generate the same MPPE encryption key on both the VPN client and the VPN server. PAP and CHAP cannot derive this key, so a PPTP connection authenticated with them carries unencrypted traffic. MS-CHAP (v1) is listed for completeness only: Windows Vista, Windows 7 and Windows Server 2008/2008 R2 no longer support it.

EAP and PEAP Authentication Protocols
Extensible Authentication Protocol (EAP, as EAP-TLS) and Protected Extensible Authentication Protocol (PEAP) are used with user certificates or smart cards. PEAP first builds a TLS tunnel authenticated by the server's certificate and then runs an inner method (EAP-MS-CHAP v2 or EAP-TLS) inside that tunnel.

Authentication for L2TP/IPsec Connections
Any PPP authentication protocol can be used, because the IPsec security association (authenticated with computer certificates or a pre-shared key) is already established and encrypting the connection before PPP authentication starts.

Best Authentication Protocol
- Use EAP (EAP-TLS) or PEAP for PPTP, L2TP/IPsec and SSTP connections.
- Use PEAP with EAP-MS-CHAP v2 as a way of easing the deployment burden: only the server needs a certificate.
- If you must use a password-based authentication protocol, use MS-CHAP v2 and enforce strong passwords with Group Policy, because a captured MS-CHAP v2 exchange is only as strong as the password behind it.
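As an added example (not part of the original presentation), the following PowerShell script applies the recommendation above on a Windows Server 2008 R2 RRAS server: it lists the PPP authentication methods the server currently offers, removes PAP and MD5-CHAP, keeps EAP and MS-CHAP v2, and then shows the domain password policy that backs MS-CHAP v2. It uses only the built-in netsh ras context and net accounts; the check on the output text is an assumption about the wording of netsh's report.

```powershell
# Added example, not from the original slides: audit the PPP authentication
# methods an RRAS server offers and remove the weak ones, using the "netsh ras"
# context that ships with Windows Server 2008 R2. Run in an elevated PowerShell
# on the RRAS server.

function Get-RrasAuthTypes {
    # "netsh ras show authtype" prints the currently enabled PPP methods.
    (netsh ras show authtype) -join "`n"
}

function Set-RrasStrongAuth {
    # PAP sends the password in the clear and MD5-CHAP needs passwords stored
    # with reversible encryption in AD; neither can derive an MPPE key, so a
    # PPTP session using them is unencrypted. Remove both.
    netsh ras delete authtype type=PAP     | Out-Null
    netsh ras delete authtype type=MD5CHAP | Out-Null

    # Keep EAP (EAP-TLS or PEAP) and, as the password-based fallback, MS-CHAP v2.
    netsh ras add authtype type=EAP      | Out-Null
    netsh ras add authtype type=MSCHAPv2 | Out-Null
}

$before = Get-RrasAuthTypes
Write-Host "Before:`n$before`n"

Set-RrasStrongAuth

$after = Get-RrasAuthTypes
Write-Host "After:`n$after`n"

# Fail loudly if anything weak is still negotiable. The \bPAP\b pattern
# deliberately does not match "PEAP". (Assumption: netsh names the methods
# as PAP and MD5-CHAP in its output.)
if ($after -match '\bPAP\b' -or $after -match 'MD5') {
    throw "Weak PPP authentication methods are still enabled on this RRAS server"
}

# If MS-CHAP v2 stays enabled, the captured handshake is only as strong as the
# password behind it, so review the domain password policy (minimum length,
# maximum age, history, lockout) that Group Policy enforces.
net accounts /domain
```

When RRAS forwards authentication to an NPS server, the methods the client may actually use are the ones allowed in the NPS network policy's constraints; the netsh ras setting only controls what RRAS itself offers, so tighten both.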
VPN Protocols
Windows Server 2008 R2 includes three Layer 2 tunneling protocols: PPTP, L2TP and SSTP. Both the tunnel client and the tunnel server must use the same tunneling protocol. IPsec tunnel mode is a Layer 3 tunneling protocol.

Comparing VPN Protocols

Tunneling Within a Windows Server 2008 R2 Networking Environment

Point-to-Point Tunneling Protocol
A Layer 2 protocol that encapsulates PPP frames in IP datagrams (using GRE, IP protocol 47) for transmission over the Internet. It is used for remote access and router-to-router VPN connections and uses a TCP connection (port 1723) for tunnel maintenance.

Structure of the PPTP packet

Layer 2 Tunneling Protocol
A combination of Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Forwarding (L2F). It encapsulates PPP frames that are sent over IP (UDP port 1701), X.25, Frame Relay or ATM networks. On Windows it is deployed as L2TP/IPsec, with IPsec ESP protecting the L2TP traffic.

Structure of the L2TP packet

IP Security
IPsec ensures data security in IP-based communications. It has two important functions: data encryption and data integrity.

Structure and architecture of the IPsec packet

Secure Socket Tunneling Protocol
Uses the HTTP over SSL (HTTPS) protocol on TCP port 443, so it passes through firewalls and NAT devices that allow outbound HTTPS.
DirectAccess
A new remote access feature in Windows Server 2008 R2 that provides network connectivity for remote client computers without requiring the user to start a connection or log on first. It addresses the challenges of traditional VPNs.

DirectAccess uses IPv6, IPsec and certificates to establish secure connections. To traverse public IPv4 networks, DirectAccess uses IPv6 transition technologies such as ISATAP, Teredo and 6to4 (and IP-HTTPS where those are blocked).

DirectAccess requirements

DirectAccess and IPv6

IPv6 tunneling protocols

Two Tunnels
The infrastructure tunnel is established with the computer's credentials before the user logs on; the intranet tunnel is established with the user's credentials after logon.

End-to-Edge DirectAccess Model
DirectAccess clients establish IPsec tunnels to the DirectAccess server, which decrypts the traffic and forwards it unprotected to intranet resources.

End-to-End DirectAccess Model
DirectAccess clients establish an IPsec tunnel with each application server they connect to. This ensures that traffic is protected end to end by IPsec encryption, including while traversing the intranet, but requires that each application server run Windows Server 2008 or Windows Server 2008 R2.

DirectAccess Components
- DirectAccess server
- DirectAccess client: a PC running Windows 7 (Enterprise or Ultimate) that is a domain member and has a computer certificate
- Corporate IPv6 network
- Certificate server
- Network Location Server (NLS)
- Active Directory and DNS server

DirectAccess Connection Process

Choosing between a traditional VPN technology and the new DirectAccess
Traditional VPN Scenario

Steps to configure the VPN architecture

Setting Up the Certificate Server
The certificate server issues certificates for the VPN infrastructure. In this scenario the NPS1 server, already the centralized policy server, was also chosen to provide certificate services. (For a lab this is convenient; in production the issuing CA is normally kept on its own server so that compromise of the policy server does not also compromise the CA.)

Steps

Certificate Autoenrollment
Configure the root CA so that computer certificates are issued automatically through Group Policy, using a GPO named Cert Auto Enrollment Group Policy Object.

Steps

Setting Up the Network Policy Server

Configure the Network Policy Server

Health validators in NPS

Health policy

Network policies for systems that pass health validation

Network policies for systems that fail health validation

Configure the connection request policy

Configure the RRAS server as a RADIUS client on the NPS system

Finish for NPS

Setting Up the RRAS Server (VPN1)
VPN1 is configured with an internal NIC and an external NIC and is a member of the companyabc.com Active Directory domain.

Steps
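As an added example (not part of the original presentation), the script below performs the RADIUS plumbing between the two servers in this scenario: registering VPN1 as a RADIUS client on NPS1, and pointing VPN1's RRAS at NPS1 for authentication and accounting. Run it once with -Role NPS on NPS1 and once with -Role RRAS on VPN1, passing the same shared secret. The host names, addresses and the feature name are assumptions for this lab; the RRAS "Configure and Enable Routing and Remote Access" wizard and the NPS network, health and connection request policies are still completed in the consoles, as in the slides.

```powershell
# Added example, not from the original slides: RADIUS client/server setup
# between NPS1 and VPN1 on Windows Server 2008 R2 using netsh nps, netsh ras
# aaaa and the ServerManager module. Run elevated.
param(
    [Parameter(Mandatory=$true)][ValidateSet('NPS','RRAS')][string]$Role,
    [string]$NpsServer   = 'nps1.companyabc.com',   # assumed FQDN of NPS1
    [string]$RrasName    = 'VPN1',                  # assumed name of VPN1
    [string]$RrasAddress = '10.0.0.11',             # assumed internal IP of VPN1
    [string]$SharedSecret
)

if (-not $SharedSecret) {
    # Generate a 32-byte random secret once (on NPS1) and carry it to VPN1 out
    # of band; never reuse a RADIUS secret across clients.
    $rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $bytes = New-Object byte[] 32
    $rng.GetBytes($bytes)
    $SharedSecret = [Convert]::ToBase64String($bytes)
    Write-Host "Generated shared secret (store it securely): $SharedSecret"
}

switch ($Role) {
    'NPS' {
        # Register VPN1 as a RADIUS client. requireauthattrib=yes makes NPS
        # demand the Message-Authenticator attribute, which binds each request
        # to the shared secret and rejects spoofed Access-Requests.
        # napcompatible=yes marks the client as NAP-capable for the health policies.
        netsh nps add client name="$RrasName" address="$RrasAddress" state="enable" `
            sharedsecret="$SharedSecret" requireauthattrib="yes" napcompatible="yes"
        netsh nps show client
    }
    'RRAS' {
        # Feature name as listed by "Get-WindowsFeature NPAS*" on 2008 R2
        # (assumption: Routing and Remote Access Services role service).
        Import-Module ServerManager
        Add-WindowsFeature NPAS-RRAS-Services | Out-Null

        # Send authentication and accounting to NPS1 instead of using local
        # Windows authentication; signature=enabled sends Message-Authenticator.
        netsh ras aaaa set authentication provider=radius
        netsh ras aaaa add authserver name="$NpsServer" secret="$SharedSecret" `
            port=1812 timeout=5 signature=enabled
        netsh ras aaaa set accounting provider=radius
        netsh ras aaaa add acctserver name="$NpsServer" secret="$SharedSecret" port=1813

        netsh ras aaaa show authserver
        netsh ras aaaa show acctserver
    }
}
```

The secret is passed on the command line here for brevity; on a shared host, prefer typing it at a Read-Host prompt so it does not land in the shell history.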
Setting Up the VPN Client

Security Center

Remote Access Quarantine Enforcement Client: enable

Network Access Protection Agent service: startup type Automatic

Export the CA certificate from the Certificate Authority

Import the certificate into the client PC's Trusted Root Certification Authorities store

Set up and configure the VPN connection on the VPN client

Testing the VPN Connection
To test the connection, complete the following steps

Controlling Unhealthy VPN Clients
Turn off the Windows Firewall on the client and see what happens when it connects to the VPN: the Windows Security Health Validator reports the client as non-compliant, and NPS applies the network policy for systems that fail health validation (restricted access and remediation) instead of granting full access.
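As an added example (not part of the original presentation), this PowerShell script carries out the client-side steps above on a Windows 7 VPN client and then reproduces the unhealthy-client test: it sets the NAP agent to start automatically, enables the Remote Access Quarantine Enforcement Client, imports the root CA certificate, connects, records the NAP restriction state, disconnects, turns the firewall off, reconnects and compares. The entry name, user name and file path are assumptions; the VPN connection itself is created in Network and Sharing Center as in the slides, and the enforcement client ID should be confirmed against the output of netsh nap client show state.

```powershell
# Added example, not from the original slides: Windows 7 VPN client preparation
# and the healthy/unhealthy NAP test. Run in an elevated PowerShell on the client.
param(
    [string]$RootCaFile = 'C:\Temp\companyabc-root.cer',  # exported on the CA with: certutil -ca.cert C:\Temp\companyabc-root.cer
    [string]$VpnEntry   = 'CompanyABC VPN',               # assumed phonebook entry name
    [string]$UserName   = 'companyabc\vpnuser'            # assumed test account
)

# 1. NAP agent: automatic start, and running now.
Set-Service -Name napagent -StartupType Automatic
Start-Service -Name napagent

# 2. Enable the Remote Access Quarantine Enforcement Client. 79618 is its ID on
#    Windows 7 (assumption: confirm it in "netsh nap client show state"). If the
#    enforcement clients are pushed by Group Policy the local setting is ignored
#    and "netsh nap client show grouppolicy" is the one to check.
netsh nap client set enforcement ID=79618 ADMIN=ENABLE
netsh nap client show state

# 3. Trust the issuing CA so the server certificate (L2TP/IPsec, SSTP, PEAP) validates.
if (-not (Test-Path $RootCaFile)) { throw "Root CA file not found: $RootCaFile" }
certutil -addstore -f Root $RootCaFile

function Connect-Vpn {
    param([string]$Entry, [string]$User)
    # Prompt for the password rather than embedding it in the script.
    $cred = Get-Credential -Credential $User
    rasdial $Entry $cred.UserName $cred.GetNetworkCredential().Password
    if ($LASTEXITCODE -ne 0) { throw "rasdial failed with exit code $LASTEXITCODE" }
}

function Get-NapRestrictionState {
    # The "Restriction state" line of the client state shows whether NPS placed
    # the client in the restricted network.
    $state = netsh nap client show state
    ($state | Where-Object { $_ -match 'Restriction state' }) -join ''
}

# 4. Healthy connect: expect an address from the RRAS pool and "Not restricted".
Connect-Vpn -Entry $VpnEntry -User $UserName
ipconfig | Select-String -Pattern 'PPP adapter' -Context 0,4
Write-Host "Healthy client : $(Get-NapRestrictionState)"
rasdial $VpnEntry /disconnect

# 5. Unhealthy connect: with the firewall off the Windows Security Health
#    Validator fails and the "fail health validation" network policy applies.
netsh advfirewall set allprofiles state off
Connect-Vpn -Entry $VpnEntry -User $UserName
Write-Host "Firewall off   : $(Get-NapRestrictionState)"
rasdial $VpnEntry /disconnect

# 6. Restore the firewall (NAP auto-remediation may already have done this).
netsh advfirewall set allprofiles state on
```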
SSTP Troubleshooting
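The slide itself carries no text, so as an added example (not from the original presentation) here are the checks a practitioner runs when SSTP clients cannot connect. SSTP depends on three things that PPTP and L2TP do not: an HTTP.sys binding on TCP 443, a server certificate whose subject matches the name the clients dial, and a CRL distribution point that is reachable from the Internet, because the client checks revocation before the tunnel exists. The two most common failures on the client are an untrusted root (0x800B0109) and an unreachable CRL (0x80092013). The server name and file path are assumptions.

```powershell
# Added example, not from the original slides: SSTP diagnostics on a Windows
# Server 2008 R2 RRAS server (server section) and a Windows 7 client (client
# section). Run elevated.
param([string]$VpnFqdn = 'vpn1.companyabc.com')   # assumed public name the clients dial

# --- Server side (RRAS server) ---

# 1. SSTP is served by HTTP.sys on TCP 443: a binding must exist for IPv4 and
#    IPv6 and carry the hash of the server certificate.
netsh http show sslcert ipport=0.0.0.0:443
netsh http show sslcert ipport=[::]:443

function Get-SstpBoundHash {
    # RRAS stores the hash of the certificate it bound to SSTP under
    # SstpSvc\Parameters as REG_BINARY; render it as lowercase hex.
    $p = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters' -ErrorAction SilentlyContinue
    if ($p -and $p.SHA1CertificateHash) {
        return (($p.SHA1CertificateHash | ForEach-Object { $_.ToString('x2') }) -join '')
    }
    return $null
}

function Get-SstpServerCert {
    # The certificate SSTP should be using: machine store, subject = the name
    # the clients connect to. Returns the X509Certificate2 object.
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "*CN=$VpnFqdn*" } |
        Select-Object -First 1
}

$bound = Get-SstpBoundHash
$cert  = Get-SstpServerCert
Write-Host "Bound SHA1 hash : $bound"
if (-not $cert) {
    Write-Warning "no certificate for $VpnFqdn in the machine store"
} else {
    $store = $cert.Thumbprint.ToLower()
    Write-Host "Store SHA1 hash : $store (expires $($cert.NotAfter))"
    if ($bound -and $bound -ne $store) {
        Write-Warning 'SSTP is bound to a different certificate than the one in the store; rebind it on the Security tab of the RRAS server properties'
    }
    if ($cert.NotAfter -lt (Get-Date)) { Write-Warning 'server certificate has expired' }

    # 2. Revocation: -urlfetch follows every CDP/AIA URL in the certificate and
    #    reports each one, which is exactly what the client must be able to do.
    $exported = Join-Path $env:TEMP "$VpnFqdn.cer"
    [System.IO.File]::WriteAllBytes($exported, $cert.Export('Cert'))
    certutil -verify -urlfetch $exported
}

# 3. Services SSTP depends on.
Get-Service -Name SstpSvc, RemoteAccess | Select-Object Name, Status

# --- Client side (Windows 7) ---
# RasClient event 20227 carries the failure code of the last attempt.
function Get-LastRasFailure {
    try {
        Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='RasClient'; Id=20227} `
            -MaxEvents 5 -ErrorAction Stop | Select-Object TimeCreated, Message
    } catch {
        Write-Host 'no RasClient failure events found'
    }
}
Get-LastRasFailure
```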
DirectAccess Scenario
Two major goals:
- Allow a workstation to move between internal, public and home networks while retaining access to application servers.
- Enable IPv6 in an IPv4 network using IPv6 transition technologies.

Scenario

System components

Three networks in the scenario

Configuring Infrastructure
Configure the DNS service to remove ISATAP from the default global query block list so that DNS answers ISATAP name queries. Windows DNS blocks the names "isatap" and "wpad" by default; the block list must be changed on every DNS server and the DNS service restarted afterwards.

Create the NLS record in DNS

Create a security group for DirectAccess client PCs

Using a GPO to Configure Firewall Rules
Create and enable firewall rules for ICMPv4 and ICMPv6 echo traffic; Teredo in particular needs ICMPv6 echo requests to reach intranet hosts. The ICMP firewall rules are deployed with the GPO "DirectAccess Group Policy Object."
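As an added example (not part of the original presentation), the following script performs the infrastructure steps above in one pass on the domain controller that also runs DNS: it trims the global query block list, adds the ISATAP and NLS records, creates the client security group, creates and links the GPO, and defines the ICMP rules with netsh so they can be tested on one host before being entered into the GPO. Zone name, addresses, computer and group names are assumptions for this lab.

```powershell
# Added example, not from the original slides: DirectAccess infrastructure
# preparation on Windows Server 2008 R2 (dnscmd, dsadd, GroupPolicy module,
# netsh advfirewall). Run in an elevated PowerShell on the DC/DNS server.
param(
    [string]$Zone        = 'companyabc.com',
    [string]$DaServerIp  = '10.0.0.10',   # assumed internal IPv4 address of DA1 (the ISATAP router)
    [string]$NlsIp       = '10.0.0.20',   # assumed address of the server hosting the NLS HTTPS site
    [string]$DomainDn    = 'DC=companyabc,DC=com',
    [string]$GroupName   = 'DA_Clients',
    [string[]]$ClientDns = @('CN=CLIENT1,CN=Computers,DC=companyabc,DC=com'),  # assumed client computer
    [string]$GpoName     = 'DirectAccess Group Policy Object'
)

# 1. Global query block list: by default it contains "wpad" and "isatap", so
#    the server refuses to answer for the ISATAP name. Leave only wpad, then
#    restart DNS so the change takes effect. Repeat on every DNS server.
dnscmd /info /globalqueryblocklist
dnscmd /config /globalqueryblocklist wpad
Restart-Service -Name DNS

# 2. ISATAP router record and NLS record in the internal zone.
dnscmd /recordadd $Zone isatap A $DaServerIp
dnscmd /recordadd $Zone nls    A $NlsIp

# 3. Global security group for DirectAccess client computers, with initial members.
dsadd group "CN=$GroupName,CN=Users,$DomainDn" -samid $GroupName -secgrp yes -scope g -members $ClientDns

# 4. The GPO that carries the firewall rules, linked to the domain. The rules
#    themselves are entered in the GPO editor (Computer Configuration > Windows
#    Firewall with Advanced Security); the netsh lines below express the same
#    rules so they can be verified locally first.
Import-Module GroupPolicy
New-GPO -Name $GpoName | New-GPLink -Target $DomainDn | Out-Null

netsh advfirewall firewall add rule name="DirectAccess ICMPv4 Echo Request In"  dir=in  action=allow protocol=icmpv4:8,any   profile=any
netsh advfirewall firewall add rule name="DirectAccess ICMPv6 Echo Request In"  dir=in  action=allow protocol=icmpv6:128,any profile=any
netsh advfirewall firewall add rule name="DirectAccess ICMPv4 Echo Request Out" dir=out action=allow protocol=icmpv4:8,any   profile=any
netsh advfirewall firewall add rule name="DirectAccess ICMPv6 Echo Request Out" dir=out action=allow protocol=icmpv6:128,any profile=any

# 5. Verify: both names resolve and the inbound ICMPv6 rule is enabled.
function Test-DaInfrastructure {
    $ok = $true
    foreach ($name in @("isatap.$Zone", "nls.$Zone")) {
        try {
            [System.Net.Dns]::GetHostAddresses($name) | Out-Null
            Write-Host "resolved $name"
        } catch {
            Write-Warning "cannot resolve $name"
            $ok = $false
        }
    }
    $rule = netsh advfirewall firewall show rule name="DirectAccess ICMPv6 Echo Request In"
    if (-not ($rule -match 'Enabled:\s+Yes')) {
        Write-Warning 'inbound ICMPv6 echo rule missing or disabled'
        $ok = $false
    }
    return $ok
}
Test-DaInfrastructure
```

Once the rules are in the GPO, remove the locally created copies (netsh advfirewall firewall delete rule name="…") so that the GPO is the only source of truth and a gpresult on a client shows the rules arriving from policy.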
Steps

Custom Certificate Template for IP-HTTPS

Certificate Autoenrollment

IP-HTTPS Certificate

Installing the DirectAccess Feature on DA1

Configuring the DirectAccess Feature

Testing DirectAccess

Testing the client connection from each network
- Connection from the internal network
- Connection from a public network
- Connection from a home network
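As an added example (not part of the original presentation), this script is what to run on the Windows 7 DirectAccess client at each of the three locations to see the mechanisms described earlier (network location detection, IPv6 transition technologies, the two IPsec tunnels) actually at work: it reports where the client thinks it is, which transition interface is active, how many IPsec main-mode and quick-mode security associations exist, and whether an intranet host answers by name. The intranet host name is an assumption for this lab, and the parsing relies on the field names that netsh prints on Windows 7.

```powershell
# Added example, not from the original slides: DirectAccess client status on
# Windows 7 from netsh and Test-Connection. Run in an elevated PowerShell.
param([string]$IntranetHost = 'app1.companyabc.com')   # assumed intranet application server

function Get-DaClientStatus {
    $s = @{}

    # Network location detection: "Inside corporate network" means the NLS
    # HTTPS site was reachable, so the NRPT is disabled and no tunnel is used.
    $dns = netsh dnsclient show state
    $s.Location = (($dns | Where-Object { $_ -match 'Machine Location' }) -replace '.*:\s*', '')

    # Name Resolution Policy Table rules in force (none when inside).
    $s.NrptRules = @(netsh namespace show effectivepolicy | Where-Object { $_ -match 'DirectAccess \(' }).Count

    # Transition technologies: the one reported as active carries the tunnels.
    $s.Teredo    = (((netsh interface teredo show state)           | Where-Object { $_ -match 'State' })            -replace '.*:\s*', '')
    $s.SixToFour = (((netsh interface 6to4 show state)             | Where-Object { $_ -match 'State' })            -replace '.*:\s*', '')
    $s.Isatap    = (((netsh interface isatap show state)           | Where-Object { $_ -match 'State' })            -replace '.*:\s*', '')
    $s.IpHttps   = (((netsh interface httpstunnel show interfaces) | Where-Object { $_ -match 'Interface Status' }) -replace '.*:\s*', '')

    # IPsec: the main-mode SAs are the infrastructure and intranet tunnels;
    # quick-mode SAs appear only once traffic has flowed.
    $s.MainModeSAs  = @(netsh advfirewall monitor show mmsa | Where-Object { $_ -match 'Local IP Address' }).Count
    $s.QuickModeSAs = @(netsh advfirewall monitor show qmsa | Where-Object { $_ -match 'Local IP Address' }).Count

    # Reachability of an intranet host by name (resolved through the NRPT when outside).
    $s.IntranetReachable = Test-Connection -ComputerName $IntranetHost -Count 1 -Quiet

    New-Object PSObject -Property $s
}

$status = Get-DaClientStatus
$status | Format-List

# Expected outcomes in this scenario:
#   internal network : "Inside corporate network", 0 NRPT rules, 0 main-mode SAs, host reachable
#   public network   : "Outside corporate network", 6to4 or Teredo active, 2 main-mode SAs, host reachable
#   home network     : "Outside corporate network", Teredo (or IP-HTTPS if UDP is blocked), 2 main-mode SAs
if ($status.Location -match 'Outside' -and $status.MainModeSAs -lt 1) {
    Write-Warning 'Client is outside but no IPsec main-mode SA exists: check the transition interface, the ICMPv6 rules and the computer certificate'
}
if ($status.Location -match 'Inside' -and $status.MainModeSAs -gt 0) {
    Write-Warning 'Client detected the intranet but still holds DirectAccess SAs: check the NLS record and the NLS certificate'
}
```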
Monitoring DirectAccess Server