
13.03.2015 Module 7: Configuring and Troubleshooting Remote Access

Module 7: Configuring and Troubleshooting Remote Access

Contents:

Module Overview

Lesson 1: Configuring Network Access

Lesson 2: Configuring VPN Access

Lesson 3: Overview of Network Policies

Lesson 4: Troubleshooting Routing and Remote Access

Lab A: Configuring Remote Access

Lesson 5: Configuring DirectAccess

Lab B: Configuring DirectAccess

Module Review and Takeaways

Module Overview

Most organizations have users that work remotely, perhaps from home or maybe from
customer sites. To facilitate and support these remote connections, you must implement
remote access technologies to support this distributed workforce. You must become familiar
with the technologies that enable remote users to connect to your organization’s network
infrastructure. These technologies include virtual private networks (VPNs), and DirectAccess,
a feature of the Windows® 7 and Windows 8 operating systems. It is important that you
understand how to configure and secure your remote access clients by using network policies.
This module explores these remote access technologies.

Objectives

https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/aa70e352-319b-4b27-8083-aea52017fecd?ChapterNumber=9&FontSiz… 1/91

After completing this module, you will be able to:

• Configure network access.

• Create and configure a VPN solution.

• Describe the role of network policies.

• Troubleshoot routing and remote access.

• Configure DirectAccess.

Lesson 1 : Configuring Network Access

Network Access in the Windows Server® 2012 operating system provides the required
services that enable remote users to connect to your network. To support the needs of both
your organization and your remote users, it is important that you are able to install and
configure these Windows Server 2012 network access components successfully.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe the components of a Network Access Services infrastructure.

• Describe the Network Policy and Access Services role.

• Describe Routing and Remote Access.

• Explain network access authentication and authorization.

• Explain the types of authentication methods that are used for network access.

• Describe a public key infrastructure (PKI).

• Explain how Dynamic Host Configuration Protocol (DHCP) servers are used with the
Routing and Remote Access Service.


Components of a Network Access Services Infrastructure

The underlying infrastructure in a complete Network Access Services infrastructure in
Windows Server 2012 typically includes the following components:

• Virtual Private Network (VPN) Server. Provides remote access connectivity based on
various VPN tunneling protocols over a public network, such as the Internet.

• Active Directory® Domain Services (AD DS). Services authentication requests from
remote access client connection attempts.

• Active Directory Certificate Services (AD CS). You can use digital certificates to provide
for authentication in remote access scenarios. By deploying AD CS, you can create a PKI
in your organization to support the issue, management, and revocation of certificates.

• DHCP Server. Supplies accepted inbound remote access connections with an IP
configuration for network connectivity to the corporate local area network (LAN).

• Network Policy Server (NPS). Provides authentication services for other network access
components.

• Network Access Protection (NAP) components:

o NAP Health Policy Server. Evaluates system health against configured health policies
that describe health requirements and enforcement behaviors, such as requiring that
connecting clients must be compliant before they gain access to the network.

o Health Registration Authority (HRA). Obtains health certificates for clients that pass the
health policy verification.

o Remediation Servers. Provide remediation services to those clients that do not meet the
health requirements for the corporate network. Remediation Servers are special servers
on a limited network.

What Is the Network Policy and Access Services Role?

The Network Policy and Access Services role in Windows Server 2012 provides the
following network connectivity solutions:

• Enforces health policies. Establishes and enforces health policies automatically, which can
include software requirements, security update requirements, and required computer
configurations.

• Helps to secure wireless and wired access. When you deploy 802.1X wireless access
points, secure wireless access provides wireless users with a secure certificate or
password-based authentication method that is simple to deploy. When you deploy 802.1X
authenticating switches, they allow you to secure your wired network by ensuring that
intranet users are authenticated before they can connect to the network or obtain an IP
address using DHCP.

• Centralizes network policy management with Remote Authentication Dial-in User Service
(RADIUS) server and proxy. Rather than configuring network access policy at each
network access server (such as wireless access points, 802.1X authenticating switches,
VPN servers, and dial-up servers), you can create policies in a single location that specify
all aspects of network connection requests. These policies can include who is allowed to
connect, when they can connect, and the level of security that they must use to connect to
your network.


Note: The Remote Access components are a separate server role in Windows
Server 2012.

What Is the Remote Access Role?

The Remote Access role enables you to provide users with remote access to your
organization’s network using one of the following technologies:

• VPN Access. A VPN provides a point-to-point connection between components of a
private network through a public network, such as the Internet. Tunneling protocols enable
a VPN client to establish and maintain a connection to a VPN server’s listening virtual port.
You also can connect branch offices to your network with VPN solutions, deploy
full-featured software routers on your network, and share Internet connections across the
intranet.

• DirectAccess. DirectAccess enables seamless remote access to intranet resources without
the user first establishing a VPN connection. DirectAccess ensures seamless connectivity to
the application infrastructure for both internal users and remote users.

You can deploy the following technologies during the installation of the Remote Access role:

• DirectAccess and VPN Remote Access Service (RAS). Using DirectAccess and VPN RAS,
you can enable and configure:

o DirectAccess solutions for your organization.

o VPN connections to provide end users with remote access to your organization’s
network.

• Routing. This provides a full­featured software router and an open platform for routing and
Internet working. It offers routing services to businesses in LAN and wide area network
(WAN) environments.

When you choose routing, Network Address Translation (NAT) is also installed. When you
deploy NAT, the server that is running Remote Access is configured to share an Internet
connection with computers on a private network, and to translate traffic between its public
address and the private network. By using NAT, the computers on the private network gain
some measure of protection because the router on which you configure NAT does not
forward traffic from the Internet into the private network unless a private network client
requests it or traffic is explicitly allowed.

When you deploy VPN and NAT, you configure the server that is running Remote Access
to provide NAT for the private network, and to accept VPN connections. Computers on the
Internet will not be able to determine the IP addresses of computers on the private network.
However, VPN clients will be able to connect to computers on the private network as if
they were physically attached to the same network.

Network Authentication and Authorization

The distinction between authentication and authorization is important in understanding why
connection attempts are accepted or denied:

• Authentication is the verification of the connection attempt’s credentials. This process
consists of sending the credentials from the remote access client to the Remote Access
server in either plaintext or encrypted form by using an authentication protocol.

• Authorization is the verification that the connection attempt is allowed. Authorization
occurs after successful authentication.

For a connection attempt to be accepted, the connection attempt must be authenticated and
authorized. It is possible for the connection attempt to be authenticated by using valid
credentials, but not authorized; in this case, the connection attempt is denied.

If you configure a Remote Access server for Windows Authentication, the security features of
Windows Server 2012 verify the authentication credentials, while the user account’s dial-in
properties and locally stored remote access policies authorize the connection. If the
connection attempt is both authenticated and authorized, then the connection attempt is
accepted.

If you configure the Remote Access server for RADIUS authentication, the connection
attempt’s credentials are passed to the RADIUS server for authentication and authorization. If
the connection attempt is both authenticated and authorized, the RADIUS server sends an
accept message back to the Remote Access server and the connection attempt is accepted. If
the connection attempt is either not authenticated or not authorized, the RADIUS server sends
a reject message back to the Remote Access server and the connection attempt is rejected.
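The two paragraphs above describe a decision in two stages: credentials are verified first, and only then is the connection checked against the account's dial-in settings and the network policy. The following Python is an added example written for this edit, not code from the course, from NPS or from Microsoft. It builds an RFC 2865 Access-Request with the User-Password attribute hidden under the shared secret, has a stand-in RADIUS server authenticate and then authorize as two separate checks, and has the Remote Access side verify the Response Authenticator before trusting an accept or reject. The account table, the dial-in flags, the policy and the shared secret are all constructed for the example; a real NPS deployment reads these from AD DS and its network policies.

```python
import hashlib
import hmac
import os
import struct

# RFC 2865 packet codes and the attribute types this example uses.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, NAS_PORT_TYPE = 1, 2, 18, 61
NAS_PORT_TYPE_VIRTUAL = 5   # RFC 2865 value for VPN (virtual) ports


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ b for p, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def pack_attrs(attrs) -> bytes:
    out = b""
    for attr_type, value in attrs:
        if isinstance(value, int):
            value = struct.pack(">I", value)
        out += struct.pack("BB", attr_type, len(value) + 2) + value
    return out


def parse_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs


def build_access_request(ident: int, username: str, password: str, secret: bytes, port_type: int):
    req_auth = os.urandom(16)   # Request Authenticator: random, and the seed for password hiding
    attrs = pack_attrs([(USER_NAME, username.encode()),
                        (USER_PASSWORD, hide_password(password.encode(), secret, req_auth)),
                        (NAS_PORT_TYPE, port_type)])
    return struct.pack(">BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs, req_auth


def build_response(code: int, ident: int, req_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack(">BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs


def radius_server(packet: bytes, secret: bytes, accounts: dict, policy: dict) -> bytes:
    """Authenticate first, then authorize; a failure at either stage is an Access-Reject."""
    code, ident, length = struct.unpack(">BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    req_auth, attrs = packet[4:20], parse_attrs(packet[20:length])
    username = attrs.get(USER_NAME, b"").decode(errors="replace")
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
    account = accounts.get(username)
    if account is None or not hmac.compare_digest(account["password"], password):
        reply = pack_attrs([(REPLY_MESSAGE, b"authentication failed")])
        return build_response(ACCESS_REJECT, ident, req_auth, reply, secret)
    # Valid credentials are not enough: dial-in permission and the policy's port type must allow it.
    raw_port = attrs.get(NAS_PORT_TYPE, b"")
    port_type = struct.unpack(">I", raw_port)[0] if len(raw_port) == 4 else None
    if not account["dial_in"] or port_type not in policy["allowed_port_types"]:
        reply = pack_attrs([(REPLY_MESSAGE, b"authenticated but not authorized")])
        return build_response(ACCESS_REJECT, ident, req_auth, reply, secret)
    return build_response(ACCESS_ACCEPT, ident, req_auth, b"", secret)


def verify_response(response: bytes, req_auth: bytes, secret: bytes) -> bool:
    """Remote Access server side: accept a verdict only if it was signed with the shared secret."""
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    return hmac.compare_digest(hashlib.md5(header + req_auth + attrs + secret).digest(), resp_auth)


# Constructed sample data: two accounts, one without dial-in permission, and one policy.
SECRET = b"constructed-shared-secret"
ACCOUNTS = {"alice": {"password": b"alice-pass", "dial_in": True},
            "bob": {"password": b"bob-pass", "dial_in": False}}
POLICY = {"allowed_port_types": {NAS_PORT_TYPE_VIRTUAL}}


def attempt(username: str, password: str, port_type: int = NAS_PORT_TYPE_VIRTUAL) -> str:
    request, req_auth = build_access_request(42, username, password, SECRET, port_type)
    response = radius_server(request, SECRET, ACCOUNTS, POLICY)
    if not verify_response(response, req_auth, SECRET):
        return "unverifiable response"
    return "accept" if response[0] == ACCESS_ACCEPT else "reject"
```

`attempt("bob", "bob-pass")` is the case the text singles out: the credentials are valid, so authentication succeeds, but the account has no dial-in permission, so the server still answers Access-Reject. The Response Authenticator check on the Remote Access side is what stops a forged accept from a host that does not hold the shared secret.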

Authentication Methods

The authentication of access clients is an important security concern. Authentication methods
typically use an authentication protocol that is negotiated during the connection establishment
process. The following methods are supported by the Remote Access role.

PAP
Password Authentication Protocol (PAP) uses plaintext passwords and is the least secure
authentication protocol. It typically is negotiated if the remote access client and Remote
Access server cannot negotiate a more secure form of validation. PAP is included in Microsoft
Windows Server 2012 to support older client operating systems that support no other
authentication method.

CHAP
The Challenge Handshake Authentication Protocol (CHAP) is a challenge-response
authentication protocol that uses the industry-standard MD5 hash to compute the
response. Various vendors of network access servers and clients use CHAP. Because CHAP
requires the use of a reversibly encrypted password, you should consider using another
authentication protocol, such as Microsoft® Challenge Handshake Authentication Protocol
(MS-CHAP) version 2.

MS-CHAP V2
MS-CHAP v2 is a one-way, encrypted password, mutual-authentication process that works as
follows:

1. The authenticator (the Remote Access server or the computer that is running NPS) sends
a challenge to the remote access client. The challenge consists of a session identifier and
an arbitrary challenge string.

2. The remote access client sends a response that contains a one-way encryption of the
received challenge string, the peer challenge string, the session identifier, and the user
password.

3. The authenticator checks the response from the client and sends back a response
containing an indication of the success or failure of the connection attempt and an
authenticated response based on the sent challenge string, the peer challenge string, the
client’s encrypted response, and the user password.

4. The remote access client verifies the authentication response and, if correct, uses the
connection. If the authentication response is not correct, the remote access client
terminates the connection.
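The four steps above are easier to follow when both sides are written out. The Python below is an added example for this edit, not code from the course or from Microsoft's implementation. Two pieces follow RFC 2759 exactly and are checked against that RFC's test vector: `challenge_hash` (section 8.2, folding both challenges and the user name into 8 bytes) and `authenticator_response` (section 8.7, the server's "S=..." proof that it knows the password). The NT-Response and the password hashing are stand-ins: the RFC computes them with MD4 and DES, which the Python standard library does not ship, so HMAC-SHA256 and SHA-256 are used in their place and labelled as such in the code. The user store is a constructed dictionary, and the session identifier is modelled as the one-byte identifier that correlates the packets rather than as input to the hash.

```python
import hashlib
import hmac
import secrets

# "Magic" constants from RFC 2759 section 8.7 (server-to-client signing).
MAGIC1 = b"Magic server to client signing constant"
MAGIC2 = b"Pad to make it do more than one iteration"


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """RFC 2759 section 8.2, unchanged: SHA-1 over peer challenge, authenticator challenge, user name."""
    return hashlib.sha1(peer_challenge + auth_challenge + username.encode("ascii")).digest()[:8]


def password_hash(password: str) -> bytes:
    """STAND-IN for the NT hash (RFC 2759: MD4 over the UTF-16LE password); SHA-256 truncated to 16 bytes."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()[:16]


def password_hash_hash(password: str) -> bytes:
    """STAND-IN for HashNtPasswordHash (RFC 2759: MD4 of the NT hash)."""
    return hashlib.sha256(password_hash(password)).digest()[:16]


def nt_response(challenge8: bytes, password: str) -> bytes:
    """STAND-IN for the 24-byte NT-Response (RFC 2759: three DES operations keyed from the NT hash);
    HMAC-SHA256 keyed with the stand-in hash, truncated to 24 bytes."""
    return hmac.new(password_hash(password), challenge8, hashlib.sha256).digest()[:24]


def authenticator_response(pw_hash_hash: bytes, nt_resp: bytes, challenge8: bytes) -> str:
    """RFC 2759 section 8.7, unchanged: the 42-character 'S=' proof the server returns on success."""
    digest = hashlib.sha1(pw_hash_hash + nt_resp + MAGIC1).digest()
    digest = hashlib.sha1(digest + challenge8 + MAGIC2).digest()
    return "S=" + digest.hex().upper()


def run_exchange(users: dict, username: str, password: str, forge_server: bool = False) -> dict:
    """Simulate the four steps of the module's description and return both sides' verdicts."""
    # Step 1: the authenticator sends a session identifier and a 16-byte challenge.
    session_id = secrets.randbelow(256)
    auth_challenge = secrets.token_bytes(16)

    # Step 2: the client picks its own peer challenge and answers with a one-way response.
    peer_challenge = secrets.token_bytes(16)
    challenge8 = challenge_hash(peer_challenge, auth_challenge, username)
    client_msg = {"session_id": session_id, "peer_challenge": peer_challenge,
                  "nt_response": nt_response(challenge8, password)}

    # Step 3: the authenticator recomputes the expected response from its stored credential
    # and, on success, proves its own knowledge of the password.
    stored = users.get(username)
    expected = nt_response(challenge8, stored) if stored is not None else None
    server_accepted = (client_msg["session_id"] == session_id and expected is not None
                       and hmac.compare_digest(expected, client_msg["nt_response"]))
    server_proof = None
    if server_accepted:
        server_proof = authenticator_response(password_hash_hash(stored), client_msg["nt_response"], challenge8)
    if forge_server and server_proof is not None:
        server_proof = "S=" + "0" * 40   # a masquerading server that does not know the password

    # Step 4: the client verifies the server's proof before using the connection.
    client_accepted = False
    if server_proof is not None:
        own = authenticator_response(password_hash_hash(password), client_msg["nt_response"], challenge8)
        client_accepted = hmac.compare_digest(own, server_proof)
    return {"server_accepted": server_accepted, "client_accepted": client_accepted}
```

The `forge_server` path shows what step 4 buys: a server that accepted the client's response but cannot produce the matching "S=" value is rejected by the client, which is the protection against masquerading servers that the mutual-authentication design is for.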

EAP
With the Extensible Authentication Protocol (EAP), an arbitrary authentication mechanism
authenticates a remote access connection. The remote access client and the authenticator
(either the Remote Access server or the RADIUS server) negotiate the exact authentication
scheme to be used. Routing and Remote Access includes support for EAP-Transport Level
Security (EAP-TLS) by default. You can plug in other EAP modules to the server that is
running Routing and Remote Access to provide other EAP methods.

Other Options
In addition to the previously mentioned authentication methods, there are two other options
that you can enable when selecting an authentication method:

• Unauthenticated Access. Strictly speaking, this is not an authentication method, but rather
the lack of one. Unauthenticated access allows remote systems to connect without
authentication. This option should never be enabled in a production environment, however,
as it leaves your network at risk. Nonetheless, this option can sometimes be useful for
troubleshooting authentication issues in a test environment.

• Machine Certificate for Internet Key Exchange version 2 (IKEv2). Select this option if you
wish to use VPN Reconnect.

What Is a PKI?

A PKI consists of several components that help you secure corporate communications and
transactions, including those used in remote access scenarios. There are many components
that are required to work together to provide a complete PKI solution. The PKI components in
Windows Server 2012 are:

• Certification Authority (CA). CA issues and manages digital certificates for users, services,
and computers. By deploying CA, you establish the PKI in your organization.

• Digital certificates. Digital certificates are similar in function to an electronic passport. A
digital certificate is used to prove the identity of the user (or other entity). Digital
certificates contain the electronic credentials that are associated with a public key and a
private key, which are used to authenticate users and other devices such as Web servers and
mail servers. Digital certificates also ensure that software or code is run from a trusted
source. Digital certificates contain various fields, such as Subject, Issuer, and Common
Name. These fields are used to determine the specific use of the certificate. For example, a
Web server certificate might contain the Common Name field of web01.contoso.com,
which would make that certificate valid only for that web server. If an attempt were made
to use that certificate on a web server named web02.contoso.com, the user of that server
would receive a warning.

• Certificate templates. This component describes the content and purpose of a digital
certificate. When requesting a certificate from an AD CS enterprise CA, the certificate
requestor will, depending on his or her access rights, be able to select from a variety of
certificate types based on certificate templates, such as User and Code Signing. The
certificate template saves users from low-level, technical decisions about the type of
certificate they need. In addition, they allow administrators to distinguish who might
request which certificates.

• CRLs and Online Responders.

o Certificate revocation lists (CRLs) are complete, digitally signed lists of certificates that
have been revoked. These lists are published periodically and can be retrieved and
cached by clients, based on the configured lifetime of the CRL. The lists are used to
verify a certificate’s revocation status.

o Online Responders are part of the Online Certificate Status Protocol (OCSP) role service
in Windows Server 2008 and Windows Server 2012. An Online Responder can receive a
request to check for revocation of a certificate without requiring the client to download
the entire CRL. This speeds up certificate revocation checking, and reduces the network
bandwidth. It also increases scalability and fault tolerance by allowing for array
configuration of Online Responders.

• Public key–based applications and services. This relates to applications or services that
support public key encryption. In other words, the application or services must be able to
support public key implementations to gain the benefits from it.

• Certificate and CA management tools. Management tools provide command-line and
GUI-based tools to:

o Configure CAs.

o Recover archived private keys.

o Import and export keys and certificates.

o Publish CA certificates and CRLs.

o Manage issued certificates.

• Authority information access (AIA) and CRL distribution points (CDPs). AIA points
determine the location where CA certificates can be found and validated, and CDP
locations determine the points where certificate revocation lists can be found during the
certificate validation process. Because CRLs can become large (depending on the number
of certificates issued and revoked by a CA), you can also publish smaller, interim CRLs
called delta CRLs. Delta CRLs contain only the certificates revoked since the last regular
CRL was published. This allows clients to retrieve the smaller delta CRLs and more
quickly build a complete list of revoked certificates. The use of delta CRLs also allows
revocation data to be published more frequently, because the size of a delta CRL means
that it usually does not require as much time to transfer as a full CRL.

• Hardware security module (HSM). A hardware security module is an optional secure
cryptographic hardware device that accelerates cryptographic processing for managing
digital keys. It is a high security, specialized storage that is connected to the CA for
managing the certificates. An HSM is typically attached to a computer physically. This is
an optional add-on in your PKI, and is most widely used in high security environments
where there would be a significant impact if a key were compromised.
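The CRL and delta CRL bullets above describe a client that caches a full CRL for its configured lifetime and layers the smaller delta CRLs on top to get an up-to-date revoked set. The Python below is an added example for this edit, not code from the course or from AD CS; it models only the CRL fields the combining logic needs and constructs sample CRLs rather than parsing real X.509 ones. It applies the RFC 5280 section 5.2.4 rules for which deltas may be combined with which base, treats the `removeFromCRL` reason code the way RFC 5280 defines it (a certificate released from hold), and refuses to use a cached CRL past its nextUpdate, which is what the "configured lifetime of the CRL" in the text amounts to on the client.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Reason codes from RFC 5280 section 5.3.1 that matter for this example.
KEY_COMPROMISE, CERTIFICATE_HOLD, REMOVE_FROM_CRL = 1, 6, 8
NOW = datetime(2015, 3, 13, 12, tzinfo=timezone.utc)   # constructed "current time"


@dataclass
class Crl:
    """Minimal model of a CRL: only the fields the combining logic needs."""
    crl_number: int
    this_update: datetime
    next_update: datetime                                   # end of the client's cache lifetime
    revoked: Dict[int, int] = field(default_factory=dict)   # serial number -> reason code
    base_crl_number: Optional[int] = None                   # present only on delta CRLs


def is_delta(crl: Crl) -> bool:
    return crl.base_crl_number is not None


def is_fresh(crl: Crl, now: datetime) -> bool:
    """A cached CRL may be used until nextUpdate; after that the client must fetch again."""
    return crl.this_update <= now < crl.next_update


def combine(base: Crl, deltas: List[Crl], now: datetime) -> Dict[int, int]:
    """Merge a complete CRL with the delta CRLs issued since it (RFC 5280 section 5.2.4).

    Deltas are applied in CRL-number order. A delta whose BaseCRLNumber is newer than the
    complete CRL we hold cannot be used; a delta no newer than the complete CRL adds nothing."""
    if is_delta(base) or not is_fresh(base, now):
        raise ValueError("need a fresh complete CRL as the base")
    revoked = dict(base.revoked)
    for delta in sorted(deltas, key=lambda c: c.crl_number):
        if not is_delta(delta) or not is_fresh(delta, now):
            raise ValueError(f"CRL {delta.crl_number} is not a usable delta CRL")
        if delta.base_crl_number > base.crl_number:
            raise ValueError(f"delta {delta.crl_number} needs a base CRL >= {delta.base_crl_number}")
        if delta.crl_number <= base.crl_number:
            continue   # already reflected in the complete CRL
        for serial, reason in delta.revoked.items():
            if reason == REMOVE_FROM_CRL:
                revoked.pop(serial, None)   # certificate released from hold
            else:
                revoked[serial] = reason
    return revoked


def revocation_status(serial: int, revoked: Dict[int, int]) -> str:
    reason = revoked.get(serial)
    if reason is None:
        return "good"
    return "on hold" if reason == CERTIFICATE_HOLD else "revoked"


def constructed_crls(now: datetime = NOW):
    """Constructed sample data: a weekly base CRL and two daily deltas issued against it."""
    base = Crl(10, now - timedelta(days=2), now + timedelta(days=7),
               {0x1001: KEY_COMPROMISE, 0x1002: CERTIFICATE_HOLD})
    delta11 = Crl(11, now - timedelta(days=1), now + timedelta(days=1),
                  {0x1003: KEY_COMPROMISE, 0x1002: REMOVE_FROM_CRL}, base_crl_number=10)
    delta12 = Crl(12, now - timedelta(hours=1), now + timedelta(days=1),
                  {0x1004: KEY_COMPROMISE}, base_crl_number=10)
    return base, [delta11, delta12]
```

With the constructed data, serial 0x1002 is on hold in the base CRL and released in delta 11, so the combined set reports it as good, while the two serials revoked only in the deltas are reported as revoked without the client ever downloading a new full CRL.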

Integrating DHCP with Routing and Remote Access

You can deploy the DHCP role with the Remote Access role, which provides remote access
clients with a dynamically assigned IP address during connection. When you use these
services together on the same server, the information that is provided during dynamic
configuration is provided in a way that is different from typical DHCP configuration for
LAN-based clients.

In LAN environments, DHCP clients negotiate and receive the following configuration
information, based entirely on settings that you configure in the DHCP console for the DHCP
server:


• A leased IP address that is provided from an available address pool of an active scope on
the DHCP server. The DHCP server directly manages and distributes the address to the
LAN-based DHCP client.

• Additional parameters and other configuration information that are assigned through DHCP
options in the address lease. The values and list of options correspond to option types that
you configure and assign on the DHCP server.

When a Remote Access server provides dynamic configuration for remote access clients, it
first performs the following steps:

1. When the server that is running Remote Access starts with the Use DHCP to assign
remote TCP/IP addresses option, it instructs the DHCP client to obtain 10 IP addresses
from a DHCP server.

2. The Remote Access server uses the first of these 10 IP addresses that are obtained from
the DHCP server for the Remote Access server interface.

3. The remaining nine addresses are allocated to TCP/IP-based clients as they dial in to
establish a session with the Remote Access server.

IP addresses that are freed when remote access clients disconnect are reused. When all 10 IP
addresses are used, the Remote Access server obtains 10 more from a DHCP server. When the
Routing and Remote Access service stops, all IP addresses that were obtained through DHCP
are released.

When the Remote Access server uses this type of proactive caching of DHCP address leases
for dial-up clients, it records the following information for each lease response that it obtains
from the DHCP server:

• The IP address of the DHCP server.

• The client-leased IP address (for later distribution to the Routing and Remote Access
client).

• The time at which the lease was obtained.

• The time at which the lease expires.

• The lease duration.

All other DHCP option information that the DHCP server returns—such as server, scope, or
reservation options—is discarded. When the client dials in to the server and requests an IP
address (that is, when Server Assigned IP Address is selected), it uses a cached DHCP lease to
provide the dial-up client with dynamic IP address configuration.

When the IP address is provided to the dial-up client, the client is unaware that the IP address
has been obtained through this intermediate process between the DHCP server and the
Remote Access server. The Remote Access server maintains the lease on the client’s behalf.
Therefore, the only information that the client receives from the DHCP server is the IP
address.

In dial-up environments, DHCP clients negotiate and receive dynamic configuration using the
following modified behavior:

• A leased IP address from the Routing and Remote Access server cache of DHCP scope
addresses. The Routing and Remote Access server obtains and renews its cached address
pool with the DHCP server.

• If the DHCP server typically provides the additional parameters and other configuration
information that currently is provided through assigned DHCP options in the address lease,
this information is returned to the Remote Access client based on TCP/IP properties that
are configured on the Remote Access server.
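The behaviour described in this section (batches of 10 leases, the first reserved for the server interface, freed addresses reused, another batch requested only when every cached address is in use, everything released when the service stops, and only five fields of each lease retained) is a small state machine, and it is worth seeing it run. The Python below is an added simulation written for this edit, not code from the course or from the Routing and Remote Access service. The DHCP server is a constructed stand-in that hands out sequential addresses from a 10.0.0.0/24 scope; the addresses, lease duration and option values are all invented for the example.

```python
from datetime import datetime, timedelta, timezone

BATCH_SIZE = 10   # the module's figure: RRAS asks the DHCP client for 10 addresses at a time
NOW = datetime(2015, 3, 13, tzinfo=timezone.utc)   # constructed "current time"


class ConstructedDhcpServer:
    """Stand-in for a DHCP scope (constructed): hands out 10.0.0.11, 10.0.0.12, ... and
    returns a full lease, including options that the Remote Access server will discard."""

    def __init__(self, server_ip="10.0.0.1", lease_seconds=28800):
        self.server_ip = server_ip
        self.lease_seconds = lease_seconds
        self.next_host = 11
        self.leased = set()

    def lease(self, now: datetime) -> dict:
        ip = f"10.0.0.{self.next_host}"
        self.next_host += 1
        self.leased.add(ip)
        return {"ip": ip, "server": self.server_ip, "obtained": now,
                "duration": self.lease_seconds,
                "options": {"router": "10.0.0.1", "dns": "10.0.0.2"}}

    def release(self, ip: str) -> None:
        self.leased.discard(ip)


class RemoteAccessAddressPool:
    """Proactive lease cache as the module describes it."""

    def __init__(self, dhcp: ConstructedDhcpServer):
        self.dhcp = dhcp
        self.interface = None   # lease reserved for the server's own interface
        self.fresh = []         # leases obtained from DHCP and not yet handed out
        self.freed = []         # leases returned by disconnected clients, reused first
        self.in_use = {}        # client name -> lease record

    @staticmethod
    def _record(lease: dict, now: datetime) -> dict:
        """Keep only what RRAS records per lease; all other DHCP option data is discarded."""
        return {"dhcp_server": lease["server"], "ip": lease["ip"], "obtained": now,
                "expires": now + timedelta(seconds=lease["duration"]),
                "duration": lease["duration"]}

    def _fetch_batch(self, now: datetime) -> None:
        self.fresh.extend(self._record(self.dhcp.lease(now), now) for _ in range(BATCH_SIZE))

    def start(self, now: datetime) -> None:
        self._fetch_batch(now)                 # step 1: obtain 10 addresses
        self.interface = self.fresh.pop(0)     # step 2: the first one goes to the server interface

    def connect(self, client: str, now: datetime) -> str:
        """Step 3: hand the next address to a connecting client. Freed addresses are reused,
        and a new batch of 10 is requested only when every cached address is in use."""
        if self.freed:
            lease = self.freed.pop(0)
        else:
            if not self.fresh:
                self._fetch_batch(now)
            lease = self.fresh.pop(0)
        self.in_use[client] = lease
        return lease["ip"]

    def disconnect(self, client: str) -> None:
        self.freed.append(self.in_use.pop(client))

    def stop(self) -> None:
        """Service stop: every address obtained through DHCP is released."""
        for lease in [self.interface] + self.fresh + self.freed + list(self.in_use.values()):
            self.dhcp.release(lease["ip"])
        self.interface, self.fresh, self.freed, self.in_use = None, [], [], {}

    def held(self) -> int:
        """Number of DHCP leases this server currently holds on clients' behalf."""
        return (1 if self.interface else 0) + len(self.fresh) + len(self.freed) + len(self.in_use)
```

One practical consequence the simulation makes visible: the DHCP server's lease table shows the Remote Access server, not the dial-up clients, as the lessee of every address, so DHCP-side logs and reservations are not a reliable way to tell which remote client held an address at a given time; that mapping lives only in the Remote Access server's own records.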

Note: DHCP servers that are running Windows Server 2012 provide a predefined
user class—the Default Routing and Remote Access Class—for assigning options
that are provided only to Routing and Remote Access clients. To assign these
options, you must create a DHCP policy with a condition of the User Class Equals
Default Routing and Remote Access Class. Then, configure the required options.


Lesson 2: Configuring VPN Access

To properly implement and support a VPN environment within your organization, it is
important that you understand how to select a suitable tunneling protocol, how to configure
VPN authentication, and how to configure the Network Policy and Access Services server
role to support your chosen configuration.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe what a VPN connection is, and how it is used to connect remote network clients.

• Describe the tunneling protocols used for a VPN connection.

• Describe VPN Reconnect.

• Describe configuration requirements for a VPN connection.

• Explain how to configure VPN access.

• Describe additional tasks that can be completed after configuring a VPN server.

• Describe the features in and benefits of the Connection Manager Administration Kit.

• Explain how to create a connection profile using the Connection Manager Administration
Kit.

What Is a VPN Connection?


To emulate a point-to-point link, data is encapsulated (or wrapped) and prefixed with a
header; this header provides routing information that enables the data to traverse the shared or
public network to reach its endpoint.

To emulate a private link, data is encrypted to ensure confidentiality. Packets that are
intercepted on the shared or public network are indecipherable without encryption keys. The
link in which the private data is encapsulated and encrypted is known as a VPN connection.

There are two types of VPN connections:

• Remote access

• Site-to-site

Remote Access VPN
Remote access VPN connections enable your users who are working offsite (for example, at
home, at a customer site, or from a public wireless access point) to access a server on your
organization’s private network using the infrastructure that a public network provides, such as
the Internet. From the user’s perspective, the VPN is a point-to-point connection between the
computer, the VPN client, and your organization’s server. The exact infrastructure of the
shared or public network is irrelevant because it appears logically as if the data is sent over a
dedicated private link.

Site-to-Site VPN
Site-to-site VPN connections, which are also known as router-to-router VPN connections,
enable your organization to have routed connections between separate offices (or with other
organizations) over a public network while helping to maintain secure communications. A
routed VPN connection across the Internet logically operates as a dedicated WAN link. When
networks connect over the Internet, a router forwards packets to another router across a VPN
connection. To the routers, the VPN connection operates as a data-link layer link.

A site-to-site VPN connection connects two portions of a private network. The VPN server
provides a routed connection to the network to which the VPN server is attached. The calling
router (the VPN client) authenticates itself to the answering router (the VPN server), and for
mutual authentication, the answering router authenticates itself to the calling router. In a
site-to-site VPN connection, the packets sent from either router across the VPN connection
typically do not originate at the routers.

Properties of VPN Connections

VPN connections that use the Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling
Protocol with Internet Protocol Security (L2TP/IPsec), and Secure Socket Tunneling Protocol
(SSTP), have the following properties:

• Encapsulation. With VPN technology, private data is encapsulated with a header containing
routing information that allows the data to traverse the transit network.

• Authentication. Authentication for VPN connections takes the following three different
forms:

o User-level authentication by using Point-to-Point Protocol (PPP) authentication. To
establish the VPN connection, the VPN server authenticates the VPN client that is
attempting the connection by using a PPP user-level authentication method, and verifies
that the VPN client has the appropriate authorization. If you use mutual authentication,
the VPN client also authenticates the VPN server, which provides protection against
computers that are masquerading as VPN servers.

o Computer-level authentication by using Internet Key Exchange (IKE). To establish an
IPsec security association, the VPN client and the VPN server use the IKE protocol to
exchange either computer certificates or a pre-shared key. In either case, the VPN client
and server authenticate each other at the computer level. We recommend computer-certificate
authentication because it is a much stronger authentication method. Computer-level
authentication is only performed for L2TP/IPsec connections.

o Data origin authentication and data integrity. To verify that the data sent on the VPN
connection originated at the other end of the connection and was not modified in transit,
the data contains a cryptographic checksum based on an encryption key known only to
the sender and the receiver. Data origin authentication and data integrity are only
available for L2TP/IPsec connections.

• Data encryption. To ensure the confidentiality of data as it traverses the shared or public
transit network, the sender encrypts the data, and the receiver decrypts it. The encryption
and decryption processes depend on the sender and the receiver both using a common
encryption key.

Packets that are intercepted in the transit network are unintelligible to anyone who does not
have the common encryption key. The encryption key’s length is an important security
parameter. You can use computational techniques to determine the encryption key.
However, such techniques require more computing power and computational time as the
encryption keys get larger. Therefore, it is important to use the largest possible key size to
ensure data confidentiality.

Tunneling Protocols for VPN Connections

PPTP, L2TP, and SSTP depend heavily on the features originally specified for PPP. PPP was
designed to send data across dial­up or dedicated point­to­point connections. For IP, PPP
encapsulates IP packets within PPP frames, and then transmits the encapsulated PPP packets
across a point­to­point link. PPP was defined originally as the protocol to use between a dial­
up client and a network access server.

PPTP
PPTP enables you to encrypt and encapsulate in an IP header multi­protocol traffic that then is
sent across an IP network or a public IP network, such as the Internet. You can use PPTP for
remote access and site­to­site VPN connections. When using the Internet as the VPN public
network, the PPTP server is a PPTP-enabled VPN server with one interface on the Internet,
and a second interface on the intranet.

• Encapsulation. PPTP encapsulates PPP frames in IP datagrams for network transmission.
PPTP uses a Transmission Control Protocol (TCP) connection for tunnel management, and
a modified version of Generic Route Encapsulation (GRE) to encapsulate PPP frames for
tunneled data. Payloads of the encapsulated PPP frames can be encrypted, compressed, or
both.

• Encryption. The PPP frame is encrypted with Microsoft Point­to­Point Encryption (MPPE)
by using encryption keys that are generated from the MS­CHAPv2 or EAP­TLS
authentication process. VPN clients must use the MS­CHAPv2 or EAP­TLS authentication
protocol so that the payloads of PPP frames are encrypted. PPTP uses the underlying PPP
encryption, encapsulating a previously encrypted PPP frame.

L2TP
L2TP enables you to encrypt multi­protocol traffic to send over any medium that supports
point­to­point datagram delivery, such as IP or asynchronous transfer mode (ATM). L2TP is a
combination of PPTP and Layer 2 Forwarding (L2F). L2TP represents the best features of
PPTP and L2F.

Unlike PPTP, the Microsoft implementation of L2TP does not use MPPE to encrypt PPP
datagrams. L2TP relies on IPsec in Transport Mode for encryption services. The combination
of L2TP and IPsec is known as L2TP/IPsec.

To utilize L2TP/IPsec, both the VPN client and server must support L2TP and IPsec. Client
support for L2TP is built in to the Windows XP, Windows Vista®, Windows 7, and Windows
8 remote access clients. VPN server support for L2TP is built in to members of the Windows
Server 2012, Windows Server 2008, and Windows Server 2003 families.

• Encapsulation: Encapsulation for L2TP/IPsec packets consists of two layers, L2TP
encapsulation, and IPsec encapsulation. L2TP encapsulates and encrypts data in the
following way:

o First layer. The first layer is the L2TP encapsulation. A PPP frame (an IP datagram) is
wrapped with an L2TP header and a User Datagram Protocol (UDP) header.

o Second layer. The second layer is the IPsec encapsulation. The resulting L2TP message
is wrapped with an IPsec encapsulating security payload (ESP) header and trailer, an
IPsec Authentication trailer that provides message integrity and authentication, and a
final IP header. The IP header contains the source and destination IP address that
corresponds to the VPN client and server.

• Encryption: The L2TP message is encrypted with either Advanced Encryption Standard
(AES) or Triple Data Encryption Standard (3DES) by using encryption keys that the IKE
negotiation process generates.

SSTP
SSTP is a tunneling protocol that uses the HTTP/Secure (HTTPS) protocol over TCP port 443
to pass traffic through firewalls and web proxies, which otherwise might block PPTP and
L2TP/IPsec traffic. SSTP provides a mechanism to encapsulate PPP traffic over the Secure
Sockets Layer (SSL) channel of the HTTPS protocol. The use of PPP allows support for
strong authentication methods, such as EAP­TLS. SSL provides transport­level security with
enhanced key negotiation, encryption, and integrity checking.

When a client tries to establish an SSTP-based VPN connection, SSTP first establishes a
bidirectional HTTPS layer with the SSTP server. Over this HTTPS layer, the protocol packets
flow as the data payload using the following encapsulation and encryption methods:

• Encapsulation. SSTP encapsulates PPP frames in IP datagrams for transmission over the
network. SSTP uses a TCP connection (over port 443) for tunnel management and for PPP
data frames.

• Encryption. The SSTP message is encrypted with the SSL channel of the HTTPS protocol.

IKEv2
IKEv2 uses the IPsec Tunnel Mode protocol over UDP port 500. IKEv2 supports mobility,
making it a good protocol choice for a mobile workforce. IKEv2-based VPNs enable users to
move easily between wireless hotspots, or between wireless and wired connections.

The use of IKEv2 and IPsec enables support for strong authentication and encryption
methods.

• Encapsulation. IKEv2 encapsulates datagrams by using IPsec ESP or Authentication
Header (AH) for transmission over the network.

• Encryption. The message is encrypted with one of the following protocols by using
encryption keys that are generated from the IKEv2 negotiation process: AES 256, AES
192, AES 128, and 3DES encryption algorithms.

IKEv2 is supported only on computers that are running Windows 7, Windows 8, Windows
Server 2008 R2, and Windows Server 2012. IKEv2 is the default VPN tunneling protocol in
Windows 7 and Windows 8.

What Is VPN Reconnect?

In dynamic business scenarios, users must be able to securely access data anytime, from
anywhere, and access it continuously, without interruption. For example, users might want to
securely access data that is on the company’s server, from a branch office or while on the
road.

To meet this requirement, you can configure the VPN Reconnect feature that is available in
Windows Server 2012, Windows Server 2008 R2, Windows 8, and Windows 7. With this
feature, users can access the company’s data by using a VPN connection, which will
reconnect automatically if connectivity is interrupted. VPN Reconnect also enables roaming
between different networks.

VPN Reconnect uses the IKEv2 technology to provide seamless and consistent VPN
connectivity. Users who connect via a wireless mobile broadband will benefit most from this
capability. Consider a user with a laptop that is running Windows 8. When the user travels to
work in a train, he or she connects to the Internet with a wireless mobile broadband card, and
then establishes a VPN connection to the company’s network. When the train passes through a
tunnel, the Internet connection is lost. After the train emerges from the tunnel, the wireless
mobile broadband card reconnects automatically to the Internet. With older versions of
Windows client and server operating systems, VPN did not reconnect automatically.
Therefore, the user would have to repeat the multistep process of connecting to the VPN
manually. This was time­consuming and frustrating for mobile users with intermittent
connectivity.

With VPN Reconnect, Windows Server 2012 and Windows 8 re­establish active VPN
connections automatically when Internet connectivity is re­established. Even though the
reconnection might take several seconds, users need not reinstate the connection manually, or
authenticate again to access internal network resources.

The system requirements for using the VPN Reconnect feature are as follows:

• Windows Server 2008 R2 or Windows Server 2012 as a VPN server.

• Windows 7, Windows 8, Windows Server 2008 R2, or Windows Server 2012 client.

• Public Key Infrastructure (PKI), because a computer certificate is required for a remote
connection with VPN Reconnect. You can use certificates issued by either an internal or
public CA.

Configuration Requirements

Before deploying your organization’s VPN solution, consider the following configuration
requirements:

• Your VPN server requires two network interfaces. You must determine which network
interface will connect to the Internet, and which network interface will connect to your
private network. During configuration, you will be asked to choose which network
interface connects to the Internet. If you specify the incorrect interface, your remote access
VPN server will not operate correctly.

• Determine whether remote clients receive IP addresses from a DHCP server on your
private network or from the remote access VPN server that you are configuring. If you have
a DHCP server on your private network, the remote access VPN server can lease 10
addresses at a time from the DHCP server, and then assign those addresses to remote
clients. If you do not have a DHCP server on your private network, the remote access VPN
server can automatically generate and assign IP addresses to remote clients. If you want the
remote access VPN server to assign IP addresses from a range that you specify, you must
determine what that range should be.

• Determine whether you want connection requests from VPN clients to be authenticated by
a RADIUS server or by the remote access VPN server that you are configuring. Adding a
RADIUS server is useful if you plan to install multiple remote access VPN servers,
wireless access points, or other RADIUS clients to your private network.

Note: To enable a RADIUS infrastructure, install the Network Policy and Access
Services server role. The NPS can act as either a RADIUS proxy or a RADIUS
server.

• Determine whether VPN clients can send DHCPINFORM messages to the DHCP server on
your private network. If a DHCP server is on the same subnet as your remote access VPN
server, DHCPINFORM messages from VPN clients will be able to reach the DHCP server
after the VPN connection is established. If a DHCP server is on a different subnet from
your remote access VPN server, make sure that the router between subnets can relay DHCP
messages between clients and the server. If your router is running Windows Server 2008
R2 or Windows Server 2012, you can configure the DHCP Relay Agent service on the
router to forward DHCPINFORM messages between subnets.

• Ensure that the person who is responsible for the deployment of your VPN solution has the
necessary administrative group memberships to install the server roles and configure the
necessary services; membership of the local Administrators group is required to perform
these tasks.

Demonstration: How to Configure VPN Access


This demonstration shows how to:

• Configure Remote Access as a VPN server.

• Configure a VPN client.

Demonstration Steps

Configure Remote Access as a VPN server

1. Sign in to LON­RTR as Adatum\Administrator with the password Pa$$w0rd.

2. On LON­RTR, open Server Manager, and add the Network Policy and Access
Services role.

3. Close Server Manager.

4. Open the Network Policy Server console.



5. Register the server in AD DS.

6. Leave the Network Policy Server window open.

7. Open Routing and Remote Access.

8. Disable the existing configuration.

9. Reconfigure LON­RTR as a VPN Server using the following settings:

o Local Area Connection 2 is the public interface.

o The VPN server allocates addresses from the pool: 172.16.0.100 ­ 172.16.0.111.

o The server is configured with the option No, use Routing and Remote Access to
authenticate connection requests.

10. Start the VPN service.
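The server-side part of this demonstration, together with the address-pool and authentication choices listed under Configuration Requirements above, can also be carried out from an elevated PowerShell prompt on LON-RTR. The following is an added example and is not part of the course module: it uses the Windows Server 2012 role names, the RemoteAccess cmdlets and the netsh ras and netsh nps contexts, and takes the address pool from the demonstration. The wizard's choice of public interface, which installs static packet filters on that interface, has no single-command equivalent here and is left to the Routing and Remote Access console.

```powershell
# Added example (not part of the course module): the server-side demonstration
# steps performed from an elevated PowerShell prompt on LON-RTR.
# Feature names, cmdlets and netsh contexts are those shipped with Windows Server 2012.

# Steps 2-3: install Network Policy Server and the RRAS VPN role service with their consoles.
Install-WindowsFeature -Name NPAS-Policy-Server, RemoteAccess, DirectAccess-VPN, Routing -IncludeManagementTools

# Step 5: register the NPS in AD DS so that it can read the dial-in properties of user
# accounts (this is what the console's "Register server in Active Directory" action does).
netsh nps add registeredserver

# Step 8: remove an existing RRAS VPN configuration before reconfiguring the server.
Uninstall-RemoteAccess -VpnType Vpn

# Step 9: deploy RRAS as a remote access VPN server.
Install-RemoteAccess -VpnType Vpn

# Step 9: hand out addresses from a static pool instead of leasing them from DHCP,
# using the range given in the demonstration (172.16.0.100 - 172.16.0.111).
netsh ras ip set addrassign method=pool
netsh ras ip add range from=172.16.0.100 to=172.16.0.111

# Step 9: authenticate connection requests locally with Routing and Remote Access
# ("No, use Routing and Remote Access to authenticate connection requests").
# provider=radius would forward them to an NPS or other RADIUS server instead.
netsh ras aaaa set authentication provider=windows

# Step 10: start the service and confirm the address assignment now in effect.
Restart-Service -Name RemoteAccess
netsh ras ip show config
```

Choosing provider=radius at the authentication step is the arrangement described in the Note above for environments with several VPN servers or wireless access points: the VPN server then acts as a RADIUS client and the NPS makes the authorization decision.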

Configure a VPN Client

1. Switch to LON-CL2, and sign in as Adatum\Administrator with the password of
Pa$$w0rd.

2. Create a new VPN connection with the following properties:

o Internet address to connect to: 10.10.0.1

o Destination name: Adatum VPN

o Allow other people to use this connection: true

3. Once you have created the VPN, modify its settings by viewing the properties of the
connection, and then select the Security tab to reconfigure the VPN using the following
settings:

o Type of VPN: Point to Point Tunneling Protocol (PPTP)

o Authentication: Allow these protocols = Microsoft CHAP Version 2 (MS-CHAP v2)

4. Test the VPN connection using the following credentials:

o User name: Adatum\administrator

o Password: Pa$$w0rd

5. Wait for the VPN connection to be made. Your connection is unsuccessful. You receive
an error relating to authentication issues.
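The client side of this demonstration, and the tunneling-protocol comparison earlier in this lesson, can be expressed with the VpnClient cmdlets that ship with Windows 8 and Windows Server 2012. This is an added example and is not part of the course module: the connection name, server address and credentials are those of the demonstration, and the commented Set-VpnConnection lines show how the same entry would be switched to L2TP/IPsec, SSTP or IKEv2 (the IKEv2 form with a computer certificate is what VPN Reconnect requires).

```powershell
# Added example (not part of the course module): creating and testing the demonstration's
# VPN connection on LON-CL2 with the VpnClient module (Windows 8 / Windows Server 2012),
# then reading the outcome from the event log. Name and server address are the demonstration's.

# PPTP with MS-CHAP v2, as the demonstration configures it. MPPE keys are derived from the
# MS-CHAP v2 (or EAP-TLS) exchange, so PPTP cannot encrypt the PPP payload with PAP or CHAP.
# -AllUserConnection is the "Allow other people to use this connection" option.
Add-VpnConnection -Name "Adatum VPN" -ServerAddress 10.10.0.1 `
    -TunnelType Pptp -AuthenticationMethod MSChapv2 -EncryptionLevel Required `
    -AllUserConnection

# The same entry switched to each of the other tunneling protocols described in this lesson.
# The tunnel type is a one-line change; the authentication method decides what it can protect.
#   L2TP/IPsec with computer-certificate authentication (the recommended computer-level
#   method); add -L2tpPsk '<key>' to use a pre-shared key instead:
# Set-VpnConnection -Name "Adatum VPN" -TunnelType L2tp -AuthenticationMethod MSChapv2
#   SSTP over TCP 443, for paths where firewalls or web proxies block PPTP and L2TP/IPsec:
# Set-VpnConnection -Name "Adatum VPN" -TunnelType Sstp -AuthenticationMethod MSChapv2
#   IKEv2 with a computer certificate, the combination VPN Reconnect depends on:
# Set-VpnConnection -Name "Adatum VPN" -TunnelType Ikev2 -AuthenticationMethod MachineCertificate

# Step 4: dial with the demonstration credentials. Single quotes keep PowerShell from
# expanding the "$$" in the password.
rasdial "Adatum VPN" 'Adatum\administrator' 'Pa$$w0rd'

# Step 5: RasClient records each dial attempt in the Application log; event 20227 is a
# failed attempt and its message includes the error code returned to the client.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'RasClient' } -MaxEvents 5 |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

The demonstration expects this attempt to fail. The Get-WinEvent call shows where the client records the failure and its error code, which is the first thing to check when troubleshooting; Lesson 3 below covers the network policy that has to grant the connection before it can succeed.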

Completing Additional Configuration Tasks

After you complete the steps to deploy and initially configure your Remote Access solution,
your server is ready for use as a remote access VPN server. However, you can also perform the
following additional tasks on your remote access/VPN server:

• Configure static packet filters. Add static packet filters to better protect your network.

• Configure services and ports. Choose which services on the private network you want to
make available for remote access users.

• Adjust logging levels. Configure the level of event details that you want to log. You can
decide which information you want to track in log files.

• Configure the number of VPN ports. Add or remove VPN ports.

• Create a Connection Manager profile for users. Manage the client connection experience
for users, and simplify configuration and troubleshooting of client connections.


• Add Active Directory Certificate Services (AD CS). Configure and manage a CA on a server for use in a PKI.

• Increase remote access security. Protect remote users and the private network by enforcing
use of secure authentication methods, requiring higher levels of data encryption, and more.

• Increase VPN security. Protect remote users and the private network by requiring use of
secure tunneling protocols, configuring account lockout, and more.

• Consider implementing VPN Reconnect. Consider adding VPN Reconnect to re-establish
VPN connections automatically for users who temporarily lose their Internet connections.

What Is the Connection Manager Administration Kit?

The Connection Manager Administration Kit (CMAK) allows you to customize users’ remote
connection options by creating predefined connections to remote servers and networks. The
CMAK wizard creates an executable file, which you can then distribute in many ways, or
include during deployment activities as part of the operating system image.

Connection Manager is a client network connection tool that allows a user to connect to a
remote network, such as an Internet Service Provider (ISP) or a corporate network protected
by a VPN server.

CMAK is a tool that you can use to customize the remote connection experience for users on
your network by creating predefined connections to remote servers and networks. You use the
CMAK wizard to create and customize a connection for your users.

CMAK is an optional component that is not installed by default. You must install CMAK to
create connection profiles that your users can install to access remote networks.

Distributing the Connection Profile


The CMAK wizard compiles the connection profile into a single executable file with an .exe
file name extension. You can deliver this file to users through any method that is available to
you. Some methods to consider are:

• Include the connection profile as part of the image that is included with new computers.

You can install your connection profile as part of the client computer images that are
installed on your organization’s new computers.

• Deliver the connection profile on removable media for the user to install manually.

You can deliver the connection profile installation program on a CD/DVD, USB flash
drive, or any other removable media that you permit your users to access. Some removable
media support autorun capabilities, which allow you to start the installation automatically,
when the user inserts the media into the client computer.

• Deliver the connection profile with automated software distribution tools.

Many organizations use a desktop management and software deployment tool such as
Microsoft System Center Configuration Manager (previously called Systems Management
Server). Configuration Manager provides the ability to package and deploy software that is
intended for your client computers. The installation can be invisible to your users, and you
can configure it to report back to the management console whether the installation was
successful or not.

Demonstration: How to Create a Connection Profile


This demonstration shows how to:

• Install CMAK.

• Create a connection profile.


• Examine the profile.

Demonstration Steps

Install CMAK

1. If necessary, on LON-CL2, sign in as Adatum\administrator with the password
Pa$$w0rd.

2. Open Control Panel, and turn on the Windows feature RAS Connection Manager
Administration Kit (CMAK).

Create a connection profile

1. In Administrative Tools, open the Connection Manager Administration Kit.

2. Complete the Connection Manager Administration Kit Wizard to create the connection
profile.

Examine the created profile

• Use Windows Explorer to examine the contents of the folder that you created with the
Connection Manager Administration Kit Wizard to create the connection profile. Normally,
you would now distribute this profile to your users.

Lesson 3: Overview of Network Policies

Network policies determine whether a connection attempt is successful. If the connection
attempt is successful, then the network policy also defines connection characteristics, such as
day and time restrictions, session idle-disconnect times, and other settings.

Understanding how to configure network policies is essential if you are to successfully
implement VPNs based on the Network Policy and Access Services server role within your
organization.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe what a network policy is.

• Describe network policy processing.

• Describe the process for creating a new network policy.

• Explain how to create a network policy for VPN connections.

What Is a Network Policy?

A network policy is a set of conditions, constraints, and settings that enable you to designate
who is authorized to connect to the network, and the circumstances under which they can or
cannot connect. Additionally, when you deploy NAP, health policy is added to the network
policy configuration so that NPS performs client health checks during the authorization
process.

You can view network policies as rules: each rule has a set of conditions and settings. NPS
compares the rule’s conditions to the properties of connection requests. If a match occurs
between the rule and the connection request, then the settings that you define in the rule are
applied to the connection.

When you configure multiple network policies in NPS, they are an ordered set of rules. NPS
checks each connection request against the list’s first rule, then the second, and so on, until a
match is found.

Note: Once a matching rule is determined, further rules are disregarded. Therefore, it
is important that you order your network policies appropriately, in order of
importance.

Each network policy has a Policy State setting that allows you to enable or disable the policy.
When you disable a network policy, NPS does not evaluate the policy when authorizing
connection requests.

Network Policy Properties


Each network policy has four categories of properties:

• Overview. Overview properties allow you to specify whether the policy is enabled, whether
the policy grants or denies access, and whether a specific network connection method or
type of network access server is required for connection requests. Overview properties also
enable you to specify whether to ignore the dial­in properties of user accounts in AD DS. If
you select this option, NPS uses only the network policy’s settings to determine whether to
authorize the connection.

• Conditions. These properties allow you to specify the conditions that the connection
request must have to match the network policy. If the conditions that are configured in the
policy match the connection request, NPS applies the network policy settings to the
connection. For example, if you specify the network access server IPv4 address (NAS IPv4
Address) as a condition of the network policy, and NPS receives a connection request from
a NAS that has the specified IP address, the condition in the policy matches the connection
request.

• Constraints. Constraints are additional parameters of the network policy that are required to
match the connection request. If the connection request does not match a constraint, NPS
rejects the request automatically. Unlike the NPS response to unmatched conditions in the
network policy, if a constraint is not matched, NPS does not evaluate additional network
policies, and the connection request is denied.


• Settings. The Settings properties allow you to specify the settings that NPS applies to the
connection request, provided that all of the policy’s network policy conditions are matched
and the request is accepted.

When you add a new network policy using the NPS Microsoft Management Console (MMC)
snap­in, you must use the New Network Policy Wizard. After you have created a network
policy using the New Network Policy Wizard, you can customize the policy by double­
clicking it in NPS to obtain the policy properties.

Note: The default policies on the NPS block network access. After creating your own
policies, you should change the priority of, disable, or remove these default policies.

Network Policy Processing

When NPS performs authorization of a connection request, it compares the request with each
network policy in the ordered list of policies, starting with the first policy and moving down
the list. If NPS finds a policy in which the conditions match the connection request, NPS uses
the matching policy and the dial­in properties of the user account to perform authorization. If
you configure the dial­in properties of the user account to grant or control access through
network policy, and the connection request is authorized, NPS applies the settings that you
configure in the network policy to the connection:

• If NPS does not find a network policy that matches the connection request, NPS rejects the
connection unless the dial­in properties on the user account are set to grant access.


• If the dial­in properties of the user account are set to deny access, NPS rejects the
connection request.
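The processing rules in this topic, written out as a small PowerShell model so that the order of evaluation and the different effect of an unmatched condition, an unmatched constraint and the account's dial-in property can be traced on concrete requests. This is an added example, not the NPS implementation and not part of the course module: the policy list, the condition names and the connection requests are constructed for illustration, and the function returns the decision together with the policy that produced it.

```powershell
# Added example (not part of the course module): a model of how NPS walks the ordered
# list of network policies. Property names such as Groups, NasPortType and TunnelType
# mirror NPS condition names, but the policies and requests below are constructed data.

function Resolve-NetworkAccess {
    param(
        [hashtable]$Request,   # connection request attributes, e.g. Groups, NasPortType, TunnelType
        [string]$DialIn,       # AD DS dial-in property of the account: Allow, Deny or ControlViaPolicy
        [object[]]$Policies    # ordered list; each has Name, Enabled, Conditions, Constraints, Access, IgnoreDialIn
    )

    # "Deny access" on the account rejects the request whatever the policies say.
    if ($DialIn -eq 'Deny') {
        return [pscustomobject]@{ Result = 'Reject'; Policy = $null; Reason = 'dial-in property is Deny' }
    }

    foreach ($p in $Policies) {
        if (-not $p.Enabled) { continue }   # a disabled policy is never evaluated

        # Conditions: every configured condition must match; otherwise NPS moves on to the next policy.
        $conditionsMatch = $true
        foreach ($c in $p.Conditions.GetEnumerator()) {
            $value = $Request[$c.Key]
            if ($value -is [array]) { $hit = $c.Value | Where-Object { $value -contains $_ } }
            else                    { $hit = $c.Value -contains $value }
            if (-not $hit) { $conditionsMatch = $false; break }
        }
        if (-not $conditionsMatch) { continue }

        # Constraints: an unmatched constraint rejects immediately; no further policies are tried.
        foreach ($k in $p.Constraints.GetEnumerator()) {
            if (-not ($k.Value -contains $Request[$k.Key])) {
                return [pscustomobject]@{ Result = 'Reject'; Policy = $p.Name; Reason = "constraint $($k.Key) not met" }
            }
        }

        # Access permission: the policy decides, except that an account set to Allow is
        # granted access unless the policy is set to ignore dial-in properties.
        $grant = ($p.Access -eq 'Grant') -or ($DialIn -eq 'Allow' -and -not $p.IgnoreDialIn)
        return [pscustomobject]@{
            Result = $(if ($grant) { 'Accept' } else { 'Reject' })
            Policy = $p.Name
            Reason = 'first policy whose conditions matched'
        }
    }

    # No policy matched: rejected, unless the account itself grants access.
    if ($DialIn -eq 'Allow') {
        return [pscustomobject]@{ Result = 'Accept'; Policy = $null; Reason = 'no matching policy; dial-in property is Allow' }
    }
    return [pscustomobject]@{ Result = 'Reject'; Policy = $null; Reason = 'no matching policy' }
}

# Constructed policies in processing order: a VPN policy for one group, then a catch-all Deny
# standing in for the default policies that block access.
$policies = @(
    [pscustomobject]@{ Name = 'Adatum VPN Users'; Enabled = $true; Access = 'Grant'; IgnoreDialIn = $false
                       Conditions  = @{ Groups = 'Adatum\IT'; NasPortType = 'Virtual (VPN)' }
                       Constraints = @{ TunnelType = @('L2TP', 'IKEv2', 'SSTP') } }
    [pscustomobject]@{ Name = 'Default - deny'; Enabled = $true; Access = 'Deny'; IgnoreDialIn = $true
                       Conditions  = @{}; Constraints = @{} }
)

# IT member over IKEv2: conditions match, constraint satisfied -> Accept by 'Adatum VPN Users'.
Resolve-NetworkAccess -DialIn ControlViaPolicy -Policies $policies `
    -Request @{ Groups = @('Adatum\IT'); NasPortType = 'Virtual (VPN)'; TunnelType = 'IKEv2' }

# Same member over PPTP: conditions match but the tunnel constraint fails -> Reject on that
# policy, and the catch-all is never consulted.
Resolve-NetworkAccess -DialIn ControlViaPolicy -Policies $policies `
    -Request @{ Groups = @('Adatum\IT'); NasPortType = 'Virtual (VPN)'; TunnelType = 'PPTP' }

# Sales member: the Groups condition does not match, so evaluation continues to the
# catch-all -> Reject by 'Default - deny'.
Resolve-NetworkAccess -DialIn ControlViaPolicy -Policies $policies `
    -Request @{ Groups = @('Adatum\Sales'); NasPortType = 'Virtual (VPN)'; TunnelType = 'IKEv2' }
```

Running the second and third requests side by side shows the distinction the next topics elaborate on: a failed condition lets the request fall through to later policies, while a failed constraint ends evaluation with a rejection, which is why the order of the policy list and the choice between a condition and a constraint both matter.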

Process for Creating and Configuring a Network Policy

NPS uses network policies and the dial­in properties of user accounts to determine whether to
authorize a connection request to your network. You can configure a new network policy in
either the NPS MMC snap­in, or the Routing and Remote Access Service MMC snap­in.

Creating Your Policy


When you use the New Network Policy Wizard to create a network policy, the value that you
specify as the network connection method is used automatically to configure the Policy Type
condition. If you keep the default value of Unspecified, NPS evaluates the network policy that
you create for all network connection types through any type of network access server. If you
specify a network connection method, NPS evaluates the network policy only if the
connection request originates from the type of network access server that you specify.

For example, if you specify Remote Desktop Gateway, NPS evaluates the network policy
only for connection requests that originate from Remote Desktop Gateway servers.

On the Specify Access Permission page, you must select Access granted if you want the
policy to allow users to connect to your network. If you want the policy to prevent users from
connecting to your network, select Access denied. If you want user account dial­in properties
in AD DS to determine access permission, you can select the Access is determined by User
Dial­in properties check box. This setting overrides the NPS policy.


Configuring Your Policy


Once you have created your network policy, you can use the network policy’s Properties
dialog box to view or modify its settings.

Network Policy Properties ­ Overview Tab


From the Overview tab of the network policy’s Properties dialog box, or while running the
New Network Policy Wizard, you can configure the following settings:

• Policy name. Type a friendly and meaningful name for the network policy.

• Policy State. Designate whether to enable the policy.

• Access Permission. Designate whether the policy grants or denies access. Also, specify
whether NPS should ignore the dial­in properties of user accounts in AD DS when using
the policy to perform the connection attempt’s authorization.

• The network connection method to use for the connection request:

o Unspecified. If you select Unspecified, NPS evaluates the network policy for all
connection requests that originate from any type of network access server, and for any
connection method.

o Remote Desktop Gateway. If you specify Remote Desktop Gateway, NPS evaluates
the network policy for connection requests that originate from servers that are running
Remote Desktop Gateway.

o Remote Access Server (VPN­Dial­up). If you specify Remote Access Server (VPN­
Dial­up), NPS evaluates the network policy for connection requests that originate from a
computer that is running Routing and Remote Access service configured as a dial­up or
VPN server. If another dial­up or VPN server is used, the server must support both the
RADIUS protocol and the authentication protocols that NPS provides for dial­up and
VPN connections.

o DHCP Server. If you specify DHCP Server, NPS evaluates the network policy for
connection requests that originate from servers that are running DHCP.

o Health Registration Authority. If you specify Health Registration Authority, NPS
evaluates the network policy for connection requests that originate from servers that are
running Health Registration Authority.

o HCAP server. If you specify HCAP server, NPS evaluates the network policy for
connection requests that originate from servers that are running HCAP.

Network Policy Properties ­ Conditions Tab


You must configure at least one condition for every network policy. You do this on the
network policy’s Properties dialog box Conditions tab. From this tab, NPS provides many
condition groups, which allow you to define clearly the properties that the connection request
must have to match the policy.

The available condition groups from which you can select are:

• Groups. These specify user or computer groups that you configure in AD DS and to which
you want the other rules of the network policy to apply, when group members attempt to
connect to the network.

• Host Credential Authorization Protocol (HCAP). These conditions are used only when you
want to integrate your NPS NAP solution with Cisco Network Admission Control. To use
these conditions, you must deploy Cisco Network Admission Control and NAP. You also
must deploy a HCAP server that is running Internet Information Services (IIS) and NPS.

• Day and Time Restrictions. The Day and Time Restrictions condition allows you to
specify, at a weekly interval, whether to allow connections on a specific set of days and
times.

• NAP. Settings include Identity Type, MS-Service Class, NAP-Capable Computers,
Operating System, and Policy Expiration.

• Connection Properties. Settings include Access Client IPv4 Address, Access Client IPv6
Address, Authentication Type, Allowed EAP Types, Framed Protocol, Service Type, and
Tunnel Type.

• RADIUS Client Properties. Settings include Calling Station ID, Client Friendly Name,
Client IPv4 Address, Client IPv6 Address, Client Vendor, and MS RAS Vendor.

• Gateway. Settings include Called Station ID, NAS Identifier, NAS IPv4 Address, NAS
IPv6 Address, and NAS Port Type.

Network Policy Properties ­ Constraints Tab


Constraints are optional additional network policy parameters that differ from network policy
conditions in one substantial way: when a condition does not match a connection request,
NPS continues to evaluate other configured network policies to find a match for the
connection request. When a constraint does not match a connection request, NPS does not
evaluate additional network policies, but rejects the connection request and the user or
computer is denied network access.

The following list describes the constraints that you can configure on the network policy’s
Properties dialog box Constraints tab:

• Authentication Methods. Allows you to specify the authentication methods that are required
for the connection request to match the network policy.

• Idle Timeout. Allows you to specify the maximum time, in minutes, that the network access
server can remain idle before the connection disconnects.

• Session Timeout. Allows you to specify the maximum amount of time, in minutes, that a
user can be connected to the network.

• Called Station ID. Allows you to specify the telephone number of the dial­up server that
clients use to access the network.

• Day and time restrictions. Allows you to specify when users can connect to the network.

• NAS Port Type. Allows you to specify the access media types that are allowed for users to
connect to the network.

Network Policy Properties ­ Settings Tab


If all of the conditions and constraints that you configure in the policy match the connection
request's properties, then NPS applies to the connection the settings that you configure on the
network policy's Properties dialog box Settings tab. These settings include:

• RADIUS Attributes. This setting allows you to define additional RADIUS attributes that NPS
returns to the access server (the RADIUS client) in the Access-Accept message.

• NAP. This setting enables you to configure NAP–related settings, including whether
connecting clients are granted full network access, limited access, or are enabled for auto­
remediation.

• Routing and Remote Access. This setting allows you to configure multilink and bandwidth
allocation protocol settings, IP filters, encryption settings, and other IP settings for the
connections.
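
The difference between a condition and a constraint decides whether a non-matching policy is
skipped or the request is rejected, and the processing order decides which policy gets to make
that call. The following PowerShell is an added example, not part of the course module and not
NPS code: it models first-match evaluation over a constructed, hypothetical policy list so that
you can see why the two default policies (both of which deny) must be disabled or ordered after
the pilot policy, and why a constraint mismatch in the matching policy denies access even though
a later policy would have granted it.

```powershell
# Added example (not NPS code): a model of how NPS walks network policies.
# Policies are hypothetical hashtables in processing order; the attribute names
# are illustrative, not the NPS internal names.

function Test-AttributeMatch($RequestValue, $PolicyValue) {
    # An attribute matches when any value carried by the request (a user can be in
    # several Windows groups) appears in the policy's list of accepted values.
    foreach ($v in @($RequestValue)) {
        if (@($PolicyValue) -contains $v) { return $true }
    }
    return $false
}

function Test-NpsPolicyEvaluation {
    param(
        [Parameter(Mandatory)] [hashtable[]] $Policies,  # in processing order, as in the console
        [Parameter(Mandatory)] [hashtable]   $Request    # attributes of one connection request
    )
    foreach ($policy in $Policies) {
        if (-not $policy.Enabled) { continue }

        # Conditions: a mismatch means "not this policy"; NPS moves on to the next one.
        $allConditionsMatch = $true
        foreach ($cond in $policy.Conditions.GetEnumerator()) {
            if (-not (Test-AttributeMatch ($Request[$cond.Key]) $cond.Value)) {
                $allConditionsMatch = $false
                break
            }
        }
        if (-not $allConditionsMatch) { continue }

        # This policy is the match. Constraints are now mandatory: a mismatch rejects
        # the request outright, and no later policy is consulted.
        foreach ($constraint in $policy.Constraints.GetEnumerator()) {
            if (-not (Test-AttributeMatch ($Request[$constraint.Key]) $constraint.Value)) {
                return [pscustomobject]@{
                    Policy = $policy.Name; Result = 'Reject'
                    Reason = "constraint '$($constraint.Key)' not satisfied"
                }
            }
        }
        return [pscustomobject]@{ Policy = $policy.Name; Result = $policy.Permission; Reason = 'conditions and constraints matched' }
    }
    # Nothing matched: NPS rejects the request.
    return [pscustomobject]@{ Policy = $null; Result = 'Reject'; Reason = 'no matching policy' }
}

# Constructed policies. The first approximates the default "Connections to other access
# servers" policy: its only condition (day and time: always) matches every request and its
# permission is Deny. The second is the lab's pilot policy.
$policies = @(
    @{ Name = 'Connections to other access servers'; Enabled = $true; Permission = 'Deny'
       Conditions  = @{ Day = 'Mon','Tue','Wed','Thu','Fri','Sat','Sun' }
       Constraints = @{} }
    @{ Name = 'IT Pilot VPN Policy'; Enabled = $true; Permission = 'Grant'
       Conditions  = @{ WindowsGroups = 'ADATUM\IT'; NasPortType = 'Virtual (VPN)' }
       Constraints = @{ AuthenticationMethod = 'MS-CHAP v2'; Day = 'Mon','Tue','Wed','Thu','Fri' } }
)
$request = @{
    WindowsGroups = 'ADATUM\Domain Users', 'ADATUM\IT'
    NasPortType = 'Virtual (VPN)'; AuthenticationMethod = 'MS-CHAP v2'; Day = 'Wed'
}

Test-NpsPolicyEvaluation -Policies $policies -Request $request   # the catch-all deny policy matches first
$policies[0].Enabled = $false                                     # what step 2 of the demonstration does
Test-NpsPolicyEvaluation -Policies $policies -Request $request   # the pilot policy now decides
$request.AuthenticationMethod = 'PAP'
Test-NpsPolicyEvaluation -Policies $policies -Request $request   # constraint mismatch: rejected, not skipped
```

Two things the model leaves out that matter in production: the user account's Dial-in property
(Allow access or Deny access) overrides the policy's access permission unless it is set to Control
access through NPS Network Policy or the policy is set to ignore dial-in properties, and because
the first enabled policy whose conditions match is always the one applied, a broad condition on
an early Deny policy silently denies every request that a later policy was meant to grant.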

Demonstration: How to Create a Network Policy


This demonstration shows how to:

• Create a VPN policy based on Windows Group condition.

• Test the VPN.

Demonstration Steps

Create a VPN policy based on Windows Groups condition

1. On LON­RTR, switch to the Network Policy Server console.

2. Disable the two existing network policies. These would interfere with the processing of
the policy you are about to create.

3. Create a new Network Policy using the following properties:

o Policy name: Adatum VPN Policy

o Type of network access server: Remote Access Server(VPN­Dial up)

o Condition: Windows Groups = Domain Admins

o Permission: Access granted

o Authentication methods: default

o Constraints: default

o Settings: default

Test the VPN

1. Switch to LON­CL2.

2. Test the Adatum VPN connection. Use the following credentials:

o User name: Adatum\administrator

o Password: Pa$$w0rd

Lesson 4: Troubleshooting Routing and Remote Access

Troubleshooting the Routing and Remote Access Service can be a time­consuming task. The
issues might be varied and not easily identifiable. Given that you might be using dial­up,
dedicated, leased, or public­based networks to satisfy your remote connectivity solution, you
must perform troubleshooting in a methodical, systematic process.

In some cases, you can identify and resolve the problem quickly, while other cases might test
your understanding of all the available tools to help you determine the issue’s source and
resolve it in a timely fashion.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe how to configure remote access logging.

• Describe how to configure remote access tracing.

• Explain how to resolve general VPN connectivity problems.

• Explain how to troubleshoot other common remote access issues.

Configuring Remote Access Logging

To configure remote access logging, open the Routing and Remote Access console, right-click
the server name, and then click Properties. On the Logging tab, choose how much the service
writes to the System event log and whether the additional PPP debug log is written.

Initially, it might be best to specify more logging options than you might necessarily need,
rather than specifying too few options. Once you determine the logging level that is most
useful for troubleshooting your infrastructure, you can change the options and/or level of
logging at your discretion.

Four logging levels are available on the Logging tab, as described in the following table.

Dialog box option          Description

Log errors only            Only errors are logged to the System log in Event Viewer.

Log errors and warnings    Errors and warnings are logged to the System log in Event Viewer.

Log all events             The maximum amount of information is logged to the System log in
                           Event Viewer.

Do not log any events      No events are logged to the System log in Event Viewer.

The Log additional Routing and Remote Access information (used for debugging) check
box enables you to specify whether the events in the PPP connection­establishment process
are written to the PPP.LOG file. This log file is stored in the systemroot\Tracing folder (the
default location).

Configuring Remote Access Tracing

The Remote Access service in Windows Server 2012 has an extensive tracing capability that
you can use to troubleshoot complex network problems. You can enable the components in
Windows Server 2012 to log tracing information to files using the Netsh command, or
through the registry.

Enabling Tracing with the Netsh Command


You can use the Netsh command to enable and disable tracing for specified components or for
all components. To enable and disable tracing for a specific component, use the following
syntax:

netsh ras set tracing component enabled|disabled

Where component is a component in the list of Routing and Remote Access service
components found in the registry under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing. For example, to enable tracing
for the RASAUTH component, the command is as follows:

netsh ras set tracing rasauth enabled

To enable tracing for all components, use the following command:

netsh ras set tracing * enabled

Enabling Tracing through the Registry


You also can configure tracing by changing settings in the registry under the following path:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing

You can enable tracing for each Remote Access service component by setting the appropriate
registry values. You can enable and disable tracing for components while the Routing and
Remote Access service is running. Each component is capable of tracing, and appears as a
subkey under the preceding Registry key.

To enable tracing for a component, configure the following registry entries under that
component's subkey:

EnableFileTracing    REG_DWORD        Flag
    Set EnableFileTracing to 1 to log tracing information to a file. The default value is 0.

FileDirectory        REG_EXPAND_SZ    Path
    Sets the folder in which the tracing files are written. By default, log files are placed in
    the SystemRoot\Tracing folder. The log file's name is the name of the component for which
    tracing is enabled, with a .log extension.

FileTracingMask      REG_DWORD        LevelOfTracingInformationLogged
    Determines how much tracing information is logged to the file. The default value is
    0xFFFF0000.

MaxFileSize          REG_DWORD        SizeOfLogFile
    Sets the maximum size of the log file. The default value is 0x10000 (64 KB).

Note: Tracing consumes system resources, and you should use it sparingly to help
identify network problems. After you capture the trace or identify the problem, you
should disable tracing immediately. Do not leave tracing enabled on multiprocessor
computers.

Tracing information can be complex and detailed. Therefore, typically only Microsoft support
professionals or network administrators who are experienced with the Routing and Remote
Access service find this information useful.

You can save tracing information as files, and send it to Microsoft support for analysis.
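
As an added example (not from the course module), the following PowerShell writes the registry
values listed above to turn file tracing on for the components you name and off again, and lists
whatever is still enabled so that tracing is not left running after the capture. It assumes only
the key path and value names above; RASAUTH and PPP are the component names this page uses as
examples.

```powershell
# Added example (not part of the course module): toggle RRAS file tracing through the
# registry values described above. Run as Administrator on the RRAS server; component
# names are the subkeys of HKLM\SOFTWARE\Microsoft\Tracing.

$TracingRoot = 'HKLM:\SOFTWARE\Microsoft\Tracing'

function Set-RasComponentTracing {
    param(
        [Parameter(Mandatory)] [string[]] $Component,
        [switch] $Disable,
        [string] $Directory = '%SystemRoot%\Tracing',  # FileDirectory is REG_EXPAND_SZ, so leave the variable unexpanded
        [int]    $MaxFileSize = 0x100000                # 1 MB; the default of 0x10000 (64 KB) fills quickly on a busy server
    )
    foreach ($name in $Component) {
        $key = Join-Path $TracingRoot $name
        if (-not (Test-Path $key)) {
            Write-Warning "No tracing subkey named '$name'; list the exact names with Get-ChildItem $TracingRoot"
            continue
        }
        if ($Disable) {
            Set-ItemProperty -Path $key -Name EnableFileTracing -Value 0 -Type DWord
            continue
        }
        # FileTracingMask is left at its default (0xFFFF0000, all levels).
        Set-ItemProperty -Path $key -Name FileDirectory     -Value $Directory   -Type ExpandString
        Set-ItemProperty -Path $key -Name MaxFileSize       -Value $MaxFileSize -Type DWord
        Set-ItemProperty -Path $key -Name EnableFileTracing -Value 1            -Type DWord
    }
}

function Get-RasComponentTracing {
    # Lists every component with file tracing switched on and the log it writes to,
    # so that nothing is left enabled after the capture (see the note above).
    Get-ChildItem $TracingRoot | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        if (-not $p.EnableFileTracing) { return }
        $dir = if ($p.FileDirectory) { $p.FileDirectory } else { '%SystemRoot%\Tracing' }
        [pscustomobject]@{
            Component   = $_.PSChildName
            MaxFileSize = $p.MaxFileSize
            LogFile     = Join-Path ([Environment]::ExpandEnvironmentVariables($dir)) "$($_.PSChildName).LOG"
        }
    }
}

# Typical cycle: enable only the components involved, reproduce the failure, then disable.
Set-RasComponentTracing -Component RASAUTH, PPP
# ... reproduce the failing connection here ...
Get-RasComponentTracing
Set-RasComponentTracing -Component RASAUTH, PPP -Disable
```

The same values can be set with the netsh ras set tracing command shown earlier; the registry
route is useful when you want to change the log location or size limit, or to audit which
components are still tracing on a server you did not configure yourself.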

Resolving General VPN Problems

To resolve general problems with establishing a remote access VPN connection, perform the
following tasks:

• Use the ping command to verify that the host name is being resolved to its correct IP
address. The ping itself might not be successful due to packet filtering that is preventing the
delivery of Internet Control Message Protocol (ICMP) messages to and from the VPN
server.

• Verify that the credentials of the VPN client— which consist of user name, password, and
domain name—are correct and that the VPN server can validate them.

• Verify that the user account of the VPN client is not locked out, expired, or disabled, and
that the connection is being made within the account's configured logon hours. If the
password on the account has expired, verify that the remote access VPN client is using
MS-CHAP v2. MS-CHAP v2 is the only authentication protocol that Windows Server 2012
provides that allows the user to change an expired password during the connection
process.

• Reset expired administrator-level account passwords by using another administrator-level
account.

• Verify that the user account has not been locked out due to remote access account lockout.

• Verify that the Routing and Remote Access service is running on the VPN server.

• Verify that the VPN server is enabled for remote access from the VPN server Properties
dialog box General tab.

• Verify that the WAN Miniport (PPTP) and WAN Miniport (L2TP) devices are enabled for
inbound remote access from the properties of the Ports object in the Routing and Remote
Access snap-in.

• Verify that the VPN client, the VPN server, and the network policy that correspond to VPN
connections are configured to use at least one common authentication method.

• Verify that the VPN client and the network policy that correspond to VPN connections are
configured to use at least one common encryption strength.

• Verify that the connection’s parameters have permission through network policies.
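
The checklist above is what a practitioner works through by hand. The following PowerShell is
an added example rather than part of the course module; it scripts the parts that can be
automated: name resolution and TCP reachability from the client (ping is unreliable behind
filtering, so it connects to the ports the tunnel actually uses), the account-state checks from
a machine with the Active Directory module, and the service, port and remote-access-lockout
state on the RRAS server. The server name vpn.adatum.com and the user name april are
placeholders.

```powershell
# Added example (not from the course module): scripted versions of the checks above.
# Run the reachability function from the VPN client, the account function where the
# Active Directory module is installed, and the server function on the RRAS server.

function Test-VpnServerReachability {
    param(
        [Parameter(Mandatory)] [string] $VpnServer,
        [int[]] $TcpPorts = @(1723, 443),   # 1723 = PPTP control channel, 443 = SSTP
        [int]   $TimeoutMs = 3000
    )
    # Name resolution first: a stale or wrong record looks exactly like an unreachable server.
    try   { $resolved = ([System.Net.Dns]::GetHostAddresses($VpnServer) | ForEach-Object { $_.ToString() }) -join ', ' }
    catch { $resolved = "FAILED: $($_.Exception.Message)" }
    [pscustomobject]@{ Check = 'DNS'; Target = $VpnServer; Result = $resolved }

    # ICMP is often filtered, so probe the TCP ports the tunnel uses instead of relying on ping.
    # GRE (PPTP data), UDP 500/4500 and ESP (L2TP/IPsec) cannot be probed this way; a PPTP
    # session that authenticates and then drops points at GRE (see Error 721 below).
    foreach ($port in $TcpPorts) {
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $handle = $client.BeginConnect($VpnServer, $port, $null, $null)
            $state  = if ($handle.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected) { 'open' } else { 'filtered or closed' }
        } catch { $state = "error: $($_.Exception.Message)" }
        finally { $client.Close() }
        [pscustomobject]@{ Check = 'TCP'; Target = "${VpnServer}:$port"; Result = $state }
    }
}

function Test-VpnUserAccount {
    # Account-side causes: disabled, expired, locked out, expired password, logon hours, dial-in property.
    param([Parameter(Mandatory)] [string] $SamAccountName)
    Import-Module ActiveDirectory
    $u = Get-ADUser -Identity $SamAccountName -Properties Enabled, LockedOut, PasswordExpired, AccountExpirationDate, LogonHours, msNPAllowDialin
    [pscustomobject]@{
        User              = $u.SamAccountName
        Enabled           = $u.Enabled
        LockedOut         = $u.LockedOut
        PasswordExpired   = $u.PasswordExpired          # only MS-CHAP v2 can change it during the connection
        AccountExpired    = ($null -ne $u.AccountExpirationDate -and $u.AccountExpirationDate -lt (Get-Date))
        LogonHoursLimited = ($null -ne $u.LogonHours)   # a value means logon hours are restricted
        DialIn            = if ($null -eq $u.msNPAllowDialin) { 'Control access through NPS Network Policy' }
                            elseif ($u.msNPAllowDialin)     { 'Allow access' } else { 'Deny access' }
    }
}

function Test-VpnServerState {
    # Server-side causes: service stopped, ports disabled, remote access account lockout.
    [pscustomobject]@{ Check = 'RemoteAccess service'; Result = (Get-Service RemoteAccess).Status }
    netsh ras show authtype    # authentication methods the server accepts
    netsh ras show wanports    # WAN Miniport (PPTP/L2TP/SSTP) ports and whether inbound is enabled
    # Remote access account lockout keeps its state here; one subkey per "domain:user" is a locked account.
    $lockout = 'HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout'
    Get-ItemProperty -Path $lockout | Select-Object MaxDenials, ResetTime
    Get-ChildItem -Path $lockout | Select-Object @{ n = 'LockedAccount'; e = { $_.PSChildName } }
}

Test-VpnServerReachability -VpnServer 'vpn.adatum.com'
Test-VpnUserAccount -SamAccountName 'april'
```

Remote access account lockout is separate from the domain lockout policy: MaxDenials is 0
(disabled) by default, and a locked account is cleared either when ResetTime minutes pass or
when you delete its subkey under AccountLockout.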

Troubleshooting Other Issues

This topic lists other common issues that you might encounter when using Remote Access in
Windows Server 2012.

Error 800: VPN Server is Unreachable

• Cause: PPTP/L2TP/SSTP packets from the VPN client cannot reach the VPN server.

• Solution: Ensure that the appropriate ports are open on the firewall.

o PPTP. For PPTP traffic, configure the network firewall to open TCP port 1723, and to
forward IP protocol 47 (GRE) to the VPN server.

o L2TP/IPsec. For L2TP/IPsec traffic, configure the network firewall to allow UDP port 500
(IKE), UDP port 4500 (IPsec NAT-T, required whenever a NAT sits between the client and
the server), and IPsec ESP packets (IP protocol 50). The L2TP channel on UDP port 1701 is
carried inside the ESP payload, so it needs to be opened only on the host firewall of the
server that terminates IPsec, not on a perimeter firewall.

o SSTP. For SSTP, allow TCP port 443.

Error 721: Remote Computer is Not Responding

• Cause: This issue can occur if the network firewall does not permit GRE traffic (IP
protocol 47). PPTP uses GRE for tunneled data.

• Solution: Configure the network firewall between the VPN client and the server to permit
GRE. Additionally, make sure that the network firewall permits TCP traffic on port 1723.
Both of these conditions must be met to establish VPN connectivity by using PPTP.

Note: The firewall might be on or in front of the VPN client, or in front of the VPN
server.
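
As an added example that is not from the course module, the following PowerShell creates the
inbound Windows Firewall rules for each tunnel type from the port list above on a Windows
Server 2012 VPN server, using the NetSecurity cmdlets; the rule-name prefix is a placeholder.
Create only the rules for tunnel types you actually offer: every extra listener is reachable
from the Internet.

```powershell
# Added example (not from the course module): inbound host firewall rules on a
# Windows Server 2012 VPN server for each tunnel type, using the ports and protocols
# listed above. Rule names are placeholders.

function New-VpnInboundFirewallRule {
    param([string] $Prefix = 'VPN')
    $spec = @(
        @{ Name = "$Prefix PPTP control";     Protocol = 'TCP'; LocalPort = 1723 }
        @{ Name = "$Prefix PPTP GRE";         Protocol = 47 }                     # IP protocol 47 carries PPTP data; no port
        @{ Name = "$Prefix IKE";              Protocol = 'UDP'; LocalPort = 500 } # L2TP/IPsec key exchange
        @{ Name = "$Prefix IPsec NAT-T";      Protocol = 'UDP'; LocalPort = 4500 } # needed whenever a NAT is in the path
        @{ Name = "$Prefix IPsec ESP";        Protocol = 50 }                     # IP protocol 50, the encrypted L2TP payload
        @{ Name = "$Prefix L2TP (host only)"; Protocol = 'UDP'; LocalPort = 1701 } # seen only after IPsec decryption on this host
        @{ Name = "$Prefix SSTP";             Protocol = 'TCP'; LocalPort = 443 }
    )
    foreach ($r in $spec) {
        # Idempotent: skip rules that already exist.
        if (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue) { continue }
        $params = @{ DisplayName = $r.Name; Direction = 'Inbound'; Action = 'Allow'; Protocol = $r.Protocol }
        if ($r.ContainsKey('LocalPort')) { $params['LocalPort'] = $r.LocalPort }
        New-NetFirewallRule @params | Out-Null
    }
    # Show what is now in place, including the port filter attached to each rule.
    Get-NetFirewallRule -DisplayName "$Prefix *" | ForEach-Object {
        $filter = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{ Rule = $_.DisplayName; Enabled = $_.Enabled; Protocol = $filter.Protocol; LocalPort = $filter.LocalPort }
    }
}

New-VpnInboundFirewallRule -Prefix 'ADATUM VPN'
```

When RRAS is configured as a VPN server it enables its own predefined rules in the Routing
and Remote Access group (PPTP-In, GRE-In and L2TP-In), so on the server itself this script
mainly restores or documents them. On a perimeter firewall translate the same protocol and
port list, leaving UDP 1701 out because it travels inside ESP.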

Error 741/742: Encryption Mismatch Error

• Cause: These errors occur if the VPN client requests an invalid encryption level or if the
VPN server does not support an encryption type that the client requests.

• Solution: Check the properties on the Security tab of the VPN connection on the VPN
client. If Require data encryption (disconnect if none) is selected, clear the selection and
retry the connection to confirm that encryption negotiation is the cause, then select it again:
with the setting cleared, the client will accept an unencrypted PPP session on tunnel types
that rely on MPPE, such as PPTP. If you are using NPS, check the encryption level in the
network policy in the NPS console, or check the policies on other RADIUS servers. Ensure
that the encryption level that the VPN client requests is selected on the VPN server.

L2TP/IPsec Authentication Issues


The following list describes the most common reasons that L2TP/IPsec connections fail:

• No certificate. By default, L2TP/IPsec connections require that, for IPsec peer
authentication, an exchange of computer certificates occur between the Remote Access
server and the Remote Access client. Use the Certificates snap-in to check the Local
Computer certificate stores of both the Remote Access client and the Remote Access server
to ensure that a suitable certificate exists.

• Incorrect certificate. The VPN client must have a valid computer certificate installed, that
was issued by a CA that follows a valid certificate chain from the issuing CA to a root CA,
and that the VPN server trusts. Additionally, the VPN server must have a valid computer
certificate installed that was issued by a CA that follows a valid certificate chain from the
issuing CA to a root CA, and that the VPN client trusts.

• A NAT device exists between the remote access client and Remote Access server. If there
is a NAT between a Windows 2000 Server, Windows Server 2003, or Windows XP­based
L2TP/IPsec client and a Windows Server 2008 L2TP/IPsec server, you cannot establish an
L2TP/IPsec connection unless the client and server support IPsec NAT traversal (NAT­T).

• A firewall exists between the Remote Access client and the Remote Access server. If there
is a firewall between a Windows L2TP/IPsec client and a Windows Server 2012
L2TP/IPsec server, and if you cannot establish an L2TP/IPsec connection, verify that the
firewall allows forwarding of L2TP/IPsec traffic.

EAP­TLS Authentication Issues


When you use EAP­TLS for authentication, the VPN client submits a user certificate and the
authenticating server (the VPN server or the RADIUS server) submits a computer certificate.
To enable the authenticating server to validate the VPN client’s certificate, the following must
be true for each certificate in the certificate chain that the VPN client sends:

• The current date must be within the certificate’s validity dates. When certificates are
issued, they are issued with a range of valid dates, before which they cannot be used, and
after which they are considered expired.

• The certificate has not been revoked. Issued certificates can be revoked at any time. Each
issuing CA maintains a list of certificates that are no longer considered valid, and publishes
it as an up-to-date certificate revocation list (CRL). By default, the authenticating server
checks all certificates in the VPN client's certificate chain (the series of certificates from
the VPN client certificate to the root CA) for revocation. If any of the chain's certificates
have been revoked, certificate validation fails.

• The certificate has a valid digital signature. CAs digitally sign certificates that they issue.
The authenticating server verifies the digital signature of each certificate in the chain (with
the exception of the root CA certificate), by obtaining the public key from the certificate's
issuing CA and mathematically validating the digital signature.

For the VPN client to validate the authenticating server's certificate for EAP-TLS
authentication, the following must be true for each certificate in the certificate chain that
the authenticating server sends:

o The current date must be within the certificate’s validity dates.

o The certificate must have a valid digital signature.
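
The checks listed for EAP-TLS are the same ones that decide whether an L2TP/IPsec computer
certificate is "suitable" in the previous topic, so one added example covers both. The following
PowerShell, which is not part of the course module, builds the certificate chain with .NET's
X509Chain using online revocation checking of the whole chain and reports the validity-period,
revocation and signature/trust results separately, together with the Server Authentication and
Client Authentication EKUs that the peer certificates need. Only the standard store path and
EKU OIDs are assumed.

```powershell
# Added example (not from the course module): apply the three chain checks above to the
# certificates in the local computer's Personal store, where the L2TP/IPsec computer
# certificate and the EAP-TLS server certificate must live. Run on the VPN server, the
# NPS server or the client.

function Test-VpnPeerCertificate {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        [switch] $OfflineRevocation   # cached CRLs only, e.g. when the CRL distribution point is unreachable
    )
    process {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode    = if ($OfflineRevocation) { 'Offline' } else { 'Online' }
        $chain.ChainPolicy.RevocationFlag    = 'EntireChain'   # NPS checks every certificate in the chain
        $chain.ChainPolicy.VerificationFlags = 'NoFlag'
        $chainOk = $chain.Build($Certificate)
        # Each failed check shows up as a status flag on one or more chain elements.
        $flags = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $chain.Reset()

        $ekus = $Certificate.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } }
        $now = Get-Date

        [pscustomobject]@{
            Subject             = $Certificate.Subject
            Issuer              = $Certificate.Issuer
            Thumbprint          = $Certificate.Thumbprint
            HasPrivateKey       = $Certificate.HasPrivateKey   # a server certificate without it cannot be used
            WithinValidityDates = ($now -ge $Certificate.NotBefore -and $now -le $Certificate.NotAfter)
            NotRevoked          = ($flags -notmatch 'Revoked')
            RevocationChecked   = ($flags -notmatch 'RevocationStatusUnknown|OfflineRevocation')  # unknown status also fails EAP-TLS
            SignatureAndTrust   = ($flags -notmatch 'NotSignatureValid|UntrustedRoot|PartialChain')
            ServerAuthEku       = ($ekus -contains '1.3.6.1.5.5.7.3.1')
            ClientAuthEku       = ($ekus -contains '1.3.6.1.5.5.7.3.2')
            ChainValid          = $chainOk
            ChainStatus         = if ($flags) { $flags } else { 'OK' }
        }
    }
}

Get-ChildItem Cert:\LocalMachine\My | Test-VpnPeerCertificate | Format-List
```

A certificate that reports ChainValid as true but RevocationChecked as false is the case to
watch for: the CRL could not be fetched, and NPS treats that the same way as a revoked
certificate unless revocation checking has been relaxed on the server.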

Lab A: Configuring Remote Access

Scenario
A. Datum Corporation is a global engineering and manufacturing company with a head office
based in London, United Kingdom. An IT office and a data center are located in London to
support the London location and other locations. A. Datum has recently deployed a Windows
Server 2012 server and client infrastructure.

The management at A. Datum wants to implement a remote access solution for their
employees so that the users can connect to the corporate network while away from the office.
You decide to deploy a pilot project that will enable users in the IT department to connect
using a VPN to the corporate intranet.

Objectives
After completing this lab, you will be able to:

1. Configure a VPN server.

2. Configure VPN clients.

Lab Setup

Virtual machines    20411B-LON-DC1
                    20411B-LON-RTR
                    20411B-LON-CL2

User name           Administrator

Password            Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab,
you must complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click
Hyper­V Manager.

2. In Hyper­V® Manager, click 20411B­LON­DC1, and in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Sign in using the following credentials:

o User name: Adatum\Administrator

o Password: Pa$$w0rd

5. Perform steps 2 through 4 for 20411B­LON­RTR and 20411B­LON­CL2.

Exercise 1: Configuring a Virtual Private Network Server

Scenario

A. Datum Corporation wants to implement a Remote Access solution for its employees so
they can connect to the corporate network while away from the office. You are required to
enable and configure the necessary server services to facilitate this remote access. To support
the VPN solution, you need to configure a Network Policy that reflects corporate remote
connection policy. For the pilot, only the IT security group should be able to use VPN.
Required conditions include the need for a client certificate, and connection hours are only
allowed between Monday and Friday, at any time.

The main tasks for this exercise are as follows:

1. Configure server and client certificates.

2. Configure the Remote Access role.

3. Create a network policy for virtual private network (VPN) clients.

Task 1: Configure server and client certificates

1. Switch to LON­DC1.

2. Sign in as Adatum\Administrator with the password Pa$$w0rd.

3. Open Certification Authority.

4. From the Certificate Templates console, open the properties of the Computer certificate
template.

5. On the Security tab, grant the Authenticated Users group the Allow Enroll permission.

6. Restart the Certification Authority.

7. Close Certification Authority.

8. Open the Group Policy Management Console.

9. Navigate to Forest: Adatum.com\Domains\Adatum.com.

10. Edit the Default Domain Policy.

11. Navigate to Computer Configuration\Policies\Windows Settings\Security Settings
\Public Key Policies.

12. Create a new Automatic Certificate Request Settings for the Computer certificate
template.

13. Close the Group Policy Management Editor and the Group Policy Management Console.

14. Switch to the LON­RTR computer.

15. Create a management console by running mmc.exe.

16. Add the Certificates snap­in with the focus on the local computer account.

17. Navigate to the Personal certificate store, and Request New Certificate.

18. On the Select Certificate Enrollment Policy page, click Active Directory Enrollment
Policy, and then click Next.

19. Enroll the Computer certificate that is listed.

20. Close the console, and do not save the console settings.

21. Switch to the LON­CL2 computer, and sign in as Adatum\Administrator with the
password Pa$$w0rd.

22. Open a command prompt, and run the gpupdate /force command to refresh the group
policy settings.

23. Create a management console by running mmc.exe.

24. Add the Certificates snap­in with the focus on the local computer account.

25. Navigate to the Personal certificate store.

26. Verify that a certificate exists for LON­CL2 that has been issued by Adatum­LON­DC1­
CA.

27. Close the console, and do not save the console settings.

Task 2: Configure the Remote Access role

1. On LON­RTR, open Server Manager, and add the Network Policy and Access
Services role.

2. Close Server Manager.

3. Open the Network Policy Server console.

4. Register the server in AD DS.

5. Leave the Network Policy Server window open.

6. Open Routing and Remote Access.

7. Disable the existing configuration.

8. Reconfigure LON­RTR as a VPN Server with the following settings:

a. Local Area Connection 2 is the public interface

b. The VPN server allocates addresses from the pool: 172.16.0.100 ­ 172.16.0.111

c. The server is configured with the option No, use Routing and Remote Access to
authenticate connection requests.

9. Start the VPN service.

Task 3: Create a network policy for virtual private network (VPN) clients

1. On LON­RTR, switch to the Network Policy Server console.

2. Disable the two existing network policies. These would interfere with the processing of
the policy you are about to create.

3. Create a new Network Policy using the following properties:

a. Policy name: IT Pilot VPN Policy

b. Type of network access server: Remote Access Server (VPN­Dial up)

c. Condition: Windows Groups = IT

d. Permission: Access granted

e. Authentication methods: Microsoft Encrypted Authentication version 2 (MS-CHAP v2)

f. Constraints: Day and time restrictions = All day Monday to Friday allowed.

g. Settings: default

Results: After this exercise, you should have successfully deployed a VPN server, and
configured access for members of the IT global security group.

Exercise 2: Configuring VPN Clients

Scenario

You must now provide a simple client solution so that users can install a preconfigured L2TP­
based VPN connection, which enables them to connect to the corporate network.

The main tasks for this exercise are as follows:

1. Configure and distribute a Connection Manager Administration Kit profile.

2. Verify client access.

3. To prepare for the next lab.

Task 1: Configure and distribute a Connection Manager Administration Kit profile

1. Switch to LON­CL2.

2. From Control Panel, install the RAS Connection Manager Administration Kit
(CMAK) feature.

3. From Administrative Tools, open the Connection Manager Administration Kit.

4. Complete the Connection Manager Administration Kit Wizard using defaults except
where stated below:

a. Select the Target Operating System page: Windows Vista or above

b. Create or Modify a Connection Manager profile page: New profile

c. Specify the Service Name and the File Name page:

▪ Service name: Adatum Pilot VPN

▪ File name: Adatum

d. Specify a Realm Name page: Do not add a realm name to the user name

e. Add Support for VPN Connections page:

▪ Phone book from this profile: enabled

▪ VPN server name or IP address: 10.10.0.1

f. Create or Modify a VPN Entry page: Edit the listed VPN entry. On the Security
tab:

▪ VPN strategy: Only use Layer Two Tunneling Protocol (L2TP).

g. Add a Custom Phone Book page: Automatically download phone book updates
deselected.

5. Open Windows Explorer and navigate to C:\Program Files\CMAK\Profiles
\Windows Vista and above\Adatum.

6. Double­click Adatum.exe, and complete the Adatum Pilot VPN Wizard:

o Make this connection available for: All users

7. In the connection window, click Cancel.

Task 2: Verify client access

1. Sign out of LON­CL2.

2. Sign in as Adatum\April with the password of Pa$$w0rd.

3. Open Network Connections.

4. Test the Adatum Pilot VPN connection. Use the following credentials:

o User name: Adatum\April

o Password: Pa$$w0rd

To prepare for the next lab

• When you have finished the lab, revert all virtual machines to their initial state.

Results: After this exercise, you should have successfully distributed a CMAK profile, and
tested VPN access.

Lesson 5: Configuring DirectAccess

Organizations often rely on VPN connections to provide remote users with secure access to
data and resources on the corporate network. VPN connections are easy to configure and are
supported by different clients. However, VPN connections must first be initiated by the user,
and could require additional configuration on the corporate firewall. In addition, VPN
connections usually enable remote access to the entire corporate network. Moreover,
organizations cannot effectively manage remote computers unless they are connected. To
overcome such limitations in VPN connections, organizations can implement DirectAccess to
provide a seamless connection between the internal network and the remote computer on the
Internet. With DirectAccess, organizations can manage remote computers more effectively,
because they are effectively considered part of the corporate network.

Lesson Objectives
After completing this lesson, you will be able to:

• Discuss complexities of typical VPN connections.

• Describe DirectAccess.

• Describe the components required to implement DirectAccess.

• Explain how to use the Name Resolution Policy Table.

• Explain how DirectAccess works for internally connected clients.

• Explain how DirectAccess works for externally connected clients.

• List the DirectAccess prerequisites.

• Explain how to configure DirectAccess.

Complexities of Managing VPNs

Many organizations rely on VPN connections to provide their users with secure remote access
to resources on the internal corporate network. These VPN connections must often be
configured manually, which can present interoperability issues in situations when the users are
using multiple different VPN clients. Additionally, VPN connections can pose the following
problems:

• Users must initiate the VPN connections.

• The connections may require multiple steps to initiate, and the connection process can take
several seconds or more.

• Firewalls can pose additional considerations. If not properly configured on the firewall,
VPN connections may fail, or worse, may inadvertently enable remote access to the entire
corporate network.

• Troubleshooting failed VPN connections can often be a significant portion of Help Desk
calls for many organizations.

• VPN connected computers are not easily managed. VPN–based remote client computers
present a challenge to IT professionals, because these computers might not connect to the
internal network for weeks at a time, preventing them from downloading Group Policy
Objects (GPOs) and software updates.

Extending the Network to the Remotely-Connected Computers and Users

To overcome these limitations in traditional VPN connections, organizations can implement
DirectAccess to provide a seamless connection between the internal network and the remote
computer on the Internet. With DirectAccess, organizations can more easily manage remote
computers, because they are always connected.

What Is DirectAccess?

The DirectAccess feature in Windows Server 2012 enables seamless remote access to intranet
resources without first establishing a user­initiated VPN connection. The DirectAccess feature
also ensures seamless connectivity to the application infrastructure for internal users and
remote users.

Unlike traditional VPNs that require user intervention to initiate a connection to an intranet,
DirectAccess enables any IPv6­capable application on the client computer to have complete
access to intranet resources. DirectAccess also enables you to specify resources and client­
side applications that are restricted for remote access.

DirectAccess benefits organizations by giving IT staff a way to manage remote computers as
they would manage local computers. Using the same management and update servers, you can
ensure that remote computers are always up-to-date and in compliance with your security and
system health policies. You can also define more detailed access control policies for remote
access than you can in VPN solutions.

DirectAccess offers the following features:

• Connects automatically to the corporate intranet when connected to the Internet.

• Uses various protocols, including HTTPS, to establish IPv6 connectivity; HTTPS is typically
allowed through firewalls and proxy servers.

• Supports selected server access and end­to­end IPsec authentication with intranet network
servers.

• Supports end­to­end authentication and encryption with intranet network servers.

• Supports management of remote client computers.

• Allows remote users to connect directly to intranet servers.

DirectAccess also provides the following benefits:

• Always-on connectivity. Whenever the user connects the client computer to the Internet,
the client computer is also connected to the intranet. This connectivity enables remote
client computers to access and update applications more easily. It also makes intranet
resources always available, and enables users to connect to the corporate intranet from
anywhere and at any time, thereby improving their productivity and performance.

• Seamless connectivity. DirectAccess provides a consistent connectivity experience,
regardless of whether the client computer is local or remote. This allows users to focus
more on productivity and less on connectivity options and process. This consistency can
reduce training costs for users, with fewer support incidents.

• Bidirectional access. You can configure DirectAccess in a way that the DirectAccess
clients have access to intranet resources and you can also have access from the intranet to
those DirectAccess clients. Therefore, DirectAccess can be bidirectional. This ensures that
the client computers are always updated with recent security updates, the domain Group
Policy is enforced, and there is no difference whether the users are on the corporate intranet
or on the public network. This bidirectional access also results in:

o Decreased update time

o Increased security

o Decreased update miss rate

o Improved compliance monitoring

• Manage-out Support. The Manage-out Support feature is new in Windows Server 2012,
and it provides the ability to enable only remote management functionality in the
DirectAccess client. This new sub-option of the DirectAccess client configuration wizard
automates the deployment of policies that are used for managing the client computer.
Manage-out support does not implement any policy options that allow users to connect to
the network for file or application access. Manage-out support is unidirectional, and
provides incoming-only access for administration purposes only.

• Improved security. Unlike traditional VPNs, DirectAccess offers many levels of access
control to network resources. This tighter control allows security architects to precisely
control remote users who access specified resources. You can use a granular policy to
specifically define which user can use DirectAccess, and the location from which the user
can access it. IPsec encryption is used for protecting DirectAccess traffic so that users can
ensure that their communication is safe.

• Integrated solution. DirectAccess fully integrates with Server and Domain Isolation and
NAP solutions, resulting in the seamless integration of security, access, and health
requirement policies between the intranet and remote computers.

Components of DirectAccess

To deploy and configure DirectAccess, your organization must support the following
infrastructure components:

• DirectAccess server

• DirectAccess clients

• Network location server

• Internal resources

• AD DS domain

• Group Policy

• PKI (Optional for the internal network)

• Domain Name System (DNS) server

• NAP server

DirectAccess Server
The DirectAccess server can be any Windows Server 2012 server that you join to a domain,
and which accepts connections from DirectAccess clients and establishes communication with
intranet resources. This server provides authentication services for DirectAccess clients, and
acts as an IPsec tunnel mode endpoint for external traffic. The new Remote Access server role
allows centralized administration, configuration, and monitoring for both DirectAccess and
VPN connectivity.

Compared with the previous implementation in Windows Server 2008 R2, the new wizard-based
DirectAccess setup simplifies DirectAccess management for small and medium organizations.
The wizard does this by removing the need for a full PKI deployment and by removing the
requirement for two consecutive public IPv4 addresses on the physical adapter that is
connected to the Internet. In Windows Server 2012, the DirectAccess setup wizard detects the
actual implementation state of the DirectAccess server, and selects the best deployment
automatically. This hides the complexity of manually configuring IPv6 transition technologies
from the administrator.

DirectAccess Clients
DirectAccess clients can be any domain-joined computer that is running Windows 8
Enterprise, Windows 7 Enterprise, or Windows 7 Ultimate.

Note: With off-premise provisioning, you can join a Windows 8 Enterprise client
computer to a domain without connecting the client computer to your internal
premises.

The DirectAccess client computer connects to the DirectAccess server by using IPv6 and
IPsec. If a native IPv6 network is not available, the client establishes an IPv6-over-IPv4
tunnel by using 6to4 or Teredo. Note that the user does not have to be logged on to the
computer for this step to complete.

If a firewall or proxy server prevents the client computer that is using 6to4 or Teredo from
connecting to the DirectAccess server, the client computer automatically attempts to connect
by using the IP-HTTPS protocol, which uses an SSL connection to ensure connectivity. The
client has access to the Name Resolution Policy Table (NRPT) rules and Connection Security
tunnel rules.

Network Location Server
DirectAccess clients use the network location server (NLS) to determine their location. If the
client computer can connect to the NLS over HTTPS, it assumes that it is on the intranet and
disables the DirectAccess components. If the NLS cannot be contacted, the client assumes that
it is on the Internet. The NLS is installed with the Web Server role.

Note: The URL for the NLS is distributed by using a GPO.

Internal Resources
You can configure any IPv6-capable application that is running on internal servers or client
computers to be available for DirectAccess clients. For older applications and servers,
including those that are not based on Windows operating systems and have no IPv6 support,
Windows Server 2012 now includes a native protocol translation (NAT64) and name resolution
(DNS64) gateway that converts IPv6 communication from DirectAccess clients to IPv4 for the
internal servers.

Note: As in the past, this functionality can also be achieved with Microsoft
Forefront® Unified Access Gateway. Likewise, as in past versions, these translation
services do not support sessions initiated by internal devices, only requests originating
from IPv6 DirectAccess clients.

Active Directory Domain

You must deploy at least one Active Directory domain, running at a minimum Windows
Server 2003 domain functional level. Windows Server 2012 DirectAccess provides integrated
multiple domain support, which allows client computers from different domains to access
resources that may be located in different trusted domains.

Group Policy
Group Policy is required for the centralized administration and deployment of DirectAccess
settings. The DirectAccess Setup Wizard creates a set of GPOs, and settings for DirectAccess
clients, the DirectAccess server, and selected servers.

PKI
PKI deployment is optional for simplified configuration and management. DirectAccess in
Windows Server 2012 enables client authentication requests to be sent over an HTTPS-based
Kerberos proxy service that is running on the DirectAccess server. This eliminates the need
for establishing a second IPsec tunnel between clients and domain controllers. The Kerberos
proxy sends Kerberos requests to domain controllers on behalf of the client.

However, for a full DirectAccess configuration that allows NAP integration, two-factor
authentication, and force tunneling, you still need to implement certificates for authentication
for every client that will participate in DirectAccess communication.

DNS Server
When using ISATAP, you must use at least Windows Server 2008 R2, Windows Server 2008
Service Pack 2 (SP2) or newer, or a non-Microsoft DNS server that supports DNS message
exchanges over ISATAP.

NAP Servers
NAP is an optional component of the DirectAccess solution that allows you to provide
compliance checking and enforce security policy for DirectAccess clients over the Internet.
DirectAccess in Windows Server 2012 provides the ability to configure NAP health check
directly from the setup user interface, instead of manually editing the GPO as is required with
DirectAccess in Windows Server 2008 R2.

What Is the Name Resolution Policy Table?

To separate Internet traffic from intranet traffic in DirectAccess, both Windows Server 2012
and Windows 8 include the NRPT. NRPT is a feature that allows DNS servers to be defined
per DNS namespace, rather than per interface.

The NRPT stores a list of rules. Each rule defines a DNS namespace and configuration
settings that describe the DNS client’s behavior for that namespace.

When a DirectAccess client is on the Internet, each name query request is compared against
the namespace rules stored in the NRPT.

• If a match is found, the request is processed according to the settings in the NRPT rule.

• If a name query request does not match a namespace listed in the NRPT, the request is sent
to the DNS servers that are configured in the TCP/IP settings for the specified network
interface.

DNS settings are configured depending on the client location:

• For a remote client computer, the DNS servers are typically the Internet DNS servers that
are configured through the ISP.

• For a DirectAccess client on the intranet, the DNS servers are typically the intranet DNS
servers that are configured through DHCP.

Single-label names, for example, http://internal, typically have configured DNS search
suffixes appended to the name before they are checked against the NRPT.

If no DNS search suffixes are configured, and if the single-label name does not match any
other single-label name entry in the NRPT, the request is sent to the DNS servers that are
specified in the client’s TCP/IP settings.

Namespaces (for example, internal.adatum.com) are entered into the NRPT, followed by the
DNS servers to which requests matching that namespace should be directed. If an IP address
is entered for the DNS server, all DNS requests are sent directly to the DNS server over the
DirectAccess connection; you need not specify any additional security for such
configurations. However, if a name is specified for the DNS server (such as dns.adatum.com)
in the NRPT, the name must be publicly resolvable when the client queries the DNS servers
specified in its TCP/IP settings.

The NRPT allows DirectAccess clients to use intranet DNS servers for name resolution of
internal resources, and Internet DNS for name resolution of other resources. Dedicated DNS
servers are not required for name resolution. DirectAccess is designed to prevent the exposure
of your intranet namespace to the Internet.

Some names need to be treated differently with regards to name resolution; these names
should not be resolved by using intranet DNS servers. To ensure that these names are resolved
with the DNS servers specified in the client’s TCP/IP settings, you must add them as NRPT
exemptions.

NRPT is controlled through Group Policy. When the computer is configured to use NRPT, the
name resolution mechanism uses the following in order:

• The local name cache

• The hosts file

• NRPT

Then the name resolution mechanism finally sends the query to the DNS servers that are
specified in the TCP/IP settings.
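The resolution order just described, worked through as an added example in PowerShell (it is not part of the course material): the NRPT entries, hosts file entry, search suffix and DNS server addresses below are constructed, and the function only simulates the DNS client's decision. On a real client, the rules delivered by Group Policy are listed with Get-DnsClientNrptPolicy -Effective.

```powershell
# Constructed NRPT. A leading dot matches the whole namespace; an entry with no
# DNS servers is an exemption (resolve via the interface-configured servers).
$Nrpt = @(
    @{ Namespace = '.corp.adatum.com';    DnsServers = @('2001:db8:1::53') }  # intranet namespace
    @{ Namespace = 'nls.corp.adatum.com'; DnsServers = @() }                  # exemption: NLS FQDN
    @{ Namespace = '.adatum.com';         DnsServers = @() }                  # exemption: public zone
)
$SearchSuffixes = @('corp.adatum.com')                               # DNS suffix search list (constructed)
$InterfaceDns   = @('203.0.113.53')                                  # ISP resolver from TCP/IP settings (constructed)
$Hosts          = @{ 'build01.corp.adatum.com' = '2001:db8:1::10' }  # hosts file entry (constructed)

function Resolve-NrptTarget {
    param([Parameter(Mandatory)][string]$Name, [switch]$OnIntranet)

    # Order used by the resolver: local cache (not simulated), hosts file, NRPT,
    # then the DNS servers from the TCP/IP settings.
    if ($Hosts.ContainsKey($Name)) {
        return [pscustomobject]@{ Name = $Name; Servers = @(); Source = "hosts ($($Hosts[$Name]))" }
    }
    # On the intranet (NLS reachable) the client ignores every NRPT rule.
    if ($OnIntranet) {
        return [pscustomobject]@{ Name = $Name; Servers = $InterfaceDns; Source = 'interface DNS (NRPT ignored)' }
    }
    # Single-label names get the search suffixes appended before the NRPT check.
    $candidates = @($Name)
    if ($Name -notmatch '\.') {
        $candidates = @($SearchSuffixes | ForEach-Object { "$Name.$_" }) + @($Name)
    }
    foreach ($fqdn in $candidates) {
        # The most specific (longest) matching namespace wins.
        $rule = $Nrpt | Where-Object {
            ($_.Namespace.StartsWith('.') -and $fqdn.EndsWith($_.Namespace, 'OrdinalIgnoreCase')) -or
            ($fqdn -eq $_.Namespace)
        } | Sort-Object { $_.Namespace.Length } -Descending | Select-Object -First 1
        if ($rule) {
            if ($rule.DnsServers.Count -eq 0) {
                return [pscustomobject]@{ Name = $fqdn; Servers = $InterfaceDns; Source = "NRPT exemption ($($rule.Namespace))" }
            }
            return [pscustomobject]@{ Name = $fqdn; Servers = $rule.DnsServers; Source = "NRPT rule ($($rule.Namespace))" }
        }
    }
    # No rule matched: the query goes to the interface-configured DNS servers.
    return [pscustomobject]@{ Name = $Name; Servers = $InterfaceDns; Source = 'interface DNS (no NRPT match)' }
}

# The cases discussed in the text (client on the Internet unless stated).
Resolve-NrptTarget 'fileserver.corp.adatum.com'              # NRPT rule -> intranet DNS over DirectAccess
Resolve-NrptTarget 'nls.corp.adatum.com'                     # exemption -> ISP DNS, so the NLS is not found from outside
Resolve-NrptTarget 'internal'                                # suffix appended -> matches .corp.adatum.com
Resolve-NrptTarget 'www.adatum.com'                          # exemption -> ISP DNS
Resolve-NrptTarget 'www.contoso.com'                         # no match -> ISP DNS
Resolve-NrptTarget 'build01.corp.adatum.com'                 # hosts file wins before the NRPT is consulted
Resolve-NrptTarget 'fileserver.corp.adatum.com' -OnIntranet  # NRPT ignored on the intranet
```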

How DirectAccess Works for Internal Clients

An NLS is an internal network server that hosts an HTTPS-based URL. DirectAccess clients
try to access an NLS URL to determine whether they are located on the intranet or on a public
network. The DirectAccess server can also be the NLS. In organizations where DirectAccess
is a business-critical service, the NLS should be highly available. Generally, the web server on
the NLS does not have to be dedicated to supporting only DirectAccess clients.

It is critical that the NLS be available from each company location, because the behavior of
the DirectAccess client depends on the response from the NLS. Branch locations may require
a separate NLS at each branch location to ensure that the NLS remains accessible even when
there is a link failure between branches.

How DirectAccess Works for Internal Clients

The DirectAccess connection process happens automatically, without requiring user
intervention. DirectAccess clients use the following process to connect to intranet resources:

1. The DirectAccess client tries to resolve the Fully Qualified Domain Name (FQDN) of
the NLS URL. Because the FQDN of the NLS URL corresponds to an exemption rule in
the NRPT, the DirectAccess client instead sends the DNS query to a locally configured
(intranet-based) DNS server. The intranet-based DNS server resolves the name.

2. The DirectAccess client accesses the HTTPS­based URL of the NLS, during which
process it obtains the certificate of the NLS.

3. Based on the CRL distribution points field of the NLS certificate, the DirectAccess
client checks the CRL revocation files in the CRL distribution point to determine if the
NLS certificate has been revoked.

4. When the response carries HTTP status code 200, the DirectAccess client determines
that access to the NLS URL succeeded (the URL was reached, and the certificate passed
authentication and the revocation check). The DirectAccess client switches to the domain
firewall profile, ignores the DirectAccess policies, and assumes that it is on the internal
network until the next network change occurs.

5. The DirectAccess client computer attempts to locate and sign in to the AD DS domain
by using its computer account.

Because the client no longer references any DirectAccess rules in the NRPT for the rest
of the connected session, all DNS queries are sent through interface-configured
(intranet-based) DNS servers. With the combination of network location detection and
computer domain logon, the DirectAccess client configures itself for normal intranet
access.

6. Based on the computer’s successful logon to the domain, the DirectAccess client assigns
the domain (firewall network) profile to the attached network.

By design, the DirectAccess Connection Security tunnel rules are scoped for the public and
private firewall profiles, and they are disabled from the list of active connection security rules.

The DirectAccess client has successfully determined that it is connected to its intranet, and
does not use DirectAccess settings (NRPT rules or Connection Security tunnel rules). The
DirectAccess client can now access intranet resources normally. It can also access Internet
resources through normal means, such as a proxy server.

How DirectAccess Works for External Clients

When a DirectAccess client starts, it tries to reach the URL that is specified for the NLS,
and assumes that it is not connected to the intranet when it cannot communicate with the
NLS. Instead, the DirectAccess client starts to use the NRPT and connection security rules.
The NRPT has DirectAccess-based rules for name resolution, and connection security rules
define DirectAccess IPsec tunnels for communication with intranet resources.
Internet-connected DirectAccess clients use the following high-level steps to connect to
intranet resources:

• The DirectAccess client first attempts to access the NLS.

• Then, the client attempts to locate a domain controller.

• Finally, the client attempts to access intranet resources, and then Internet resources.

DirectAccess Client Attempts to Access the Network Location Server
The DirectAccess client attempts to access the NLS as follows:

1. The client tries to resolve the FQDN of the NLS URL. Because the FQDN of the NLS
URL corresponds to an exemption rule in the NRPT, the DirectAccess client does not
send the DNS query to a locally configured (Internet-based) DNS server. An external
Internet-based DNS server would not be able to resolve the name.

2. The DirectAccess client processes the name resolution request as defined in the
DirectAccess exemption rules in the NRPT.

3. Because the NLS is not found on the same network on which the DirectAccess client is
currently located, the DirectAccess client applies a public or private firewall network
profile to the attached network.

4. The Connection Security tunnel rules for DirectAccess, scoped for the public and private
profiles, provide the public or private firewall network profile.

The DirectAccess client uses a combination of NRPT rules and connection security rules to
locate and access intranet resources across the Internet through the DirectAccess server.

DirectAccess Client Attempts to Locate a Domain Controller

After determining its network location, the DirectAccess client attempts to locate and sign in
to a domain controller. This process creates an IPsec tunnel or infrastructure tunnel by using
the IPsec tunnel mode and ESP to the DirectAccess server. The process is as follows:

1. The DNS name for the domain controller matches the intranet namespace rule in the
NRPT, which specifies the IPv6 address of the intranet DNS server. The DNS client
service constructs the DNS name query that is addressed to the IPv6 address of the
intranet DNS server, and then forwards it to the DirectAccess client’s TCP/IP stack for
sending.

2. Before sending the packet, the TCP/IP stack checks to determine if there are Windows
Firewall outgoing rules or connection security rules for the packet.

3. Because the destination IPv6 address in the DNS name query matches a connection
security rule that corresponds with the infrastructure tunnel, the DirectAccess client uses
Authenticated IP (AuthIP) and IPsec to negotiate and authenticate an encrypted IPsec
tunnel to the DirectAccess server. The DirectAccess client (both the computer and the
user) authenticates itself with its installed computer certificate and its Microsoft
Windows NT® LAN Manager (NTLM) credentials, respectively.

Note: AuthIP enhances authentication in IPsec by adding support for user-based
authentication with Kerberos v5 or SSL certificates. AuthIP also supports
efficient protocol negotiation and usage of multiple sets of credentials for
authentication.

4. The DirectAccess client sends the DNS name query through the IPsec infrastructure
tunnel to the DirectAccess server.

5. The DirectAccess server forwards the DNS name query to the intranet DNS server. The
DNS name query response is sent back to the DirectAccess server, and then back
through the IPsec infrastructure tunnel to the DirectAccess client.

Subsequent domain logon traffic goes through the IPsec infrastructure tunnel. When the user
on the DirectAccess client logs on, the domain logon traffic goes through the IPsec
infrastructure tunnel.

DirectAccess Client Attempts to Access Intranet Resources

The first time that the DirectAccess client sends traffic to an intranet location that is not on the
list of destinations for the infrastructure tunnel (such as an internal website), the following
process occurs:

1. The application or process that attempts to communicate constructs a message or
payload, and then hands it off to the TCP/IP stack for sending.

2. Before sending the packet, the TCP/IP stack checks to determine if there are Windows
Firewall outgoing rules or connection security rules for the packet.

3. Because the destination IPv6 address matches the connection security rule that
corresponds with the intranet tunnel (which specifies the IPv6 address space of the entire
intranet), the DirectAccess client uses AuthIP and IPsec to negotiate and authenticate an
additional IPsec tunnel to the DirectAccess server. The DirectAccess client authenticates
itself with its installed computer certificate and the user account’s Kerberos credentials.

4. The DirectAccess client sends the packet through the intranet tunnel to the DirectAccess
server.

5. The DirectAccess server forwards the packet to the intranet resources. The response is
sent back to the DirectAccess server and back through the intranet tunnel to the
DirectAccess client.

Any subsequent intranet access traffic that does not match an intranet destination in the
infrastructure tunnel connection security rule goes through the intranet tunnel.

DirectAccess Client Attempts to Access Internet Resources

When the user or a process on the DirectAccess client attempts to access an Internet resource
(such as an Internet web server), the following process occurs:

1. The DNS client service passes the DNS name for the Internet resource through the
NRPT. There are no matches. The DNS client service constructs the DNS name query
that is addressed to the IP address of an interface­configured Internet DNS server, and
hands it off to the TCP/IP stack for sending.

2. Before sending the packet, the TCP/IP stack checks to determine if there are Windows
Firewall outgoing rules or connection security rules for the packet.

3. Because the destination IP address in the DNS name query does not match the
connection security rules for the tunnels to the DirectAccess server, the DirectAccess
client sends the DNS name query normally.

4. The Internet DNS server responds with the IP address of the Internet resource.

5. The user application or process constructs the first packet to send to the Internet
resource. Before sending the packet, the TCP/IP stack checks to determine if there are
Windows Firewall outgoing rules or connection security rules for the packet.

6. Because the destination IP address of the packet does not match the connection security
rules for the tunnels to the DirectAccess server, the DirectAccess client sends the packet
normally.

Any subsequent Internet resource traffic that does not match a destination in either the
infrastructure tunnel or the intranet tunnel connection security rules is sent and received
normally.

Like the connection process, accessing the domain controller and accessing intranet resources
are very similar processes, because both use the NRPT to locate the appropriate DNS server
for resolving name queries. The difference is the IPsec tunnel that is established between the
client and the DirectAccess server. When accessing the domain controller, all DNS queries are
sent through the IPsec infrastructure tunnel; when accessing intranet resources, a second
IPsec (intranet) tunnel is established.
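As an added example that is not part of the course, the following PowerShell function maps the stages above to checks you can run on a client: NLS reachability, the firewall profile assigned to the network, the NRPT delivered by Group Policy, the IPv6 transition technology state, and the IPsec main mode SAs that correspond to the infrastructure and intranet tunnels. It assumes Windows 8 or Windows Server 2012 with the DnsClient, NetTCPIP, NetworkTransition, NetSecurity and DirectAccessClientComponents modules; the NLS URL is a placeholder.

```powershell
function Test-DAClientState {
    param([string]$NlsUrl = 'https://nls.corp.adatum.com/')   # placeholder NLS URL (assumption)

    $state = [ordered]@{}

    # Location detection: an HTTP 200 from the NLS over a valid HTTPS session
    # means "intranet"; anything else (name not resolvable, no route, failed
    # certificate validation) means the client treats itself as on the Internet.
    try {
        $response = Invoke-WebRequest -Uri $NlsUrl -UseBasicParsing -TimeoutSec 5
        $state.NlsReachable = ($response.StatusCode -eq 200)
    } catch {
        $state.NlsReachable = $false
    }

    # Firewall profile assigned to the attached network: DomainAuthenticated on
    # the intranet, Public or Private when the NLS was not reachable.
    $state.NetworkCategory = @(Get-NetConnectionProfile |
        ForEach-Object { "$($_.InterfaceAlias)=$($_.NetworkCategory)" }) -join '; '

    # NRPT rules delivered by Group Policy. The client does not apply them while
    # it considers itself internal, so compare with NlsReachable.
    $state.NrptRules = @(Get-DnsClientNrptPolicy -Effective)

    # IPv6 transition technology state for an Internet-connected client
    # (Teredo, or IP-HTTPS when 6to4 and Teredo are blocked by a firewall/proxy).
    $state.Teredo  = Get-NetTeredoState
    $state.IPHttps = Get-NetIPHttpsState

    # IPsec main mode SAs: expect one for the infrastructure tunnel (computer
    # certificate + NTLM) and one for the intranet tunnel (computer certificate
    # + user Kerberos) once intranet resources have been accessed.
    $state.IPsecMainModeSAs = @(Get-NetIPsecMainModeSA)

    # Overall status reported by the DirectAccess client components (Windows 8).
    try   { $state.DAStatus = (Get-DAConnectionStatus).Status }
    catch { $state.DAStatus = 'unavailable' }

    [pscustomobject]$state
}

Test-DAClientState | Format-List
```

A client that reports NlsReachable = $false together with a Public or Private NetworkCategory but no main mode SAs has detected its location correctly and is failing at the tunnel stage, which points at the transition technology or the IPsec rules rather than at the NLS.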

Prerequisites for Implementing DirectAccess

Requirements for DirectAccess Server
To deploy DirectAccess, you need to ensure that your server meets the following hardware
and network requirements:

• The server must be joined to an AD DS domain.

• The server must have the Windows Server 2012 or Windows Server 2008 R2 operating
system installed.

• The Windows Server 2012 that will be installed as the DirectAccess server can have a
single network adapter installed, which is connected to the intranet and published over
Microsoft Forefront Threat Management Gateway (TMG) 2010 or Microsoft Forefront
Unified Access Gateway (UAG) 2010 for Internet connection. In the deployment scenario
where DirectAccess is installed on an Edge server, it needs to have two network adapters:
one that is connected to the internal network, and one that is connected to the external
network. An edge server is any server that resides on the edge between two or more
networks, typically a private network and Internet.

• Implementation of DirectAccess in Windows Server 2012 does not require two consecutive
static, public IPv4 addresses to be assigned to the network adapter.

• You can avoid the need for an additional public address by deploying Windows
Server 2012 DirectAccess behind a NAT device, with support for a single or multiple
interfaces. In this configuration, only IP over HTTPS (IP-HTTPS) is deployed, which
allows a secure IP tunnel to be established over a secure HTTP connection.

• On the DirectAccess server, you can install the Remote Access role to configure
DirectAccess settings for the DirectAccess server and clients, and to monitor the status of
the DirectAccess server. The Remote Access Wizard provides you with the option to
configure only DirectAccess, only VPN, or both scenarios on the same server that is
running Windows Server 2012. This was not possible in Windows Server 2008 R2
deployment of DirectAccess.

• For Load Balancing Support, Windows Server 2012 has the ability to use NLB (up to 8
nodes) to achieve high availability and scalability for both DirectAccess and RAS.

Requirements for DirectAccess Client
To deploy DirectAccess, you also need to ensure that the client computer meets certain
requirements:

• The client computer should be joined to an Active Directory domain.

• With the new Windows Server 2012 DirectAccess scenario, you can provision Windows 8
client computers offline for domain membership without requiring the computer to be on
premises.

• The client computer can be loaded with Windows 8 Enterprise, Windows 7 Enterprise,
Windows 7 Ultimate, Windows Server 2012, or Windows Server 2008 R2. You cannot
deploy DirectAccess on clients running Windows Vista, Windows Server 2008, or other
older versions of the Windows operating systems.

Infrastructure Requirements
The following are the infrastructure requirements to deploy DirectAccess:

• AD DS. You must deploy at least one Active Directory domain. Workgroups are not
supported.

• Group Policy. You need Group Policy for centralized administration and deployment of
DirectAccess client settings. The DirectAccess Setup Wizard creates a set of GPOs and
settings for DirectAccess clients, DirectAccess servers, and management servers.

• DNS and domain controller. You must have at least one domain controller and at least one
DNS server running Windows Server 2012, Windows Server 2008 SP2, or Windows
Server 2008 R2.

• PKI. If you have only Windows 8 client computers, you do not need a PKI. Windows 7
client computers require a more complex setup and therefore require a PKI.

• IPsec policies. DirectAccess utilizes IPsec policies that are configured and administered as
part of Windows Firewall with Advanced Security.

• ICMPv6 Echo Request traffic. You must create separate inbound and outbound rules that
allow ICMPv6 Echo Request messages. The inbound rule is required to allow ICMPv6
Echo Request messages, and must be scoped to all profiles. The outbound rule to allow
ICMPv6 Echo Request messages must be scoped to all profiles, and is only required if the
Outbound block is turned on. DirectAccess clients that use Teredo for IPv6 connectivity to
the intranet use the ICMPv6 message when establishing communication.

• IPv6 and transition technologies. IPv6 and the transition technologies must be available for
use on the DirectAccess server. For each DNS server that is running Windows Server 2008
or Windows Server 2008 R2, you need to remove the ISATAP name from the global query
block list.
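As an added example (not from the course), the following PowerShell applies three of the prerequisites listed above: the ICMPv6 Echo Request rules scoped to all profiles, a check that IPv6 has not been disabled on the server, and removal of ISATAP from the DNS global query block list. The rule names, the registry check and the DNS server name are assumptions.

```powershell
# 1. ICMPv6 Echo Request (ICMPv6 type 128), inbound and outbound, all profiles.
#    Teredo clients use these messages when establishing communication. To put
#    the rules into the DirectAccess client GPO rather than the local store,
#    add -PolicyStore '<domain FQDN>\<GPO name>' to each call.
New-NetFirewallRule -DisplayName 'DirectAccess ICMPv6 Echo Request (In)' `
    -Direction Inbound -Protocol ICMPv6 -IcmpType 128 -Action Allow -Profile Any
New-NetFirewallRule -DisplayName 'DirectAccess ICMPv6 Echo Request (Out)' `
    -Direction Outbound -Protocol ICMPv6 -IcmpType 128 -Action Allow -Profile Any

# 2. IPv6 must not be disabled. Re-enable the TCP/IPv6 binding on any adapter
#    where it is off, and flag a non-zero DisabledComponents value (which turns
#    off IPv6 components system-wide and needs a reboot after being reset to 0).
Get-NetAdapterBinding -ComponentID ms_tcpip6 |
    Where-Object { -not $_.Enabled } |
    ForEach-Object { Enable-NetAdapterBinding -Name $_.Name -ComponentID ms_tcpip6 }
$tcpip6 = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
$dc = Get-ItemProperty -Path $tcpip6 -Name DisabledComponents -ErrorAction SilentlyContinue
if ($dc -and $dc.DisabledComponents -ne 0) {
    Write-Warning ('DisabledComponents is 0x{0:X}; set it to 0 and reboot before deploying DirectAccess.' -f $dc.DisabledComponents)
}

# 3. On each DNS server running Windows Server 2008 or 2008 R2, remove 'isatap'
#    from the global query block list by setting the list to 'wpad' only, so the
#    ISATAP router name can be resolved. Run this on (or against) the DNS server.
$DnsServer = 'dns01.corp.adatum.com'   # placeholder
dnscmd $DnsServer /config /globalqueryblocklist wpad
```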

Configuring DirectAccess

To configure DirectAccess, perform the following steps:

1. Configure AD DS and DNS requirements:

o Create a security group in AD DS, and add all client computer accounts that will be
accessing the intranet through DirectAccess.

o Configure both internal and external DNS servers with appropriate host names and
IP addresses.

2. Configure the PKI environment:

o Add and configure the Certificate Authority server role, create the certificate
template and CRL distribution point, publish the CRL list, and distribute the
computer certificates. This is not needed if you launch the setup from the Getting
Started Wizard.

3. Configure the DirectAccess server:

o Install Windows Server 2012 on a server computer with one or two physical
network adapters (depending on the DirectAccess design scenario).

o Join the DirectAccess server to an Active Directory domain.

o Install the Remote Access role, and configure the DirectAccess server so that it is
one of the following:

▪ The DirectAccess server is on the perimeter network with one network
adapter that is connected to the perimeter network, and at least one other
network adapter that is connected to the intranet. In this deployment scenario,
the DirectAccess server is placed between a front-end firewall and a back-end
firewall.

▪ The DirectAccess server is published by using TMG, UAG, or other third-party
firewalls. In this deployment scenario, DirectAccess is placed behind a
front-end firewall and it has one network adapter connected to the internal
network.

▪ The DirectAccess server is installed on an edge server (typically the front-end
firewall) with one network adapter that is connected to the Internet, and at least one
other network adapter that is connected to the intranet.

An alternative design is that the DirectAccess server has only one network interface, not
two. For this design, perform the following steps:

o Verify that the ports and protocols that are needed for DirectAccess and ICMP
Echo Request are enabled in the firewall exceptions and opened on the perimeter
and Internet­facing firewalls.

o The DirectAccess server in a simplified implementation can use a single public IP
address in combination with Kerberos Proxy services for client authentication against
domain controllers. For two-factor authentication and integration with NAP, you need to
configure at least two consecutive public, static IPv4 addresses that are externally
resolvable through DNS. Ensure that you have an IPv4 address available, and that you have
the ability to publish that address in your externally-facing DNS server.

o If you have disabled IPv6 on clients and servers, you must re­enable IPv6, because
it is required for DirectAccess.

o Install a web server on the DirectAccess server to enable DirectAccess clients to
determine if they are inside or outside the intranet. You can install this web server
on a separate internal server for determining the network location.

o Based on the deployment scenario, you need to designate one of the server network
adapters as the Internet­facing interface (in deployment with two network
adapters), or publish the DirectAccess server that is deployed behind NAT, for
Internet access.

o On the DirectAccess server, ensure that the Internet-facing interface is configured
to be either a Public or a Private interface, depending on your network design.
Configure the intranet interfaces as domain interfaces. If you have more than two
interfaces, ensure that no more than two classification types are selected.

4. Configure the DirectAccess clients, and test intranet and Internet access:

o Verify that DirectAccess group policy has been applied, and certificates have been
distributed to client computers.

o Test whether you can connect to the DirectAccess server from an intranet.

o Test whether you can connect to the DirectAccess server from the Internet.

Lab B: Configuring DirectAccess

Scenario
Because A. Datum Corporation has expanded, many of the employees are now frequently out
of the office, either working from home or traveling. A. Datum wants to implement a remote
access solution for its employees so they can connect to the corporate network while they are
away from the office. Although the VPN solution that you implemented provides a high level
of security, business management is concerned about the complexity of the environment for
end users. In addition, IT management is concerned that they are not able to manage the
remote clients effectively. To address these issues, A. Datum has decided to implement
DirectAccess on client computers that are running Windows 8.

As a senior network administrator, you are required to deploy and validate the DirectAccess
deployment. You will configure the DirectAccess environment, and validate that the client
computers can connect to the internal network when operating remotely.


Objectives
After completing this lab, you will be able to:

• Configure the server infrastructure to deploy DirectAccess.

• Configure the DirectAccess clients.

• Validate the DirectAccess implementation.

Lab Setup

Virtual machines    20411B-LON-DC1
                    20411B-LON-SVR1
                    20411B-LON-RTR
                    20411B-LON-CL1

User Name           Administrator

Password            Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab,
you must complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click
Hyper­V Manager.

2. In Hyper­V® Manager, click 20411B­LON­DC1, and in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Sign in using the following credentials:

o User name: Adatum\Administrator

o Password: Pa$$w0rd

5. Perform steps 2 through 4 for 20411B­LON­SVR1 and 20411B­LON­RTR.


6. Do not start 20411B­LON­CL1 until directed to do so.

Exercise 1: Configuring the DirectAccess Infrastructure

Scenario

You decided to implement DirectAccess as a solution for remote client computers that are not
able to connect through VPN. In addition, you want to address management problems, such as
GPO application for remote client computers. For this purpose, you will configure the
prerequisite components of DirectAccess, and configure the DirectAccess server.

The main tasks for this exercise are as follows:

1. Configure Active Directory Domain Services (AD DS) and Domain Name System
(DNS).

2. Configure certificates.

3. Configure internal resources.

4. Configure the DirectAccess server.

Task 1: Configure Active Directory Domain Services (AD DS) and Domain Name
System (DNS)

1. Create a security group for DirectAccess client computers by performing the following
steps:

a. Switch to LON­DC1.

b. Open the Active Directory Users and Computers console, and create an
Organizational Unit (OU) named DA_Clients OU.

c. Within that OU, create a Global Security group named DA_Clients.

d. Modify the membership of the DA_Clients group to include LON­CL1.


e. Close Active Directory Users and Computers.

2. Configure firewall rules for ICMPv6 traffic by performing the following steps:

a. Open the Group Policy Management Console, and then open Default Domain
Policy.

b. In the Group Policy Management Editor, navigate to Computer Configuration
\Policies\Windows Settings\Security Settings\Windows Firewall with
Advanced Security\Windows Firewall with Advanced Security.

c. Create a new inbound rule with the following settings:

▪ Rule Type: Custom

▪ Protocol type: ICMPv6

▪ Specific ICMP types: Echo Request

▪ Name: Inbound ICMPv6 Echo Requests

d. Create a new outbound rule with the following settings:

▪ Rule Type: Custom

▪ Protocol type: ICMPv6

▪ Specific ICMP types: Echo Request

▪ Action: Allow the connection

▪ Name: Outbound ICMPv6 Echo Requests

e. Close both the Group Policy Management Editor and the Group Policy
Management Console.

3. Create required DNS records by performing the following steps:

a. Open the DNS Manager console, and then create new host records with the
following settings:

▪ Name: nls


▪ IP Address: 172.16.0.21

▪ Name: crl

▪ IP Address: 172.16.0.1

b. Close the DNS Manager console.

4. Remove ISATAP from the DNS global query block list by performing the following
steps:

a. Open a command prompt window, type the following command, and then press
Enter:

dnscmd /config /globalqueryblocklist wpad

b. Ensure that the Command completed successfully message displays.

c. Close the command prompt window.

5. Switch to LON­RTR and configure the DNS suffix by performing the following steps:

a. In the Local Area Connection Properties dialog box, in the Internet Protocol
Version 4 (TCP/IPv4) dialog box, add the Adatum.com DNS suffix.

b. Close the Local Area Connection Properties dialog box.

6. Configure the Local Area Connection 2 properties as follows:

a. Change the Local Area Connection 2\Internet Protocol Version 4 (TCP/IPv4)
configuration using the following configuration settings:

▪ IP address: 131.107.0.2

▪ Subnet mask: 255.255.0.0
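The AD DS, DNS and firewall prerequisites listed in steps 1 and 3 of the Configuring DirectAccess procedure, and in Task 1 of this exercise, can be applied from PowerShell instead of the consoles. The following script is an added example, not part of the course or the lab; it is written for LON-DC1 (Windows Server 2012, with the ActiveDirectory, DnsServer, NetSecurity and NetAdapter modules) and uses the lab's own values (the DA_Clients OU and group, the nls and crl host records, the Default Domain Policy). The `PolicyStore` syntax `<domain>\<GPO display name>` writes the firewall rules directly into the GPO, the same place the lab's GPMC steps put them.

```powershell
# Added example (not from the course or the lab): PowerShell equivalent of the AD DS,
# DNS, and ICMPv6 firewall prerequisites for DirectAccess, run on LON-DC1.
# Values (OU, group, host records, GPO name) are the ones used in Lab B.
Import-Module ActiveDirectory, DnsServer, NetSecurity, NetAdapter

$DomainDn   = 'DC=Adatum,DC=com'
$OuName     = 'DA_Clients OU'
$GroupName  = 'DA_Clients'
$ClientName = 'LON-CL1'
$ZoneName   = 'Adatum.com'
$GpoStore   = 'Adatum.com\Default Domain Policy'   # <domain>\<GPO display name>

# 1. Security group that scopes which computers receive the DirectAccess client GPO.
function New-DAClientGroup {
    $ouPath = "OU=$OuName,$DomainDn"
    if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" -SearchBase $DomainDn)) {
        New-ADOrganizationalUnit -Name $OuName -Path $DomainDn
    }
    if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
        New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $ouPath
    }
    Add-ADGroupMember -Identity $GroupName -Members (Get-ADComputer -Identity $ClientName)
    Get-ADGroupMember -Identity $GroupName | Select-Object -ExpandProperty Name
}

# 2. Host records for the network location server and the CRL distribution point.
function Add-DARecords {
    $records = @{ 'nls' = '172.16.0.21'; 'crl' = '172.16.0.1' }
    foreach ($name in $records.Keys) {
        if (-not (Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $name -RRType A -ErrorAction SilentlyContinue)) {
            Add-DnsServerResourceRecordA -ZoneName $ZoneName -Name $name -IPv4Address $records[$name]
        }
    }
    Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType A | Where-Object { $_.HostName -in $records.Keys }
}

# 3. Remove ISATAP from the global query block list. The default list is "wpad" and
#    "isatap"; setting it to "wpad" alone is exactly what
#    "dnscmd /config /globalqueryblocklist wpad" does.
function Enable-IsatapResolution {
    if ((Get-DnsServerGlobalQueryBlockList).List -contains 'isatap') {
        Set-DnsServerGlobalQueryBlockList -List 'wpad'
    }
    (Get-DnsServerGlobalQueryBlockList).List   # should no longer include isatap
}

# 4. ICMPv6 Echo Request (type 128) rules in the Default Domain Policy, both directions.
#    DirectAccess transition technologies (Teredo in particular) rely on ICMPv6 echo.
function Add-DAIcmpv6Rules {
    $rules = @(
        @{ DisplayName = 'Inbound ICMPv6 Echo Requests';  Direction = 'Inbound'  },
        @{ DisplayName = 'Outbound ICMPv6 Echo Requests'; Direction = 'Outbound' }
    )
    foreach ($r in $rules) {
        if (-not (Get-NetFirewallRule -PolicyStore $GpoStore -DisplayName $r.DisplayName -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -PolicyStore $GpoStore -DisplayName $r.DisplayName `
                -Direction $r.Direction -Protocol ICMPv6 -IcmpType 128 -Action Allow
        }
    }
    Get-NetFirewallRule -PolicyStore $GpoStore -DisplayName '*ICMPv6 Echo*' |
        Select-Object DisplayName, Direction, Action
}

# 5. IPv6 must stay bound on every adapter of this machine; DirectAccess requires it.
#    Returns $true when no adapter has IPv6 unbound.
function Test-IPv6Binding {
    $disabled = Get-NetAdapterBinding -ComponentID ms_tcpip6 | Where-Object { -not $_.Enabled }
    if ($disabled) { Write-Warning ("IPv6 is unbound on: " + ($disabled.Name -join ', ')) }
    return (-not $disabled)
}

New-DAClientGroup
Add-DARecords
Enable-IsatapResolution
Add-DAIcmpv6Rules
Test-IPv6Binding
```

Each function is idempotent, so the script can be rerun safely after a partial failure; `Test-IPv6Binding` only inspects the computer it runs on, so run it (or the equivalent check) on the DirectAccess server and clients as well.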

Task 2: Configure certificates

1. Configure the CRL distribution settings by performing the following steps:



a. Switch to LON­DC1, and open the Certification Authority console.

b. Configure the Adatum-LON-DC1-CA certification authority with the following
extension settings:

▪ Add Location: http://crl.adatum.com/crld/

▪ Variable: CAName, CRLNameSuffix, DeltaCRLAllowed

▪ Location: .crl

▪ Select the following:

▪ Include in CRLs. Clients use this to find Delta CRL locations

▪ Include in the CDP extension of issued certificates

▪ Do not restart Certificate Services.

▪ Add Location: \\LON­RTR\crldist$\

▪ Variable: CaName, CRLNameSuffix, DeltaCRLAllowed

▪ Location: .crl

▪ Select the following:

▪ Include in CRLs. Clients use this to find Delta CRL locations

▪ Include in the CDP extension of issued certificates

c. Restart Certificate Services.

d. Close the Certificate Authority console.

2. Duplicate the web certificate template and configure appropriate permissions by
performing the following steps:

a. In the Certificate Templates console, in the contents pane, duplicate the Web
Server template by using the following options:

▪ Template display name: Adatum Web Server Certificate


▪ Request Handling: Allow private key to be exported

▪ Authenticated Users permissions: under Allow, click Enroll

b. Close the Certificate Templates console.

c. In the Certification Authority console, choose to issue a New Certificate Template
and select the Adatum Web Server Certificate template.

d. Restart the Certification Authority.

e. Close the Certification Authority console.

3. Configure computer certificate auto­enrollment by performing the following steps:

a. On LON­DC1, open the Group Policy Management Console.

b. In the Group Policy Management Console, navigate to Forest: Adatum.com
\Domains\Adatum.com.

c. Edit the Default Domain Policy.

d. In the Group Policy Management Editor, navigate to Computer Configuration
\Policies\Windows Settings\Security Settings\Public Key Policies.

e. Under Automatic Certificate Request Settings, configure Automatic Certificate
Request to issue the Computer certificate.

f. Close both the Group Policy Management Editor and the Group Policy
Management Console.

Task 3: Configure internal resources

1. Request a certificate for LON­SVR1 by performing the following steps:

a. On LON­SVR1, open a command prompt, type the following command, and then
press Enter:

gpupdate /force

b. At the command prompt, type the following command, and then press Enter:

mmc

2. Add the Certificates snap­in for Local computer.

3. In the console tree of the Certificates snap-in, navigate to Certificates (Local
Computer)\Personal\Certificates, and request a new certificate.

4. Under Request Certificates, select Adatum Web Server Certificate with the
following setting:

o Subject name: Under Common name, type nls.adatum.com

5. In the details pane of the Certificates snap­in, verify that a new certificate with the name
nls.adatum.com was enrolled with Intended Purposes of Server Authentication.

6. Close the console window. When you are prompted to save settings, click No.

7. To change the HTTPS bindings, perform the following steps:

a. Open Internet Information Services (IIS) Manager.

b. In the Internet Information Services (IIS) Manager console, navigate to and click
Default Web site.

c. Configure Site Bindings by selecting nls.adatum.com for SSL Certificate.

d. Close the Internet Information Services (IIS) Manager console.

Task 4: Configure the DirectAccess server

1. Obtain required certificates for LON­RTR by performing the following steps:

a. Switch to LON­RTR.


b. Open a command prompt, and refresh group policy by typing the following
command:

gpupdate /force

c. Open the Microsoft Management Console by typing mmc at a command prompt.

d. Add the Certificates snap­in for Local computer.

e. In the Certificates snap-in, in the Microsoft Management Console, request a new
certificate with the following settings:

▪ Certificate template: Adatum Web Server Certificate

▪ Common name: 131.107.0.2

▪ Friendly name: IP­HTTPS Certificate

f. Close the Microsoft Management Console.

2. Create CRL distribution point on LON­RTR by performing the following steps:

a. Switch to Server Manager.

b. In Internet Information Services (IIS) Manager, create new virtual directory named
CRLD, and assign c:\crldist as a home directory.

c. Enable directory browsing and the allow double escaping feature.

3. Share and secure the CRL distribution point by performing the following step:

Note: You perform this step to assign permissions to the CRL distribution point.

o In the details pane of Windows Explorer, right­click the CRLDist folder, click
Properties, and then grant Full Control Share and NTFS permissions.

4. Publish the CRL to LON­RTR by performing the following steps:


Note: This step makes the CRL available on the edge server for Internet­based
DirectAccess clients.

a. Switch to LON­DC1.

b. Start the Certification Authority console.

c. In the console tree, open Adatum-LON-DC1-CA, right-click Revoked Certificates,
point to All Tasks, and then click Publish.

5. Complete the DirectAccess Setup Wizard on LON-RTR by performing the following
steps:

a. On LON­RTR, open Server Manager.

b. In Server Manager, in Tools, select Routing and Remote Access.

c. In Routing and Remote Access, disable the existing configuration, and close the
console.

d. In the Server Manager console, start the Remote Management console, click
Configuration, and start the Enable DirectAccess Wizard.

Note: If you get an error at this point, restart LON-RTR, sign in as
Adatum\administrator, and then restart from step c.

e. Complete the wizard with following settings:

▪ Network Topology: Edge is selected


▪ 131.107.0.2 is used by clients to connect to the Remote Access server.

f. In the Remote Access Management console, under Step 1, click Edit.

g. Add the DA_Clients group.

h. Clear the Enable DirectAccess for mobile computers only check box.

i. Remove the Domain Computers group.

j. In the Remote Access Management console details pane, under Step 2, click Edit.

k. On the Network Topology page, verify that Edge is selected, and type 131.107.0.2.

l. On the Network Adapters page, verify that CN=131.107.0.2 is used as the certificate to
authenticate the IP-HTTPS connection.

m. On the Authentication page, click Use computer certificates, click Browse, and then
click Adatum Lon­Dc1 CA.

n. On the VPN Configuration page, click Finish.

o. In the details pane of the Remote Access Management console, under Step 3, click Edit.

p. On the Network Location Server page, click The network location server is deployed
on a remote web server (recommended), and in the URL of the NLS, type
https://nls.adatum.com, and then click Validate.

q. Ensure that URL is validated.

r. On the DNS page, examine the values, and then click Next.

s. In the DNS Suffix Search List, click Next.

t. On the Management page, click Finish.

u. In the Remote Access Management console details pane, review the setting for Step 4.

v. In Remote Access Review, click Apply.


w. Under Applying Remote Access Setup Wizard Settings, click Close.

6. Update Group Policy settings on LON­RTR by performing the following step:

o Open the command prompt, and type the following commands, pressing Enter after
each line:

gpupdate /force
ipconfig

Note: Verify that LON-RTR has an IPv6 address for Tunnel adapter IPHTTPSInterface
starting with 2002.

Results: After completing this exercise, you will have configured the DirectAccess
infrastructure.
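Steps 2, 3 and 5 of Task 4 (the CRL distribution point on LON-RTR and the Enable DirectAccess Wizard) have PowerShell equivalents in the WebAdministration, SmbShare and RemoteAccess modules on Windows Server 2012. The script below is an added example, not part of the course or the lab. It assumes the lab's names (Default Web Site, C:\crldist, crldist$, 131.107.0.2, https://nls.adatum.com, the Adatum-LON-DC1-CA root certificate already in the server's Trusted Root store, and interface names Local Area Connection and Local Area Connection 2); the principal that is granted write access to the share (Adatum\LON-DC1$, the CA's computer account) is my choice, since the lab does not say whom it grants Full Control to. RemoteAccess cmdlet parameter names are given as I recall them from that module; confirm them with Get-Help before use.

```powershell
# Added example (not from the course or the lab): PowerShell equivalent of Exercise 1
# Task 4 steps 2, 3 and 5 on LON-RTR. Requires the Web Server (IIS) and Remote Access
# roles (Windows Server 2012).
Import-Module WebAdministration, SmbShare, RemoteAccess

$CrlPath     = 'C:\crldist'
$CrlShare    = 'crldist$'
$CaAccount   = 'Adatum\LON-DC1$'     # assumption: the CA publishes as its computer account
$Site        = 'Default Web Site'
$InternalNic = 'Local Area Connection'
$InternetNic = 'Local Area Connection 2'
$PublicIp    = '131.107.0.2'
$NlsUrl      = 'https://nls.adatum.com'
$CaSubject   = 'CN=Adatum-LON-DC1-CA*'

# Step 2. HTTP CRL distribution point: virtual directory CRLD, directory browsing on,
# allowDoubleEscaping on (delta CRL file names contain "+", which request filtering
# would otherwise reject).
function New-CrlDistributionPoint {
    if (-not (Test-Path $CrlPath)) { New-Item -Path $CrlPath -ItemType Directory | Out-Null }
    if (-not (Get-WebVirtualDirectory -Site $Site -Name 'CRLD')) {
        New-WebVirtualDirectory -Site $Site -Name 'CRLD' -PhysicalPath $CrlPath | Out-Null
    }
    $vdir = "IIS:\Sites\$Site\CRLD"
    Set-WebConfigurationProperty -PSPath $vdir -Filter 'system.webServer/directoryBrowse' `
        -Name 'enabled' -Value $true
    Set-WebConfigurationProperty -PSPath $vdir -Filter 'system.webServer/security/requestFiltering' `
        -Name 'allowDoubleEscaping' -Value $true
    Get-WebVirtualDirectory -Site $Site -Name 'CRLD'
}

# Step 3. Share the folder for the CA's UNC publishing path (\\LON-RTR\crldist$\).
# The lab grants Full Control; here only the CA's computer account gets write access,
# because it is the only principal that writes here. Everyone else reads over HTTP.
function Protect-CrlShare {
    if (-not (Get-SmbShare -Name $CrlShare -ErrorAction SilentlyContinue)) {
        New-SmbShare -Name $CrlShare -Path $CrlPath -FullAccess $CaAccount | Out-Null
    }
    $acl  = Get-Acl -Path $CrlPath
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $CaAccount, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $CrlPath -AclObject $acl
    Get-SmbShareAccess -Name $CrlShare
}

# Step 5. Enable DirectAccess with the same choices as the wizard: Edge topology with
# one public address, the NLS on a remote web server, the DA_Clients group instead of
# Domain Computers, non-mobile computers included, and computer-certificate
# authentication with the Adatum CA as the IPsec root.
function Enable-AdatumDirectAccess {
    Install-RemoteAccess -DAInstallType FullInstall -ConnectToAddress $PublicIp `
        -InternalInterface $InternalNic -InternetInterface $InternetNic `
        -NlsUrl $NlsUrl -PassThru | Out-Null
    Add-DAClient    -SecurityGroupNameList 'Adatum\DA_Clients'
    Remove-DAClient -SecurityGroupNameList 'Adatum\Domain Computers'
    Set-DAClient    -OnlyRemoteComputers Disabled
    $caCert = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like $CaSubject } | Select-Object -First 1
    if (-not $caCert) { throw "Root certificate matching $CaSubject not found" }
    Set-DAServer -IPsecRootCertificate $caCert
    Get-DAServer | Format-List
}

New-CrlDistributionPoint
Protect-CrlShare
Enable-AdatumDirectAccess
```

Run it after the existing Routing and Remote Access configuration has been disabled (step 5c); `Install-RemoteAccess` refuses to configure a server that still has a legacy RRAS configuration. `Get-DAServer` at the end shows the effective settings, which should match what the wizard's Step 2 summary shows in the console.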

Exercise 2: Configuring the DirectAccess Clients

Scenario

After you configured the DirectAccess server and the required infrastructure, you must
configure DirectAccess clients. You decide to use Group Policy to apply DirectAccess
settings to the clients and for certificate distribution.

The main tasks for this exercise are as follows:


1. Configure DirectAccess Group Policy settings.

2. Verify client computer certificate distribution.

3. Verify internal connectivity to resources.

Task 1: Configure DirectAccess Group Policy settings

1. Start LON-CL1, and then sign in as Adatum\Administrator with the password of
Pa$$w0rd. Open a command prompt window, and then type the following commands,
pressing Enter at the end of each line:

gpupdate /force
gpresult /R

2. Verify that DirectAccess Client Settings GPO is displayed in the list of the Applied
Policy objects for the Computer Settings.

Task 2: Verify client computer certificate distribution

1. On LON­CL1, open the Certificates MMC.

2. Verify that a certificate with the name LON­CL1.adatum.com displays with Intended
Purposes of Client Authentication and Server Authentication.

3. Close the console window without saving it.

Task 3: Verify internal connectivity to resources

1. On LON­CL1, open Windows Internet Explorer® from the Desktop, and in the
address bar, type http://lon­svr1.adatum.com/. The default IIS 8 web page for LON­
SVR1 displays.

2. In Internet Explorer, go to https://nls.adatum.com/. The default IIS 8 web page for
LON-SVR1 displays.

3. Open a Windows Explorer window, in the address bar, type \\Lon­SVR1\Files, and
then press Enter. A window with the contents of the Files shared folder will display.

4. Close all open windows.

Results: After completing this exercise, you will have configured the DirectAccess clients.

Exercise 3: Verifying the DirectAccess Configuration

Scenario

When client configuration is completed, it is important to verify that DirectAccess works. You
do this by moving the DirectAccess client to the Internet, and trying to access internal
resources.

The main tasks for this exercise are as follows:

1. Move the client computer to the Internet virtual network.

2. Verify connectivity to the DirectAccess server.

3. Verify connectivity to the internal network resources.

4. Prepare for the next module.

Task 1: Move the client computer to the Internet virtual network

1. Switch to LON­CL1.

2. Change the network adapter configuration to the following settings:

o IP address: 131.107.0.10

o Subnet mask: 255.255.0.0

o Default gateway: 131.107.0.2

3. Disable and then re­enable the Local Area Network network adapter.

4. Close the Network Connections window.

5. On your host, in Hyper-V Manager, right-click 20411B-LON-CL1, and then click
Settings. Change the Legacy Network Adapter to be on the Private Network 2 network,
and then click OK.

Task 2: Verify connectivity to the DirectAccess server

1. On LON­CL1, open a command prompt, and type the following command:

ipconfig

2. Notice that the returned IP address starts with 2002. This is the IP-HTTPS address.

3. At the command prompt, type the following command, and then press Enter:

netsh namespace show effectivepolicy

4. At the command prompt, type the following command, and then press Enter:

powershell

5. At the Windows PowerShell® command-line interface, type the following command,
and then press Enter:

Get-DAClientExperienceConfiguration

Note: Notice the DirectAccess client settings.

Task 3: Verify connectivity to the internal network resources

1. Switch to Internet Explorer, and go to http://lon-svr1.adatum.com/. You should see
the default IIS 8 web page for LON-SVR1.

2. Open Windows Explorer, in the address bar, type \\LON­SVR1\Files, and then press
Enter.

3. A folder window with the contents of the Files shared folder should display.

4. At a command prompt, type the following command, and then press Enter:

ping lon-dc1.adatum.com

5. Verify that you are receiving replies from lon­dc1.adatum.com.

6. At the command prompt, type the following command, and then press Enter:

gpupdate /force

7. Close all open windows.

8. Switch to LON­RTR.

9. Start the Remote Access Management console, and review the information on Remote
Client Status.

Note: Notice that LON-CL1 is connected via IP-HTTPS. In the Connection Details pane, in
the bottom-right of the screen, note the use of Kerberos for the Machine and the User.

10. Close all open windows.

To prepare for the next module

• When you finish the lab, revert the virtual machines to their initial state.

Results: After completing this exercise, you will have verified the DirectAccess
configuration.
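The client-side checks in Exercise 2 Task 2 and in Exercise 3 Tasks 2 and 3 (certificate, IP-HTTPS address, NRPT policy, connection status, reachability of intranet resources) can be collected in one read-only script that a practitioner can rerun whenever a client reports DirectAccess problems. It is an added example, not part of the course or the lab, written for a Windows 8 client such as LON-CL1 with the NetTCPIP, NetworkTransition, DnsClient and DirectAccessClientComponents modules. The host names, the 2002: prefix and the IPHTTPSInterface alias are the lab's values; the NRPT property names (`DirectAccessDnsServers`) and the `ConnectedRemotely` status value are as I recall them from those modules, so treat them as assumptions to confirm with Get-Help.

```powershell
# Added example (not from the course or the lab): read-only verification of a Windows 8
# DirectAccess client, modelled on the checks of Lab B Exercises 2 and 3.
Import-Module NetTCPIP, NetworkTransition, DnsClient, DirectAccessClientComponents

$ClientFqdn    = 'LON-CL1.adatum.com'
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$Targets       = @('http://lon-svr1.adatum.com/', '\\LON-SVR1\Files', 'lon-dc1.adatum.com')

function New-CheckResult($Check, $Passed, $Detail) {
    [pscustomobject]@{ Check = $Check; Passed = [bool]$Passed; Detail = $Detail }
}

# Exercise 2 Task 2: the auto-enrolled computer certificate must carry the client's FQDN
# and both the Client and Server Authentication EKUs, and must not be expired.
function Test-DAClientCertificate {
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.Subject -like "CN=$ClientFqdn*" -and
        $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList.ObjectId -contains $ClientAuthOid) -and
        ($_.EnhancedKeyUsageList.ObjectId -contains $ServerAuthOid)
    } | Select-Object -First 1
    $detail = if ($cert) { "$($cert.Thumbprint) valid until $($cert.NotAfter)" } else { 'no usable certificate' }
    New-CheckResult 'Computer certificate' $cert $detail
}

# Exercise 3 Task 2: an IP-HTTPS address in the 2002: range on the tunnel interface and
# no error from the transition technology.
function Test-DAIpHttps {
    $addr  = Get-NetIPAddress -AddressFamily IPv6 -ErrorAction SilentlyContinue |
        Where-Object { $_.InterfaceAlias -like '*IPHTTPS*' -and $_.IPAddress -like '2002:*' }
    $state = Get-NetIPHttpsState
    New-CheckResult 'IP-HTTPS tunnel' ($addr -and $state.LastErrorCode -eq 0) `
        "address=$($addr.IPAddress -join ',') status=$($state.InterfaceStatus) error=$($state.LastErrorCode)"
}

# "netsh namespace show effectivepolicy" in PowerShell form: the intranet suffix must point
# at the DirectAccess DNS server, and the NLS name must be an exemption (no server), so the
# client only resolves it when it is genuinely inside the intranet.
function Test-DANrpt {
    $rules     = Get-DnsClientNrptPolicy
    $intranet  = $rules | Where-Object { $_.Namespace -eq '.adatum.com' -and $_.DirectAccessDnsServers }
    $nlsExempt = $rules | Where-Object { $_.Namespace -eq 'nls.adatum.com' -and -not $_.DirectAccessDnsServers }
    $detail = ($rules | ForEach-Object { "$($_.Namespace) -> $($_.DirectAccessDnsServers -join '|')" }) -join '; '
    New-CheckResult 'NRPT policy' ($intranet -and $nlsExempt) $detail
}

# Overall status as the DirectAccess client components report it (assumed value names).
function Test-DAStatus {
    $s = Get-DAConnectionStatus
    New-CheckResult 'DA status' ($s.Status -eq 'ConnectedRemotely') "$($s.Status) / $($s.Substatus)"
}

# Exercise 3 Task 3: the web, SMB and ICMP resources the lab opens by hand.
function Test-DAResources {
    foreach ($t in $Targets) {
        $ok = switch -Wildcard ($t) {
            'http*' { try { (Invoke-WebRequest -Uri $t -UseBasicParsing -TimeoutSec 15).StatusCode -eq 200 } catch { $false } }
            '\\*'   { Test-Path -Path $t }
            default { Test-Connection -ComputerName $t -Count 2 -Quiet }
        }
        New-CheckResult "Reach $t" $ok ''
    }
}

$results = @(Test-DAClientCertificate; Test-DAIpHttps; Test-DANrpt; Test-DAStatus; Test-DAResources)
$results | Format-Table -AutoSize
if ($results.Passed -contains $false) { Write-Warning 'One or more DirectAccess checks failed.' }
```

Read the table top to bottom when something fails: a missing certificate explains a failed tunnel, a failed tunnel explains a wrong NRPT result, and only once those three pass is a resource failure worth chasing on the server side (Remote Client Status in the Remote Access Management console).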

Module Review and Takeaways

Tools

Tool           Use for                                                   Where to find it

Services.msc   Managing Windows services                                 Administrative Tools;
                                                                         launch from Run

Gpedit.msc     Editing the local Group Policy                            Launch from Run

Mmc.exe        Creating and managing the Microsoft Management Console    Launch from Run

Gpupdate.exe   Managing Group Policy application                         Run from a command line
