
70-741: Networking with Windows Server 2016

Chapter 5 – Implementing Remote Access


Slide 1

- Remote Access Overview
- Implementing the Web Application Proxy
- Planning and Implementing VPNs
- Overview of DirectAccess
- Implementing DirectAccess

Slide 2

Remote Access Overview

Slide 3

- In today's organizations there is a constant need to provide remote access to corporate networks and the systems they contain
- Remote access is simply the concept of connecting to a corporate network, its applications and services, and its machines from a remote location
- Two major types of remote access exist
o Remote node
o Remote control

Slide 4

- The Remote Access server role in Windows Server 2016 provides four separate options for remote access
o DirectAccess
o Virtual Private Networks (VPN)
o Routing
o Web Application Proxy

Slide 5

- These options are enabled and configured by first installing the Remote Access server role using
o Server Manager
o Windows PowerShell
- Once installed, the various roles can be managed using
o Remote Access Management Console
o Routing and Remote Access
o Windows PowerShell cmdlets

Slide 6

- The management console provides easy management for DirectAccess, VPNs, and the Web Application Proxy, beginning with a wizard-based setup to configure initial settings
- Console options
o Configuration
o Dashboard
o Operations status
o Remote Client Status
o Reporting

Slide 7

- Another important server role for Remote Access is the Network Policy Server (NPS) in Windows Server 2016
- NPS provides centrally managed authentication and authorization for remote access environments
o RADIUS Server
• Provides centralized connection authentication, authorization, and accounting
• Used for wired, wireless, dial-up, and VPN connections
• Remote access endpoints are configured as RADIUS clients
• Can use AD DS credentials or certificates for authentication
o RADIUS proxy

Slide 8

- There are two types of policies in the NPS role in Windows Server 2016 that are designed to manage and control connection attempts
o Connection request policies
• Determine whether the local NPS server will process requests or forward them to another RADIUS server
• Configured based on conditions
• A default policy is created, which processes requests locally
o Network policies
• A set of conditions and constraints that provides advanced authorization of incoming connection attempts
• Conditions determine whether a policy matches an incoming connection attempt
• Constraints and settings are additional parameters that are applied to the connection

Slide 9

- A Public Key Infrastructure (PKI) is a set of tools and technologies that enable the use of digital certificates within the organization for advanced authentication capabilities
- If you plan to use a PKI for remote access, consider:
o Will PKI be used for the encryption of data and traffic only?
o Will the PKI also be used for authenticating users and/or computers?
o What type of Certificate Authority will be used?
- CA Types
o Public
o Private

Slide 10

- While uncommon, the RRAS service in Windows Server 2016 does support the ability to function as a software-based router
- This is useful in certain scenarios
o Development environments
o Creation of internal screened subnets
o Labs
- Routing in Windows Server 2016 supports
o LAN-to-LAN, LAN-to-WAN, and NAT traffic
o Various routing types
• Static
• RIP
• NAT

Slide 11

- While most organizations may not use the routing capabilities of Windows Server 2016, all will use NAT in some capacity
- Network Address Translation provides the ability to use private IP addresses internally
o Enhances security
o Increases flexibility
o Requires that clients submit Internet-destined packets through the NAT server
- The NAT server has two NICs, one configured with a public and one with a private IP address, and uses translation to communicate over the Internet on behalf of a client

Slide 12

Implementing the Web Application Proxy

Slide 13

- The Web Application Proxy was introduced in Windows Server 2012 R2 and provides reverse proxy functionality
o Users located on the Internet are able to access internal corporate web applications or Remote Desktop Gateway servers
o Uses AD FS technologies to pre-authenticate Internet users
o Acts as an AD FS proxy for publishing claims-aware applications
- Requirements
o Active Directory Federation Services (AD FS)
o Proxy is located on the perimeter network

Slide 14

- Two types of authentication are supported by the Web Application Proxy in Windows Server 2016
o AD FS pre-authentication
• WAP pre-authenticates the user with the AD FS server
• If successful, the WAP establishes a connection to the web server in the corporate network hosting the application
o Pass-through pre-authentication
• Does not use AD FS or the WAP to pre-authenticate
• Any authentication that is performed happens at the web application
- Benefits of AD FS pre-authentication
o Workplace Join
o SSO
o Multifactor authentication and access control

Slide 15

- Once the Remote Access role and the WAP functionality are installed, WAP is configured using the WAP Configuration wizard in the Remote Access management console
- Initial configuration process
o Name of the AD FS server
o AD FS administrator credentials
o AD FS Proxy certificate
- The console is then used to publish an application, providing
o Type of pre-authentication
o The application to be published with its external URL
o A certificate for the external URL
o The URL of the backend server
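The same WAP setup and publishing steps (slides 14 and 15) done with the WebApplicationProxy cmdlets instead of the wizard, as an added example that is not part of the course slides: it shows one application published with AD FS pre-authentication and one with pass-through, then lists what is exposed. Host names, application names, the relying party name and the certificate thumbprints are placeholders.

```powershell
# Added example (not from the course slides): Web Application Proxy configured
# and used to publish two applications from PowerShell. All names and
# thumbprints are placeholders.

# 1. Install the role service on the server in the perimeter network.
Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools

# 2. Initial configuration: AD FS server name, AD FS administrator credentials
#    and the certificate WAP presents as the AD FS proxy (the three items on
#    slide 15).
$adfsCred      = Get-Credential -Message 'AD FS administrator credentials'
$proxyCertHash = 'PLACEHOLDER-THUMBPRINT-OF-ADFS-PROXY-CERT'

Install-WebApplicationProxy `
    -FederationServiceName            'fs.contoso.com' `
    -FederationServiceTrustCredential $adfsCred `
    -CertificateThumbprint            $proxyCertHash

# 3a. Publish a claims-aware application with AD FS pre-authentication.
#     The relying party trust must already exist in AD FS under this name;
#     Internet users are authenticated by AD FS before WAP opens a connection
#     to the backend web server.
Add-WebApplicationProxyApplication `
    -Name                          'HR Portal' `
    -ExternalPreauthentication     ADFS `
    -ADFSRelyingPartyName          'HR Portal' `
    -ExternalUrl                   'https://hr.contoso.com/' `
    -ExternalCertificateThumbprint 'PLACEHOLDER-THUMBPRINT-OF-EXTERNAL-CERT' `
    -BackendServerUrl              'https://hr.corp.contoso.com/'

# 3b. Publish an application with pass-through pre-authentication: WAP forwards
#     the request as-is and any authentication happens only at the backend
#     application, so the backend must enforce it itself.
Add-WebApplicationProxyApplication `
    -Name                          'Legacy Intranet' `
    -ExternalPreauthentication     PassThrough `
    -ExternalUrl                   'https://intranet.contoso.com/' `
    -ExternalCertificateThumbprint 'PLACEHOLDER-THUMBPRINT-OF-EXTERNAL-CERT' `
    -BackendServerUrl              'https://intranet.corp.contoso.com/'

# 4. Review what is published, in particular which applications are reachable
#    from the Internet without AD FS pre-authentication.
Get-WebApplicationProxyApplication |
    Format-Table Name, ExternalPreauthentication, ExternalUrl, BackendServerUrl -AutoSize
```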

Slide 16

Planning and Implementing VPNs

Slide 17

- The Virtual Private Network (VPN) has been the traditional approach to remote access for many years
- VPNs use tunneling protocols and encapsulation to allow private TCP/IP packets to be transmitted from a remote client to the corporate network over the Internet
- VPN Scenarios
o Remote access
o Site-to-site

Slide 18

- Most types of VPN connections used for remote access will have the following properties
o Encapsulation
o Authentication
• User-level
• Computer-level
• Data-origin authentication and data integrity
o Data encryption

Slide 19

- Point-to-Point Tunneling Protocol (PPTP)
o Encapsulation using GRE
o Encryption using MPPE
o TCP port 1723
- Layer 2 Tunneling Protocol (L2TP/IPSec)
o Supports multiprotocol traffic
o Encapsulation is multilayered
o Encryption provided by AES or 3DES
o UDP ports 500, 1701, 4500 and protocol ID 50
- Secure Sockets Tunneling Protocol (SSTP)
o Encapsulation in IP datagrams
o Uses SSL for encryption
o TCP port 443
- Internet Key Exchange (IKE) v2
o Encapsulation using IPSec ESP or AH
o Encryption using AES or 3DES
o UDP port 500
o Only supported on Windows 7 and later

Slide 20

- Authenticating remote clients is important for corporate security, but the user credentials must also be kept secure
- Protocol options
o PAP
o CHAP
o MS-CHAPv2
o EAP
- Other options
o Allow unauthenticated access
o Allow machine certificate authentication

Slide 21

- A feature in Windows Server 2016 that maintains VPN connectivity across network outages, providing numerous benefits
o Provides seamless and consistent VPN connectivity
o Uses the IKEv2 technology for increased security
o Automatically re-establishes VPN connections when connectivity is available
o Maintains the connection if users move between different networks
o Provides transparent connection status to users

Slide 22

- An app-triggered VPN enables a VPN profile to connect automatically when a specified app or set of apps starts
- This extends the automatic connection behavior and is supported in Windows 8.1 and later operating systems
o Known in Windows 8.1 as the “On-Demand VPN”
- Configuring app-triggered VPNs requires the use of the Add-VpnConnectionTriggerApplication PowerShell cmdlet
o Not supported on domain members
o Requires that you enable split tunneling for the VPN profile
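An app-triggered VPN profile built on a Windows 8.1 or later client with the VpnClient cmdlets, as an added example that is not part of the course slides: it checks the domain-membership restriction first, enables the split tunneling the trigger requires, and binds the trigger to an application. The server name, profile name, route prefix, application path and package family name are placeholders.

```powershell
# Added example (not from the course slides): app-triggered VPN on a client.
# Profile name, server, prefix, application path and PFN are placeholders.

$profile = 'Contoso VPN'

# App-triggered VPN is not supported on domain members, so fail early.
if ((Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain) {
    throw 'This computer is domain-joined; app-triggered VPN is not supported here.'
}

# Create the profile. IKEv2 with EAP user authentication keeps credentials
# out of cleartext and allows VPN Reconnect to survive network changes.
Add-VpnConnection -Name $profile `
    -ServerAddress        'vpn.contoso.com' `
    -TunnelType           Ikev2 `
    -AuthenticationMethod Eap `
    -EncryptionLevel      Required `
    -RememberCredential

# Triggering requires split tunneling: only the corporate prefixes added
# below go through the tunnel, everything else uses the local Internet path.
Set-VpnConnection -Name $profile -SplitTunneling $true
Add-VpnConnectionRoute -ConnectionName $profile -DestinationPrefix '10.0.0.0/8'

# Bind the trigger to a desktop application by full path ...
Add-VpnConnectionTriggerApplication -ConnectionName $profile `
    -ApplicationID 'C:\Program Files\Contoso\LineOfBusiness.exe'

# ... or to a Store app by its package family name.
Add-VpnConnectionTriggerApplication -ConnectionName $profile `
    -ApplicationID 'Contoso.Inventory_placeholderpfn'

# Verify the trigger and the split-tunneling setting it depends on.
Get-VpnConnectionTrigger -ConnectionName $profile
Get-VpnConnection -Name $profile | Select-Object Name, TunnelType, SplitTunneling
```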

Slide 23

- The Getting Started Wizard in the Remote Access Management console can be used to configure a VPN server if you are also configuring DirectAccess
- Requirements for the VPN server
o Two network adapters
o IP address allocation
• Static pool
• DHCP
o Authentication provider
• Local
• NPS
o DHCP relay agent considerations
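The VPN server built from PowerShell, as an added example that is not part of the course slides: it combines the server requirements of slide 23 (static pool, NPS as the authentication provider, the VPN server registered as a RADIUS client) with the authentication choices of slide 20 (EAP and machine certificates accepted, PAP and CHAP not). Host names, the address range and the issuing CA name are placeholders, and the two-element form of -IPAddressRange is an assumption about the RemoteAccess module's syntax.

```powershell
# Added example (not from the course slides): VPN server with NPS as the
# authentication provider. Names, addresses and CA subject are placeholders.

# --- On the NPS server: register the VPN server as a RADIUS client --------
$secret = Read-Host -AsSecureString 'RADIUS shared secret'   # never stored in the script
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
              [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secret))
New-NpsRadiusClient -Name 'VPN1' -Address '10.0.0.5' -SharedSecret $plain

# --- On the VPN server (two adapters: internal and Internet-facing) --------
Install-WindowsFeature RemoteAccess, DirectAccess-VPN -IncludeManagementTools

# Static address pool for remote clients and NPS as the authentication
# provider. Omit -RadiusServer/-SharedSecret for local Windows authentication;
# omit -IPAddressRange to have addresses leased from DHCP instead (in which
# case the DHCP relay agent on the server needs attention).
# Assumption: -IPAddressRange takes the first and last address of the pool.
Install-RemoteAccess -VpnType Vpn `
    -IPAddressRange '10.0.50.10', '10.0.50.250' `
    -RadiusServer   'nps.corp.contoso.com' `
    -SharedSecret   $plain

# Accept only EAP and machine certificates for user authentication. PAP and
# CHAP are left out so credentials never cross the link in a recoverable form.
$root = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -eq 'CN=Contoso Root CA' }   # placeholder issuer
Set-VpnAuthProtocol -UserAuthProtocolAccepted Certificate, EAP `
    -RootCertificateNameToAccept $root -PassThru

# Confirm what the server accepts before exposing it on the Internet adapter.
Get-VpnAuthProtocol
```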

Slide 24

- Once installed, the VPN server supports numerous options that may be used to increase security and control
o Static packet filters
o Configuration of services and ports
o Logging levels
o Number of virtual VPN ports
o Connection Manager profiles
o Active Directory Certificate Services
o Security settings to increase client and server security

Slide 25

Overview of DirectAccess

Slide 26

- DirectAccess is a VPN alternative supported in Windows Server 2008 R2 and later and Windows 7 and later
- DA enables remote users to securely access corporate resources without requiring a connection to a VPN
o Increases productivity
o Offers the same connectivity experience both inside and outside the office
o Provides simplified deployment
o Provides improved performance and scalability

Slide 27

- DA server
- DA clients
- Network Location Server (NLS)
- AD DS domain
- Group Policy
- PKI (optional)
- Name Resolution Policy Table (NRPT)
- DNS
- Internal Resources

Slide 28

 DirectAccess supports both simple and advanced deployments
 Simple deployments will use the Getting Started Wizard
 Complex deployments will use advanced configuration options
o Deploying multiple endpoints (multisite)
o Multi-domain support
o Deploying the DA server behind a NAT device
o Support for OTP and virtual smart cards
o Support for NIC teaming
o Off-premise provisioning

Slide 29

 The DirectAccess server must meet certain prerequisites
o Domain member (it reads and writes the DirectAccess GPOs)
o Must not be a domain controller
o Network adapters, depending on topology
• Edge: two adapters; the Internet-facing adapter needs public IPv4 addresses (Teredo needs two consecutive public addresses on it)
• Behind an edge firewall (NAT) with two adapters: one in the perimeter network, one internal
• Behind an edge firewall (NAT) with one adapter: IP-HTTPS only, because 6to4 and Teredo need a public address on the server
o Windows Firewall enabled for all profiles (DirectAccess is implemented as connection security rules in the firewall; disabling a profile breaks the tunnels)
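The prerequisites above can be checked before the wizard is started. The following script is an added example, not part of the course materials; it assumes Windows Server 2016 with PowerShell 5.1, and the three topology names it accepts are names chosen here for the three layouts on the slide.

```powershell
# Pre-flight check for a candidate DirectAccess server (added example, not from the course).
# Run elevated on the server you intend to deploy on.
function Test-DAServerPrerequisites {
    [CmdletBinding()]
    param(
        # Assumed names for the slide's three topologies: Edge and BehindNatTwoNic need
        # two adapters, BehindNatOneNic needs one.
        [ValidateSet('Edge', 'BehindNatTwoNic', 'BehindNatOneNic')]
        [string]$Topology = 'Edge'
    )

    $results = [ordered]@{}

    # Must be a domain member (the wizard writes the DirectAccess GPOs to the domain)
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $results['DomainMember'] = [bool]$cs.PartOfDomain

    # Must not be a domain controller.
    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = member server
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $results['NotDomainController'] = ($os.ProductType -ne 2)

    # Adapter count depends on the topology
    $adapters = @(Get-NetAdapter -Physical | Where-Object Status -eq 'Up')
    $required = if ($Topology -eq 'BehindNatOneNic') { 1 } else { 2 }
    $results['EnoughAdapters'] = ($adapters.Count -ge $required)

    # Windows Firewall must be on for Domain, Private and Public; DirectAccess lives in
    # the firewall's connection security rules and stops working if a profile is off.
    $disabled = Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' }
    $results['FirewallAllProfiles'] = ($disabled.Count -eq 0)

    # The role is installed later by the wizard if missing, but report its state
    $results['RemoteAccessRoleInstalled'] = [bool](Get-WindowsFeature -Name RemoteAccess).Installed

    [pscustomobject]$results
}

$check = Test-DAServerPrerequisites -Topology Edge
$check
if ($check.PSObject.Properties.Value -contains $false) {
    Write-Warning 'At least one prerequisite is not met; fix it before running the Remote Access wizard.'
}
```

Run it once per candidate server; a `False` in any column is a blocker for the topology given, and the adapter count is deliberately computed from adapters that are actually up, since a disabled second NIC does not satisfy the edge topology.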

Slide 30

 DirectAccess uses IPv6 and IPsec to connect clients to internal resources, but since most organizations do not have IPv6 implemented internally, tunneling technologies are used
o ISATAP
• Used inside the intranet: IPv4-only internal hosts (and DA clients while they are on the intranet) obtain ISATAP IPv6 addresses, with the DA server acting as the ISATAP router, so that DA clients can reach them over IPv6
• Requires an ISATAP host record, removal of "isatap" from the DNS global query block list, and IPv6 enabled on the internal hosts
o 6to4
• Used when clients have a public IPv4 address
• Provides connection to the DA server over the IPv4 Internet (IP protocol 41)
o Teredo
• Used when clients are located behind an IPv4 NAT device (UDP 3544 to the DA server)
o IP-HTTPS
• Used when 6to4 and Teredo fail, for example behind a firewall or web proxy that only allows outbound HTTP/HTTPS
• Tunnels IPv6 inside HTTPS on TCP 443 to the DA server; with Windows 8 and later clients the TLS layer uses a null cipher so that the traffic is not encrypted twice (IPsec already protects it)
o On Windows Server 2012 and later, NAT64/DNS64 on the DA server translate the client's IPv6 traffic to IPv4-only internal resources, so native IPv6 or ISATAP inside is not required for a basic deployment

Slide 31

 Process for internal clients
o Client attempts to resolve the FQDN of the network location server
o Client connects to the NLS over HTTPS
o Client validates the NLS certificate (name, chain and revocation)
o If successful, the client has determined that it is on the internal network and disables the NRPT
o Client attempts to locate and sign in to the AD DS domain
o Based on successful sign-in, the domain profile is activated in the firewall and the client communicates normally with internal resources
 Because this probe is what decides "inside" versus "outside", the NLS must be reachable only from the intranet and must be highly available; an unreachable NLS makes every internal client behave as if it were on the Internet

Slide 32

 The process for external clients
o Client tries to resolve the FQDN of the NLS
o Client processes the name resolution request as defined in the DirectAccess exemption rules: the NLS name is an NRPT exemption, so the query goes to the client's local DNS server, where the name does not exist
o NLS is not reached, so the public or private firewall profile is applied and the NRPT stays active
o The connection security rules scoped to the public and private profiles bring up the IPsec tunnels to the DA server over IPv6 (via 6to4, Teredo or IP-HTTPS)
o Client locates a domain controller through the infrastructure tunnel
o Client accesses intranet resources through the intranet tunnel
o Client accesses Internet resources directly, unless force tunneling is configured
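The two slides above describe what the client does; the script below shows how to observe it. It is an added example, not part of the course materials, intended to be run elevated on a Windows 8 or later DirectAccess client. It reports the client's own inside/outside verdict, the effective NRPT, which transition technology from slide 30 is carrying IPv6, and whether the NLS answers with a certificate this machine trusts. The NLS URL `https://nls.corp.example.com/` is an assumption; substitute the one configured on your DA server.

```powershell
# DirectAccess client location and transition-technology diagnostics
# (added example, not from the course). Run elevated on a Windows 8+ DA client.
function Get-DAClientDiagnostics {
    [CmdletBinding()]
    param(
        [string]$NlsUrl = 'https://nls.corp.example.com/'   # assumed NLS URL
    )

    # (a) The client's own verdict: ConnectedLocally means the NLS probe succeeded and
    #     the NRPT was switched off; ConnectedRemotely means the DA tunnels are up.
    $da       = Get-DAConnectionStatus
    $profiles = Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory

    # (b) Effective NRPT rules. On the intranet this should return no DirectAccess rules,
    #     because NLS detection disables them; outside, the intranet suffix must carry the
    #     DA DNS64 address and the NLS/CRL names must be exemptions (no servers listed).
    $nrpt = Get-DnsClientNrptPolicy -Effective |
            Select-Object Namespace, DirectAccessDnsServers, DirectAccessEnabled

    # (c) Classify the non-link-local IPv6 addresses to see which transition technology
    #     is in use: 2002::/16 is 6to4, 2001:0::/32 is Teredo, the IPHTTPSInterface
    #     adapter is IP-HTTPS and an isatap.* adapter is ISATAP.
    $tunnels = Get-NetIPAddress -AddressFamily IPv6 |
        Where-Object { $_.IPAddress -notlike 'fe80:*' -and $_.IPAddress -ne '::1' } |
        ForEach-Object {
            $ip = $_
            $tech = if     ($ip.IPAddress -like '2002:*')        { '6to4 (public IPv4 on the client)' }
                    elseif ($ip.IPAddress -like '2001:0:*')      { 'Teredo (client behind IPv4 NAT)' }
                    elseif ($ip.InterfaceAlias -like 'iphttps*') { 'IP-HTTPS (HTTPS over TCP 443, fallback)' }
                    elseif ($ip.InterfaceAlias -like 'isatap*')  { 'ISATAP (intranet IPv6-over-IPv4)' }
                    else                                         { 'native IPv6 or unknown' }
            [pscustomobject]@{ Interface = $ip.InterfaceAlias; Address = $ip.IPAddress; Technology = $tech }
        }
    $teredo  = Get-NetTeredoState
    $iphttps = Get-NetIPHTTPSState

    # (d) Probe the NLS the way the client does: an HTTPS GET whose certificate must
    #     validate. A trust or name error counts as "NLS not found", which is why the
    #     catch block does not disable certificate checking.
    $nlsOk = $false
    try {
        $resp  = Invoke-WebRequest -Uri $NlsUrl -UseBasicParsing -TimeoutSec 5
        $nlsOk = ($resp.StatusCode -eq 200)
    } catch { $nlsOk = $false }

    # Inside: NLS validated, DomainAuthenticated profile, no effective NRPT.
    # Outside: NLS unreachable (it must never be published to the Internet) and one
    #          of 6to4 / Teredo / IP-HTTPS carrying the tunnel.
    $verdict = if ($nlsOk) { 'Inside: NLS validated, DirectAccess should be off' }
               elseif ($tunnels) { 'Outside: DA tunnel expected via ' + (@($tunnels.Technology) -join ', ') }
               else { 'Outside but no transition interface is up: check IP-HTTPS and outbound 443' }

    [pscustomobject]@{
        DAStatus          = $da.Status
        DASubstatus       = $da.Substatus
        NetworkCategories = $profiles
        EffectiveNrpt     = $nrpt
        IPv6Tunnels       = $tunnels
        TeredoState       = $teredo
        IPHttpsState      = $iphttps
        NlsReachable      = $nlsOk
        Verdict           = $verdict
    }
}

Get-DAClientDiagnostics | Format-List
```

A useful misconfiguration this surfaces: if `NlsReachable` is true from a client on the Internet, the NLS has been exposed externally and every remote client will believe it is inside and never bring the tunnel up.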

Slide 33

 Implementing DirectAccess

Slide 34

 Installing the Remote Access role and using the Getting Started Wizard provides simple DirectAccess deployment scenarios
 Simple deployments will not be sufficient for some organizations

Slide 35

 The Getting Started Wizard makes multiple changes to the infrastructure so that clients can connect to the intranet
o GPO settings
• DirectAccess Server Settings GPO
  - Global settings
  - Inbound rules
  - Connection security settings
• DirectAccess Client Settings GPO
  - Public key policies
  - Global settings
  - Outbound rules
  - Connection security settings
o DNS server settings
o Remote clients
o Remote access server
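The same deployment can be driven from PowerShell, which also makes it easy to inspect what the wizard wrote. The following is an added example, not code from the course: it assumes `da.corp.example.com` is the public name clients will resolve for IP-HTTPS, keeps the wizard's default GPO names, and is run elevated on the future DirectAccess server.

```powershell
# PowerShell equivalent of the Getting Started Wizard plus a post-deployment check
# (added example, not from the course).

# The role, the Remote Access Management Console and the RemoteAccess module
Install-WindowsFeature -Name RemoteAccess -IncludeManagementTools

# FullInstall deploys DirectAccess (and VPN). With no certificate or NLS parameters
# supplied the cmdlet does what the wizard does: self-signed certificates, NLS on this
# server, the two default GPOs and the NRPT delivered through the client GPO.
Install-RemoteAccess -DAInstallType FullInstall -ConnectToAddress 'da.corp.example.com'

function Get-DADeploymentSummary {
    $gpoNames = 'DirectAccess Server Settings', 'DirectAccess Client Settings'

    $server = Get-DAServer                       # ConnectToAddress, interfaces, auth settings
    $client = Get-DAClient                       # client security groups, force tunneling
    $dns    = Get-DAClientDnsConfiguration       # NRPT rules the clients receive
    $gpos   = Get-GPO -All |
              Where-Object { $_.DisplayName -in $gpoNames } |
              Select-Object DisplayName, GpoStatus, ModificationTime
    $health = Get-RemoteAccessHealth |
              Select-Object Component, HealthState, ErrorCause

    [pscustomobject]@{
        DAStatus       = (Get-RemoteAccess).DAStatus
        Server         = $server
        ClientSettings = $client
        NrptRules      = $dns | Select-Object DnsSuffix, DnsIPAddress
        GroupPolicies  = $gpos
        Health         = $health
    }
}

$summary = Get-DADeploymentSummary
$summary | Format-List

# Two checks before calling the deployment done: both GPOs exist, and no Remote
# Access component reports an Error.
if (@($summary.GroupPolicies).Count -ne 2) {
    Write-Warning 'One of the DirectAccess GPOs is missing; the wizard could not write to the domain.'
}
if ($summary.Health | Where-Object HealthState -eq 'Error') {
    Write-Warning 'Get-RemoteAccessHealth reports an unhealthy component.'
}
```

The NRPT rules listed by `Get-DAClientDnsConfiguration` are the ones the client GPO pushes; the entry for the NLS name should have no DNS server address, which is how an exemption is represented.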

Slide 36

 The Getting Started Wizard is not suitable for larger organizations due to inherent limitations
o Uses self-signed certificates for IP-HTTPS and the NLS
• Cannot be used in multisite deployments
• Cannot be used with two-factor authentication (OTP, smart cards)
• Once you move to CA-issued certificates, you must make the CRL distribution point reachable from the Internet
o Network location server design
• Deploys the NLS on the DirectAccess server itself
• Does not provide high availability options
o Client operating system support
• Authenticates clients through the Kerberos proxy, so only Windows 8 and later are supported
• Windows 7 clients require a computer certificate for IPsec authentication, and therefore a PKI

Slide 37

 The Remote Access Setup Wizard provides access to advanced options which are used for larger, more complex environments
o Scalable and customized PKI infrastructure
o Customized network configuration options
o Scalable and highly available server deployment
o Customized monitoring and troubleshooting

Slide 38

 High availability is important for the DirectAccess infrastructure, and options exist for both the DA and the NLS servers
o Network Load Balancing built in to Windows Server 2016
o External (third-party) hardware load balancers

 Requirements
o If a DA server runs in a Hyper-V virtual machine, MAC address spoofing must be enabled on its virtual network adapters or NLB will not work
o All DA servers in the cluster must have the same configuration when using NLB
o The NLS should be made highly available as well: if it is unreachable, internal clients conclude they are outside, apply the NRPT and lose name resolution for the intranet

Slide 39

 In some organizations it is beneficial to place DA servers in multiple physical locations, which provides certain benefits
o DA clients connect to the closest and fastest DA server (entry point)
o If a single site goes offline, clients can connect to another site

 Requirements
o PKI
o A single DA server with advanced settings already deployed
o Internal network must be IPv6 enabled
o Windows 7 clients cannot select an entry point automatically and must be assigned to one manually

Slide 40

 Certificates provide increased security along with additional complexity
 Configuration process with DirectAccess
o Add and configure the CA server role (Active Directory Certificate Services)
o Create a certificate template (a computer certificate with the Client Authentication and Server Authentication EKUs)
o Create a CRL distribution point that external clients can reach over HTTP; an LDAP-only CDP is useless to a client that is not yet connected to the intranet
o Publish the CRL to that location and keep it current, since an expired CRL fails revocation checks and breaks the tunnels
o Distribute the computer certificates to the DA server and the clients

Slide 41

 Certificates are optional unless Windows 7 is used as a client operating system, or the deployment needs a feature that depends on a PKI, such as OTP or multisite
 Windows 7 requires a computer certificate for IPsec authentication
 Deploying certificates is easiest through Group Policy
o Create a GPO and link it to the OU containing DA clients
o Configure automatic certificate requests for computer accounts (Certificate Services Client - Auto-Enrollment), and grant the client computers the Autoenroll permission on the template
o Apply the GPO
o Verify the issuance of certificates
 Consider the use of OTP
o Typically requires third-party software or hardware to supply the password
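The certificate steps on slides 40 and 41 can be scripted and, more importantly, verified from the client's point of view. The script below is an added example, not part of the course: it assumes an OU `OU=DA Clients,DC=corp,DC=example,DC=com`, the GPO name shown, and a computer template already published on the CA with Autoenroll granted to the client computers. The first part runs on a management host with the GroupPolicy module; the function runs on a DA client.

```powershell
# Auto-enrollment GPO for DA client computer certificates, and a client-side check
# that a usable certificate was issued and its CRL can be fetched
# (added example, not from the course).

# --- part 1: management host ---
$gpoName = 'DA Client Certificate Autoenrollment'            # assumed name
$ou      = 'OU=DA Clients,DC=corp,DC=example,DC=com'         # assumed OU

New-GPO -Name $gpoName | Out-Null
New-GPLink -Name $gpoName -Target $ou | Out-Null
# AEPolicy = 7 is the registry form of "Certificate Services Client - Auto-Enrollment":
# enable auto-enrollment, renew expired certificates, update pending ones, remove revoked.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment' `
    -ValueName 'AEPolicy' -Type DWord -Value 7 | Out-Null

# --- part 2: DA client (elevated) ---
function Test-DAClientCertificate {
    gpupdate /target:computer /force | Out-Null
    certutil -pulse | Out-Null           # trigger auto-enrollment now instead of waiting

    $clientAuthOid = '1.3.6.1.5.5.7.3.2'  # Client Authentication EKU used for IPsec
    $certs = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList | Where-Object ObjectId -eq $clientAuthOid)
    })
    if ($certs.Count -eq 0) {
        Write-Warning 'No client-authentication computer certificate has been issued.'
        return
    }

    foreach ($c in $certs) {
        $tmp = Join-Path $env:TEMP "$($c.Thumbprint).cer"
        Export-Certificate -Cert $c -FilePath $tmp -Force | Out-Null
        # -urlfetch follows the AIA and CDP URLs embedded in the certificate. A client on
        # the Internet must be able to reach the CDP, which is why the CRL needs a public
        # HTTP location; a failure here is exactly what breaks the IPsec tunnel later.
        certutil -verify -urlfetch $tmp | Out-Null
        [pscustomobject]@{
            Subject      = $c.Subject
            Issuer       = $c.Issuer
            NotAfter     = $c.NotAfter
            ChainAndCrlOk = ($LASTEXITCODE -eq 0)
        }
        Remove-Item $tmp -ErrorAction SilentlyContinue
    }
}

Test-DAClientCertificate
```

Run the client part from outside the corporate network as well as inside: `ChainAndCrlOk` true only from the intranet means the CDP is published on an internal-only URL.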

Slide 42

 DA Server location
 IP Address assignment
 Firewall configuration
 AD DS
 Client deployment

Slide 43

 DirectAccess requires DNS for resolving
o Network Location Server (internal DNS only)
o IP-HTTPS endpoint name (public DNS)
o CRL distribution point (resolvable by external clients)
o ISATAP router name (if ISATAP is used; "isatap" must be removed from the DNS global query block list)
o Connectivity verifiers (web probes the client uses to confirm that the tunnel works)

 The Name Resolution Policy Table (NRPT) is configured using Group Policy and routes queries by namespace rather than by network interface
o DNS suffixes: the internal suffix is sent to the DA server's DNS64 address
o CRL distribution point and NLS: exemptions, resolved by the client's normal DNS server
o Split-brain DNS: a public name inside the internal suffix (for example the company website) would otherwise be resolved through the tunnel to its internal address; add an exemption for names that should be reached from the Internet directly
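The NRPT rules are written on the DA server and pushed through the client GPO. The following is an added example, not from the course; it assumes `.corp.example.com` as the internal suffix, `nls.corp.example.com` as the NLS, `www.corp.example.com` as a split-brain public website, `crl.example.com` as the external CRL host and `2001:db8:1::1` as the DA server's DNS64 address. Run it elevated on the DA server.

```powershell
# NRPT configuration for a split-brain DNS deployment, plus a consistency check
# (added example, not from the course).
$internalSuffix = '.corp.example.com'     # assumed internal suffix (leading dot = whole namespace)
$dns64Address   = '2001:db8:1::1'         # assumed DNS64 address of the DA server
$nlsName        = 'nls.corp.example.com'  # assumed NLS name
$publicHost     = 'www.corp.example.com'  # assumed split-brain name that must stay public
$crlHost        = 'crl.example.com'       # assumed external CRL distribution host

# Rule 1: everything under the internal suffix is resolved through the DA server.
Add-DAClientDnsConfiguration -DnsSuffix $internalSuffix -DnsIPAddress $dns64Address

# Rules 2-4: exemptions. A rule with no DNS server means "use the client's normal DNS".
# The NLS must be exempt so an external client cannot resolve it over the tunnel and
# wrongly conclude it is inside; the CRL host must be exempt so revocation checks work
# before the tunnel exists; the public website must be exempt or DA clients reach its
# internal address instead of the Internet-facing one.
Add-DAClientDnsConfiguration -DnsSuffix $nlsName
Add-DAClientDnsConfiguration -DnsSuffix $crlHost
Add-DAClientDnsConfiguration -DnsSuffix $publicHost

function Test-DANrptConfiguration {
    param(
        [string]$Suffix  = $internalSuffix,
        [string]$Nls     = $nlsName,
        [string[]]$Exempt = @($crlHost, $publicHost)
    )
    $rules = @(Get-DAClientDnsConfiguration)

    $suffixRule = $rules | Where-Object DnsSuffix -eq $Suffix
    $nlsRule    = $rules | Where-Object DnsSuffix -eq $Nls
    # An exemption is a rule that exists and lists no DNS server address.
    $exemptOk   = foreach ($name in $Exempt) {
        $r = $rules | Where-Object DnsSuffix -eq $name
        [bool]($r -and -not $r.DnsIPAddress)
    }

    [pscustomobject]@{
        InternalSuffixRouted = [bool]($suffixRule -and $suffixRule.DnsIPAddress)
        NlsExempt            = [bool]($nlsRule -and -not $nlsRule.DnsIPAddress)
        OtherExemptionsOk    = -not ($exemptOk -contains $false)
        Rules                = $rules | Select-Object DnsSuffix, DnsIPAddress
    }
}

$nrpt = Test-DANrptConfiguration
$nrpt | Format-List
if (-not $nrpt.NlsExempt) {
    Write-Warning 'The NLS name is routed through the tunnel; external clients will mis-detect their location.'
}
```

After the GPO refreshes, `Get-DnsClientNrptPolicy` on a client should show the same namespaces, with the exemptions carrying no DirectAccess DNS servers.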

Slide 44

 The Remote Access Management Console provides monitoring capabilities
o Centralized dashboard
o Operations status
o Remote access client status
o Remote access reporting

Slide 45

 Remote Access Overview
 Implementing the Web Application Proxy
 Planning and Implementing VPNs
 Overview of DirectAccess
 Implementing DirectAccess

Review Questions:
1. You are planning to implement a server configuration that provides the ability to
use private addresses internally while still allowing access to Internet resources
from internal clients. You are configuring a Windows Server 2016 system and
using the Remote Access installation wizard. Which of the following do you need
to configure?
A. Dial up
B. VPN
C. NAT
D. Basic Firewall

2. You are configuring Windows 7 client machines to utilize a VPN connection in
order to connect to the corporate network. You need to ensure that when users
move from one coverage area to another their VPN connection is automatically
reconnected. Which of the following VPN types should you configure?
A. PPTP
B. L2TP/IPSec
C. SSTP
D. IKEv2

3. You have users accessing your system remotely from Windows Vista and
Windows 7 machines as well as a few new Windows 10 laptops. You need to
ensure that users will always be able to make a VPN connection without issue
regardless of their physical location provided that there is an Internet connection.
Which of the following VPN types should you implement?
A. PPTP
B. L2TP/IPSec
C. SSTP
D. IKEv2

4. You are attempting to troubleshoot the application of network policies on your
VPN server. Users are not receiving the appropriate access based on your
policies. Which of the following statements is NOT true in regards to network
policy processing in Windows Server 2016?
A. Policy permissions override User Dial in permissions
B. Policies containing more conditions should have a higher priority
C. One policy must exist to grant access
D. The first policy containing matching conditions is the only policy that is
processed

5. You need to ensure that users in the marketing department are able to connect
via VPN connection during off-hours only. You are going to utilize network
policies to complete this configuration. You already have a Marketing users
global group. What should you do? (Choose the answer with the least amount of
administrative effort)
A. Create a single policy
Add the user group condition for the Marketing Users group
Add a day/time restriction for off hours
Configure Policy permission to allow
B. Create two policies
On the first policy add a user group condition for the marketing Users
group
Add a day/time restriction for off hours
Configure the policy permission to allow
On the second policy add a user group condition for the market users
group
Add a day/time restriction for business hours
Configure the policy permission to deny
C. Create two policies
On the first policy add a day/time restriction for business hours
Configure the policy permission to Deny
On the second policy add a day/time restriction for off hours
Configure the policy permission to Allow
Ensure the first policy has the highest priority
D. Modify the default policy by adding a user group condition for the
marketing users group and configuring the permission to allow

6. You are trying to configure authentication for mobile users who are connecting
via the VPN. You want to implement multi-factor security using smart cards and
certificate based authentication. Which of the following protocols should you
configure?
A. CHAP
B. MS-CHAPv2
C. PEAP-MS-CHAP
D. EAP-TLS

7. You would like to implement a technology in Windows Server 2012 that replaces
a traditional remote connectivity which requires users to manually initiate
connections. Which of the following should you implement?
A. DFS
B. BranchCache
C. DirectAccess
D. IKEv2 with VPN Reconnect

8. You are examining the requirements for DirectAccess in order to implement it in
your environment. Which of the following components serves as the mechanism
for a client to determine whether or not it is on the local network and should
communicate directly with resources or external in which case it should utilize the
DA server?
A. NRPT
B. NLS
C. AD DS Domain Controller
D. DNS Server

9. Which of the following DirectAccess components is used to resolve names to IP
addresses by namespace rather than by network connection and is used to
ensure that Internet traffic is not routed through the DA server?
A. NRPT
B. NLS
C. Connection Security Rules
D. Group Policy

10. Which of the following components in a DirectAccess infrastructure is used to
control IPSec settings for security between clients and internal resources?
A. NRPT
B. NLS
C. Group Policy
D. Connection Security Rules

11. You are planning to implement DirectAccess using the Getting Started wizard but
are concerned about the limitations of this deployment method. Which of the
following is a distinct limitation for this deployment method?
A. Deploys the NLS on the same server as the DirectAccess server
B. Requires the use of public certifications
C. Ensures the CRL is available externally
D. Deploys NLS on a different server than the DirectAccess server

12. You have Windows 10 running on many of the laptops used by your mobile sales
force. You would like to utilize DirectAccess. Which of the following requirements
differs between this deployment and one containing only Windows 7 client
systems?
A. Publically accessible CRL
B. Internal PKI
C. NRPT entries for the internal namespace
D. DA server

13. You are configuring RADIUS clients and servers and are looking to configure the
firewalls separating these servers appropriately. Which of the following ports
does RADIUS use by default for client to server communication?
A. 1723
B. 1812
C. 1433
D. 1701

14. You are looking to implement certificate based authentication methods using the
Network Policy server role installed on a Windows Server 2012 machine. Which
of the following options should you use in order to require server and client
authentication via certificates but user authentication via passwords?
A. EAP-TLS
B. PEAP-TLS
C. PEAP-MS-CHAP
D. MS-CHAPv2

15. You are looking to support the use of multiple clients in your network access
infrastructure. You are aware of some users that will be connecting from
Macintosh computers and possibly even Linux distributions used by some
support personnel. Which of the following authentication protocols should you
use in light of this information?
A. EAP-TLS
B. CHAP
C. PAP
D. MS-CHAP

16. You are looking at implementing NPS on Windows Server 2012 to function as a
RADIUS server. You are evaluating the possible clients in this scenario. Which of
the following would be the most likely client of a RADIUS server?
A. Router
B. Firewall
C. DHCP server
D. Wireless Access Point

17. You are evaluating the functionality of the RADIUS proxy and trying to determine
if it’s a good fit in your environment. Which of the following scenarios does not fit
the use of the RADIUS proxy?
A. Load balancing connection requests in a high volume environment with
multiple RADIUS servers
B. Providing authentication and authorization for a single domain with users
stored in AD DS
C. Offering out-sourced dial up and VPN services using a service provider
D. Performing authentication and authorization against a non-Windows
database
Answer Key:
1. C
Network Address Translation will provide the ability to utilize one or more public
IP addresses on behalf of clients using private addresses. The addresses are
translated into the public address for use on the Internet.

2. D
VPN Reconnect is a feature of the IKEv2 VPN type, available on Windows 7 and
later. It relies on the IKEv2 mobility extension (MOBIKE): the client keeps its
security association when its IP address changes and re-establishes the tunnel
automatically. Selecting the IKEv2 type enables it.

3. C
SSTP carries PPP over HTTPS on TCP port 443, the same port outbound web
traffic uses, so it passes firewalls and web proxies that block PPTP (TCP 1723
plus GRE), L2TP/IPsec (UDP 500/4500 plus ESP) and IKEv2 (UDP 500/4500). It
is also the only one of the four available on Windows Vista (SP1 and later), which
rules out IKEv2 for the Vista clients. A proxy that inspects TLS can still interfere,
but 443 is as close to "always open" as outbound filtering gets.

4. A
This is not a correct statement by default. You may choose to override the User
Dial in permissions via a network policy, however, by default if the User is set to
allow and there is a policy containing conditions that match the user’s connection
attempt, access will be granted.

5. A
Technically both A and B will work, but creating a single policy follows the "least
administrative effort" requirement in the scenario. The default policy already
denies access 24/7 and has the lowest priority. You create an additional policy that
states that if a user is in the Marketing departmental group and it is off-hours,
access is allowed. The default policy takes care of the rest.

6. D
EAP with Transport Layer Security is the authentication method that provides for
the use of certificate authentication for both client computers and server
machines and the authentication of user accounts via smart cards.

7. C
DirectAccess is a VPN alternative available for Windows 7 and beyond that will
provide seamless, transparent connections to a corporate network over the
Internet.

8. B
The NLS (network location server) is the server role that is used by clients to
determine their location as being internal or external and will result in
DirectAccess being enabled or disabled.

9. A
NRPT is the Name Resolution Policy Table. It identifies DNS servers by
namespace rather than connection.

10. D
Connection security rules are ultimately the way in which IPSec protection is
applied to the connections.

11. A
This is a design limitation with the Getting Started wizard. Some organizations
will want to separate these roles so that the NLS server can be on a highly
available web server.

12. B
An internal PKI is the requirement that differs. Windows 7 clients must authenticate
the IPsec tunnels with computer certificates, so they need a CA and certificate
distribution; Windows 8 and later clients can authenticate through the Kerberos
proxy instead, so a Windows 10-only deployment can run without one. The other
items are needed in both cases.

13. B
Port 1812 (UDP) is used from RADIUS client to server by default, with 1813 for
accounting; some older devices still use the legacy ports 1645 and 1646. These
must be open if firewalls separate client and server or routers perform packet
filtering.

14. C
With Protected EAP, the NPS server authenticates to the client with a certificate
and a TLS tunnel is established first. The user's password is then checked with
MS-CHAP v2 inside that tunnel, which is what keeps the password-based
exchange protected. PEAP-TLS (B) and EAP-TLS (A) authenticate the user with a
certificate rather than a password, and plain MS-CHAP v2 (D) uses no certificate
at all.

15. B
CHAP is the industry-standard (RFC 1994) challenge/response method that
virtually every PPP and VPN client implements, including those on macOS and
Linux. Note that NPS can only validate CHAP if the affected user accounts store
their passwords with reversible encryption, which weakens AD DS, so enable it
only for the accounts that need it and prefer EAP-TLS where the clients support it.

16. D
Almost all wireless access points support 802.1X and therefore act as RADIUS
clients, forwarding the supplicant's credentials to NPS. A firewall with VPN
capabilities might also act as a RADIUS client, but that cannot be assumed of
every firewall, and DHCP servers and plain routers are not RADIUS clients.

17. B
A RADIUS proxy adds nothing when all user accounts are in a single AD DS
domain; one NPS RADIUS server authenticates them directly. The proxy is for
forwarding requests to multiple servers (load balancing), to a service provider, or
to a non-Windows account database.
