Configuring Windows 7 (Training Kit) - Part 57 potx

Lesson 2: Remote Connections CHAPTER 10 533

VPN Authentication Protocols

Windows 7 supports different authentication protocols for both dial-up and VPN connections. There are two broad categories of authentication protocol: password-based authentication protocols and certificate-based authentication protocols. Certificate-based authentication protocols require the deployment of a PKI solution such as Active Directory Certificate Services. When you use a certificate-based authentication protocol, it is necessary to deploy certificates tied to user accounts, computer accounts, or both types of account. The properties of these protocols are as follows:

• PAP (Password Authentication Protocol) This protocol uses unencrypted passwords for authentication. This protocol is not enabled by default for Windows 7 VPN connections and is not supported by remote access servers running Windows Server 2008. You would enable this protocol only to connect to an older third-party VPN server that does not support other more secure protocols.
• CHAP (Challenge Authentication Protocol) This is a password-based authentication protocol. Although remote access servers running Windows Server 2008 do not support this protocol, it is enabled by default for Windows 7 VPN connections and it allows you to connect to third-party VPN servers that do not support other more secure protocols.
• MS-CHAPv2 (Microsoft Challenge Handshake Authentication Protocol version 2) MS-CHAPv2 is a password-based authentication protocol. You can configure a VPN connection that uses this protocol to use the credentials of the currently logged on user for authentication.
• PEAP/PEAP-TLS (Protected Extensible Authentication Protocol with Transport Layer Security) This is a certificate-based authentication protocol where users authenticate using certificates. Requires the installation of a computer certificate on the VPN server.
• EAP-MS-CHAPv2/PEAP-MS-CHAPv2 The most secure password-based authentication protocols available to VPN clients running Windows 7; requires the installation of a computer certificate on the VPN server. Does not require a client certificate.
• Smart Card or Other Certificate Use this protocol when users are authenticating VPN connections using a smart card or a certificate installed on this computer. The properties for this authentication protocol are shown in Figure 10-13.

You can configure which VPN authentication protocols are supported for a connection by editing a VPN connection's properties in the Network Connections control panel, as shown in Figure 10-14. Windows first tries to use the most secure authentication protocol that is enabled and then falls back to less secure protocols if they are available.

534 CHAPTER 10 DirectAccess and VPN Connections

FIGURE 10-13 Smart Card or other Certificate options

FIGURE 10-14 VPN Authentication protocols

VPN Reconnect

VPN Reconnect is a feature new to Windows 7. When you connect to a VPN server using the PPTP, L2TP/IPsec, or SSTP protocol and you suffer some sort of network disruption, you can lose your VPN connection and need to restart it. If you were transferring a file, downloading e-mail, or sending a print job, you need to start over from the beginning. VPN Reconnect allows clients running Windows 7 to reconnect automatically to a disrupted VPN session even if the disruption has lasted for 8 hours. VPN Reconnect also works if connecting to a new Internet access point causes the disruption. For example, a user might be using a VPN connection to his corporate network while connected to a wireless network at an airport coffee shop. As the time of his flight's departure approaches, he moves from the coffee shop to the airport lounge, which has its own Wi-Fi network.
With VPN Reconnect, the user's VPN connection is reestablished automatically when he achieves Internet connectivity with the new network. With a traditional VPN solution, this user would have to reconnect manually once he connected to the new wireless network in the airport lounge, and any existing operations occurring across the VPN would be lost. Unlike DirectAccess, which only some editions of Windows 7 support, all editions of Windows 7 support VPN Reconnect.

VPN Reconnect uses the IKEv2 tunneling protocol with the MOBIKE extension. The MOBIKE extension allows VPN clients to change their Internet addresses without having to renegotiate authentication with the VPN server. Only VPN servers running Windows Server 2008 R2 support IKEv2. You cannot use IKEv2 if your organization has a routing and remote access server running Windows Server 2003, Windows Server 2003 R2, or Windows Server 2008. You can configure VPN Reconnect with a maximum timeout of 8 hours, as shown in Figure 10-15. After the period specified in the Network Outage Time setting has expired, it is necessary for the user to reconnect manually. You will create and configure an IKEv2-based VPN connection in the practice exercise at the end of this lesson.

FIGURE 10-15 IKEv2 Advanced Properties

Quick Check
• Which VPN protocol supports automatic reconnection?

Quick Check Answer
• IKEv2 supports automatic reconnection.

NAP Remediation

NAP is a technology in Windows Server 2008 that restricts network access based on an assessment of a client computer's health. A compliant client that meets the health benchmark is able to access the network. If the computer does not meet the health benchmark, it is noncompliant. NAP blocks noncompliant clients from accessing the network. NAP can be used for clients on the LAN, but also can be used for VPN, RD Gateway, and DirectAccess clients.
Administrators can configure NAP to restrict network access based on the following criteria:

• Does a client have antivirus software installed and up to date?
• Does a client have anti-spyware software installed and up to date?
• Does a client have Windows Firewall enabled?
• Are automatic updates enabled?
• Have all software updates been installed on the client computer?

Administrators specify these criteria through Security Health Validators (SHVs). Administrators configure SHVs to specify the components of the system health benchmark. Figure 10-16 shows the Windows 7 SHV that is included with Windows Server 2008 R2.

FIGURE 10-16 Windows Security Health Validator

Administrators can configure NAP to perform a process of remediation on client computers that do not meet the specified health benchmarks. When NAP applies to VPN connections, this often means providing access to a remediation network. A remediation network is a special network that hosts the services that would allow the client to come back into compliance. Noncompliant clients can communicate with hosts on the remediation network but not other hosts on the internal corporate network. A remediation network could include a Windows Server Update Services (WSUS) server so that the client can get the most recent software updates and an antivirus update server so that the client can reach a compliant state and be granted access to the network.

It is possible for a client running Windows 7 to perform some steps automatically towards remediation when the Security Center service is enabled. This service interacts with the Windows 7 Action Center. If this service is enabled and the appropriate NAP policies are configured within the remote access infrastructure, clients might automatically bring themselves into compliance by switching on items like the Windows Firewall, running Windows Update, and initiating the process of updating antivirus and anti-spyware software.
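The SHV criteria above, as an added PowerShell example that is not part of the Training Kit: a local pre-flight check that reads the same client state the Windows Security Health Validator evaluates (Security Center and NAP Agent services, Windows Firewall per profile, Automatic Updates, and the antivirus/anti-spyware products registered with Security Center), so a user can see why a NAP-protected VPN might place the client on the remediation network. It assumes Windows 7 with PowerShell 2.0 or later, run from an elevated prompt; the decoding of the WMI productState value is an undocumented, commonly used heuristic and is an assumption here.

```powershell
# Added example (not from the Training Kit). Assumes Windows 7 / PowerShell 2.0+, run elevated.
function Get-NapClientHealth {
    $report = @{}

    # Security Center (wscsvc) and NAP Agent (napagent) must be running for automatic remediation
    foreach ($svc in 'wscsvc', 'napagent') {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        $report["Service:$svc"] = if ($s) { $s.Status.ToString() } else { 'NotInstalled' }
    }

    # Windows Firewall state per profile, via the Windows Firewall with Advanced Security COM API
    # (profile ids: 1 = Domain, 2 = Private, 4 = Public)
    $fw = New-Object -ComObject HNetCfg.FwPolicy2
    $profiles = @{ Domain = 1; Private = 2; Public = 4 }
    foreach ($p in $profiles.GetEnumerator()) {
        $report["Firewall:$($p.Key)"] = [bool]$fw.FirewallEnabled($p.Value)
    }

    # Automatic Updates notification level: 1 = disabled, 2 = notify before download,
    # 3 = notify before install, 4 = scheduled install. Anything above 1 counts as enabled.
    $au = New-Object -ComObject Microsoft.Update.AutoUpdate
    $report['AutomaticUpdates:Enabled'] = ($au.Settings.NotificationLevel -ge 2)

    # Antivirus / anti-spyware products registered with Security Center. productState is not
    # documented; the hex-digit decoding below is the commonly used heuristic (assumption).
    foreach ($cls in 'AntiVirusProduct', 'AntiSpywareProduct') {
        $products = Get-WmiObject -Namespace 'root\SecurityCenter2' -Class $cls -ErrorAction SilentlyContinue
        foreach ($prod in $products) {
            $hex = '{0:X6}' -f [int]$prod.productState
            $report["${cls}:$($prod.displayName)"] = @{
                Enabled  = ($hex.Substring(2, 2) -eq '10')
                UpToDate = ($hex.Substring(4, 2) -eq '00')
            }
        }
    }
    return $report
}

# List the findings; any disabled firewall profile, disabled Automatic Updates, or disabled /
# out-of-date protection product is what the Windows SHV would flag as noncompliant.
$health = Get-NapClientHealth
$health.GetEnumerator() | Sort-Object Key | ForEach-Object {
    if ($_.Value -is [hashtable]) {
        '{0}: Enabled={1} UpToDate={2}' -f $_.Key, $_.Value.Enabled, $_.Value.UpToDate
    } else {
        '{0}: {1}' -f $_.Key, $_.Value
    }
}
```

The script only reads state; it does not change any setting, so it is safe to hand to users as a "why am I on the remediation network?" check.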
In environments without remediation networks, it is necessary for users to bring the computer into compliance manually before they will be able to establish a successful remote access connection. If your organization uses NAP with its remote access infrastructure, you should ensure that users know what steps they need to take to get their clients running Windows 7 compliant so they will be able to access the internal network.

More Info NAP
To find out more about NAP, consult the Network Access Protection TechCenter at the following address: http://technet.microsoft.com/en-us/network/bb545879.aspx.

Remote Desktop and Application Publishing

Windows Server 2008 R2 Remote Desktop Services, known as Terminal Services on Windows Server 2008 and Windows Server 2003, allows people to connect using the Remote Desktop Connection client to a server on which they can run applications. You learned about making Remote Desktop connections to clients running Windows 7 in Chapter 7, "Firewall and Remote Management."

RD (Remote Desktop) Gateway, formerly known as Terminal Services Gateway, allows users on the Internet to make Remote Desktop connections to servers on internal networks without the user having to initiate a VPN connection. Connections can only be made to specially configured Remote Desktop hosts on the internal network. Users are unable to access all resources on the network, as is the case with a traditional VPN or DirectAccess.

More Info RD GATEWAY
To learn more about RD Gateway, consult the following Microsoft TechNet article: http://technet.microsoft.com/en-us/library/dd560672.aspx.

To connect using an RD Gateway server, navigate to the Advanced tab of the Remote Desktop Connection Properties dialog box and click Settings under Connect From Anywhere. This opens the RD Gateway Server Settings dialog box.
This dialog box allows you to specify RD Gateway settings, including whether or not you want the RD Gateway to be detected automatically, whether to use a specific RD Gateway server, as shown in Figure 10-17, or you can specify Do Not Use an RD Gateway Server, which is the default setting.

FIGURE 10-17 RD Gateway server settings

You can also apply RD Gateway configuration through Group Policy rather than configuring it manually. The relevant policies are located in the User Configuration\Administrative Templates\Windows Components\Remote Desktop Services\RD Gateway node, as shown in Figure 10-18.

FIGURE 10-18 RD Gateway policies

These policies work as follows:

• Set RD Gateway authentication method When the policy is set to Not Configured or Disabled, the authentication method specified by the user is used. When enabled, the administrator can choose to allow the user to change the setting, or the administrator can select among the following options:
  • Ask for credentials, use NTLM protocol
  • Ask for credentials, use Basic protocol
  • Use the locally logged on credentials
  • Use a smart card
• Enable Connection through RD Gateway When this policy is enabled, Remote Desktop Client automatically tries to connect through the configured RD Gateway if it is unable to connect automatically to the target Remote Desktop Services server. This policy can be enforced only if the Set RD Gateway server address policy is configured. A policy option allows users to override this setting.
• Set RD Gateway server address When the policy is set to Not Configured or Disabled, clients automatically detect whether RD Gateway is required. If required, the RD Gateway specified by the user is used. When this policy is set to Enabled, the address of the RD Gateway server specified in the policy is used. The address of the RD Gateway server must match the name of the SSL certificate installed on the RD Gateway server.
RemoteApp allows applications that reside on Remote Desktop Services servers to have their display output shown in Remote Desktop clients. This differs from a standard Remote Desktop Connection window where the user sees the entire remote desktop in a window. For example, if you publish the Microsoft Office Excel 2007 application through Remote Desktop Services RemoteApp and the user runs it, the user sees an Excel 2007 application window just as she would if the application were running locally. Remote Desktop Services RemoteApp applications appear in the Start menu just like other locally installed applications. The difference with RemoteApp is that the application runs on the Remote Desktop Services server, with only the application display appearing on the client.

You can use RemoteApp applications over the Internet if the RemoteApp program shortcuts or publications include the address of an RD Gateway server. You configure the RD Gateway server address prior to publishing applications by using the RemoteApp Deployment Settings dialog box, shown in Figure 10-19. This dialog box is available through the RemoteApp manager on a computer running Windows Server 2008 R2. If you publish a RemoteApp application through Group Policy or by distributing a remote desktop shortcut (.rdp) file prior to configuring an RD Gateway, you have to republish the application and redistribute the file.

FIGURE 10-19 RD Gateway settings for RemoteApp

More Info REMOTEAPP
To learn more about Remote Desktop Services RemoteApp, consult the following Microsoft TechNet Web page: http://technet.microsoft.com/en-us/library/cc755055.aspx.

Dialup Connections

A large number of people still access the Internet using dial-up connections to their ISPs. Windows 7 supports dial-up connections to ISPs so long as a compatible modem is available.
Modems can include land-line and cellular devices, and they can be included as a part of a portable computer's hardware or as universal serial bus (USB) attachments. To set up a dial-up connection, perform the following steps:

1. In Network And Sharing Center click Set Up A New Connection Or Network. On the Choose A Connection Option page, shown in Figure 10-20, select Set Up A Dial-Up Connection and then click Next.
2. In the Create A Dial-up Connection dialog box, shown in Figure 10-21, enter the phone number of the ISP, the ISP user name and password, a connection name, and whether you want other users of the computer to be able to use this connection.
3. If you need to configure dialing rules, such as country code, carrier code, a specific number to access an outside line, or switch between pulse and tone dialing, you can click the Dialing Rules item to specify these settings.

FIGURE 10-20 Set Up Dial-up Connection

FIGURE 10-21 Specifying connection information

Configuring Windows 7 to Accept Incoming Connections

You can configure Windows 7 to accept incoming VPN and dial-up connections. When you configure Windows 7 to accept incoming VPN and dial-up connections, the client running Windows 7 is able to function as a VPN and dial-up server. Windows 7 supports incoming VPNs that use the PPTP protocol and allows only one incoming connection at a time. To configure Windows 7 to support incoming connections, perform the following steps:

1. Open the Network Connections page, which is accessible through the Network And Sharing Center. Press Alt to bring up the menu bar. Click File and then click New Incoming Connection.
2. Select which users can access the computer remotely using VPN or dial-up, as shown in Figure 10-22, and then click Next.
3. On the How Will People Connect? page, shown in Figure 10-23, select the types of connections that you wish to support. Your options include Through The Internet and Through A Dial-Up Modem.

FIGURE 10-22 Selecting remote users

FIGURE 10-23 Configuring the incoming connection type

Posted: 02/07/2014, 10:20
