Configuring Windows 7 (Training Kit) - Part 58 pot


CHAPTER 10 DirectAccess and VPN Connections
Lesson 2: Remote Connections

4. On the Networking Software Allows This Computer To Accept Connections From Other Kinds Of Computers page, select which networking components will be enabled for the incoming connections. The default settings have IPv4 and File And Printer Sharing enabled. IPv6 is disabled by default.

5. By clicking the Properties for each network component type, you can decide whether a remote user can have access to the LAN that the computer running Windows 7 is connected to. As Figure 10-24 shows, you can also specify how the client gets its address, either through Dynamic Host Configuration Protocol (DHCP), through an IP address pool, or by allowing the incoming client to specify its own IP address.

FIGURE 10-24 Incoming IP address properties

6. Click Allow to allow the connections. The Network Connections control panel contains a new item called Incoming Connections, as shown in Figure 10-25. You can modify the properties of incoming connections and specify which users you will permit to initiate incoming connections by right-clicking the Incoming Connections item and selecting Properties.

FIGURE 10-25 Incoming connection configured

Auditing Remote Connections

If you configure Windows 7 to support incoming VPN or dial-up connections, you may want to audit those connections. Auditing incoming connections provides you with a record of which users have connected to the client running Windows 7 remotely. If you are using basic auditing, you should enable the Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit Logon Events policy. This policy records all attempts to log on and off the computer to which the policy applies.
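
The following PowerShell script is an added example, not part of the book. It checks and enables logon/logoff auditing with auditpol and then lists the resulting Security log records for review. The function name ConvertTo-LogonRecord and the 24-hour window are assumptions made for illustration; event IDs 4624, 4625 and 4634 are the standard logon, failed logon and logoff events.

```powershell
# Added example (not from the book). Run in an elevated PowerShell 2.0+ session
# on the Windows 7 computer that accepts the incoming connections.

# Show which Logon/Logoff auditing is currently in effect.
auditpol /get /category:"Logon/Logoff"

# Enable the Logon and Logoff subcategories locally.
# Domain Group Policy can overwrite these local settings.
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Logoff" /success:enable

# Flatten one Security log event into the fields worth reviewing.
# ConvertTo-LogonRecord is a hypothetical helper name.
function ConvertTo-LogonRecord {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Record)
    $xml  = [xml]$Record.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    New-Object PSObject -Property @{
        Time      = $Record.TimeCreated
        EventId   = $Record.Id
        User      = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        LogonType = $data['LogonType']
        Source    = $data['IpAddress']   # empty for logoff events
    }
}

# Last 24 hours of logon (4624), failed logon (4625) and logoff (4634) events.
$filter  = @{ LogName = 'Security'; Id = 4624, 4625, 4634; StartTime = (Get-Date).AddDays(-1) }
$records = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
             ForEach-Object { ConvertTo-LogonRecord $_ })

# Chronological record of who logged on and off.
$records | Sort-Object Time |
    Format-Table Time, EventId, User, LogonType, Source -AutoSize

# Failed attempts grouped by account and source address, most frequent first.
$records | Where-Object { $_.EventId -eq 4625 } |
    Group-Object User, Source |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```
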
If you enable the Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Audit: Force Audit Policy Subcategory Settings policy, you can use the more detailed auditing policies that are available in the Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Logon\Logoff node. This node contains the Audit Logon and Audit Logoff policies. Auditing these specific policies reduces the amount of account logon and logoff activity that is audited when compared to the more general account auditing setting mentioned earlier. You can view audited account logon and logoff events in the Security log in Event Viewer, as shown in Figure 10-26.

FIGURE 10-26 Audit account logon event

EXAM TIP
Remember what protocol is required for VPN Reconnect.

Practice: Configure Remote Connections

When you are configuring VPN connections, you always need to know three things: the address of the VPN server, the user name you connect with, and the password associated with that account. Windows 7 tries all VPN protocols, starting with IKEv2 and working through SSTP, L2TP/IPsec, and finally PPTP, so it is not necessary to specify which protocol a VPN connection uses, though you can do this later by editing the VPN connection’s properties. The following practice relates to the configuration of VPN connections.

Exercise 1: Configure a VPN Connection

In this exercise, you configure a VPN connection. Perform the following steps:

1. Log on to computer Canberra with the Kim_Akers user account.

2. Right-click the Network Status icon and then choose Open Network And Sharing Center. This opens the Network And Sharing Center.

3. Click Set Up A New Connection Or Network. In the Set Up A Connection Or Network wizard, shown in Figure 10-27, click Connect To A Workplace and then click Next.

FIGURE 10-27 Creating a VPN connection

4. On the How Do You Want To Connect? page, click Use My Internet Connection (VPN).

5. On the Type The Internet Address To Connect To page, enter the name remote-access.contoso.com. Select the Allow Other People To Use This Connection check box and the Don’t Connect Now; Just Set It Up So I Can Connect Later check box, as shown in Figure 10-28. Click Next.

FIGURE 10-28 VPN connection address

6. On the Type Your User Name And Password page, enter the user name and password that will be used to authenticate with the Routing and Remote Access server. You can also enter the user account’s domain, as shown in Figure 10-29. Click Create and then click Close.

FIGURE 10-29 VPN credentials

Exercise 2: Modify VPN Connection Properties

In this exercise, you modify the properties of the VPN connection that you configured to the Contoso VPN server earlier. Perform the following steps:

1. If you have not already done so, log on to computer Canberra with the Kim_Akers user account.

2. Right-click the Network Status icon and then click Open Network And Sharing Center. This opens the Network And Sharing Center.

3. In the Network And Sharing Center control panel, click Change Adapter Settings.

4. In the Network Connections control panel, right-click VPN Connection and then choose Properties. This brings up the VPN Connection Properties dialog box.

5. Click the Security tab. Using the Type Of VPN drop-down menu, select IKEv2, as shown in Figure 10-30. Note that the Authentication options change when you select this VPN type.

FIGURE 10-30 VPN connection security

6. Click Advanced Settings. On the Advanced Properties page, change the Network Outage Time to 8 hours and then click OK.

7. Close the VPN Connection Properties dialog box.

Lesson Summary

• Clients running Windows 7 support the PPTP, L2TP/IPsec, SSTP, and IKEv2 VPN protocols.
• The IKEv2 VPN protocol is required if you want to use the VPN Reconnect feature.
  VPN Reconnect also requires a VPN server running Windows Server 2008 R2.
• The SSTP protocol allows users to access VPNs from behind most firewalls because it uses the same port as HTTPS traffic.
• RD Gateways allow Remote Desktop Connection access to Remote Desktop hosts on an organization’s internal network without requiring that the external client use a VPN connection. RD Gateway also allows RemoteApp applications to be published to clients on the Internet.
• EAP-MS-CHAPv2 is the strongest password-based authentication protocol, and it is the only password-based authentication protocol that can be used with IKEv2.
• You can create a VPN or dial-up connection using the Create New Connection Wizard, which is available from the Network And Sharing Center.
• Windows 7 can function as a dial-up and VPN server if you configure incoming connections.
• NAP can be used to block remote access connections made by clients running Windows 7 that do not meet designated health benchmarks. These clients can be redirected to remediation networks that contain resources that allow them to become compliant.

Lesson Review

You can use the following questions to test your knowledge of the information in Lesson 2, “Remote Connections.” The questions are also available on the companion DVD if you prefer to review them in electronic form.

NOTE: ANSWERS
Answers to these questions and explanations of why each answer choice is correct or incorrect are located in the “Answers” section at the end of the book.

1. Which of the following VPN types support the VPN Reconnect feature of Windows 7?
   A. PPTP
   B. L2TP/IPsec
   C. SSTP
   D. IKEv2

2. You work as a consultant for a small business that has a Windows Server 2008 network infrastructure. Each person that works at this business has a laptop computer running Windows 7 Professional.
Several of the employees regularly stay at small motels around the country, and some have complained that they are unable to establish VPN connections to the office even though they are able to browse the Web using the motel Internet connection. Which of the following VPN protocols should you configure to resolve this problem?
   A. SSTP
   B. IKEv2
   C. PPTP
   D. L2TP/IPsec

3. Your organization’s Routing and Remote Access server has Windows Server 2003 R2 installed. Which of the following protocols can you use to connect to the VPN server?
   A. SSTP
   B. IKEv2
   C. PPTP
   D. L2TP/IPsec

4. Which of the following authentication protocols can you use to connect to an IKEv2 VPN? (Choose all that apply.)
   A. PEAP
   B. EAP-MSCHAP v2
   C. Microsoft Smart Card or Other Certificate
   D. CHAP

5. You have connected to a free Wi-Fi access point at the local library with your computer running Windows 7 Professional. You want to connect to the server remote-desktop.contoso.internal so that you can run some special line-of-business applications. Your organization has a remote desktop gateway server at the address rdgateway.contoso.com. There are currently no VPN connections configured on your computer. How can you connect to remote-desktop.contoso.internal?
   A. Configure a DirectAccess connection and then connect to remote-desktop.contoso.internal using Remote Desktop Connection.
   B. Configure Remote Desktop Connection to use the Remote Desktop Gateway at remote-desktop.contoso.internal and then connect to rdgateway.contoso.com.
   C. Configure Remote Desktop Connection to use the Remote Desktop Gateway at rdgateway.contoso.com and then connect to remote-desktop.contoso.internal.
   D. Configure a DirectAccess connection and then connect to rdgateway.contoso.com using Remote Desktop Connection.

Chapter Review

To further practice and reinforce the skills you learned in this chapter, you can perform the following tasks:

• Review the chapter summary.
• Review the list of key terms introduced in this chapter.
• Complete the case scenarios. These scenarios set up real-world situations involving the topics of this chapter and ask you to create a solution.
• Complete the suggested practices.
• Take a practice test.

Chapter Summary

• DirectAccess allows clients to connect to an internal corporate network whenever they have an active Internet connection.
• DirectAccess requires clients running Windows 7 Enterprise or Ultimate, as well as a DirectAccess server running Windows Server 2008 R2.
• DirectAccess can use native IPv6 connections or the Teredo, 6to4, and IP-HTTPS IPv6 to IPv4 transition technologies.
• Windows 7 supports PPTP, L2TP/IPsec, SSTP, and IKEv2 VPNs. IKEv2 VPNs support the VPN Reconnect feature.
• RD Gateway servers allow Remote Desktop Clients to connect to internal Remote Desktop Services servers without the need for a VPN or DirectAccess connection.

Key Terms

Do you know what these key terms mean? You can check your answers by looking up the terms in the glossary at the end of the book.

• DirectAccess
• RemoteApp

Case Scenarios

In the following case scenarios, you apply what you’ve learned about subjects of this chapter. You can find answers to these questions in the “Answers” section at the end of this book.

Case Scenario 1: Wingtip Toys DirectAccess

Wingtip Toys currently has 40 laptop computers running Windows Vista Business. Wingtip Toys wants to deploy DirectAccess because many of the users of these computers would prefer an automatic connection to the company network when they are in remote locations, rather than relying on a manual VPN connection.
Wingtip Toys wants to replace their existing server running Windows Server 2003 R2 x64 Routing and Remote Access with a DirectAccess server. This server has two network cards and is assigned two consecutive public IPv4 addresses on the Internet interface. This server is a member of the Wingtiptoys.internal domain. The server has already been assigned the appropriate computer certificates.

With these facts in mind, answer the following questions:

1. What steps should Wingtip Toys take to create the DirectAccess server?
2. What type of group should you create to support DirectAccess?
3. What steps should you take to prepare client computers to use DirectAccess?

Case Scenario 2: Remote Access at Tailspin Toys

Tailspin Toys is deploying Windows 7 Professional to 300 laptop computers. You want to ensure that future VPN users will be able to stay connected to their VPN sessions if they switch from using a public Wi-Fi connection to using the cellular modem cards provided to them by the company. Users should be able to authenticate with their user names and passwords. Your existing VPN infrastructure uses NAP. The current Routing and Remote Access server is running the Windows Server 2008 x64 operating system. This system blocks VPN access to clients running Windows Vista Professional that do not have the most recent software updates or antivirus definitions installed. Presently, NAP blocks noncompliant clients from accessing the network. These clients cannot access the VPN until they connect to the corporate network directly and are able to download antivirus and software updates. You want to upgrade your quarantine network so that noncompliant clients can undergo remediation while connected remotely. Tailspin Toys has an Active Directory Certificate Services deployment.

With these facts in mind, answer the following questions:

1. What steps do you need to take to support VPN Reconnect at Tailspin Toys?
2. What additions should you make to the quarantine network so that clients can become compliant?
3. Which authentication protocol should you use for Tailspin Toys?

Suggested Practices

To help you master the exam objectives presented in this chapter, complete the following tasks.

Configure DirectAccess

If you have access to two servers or virtual machines running Windows Server 2008 R2, perform the following practices:

• Practice 1: Configure the first server running Windows Server 2008 R2 as a domain controller, a DNS server, and an Active Directory Certificate Services server.
• Practice 2: Configure the second server running Windows Server 2008 R2 as a DirectAccess server. To do so, review the requirements for a DirectAccess server listed in Lesson 1.

Configure Remote Connections

If you have access to two servers or virtual machines running Windows Server 2008 R2, perform the following practices:

• Practice 1: Configure the first server running Windows Server 2008 R2 as a domain controller and install Remote Desktop services. Configure the second server running Windows Server 2008 R2 as an RD Gateway server. Connect using a client running Windows 7 to Remote Desktop services on the domain controller using the RD Gateway server.
• Practice 2: Configure the first server running Windows Server 2008 R2 as a domain controller and install Remote Desktop services. Configure the second server running Windows Server 2008 R2 as a Routing and Remote Access server. Connect to the Routing and Remote Access server using a client running Windows 7 that is configured to use only an IKEv2 VPN connection.

Take a Practice Test

The practice tests on this book’s companion DVD offer many options. For example, you can test yourself on just one exam objective, or you can test yourself on all the 70-680 certification exam content.
You can set up the test so that it closely simulates the experience of taking a certification exam, or you can set it up in study mode so that you can look at the correct answers and explanations after you answer each question.

MORE INFO: PRACTICE TESTS
For details about all the practice test options available, see the section entitled “How to Use the Practice Tests,” in the Introduction to this book.

Date posted: 02/07/2014, 10:21
