DOCUMENT INFORMATION
Basic information
Format:
Pages: 91
Size: 3.36 MB
Content
CHAPTER 10 DirectAccess and VPN Connections

FIGURE 10-3 The Internet and Corporate Access message

As you learned earlier, DirectAccess clients use digital certificates to authenticate with the DirectAccess server. If a computer does not have a valid computer certificate issued by a certificate authority (CA) that the DirectAccess server is configured to trust for the purpose of DirectAccess authentication, it cannot connect successfully. DirectAccess clients and the DirectAccess server almost always receive their certificates from an Active Directory Certificate Services Certificate Authority that is integrated into the domain. This ensures that both client and server trust each other's certificates. To verify that a computer certificate is present and valid on a client running Windows 7, perform the following actions:

1. Open a blank Microsoft Management Console by typing mmc into the Search Programs And Files text box.
2. Add the Certificates snap-in for the local Computer account.
3. Navigate to the Certificates (Local Computer)\Personal\Certificates node and verify that the computer has enrolled a certificate for the intended purposes of Client Authentication and Server Authentication, as shown in Figure 10-4.

FIGURE 10-4 Verifying the DirectAccess client certificate

You can verify the current DirectAccess configuration using several command-line utilities. To verify the DirectAccess client's settings for 6to4, issue the command

Netsh interface 6to4 show relay

When the client is assigned DirectAccess configuration through Group Policy, this command displays one of the public IPv4 addresses assigned to the DirectAccess server as the relay address. If the relay setting is set to Default, the DirectAccess Group Policy has not been applied properly.

Similarly, when DirectAccess configuration is applied through Group Policy, you should see one of the two public addresses assigned to the DirectAccess server when you verify the Teredo configuration. You can verify the Teredo configuration by issuing the command

Netsh interface ipv6 show teredo

You can also get information about the IP-HTTPS configuration by issuing the command

Netsh interface httpstunnel show interfaces

MORE INFO TROUBLESHOOTING DIRECTACCESS
For more information on troubleshooting DirectAccess, consult the following Microsoft TechNet document: http://technet.microsoft.com/en-us/library/dd637786.aspx.

Quick Check
- Which IPv6 transition technology does DirectAccess use if you are in a remote location and your computer has been assigned a public IPv4 address, but not a public IPv6 address?

Quick Check Answer
- DirectAccess uses the 6to4 IPv6 transition technology if the client is assigned a public IPv4 address but not a public IPv6 address.

Configuring the DirectAccess Server

You configure DirectAccess primarily by configuring the DirectAccess server. When you configure the DirectAccess server, you also end up configuring the necessary Group Policy Objects (GPOs) that support DirectAccess. Prior to installing DirectAccess, you should ensure that the DirectAccess server meets the following requirements:

- The computer needs to have Windows Server 2008 R2 installed and be a member of a domain.
- This server must have two network adapters.
- One of these network adapters needs a direct connection to the Internet. You must assign this adapter two consecutive public IPv4 addresses.
- The second network adapter needs a direct connection to the corporate intranet.
- The computer needs digital certificates to support server authentication. This includes having a computer certificate that matches the fully qualified domain name (FQDN) that is assigned to the IP addresses on the DirectAccess server's external network interface.

You should also create at least one global security group in AD DS that you use with DirectAccess. You can give this group any name that you like, though it is easier to keep track of it if you give it a DirectAccess-related name. It is possible to create and specify multiple DirectAccess-related security groups if necessary. You create multiple groups when you need to differentiate access to segments of the corporate intranet.

To install DirectAccess on a server running Windows Server 2008 R2, add the DirectAccess Management Console feature using the Add Features Wizard, as shown in Figure 10-5. Installing the DirectAccess Management Console allows you to configure and manage DirectAccess features. Installing the DirectAccess Management Console also requires that you add the Group Policy Management feature. The Group Policy Management feature is necessary because the DirectAccess setup wizard creates DirectAccess-related GPOs that configure DirectAccess clients. You need to run the DirectAccess setup wizard with a user account that has permissions to create and apply GPOs in the domain.

FIGURE 10-5 Install the DirectAccess feature on Windows Server 2008 R2

After you install the DirectAccess Management Console, you can configure the DirectAccess server. To do this, perform the following steps:

1. Open the DirectAccess Management Console from the Administrative Tools menu on the computer running Windows Server 2008 R2. This opens the DirectAccess Management Console, shown in Figure 10-6.

FIGURE 10-6 DirectAccess console

2. Select the Setup node. In the details pane, in the Remote Clients area, click Configure. This opens the DirectAccess Client Setup dialog box. Click Add and then specify the name of the security groups to which you add computer accounts when you want to grant access to DirectAccess to specific clients running Windows 7. These groups can have any names. The one in Figure 10-7 is called DA_Clients.

FIGURE 10-7 DirectAccess client groups

3. Use the DirectAccess Server Setup item to specify which interface is connected to the Internet and which interface is connected to the internal network. Performing this step will enable IPv6 transition technologies on the DirectAccess server, as shown in Figure 10-8. You use this item to specify the CA that client certificates must ultimately come from, either directly or through a subordinate CA. You also must specify the server certificate used to secure IP-HTTPS traffic.

FIGURE 10-8 DirectAccess Server Setup

4. On the Infrastructure Server Setup page, you specify the location of the internal Web site (known as the Network Location Server) that DirectAccess clients attempt to contact to determine whether they are connected to the corporate intranet or a remote location. You must ensure that you secure this Web site with a Web server certificate, as shown in Figure 10-9. You also use this dialog box to specify which DNS servers and domain controllers the DirectAccess clients are able to contact for authentication purposes.
5. The final step involves specifying which resources on the corporate intranet are accessible to DirectAccess clients. The default setting is to allow access to all resources. In more secure environments, it is possible to use isolation policies to limit the contact to the membership of specific security groups. For example, you might create a security group and add the computer accounts of some file servers and mail servers, but not others.
6. When you click Finish, DirectAccess interfaces with a domain controller and creates two new GPOs in the domain. The first of these is targeted at the security groups that contain the computer accounts of DirectAccess clients. The second GPO is targeted at the DirectAccess server itself. You can see these GPOs in Figure 10-10.

FIGURE 10-9 Specifying the network location server

FIGURE 10-10 DirectAccess GPOs

DirectAccess relies upon several other components in a Windows Server 2008 R2 network infrastructure. The domain in which you install the DirectAccess server must also have the following:

- At least one domain controller running Windows Server 2008 R2 and a DNS server on the internal network.
- A server running Windows Server 2008 with Active Directory Certificate Services installed, either as an enterprise root CA or an enterprise subordinate CA.

To make internal network resources available to remote DirectAccess clients, you need to do one of the following:

- Ensure that all internal resources that will be accessed by DirectAccess support IPv6.
- Deploy ISATAP on the intranet. ISATAP allows intranet servers and applications to be reached by tunneling IPv6 traffic over an IPv4 intranet.
- Deploy a NAT-PT device. NAT-PT devices allow hosts that only support IPv4 addresses to be accessible to DirectAccess clients using IPv6.

All application servers that DirectAccess clients access need to allow ICMPv6 traffic in Windows Firewall with Advanced Security (WFAS). You can accomplish this by enabling the following firewall rules using Group Policy:

- Echo Request – ICMPv6-In
- Echo Request – ICMPv6-Out

The following ports on an organization's external firewall must be open to support DirectAccess:

- UDP port 3544: Enables Teredo traffic.
- IPv4 protocol 41: Enables 6to4 traffic.
- TCP port 443: Allows IP-HTTPS traffic.
- ICMPv6 and IPv4 protocol 50: Required when remote clients have IPv6 addresses.

EXAM TIP
Remember which conditions necessitate the use of Teredo, 6to4, and IP-HTTPS on DirectAccess clients.
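The manual checks above (the three Netsh show commands and the certificate-store inspection) can be run as one script. This is an added example and not code from the training kit; it assumes $ExpectedServerIPv4 is one of the DirectAccess server's public IPv4 addresses (131.107.0.5 is a constructed sample), and the "Label : Value" field names it looks up (Relay Name, Server Name, Type, URL, Last Error Code) are assumed from typical netsh output.

```powershell
# Added example (not from the training kit): checks the DirectAccess client settings
# the lesson verifies by hand. Run from an elevated PowerShell prompt on the client.
# Assumption: $ExpectedServerIPv4 is one of the DirectAccess server's public IPv4
# addresses (constructed sample value); the netsh field names below are assumed.
param(
    [string]$ExpectedServerIPv4 = '131.107.0.5'
)

# Turn netsh's "Label : Value" lines into a hashtable (keys are case-insensitive).
function ConvertFrom-NetshOutput {
    param([string[]]$Lines)
    $table = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([^:]+?)\s*:\s*(.*?)\s*$') { $table[$matches[1]] = $matches[2] }
    }
    return $table
}

$results = @()

# 1. 6to4 relay: with the DirectAccess GPO applied it is the server's public IPv4
#    address; "default" means the Group Policy has not been applied properly.
$relay = ConvertFrom-NetshOutput (netsh interface 6to4 show relay)
$relayName = $relay['Relay Name']
if ($relayName -eq $ExpectedServerIPv4) { $results += "OK    6to4 relay = $relayName" }
elseif ($relayName -match '^default$')  { $results += "FAIL  6to4 relay is 'default': DirectAccess GPO not applied" }
else                                    { $results += "WARN  6to4 relay = '$relayName' (not the DirectAccess server)" }

# 2. Teredo: the server name should also be one of the DirectAccess server's addresses.
$teredo = ConvertFrom-NetshOutput (netsh interface ipv6 show teredo)
$teredoServer = $teredo['Server Name'] -replace '\.$', ''   # strip a trailing dot
if ($teredoServer -eq $ExpectedServerIPv4) { $results += "OK    Teredo server = $teredoServer (type: $($teredo['Type']))" }
else                                       { $results += "WARN  Teredo server = '$teredoServer' (type: $($teredo['Type']))" }

# 3. IP-HTTPS: the fallback when only TCP 443 leaves the remote network. Report the
#    tunnel URL and last error code so a blocked or misnamed endpoint is visible.
$tunnel = ConvertFrom-NetshOutput (netsh interface httpstunnel show interfaces)
if ($tunnel['URL']) { $results += "INFO  IP-HTTPS URL = $($tunnel['URL']); last error = $($tunnel['Last Error Code'])" }
else                { $results += "WARN  No IP-HTTPS interface configured" }

# 4. Computer certificate in Local Computer\Personal carrying both the Client
#    Authentication (1.3.6.1.5.5.7.3.2) and Server Authentication (1.3.6.1.5.5.7.3.1)
#    purposes, not yet expired, with its private key present (PowerShell 2.0 syntax).
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $ekus = @($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
    ($ekus -contains '1.3.6.1.5.5.7.3.2') -and ($ekus -contains '1.3.6.1.5.5.7.3.1')
} | Select-Object -First 1
if ($cert) { $results += "OK    Computer certificate: $($cert.Subject), issued by $($cert.Issuer), expires $($cert.NotAfter)" }
else       { $results += "FAIL  No valid computer certificate with Client + Server Authentication purposes" }

$results
```

A FAIL on the 6to4 or certificate line reproduces the two conditions the lesson names as reasons a client cannot connect: Group Policy not applied, or no certificate trusted by the DirectAccess server.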
Practice: Configure DirectAccess with Netsh

DirectAccess requires a Windows Server 2008 R2 network infrastructure, so it is not possible to simulate DirectAccess on a client running Windows 7 without also having access to several servers running Windows Server 2008 R2. In this practice, you simulate manually configuring different IPv6 DirectAccess components using Netsh.

Exercise 1: Netsh DirectAccess Configuration

In this exercise, you simulate setting DirectAccess policies using the Netsh command-line utility. In reality, DirectAccess configuration comes through Group Policy, though there may be circumstances, such as when a client has been out of the office for some time and the DirectAccess server address has changed, where you need to perform this type of manual configuration.

1. Log on to computer Canberra using the Kim_Akers user account and open an elevated command prompt.
2. Enter each of the following commands and press Enter:

Netsh interface ipv6 set teredo enterpriseclient 131.107.0.5
Netsh interface 6to4 set relay 131.107.0.5

3. Now enter the following diagnostic commands and press Enter after each one to verify that the correct configuration was set. The configuration should match the IP address 131.107.0.5:

Netsh interface 6to4 show relay
Netsh interface ipv6 show teredo

Lesson Summary

- DirectAccess allows a client running Windows 7 Enterprise or Ultimate edition to connect automatically to a corporate intranet when an active Internet connection is established, without requiring user intervention.
- If a client running Windows 7 has a public IPv6 address, a direct IPv6 connection is made. If the client has a public IPv4 address, a connection is made using the 6to4 transition technology. If the client has a private IPv4 address, a connection is made using the Teredo transition technology. If the client has a private IPv4 address and is behind a firewall that restricts most forms of network traffic, a connection using IP-HTTPS is made.
- DirectAccess clients require computer certificates from a CA that is trusted by the DirectAccess server. The DirectAccess server requires a certificate from a CA trusted by the DirectAccess client.
- DirectAccess clients must be members of an AD DS domain. DirectAccess clients must be members of a special domain security group that has been configured during the setup of the DirectAccess server.
- A DirectAccess server must run Windows Server 2008 R2. A domain controller running Windows Server 2008 R2 and a DNS server must also be present on the internal network to support DirectAccess.

Lesson Review

You can use the following questions to test your knowledge of the information in Lesson 1, "Managing DirectAccess." The questions are also available on the companion DVD if you prefer to review them in electronic form.

NOTE ANSWERS
Answers to these questions and explanations of why each answer choice is correct or incorrect are located in the "Answers" section at the end of the book.

1. A client running Windows 7 is connecting to a hotel network. Clients on the hotel network are assigned IP addresses in the 10.0.10.0 /24 range. The hotel firewall blocks all traffic except that on ports 25, 80, and 443. Which DirectAccess connectivity method does the client use to make the connection?
A. Teredo
B. 6to4
C. Globally routable IPv6 address
D. IP-HTTPS

2. You have 10 stand-alone laptop computers running Windows 7 Professional. You want to configure these computers so that they can use DirectAccess to access the internal network when users connect to remote networks. Your internal network has a Windows Server 2008 R2 functional level domain. Which of the following steps must you take before you can accomplish this goal? (Choose all that apply.)
A. Upgrade the computers to Windows 7 Ultimate.
B. Join the computers to the domain.
C. Configure AppLocker policies.
D. Configure BranchCache policies.

3. Which of the following computers can you configure as a DirectAccess server?
A. A server running Windows Server 2008 R2 with two network adapters that has been assigned two consecutive public IPv4 addresses
B. A server running Windows Server 2008 R2 with one network adapter that has been assigned two consecutive public IPv4 addresses
C. A server running Windows Server 2008 R2 with two network adapters that has been assigned one public IPv4 address
D. A server running Windows Server 2008 R2 with one network adapter that has been assigned one public IPv4 address

4. Kim Akers, who uses the Kim_Akers user account, has been using a computer running Windows 7 Enterprise named Laptop-122 with DirectAccess to access the internal corporate network when working remotely. Laptop-122 is a member of the Direct_Access domain security group. Laptop-122 has developed a fault and Kim has been given Laptop-123, which also runs Windows 7 Enterprise and is joined to the Contoso.internal domain. When Kim is working remotely, she is unable to connect to the internal network. Which of the following steps should you take to resolve this problem?
A. Add the computer account for Laptop-123 to the Direct_Access group in the domain.
B. Add the computer account for Laptop-123 to the Direct_Access group on Laptop-123.
C. Add the Kim_Akers user account to the Direct_Access group in the domain.
D. Add the Kim_Akers user account to the Direct_Access local group on Laptop-123.

5. Your client running Windows 7 is connected to a hotel network, has an address on the 192.168.10.0 /24 network, and is located behind a Network Address Translation (NAT) device. The network blocks all outbound traffic except that on ports 80 and 443. You want the address of the DirectAccess IP-HTTPS server to be set correctly.
Which of the following commands could you use?
A. ipconfig
B. netsh interface 6to4 show relay
C. netsh interface ipv6 show teredo
D. netsh interface httpstunnel show interfaces

[...] Connections

FIGURE 10-20 Set Up Dial-up Connection

FIGURE 10-21 Specifying connection information

Configuring Windows 7 to Accept Incoming Connections

You can configure Windows 7 to accept incoming VPN and dial-up connections. When you configure Windows 7 to accept incoming VPN and dial-up connections, the client running Windows 7 is able to function as a VPN and dial-up server. Windows 7 supports incoming ...

... infrastructure. Most third-party VPN solutions support L2TP/IPsec. L2TP/IPsec cannot be used behind NAT unless the client and server support IPsec NAT Traversal (NAT-T). Windows 7, Windows Server 2003, and Windows Server 2008 support NAT-T. You can configure L2TP to use either certificate-based authentication or a pre-shared key by configuring the advanced properties, as shown in Figure 10-11.
- SSTP SSTP ...

- PEAP/PEAP-TLS (Protected Extensible Authentication Protocol with Transport Layer Security) This is a certificate-based authentication protocol where users authenticate using certificates. Requires the installation of a computer certificate on the VPN server.
- EAP-MS-CHAPv2/PEAP-MS-CHAPv2 The most secure password-based authentication protocols available to VPN clients running Windows 7; requires the installation of a ...

FIGURE 10-11 L2TP Advanced Properties

- IKEv2 IKEv2 is a VPN protocol new to Windows 7 and is not present in previous versions of Windows. IKEv2 supports IPv6 and the new VPN Reconnect feature. IKEv2 supports Extensible Authentication Protocol (EAP) and computer certificates for client-side authentication. This includes Microsoft Protected EAP (PEAP), Microsoft Secured Password (EAP-MSCHAP v2), and Microsoft Smart Card or Other Certificate, as shown in Figure 10-12.

... applications to be published to clients on the Internet.
- EAP-MS-CHAPv2 is the strongest password-based authentication protocol, and it is the only password-based authentication protocol that can be used with IKEv2.
- You can create a VPN or dial-up connection using the Create New Connection Wizard, which is available from the Network And Sharing Center.
- Windows 7 can function as a dial-up and VPN server if ...

CHAPTER 11
- Lesson 1: Managing BitLocker 555
- Lesson 2: Windows 7 Mobility 574

Before You Begin
To complete the exercises in the practices in this chapter, you need to have done the following:
- Installed the Windows 7 operating system on a stand-alone client PC named Canberra, as described in Chapter 1, "Install, Migrate, or Upgrade to Windows 7."
- Make sure you have access to a small removable ...

... noncompliant clients from accessing the network. NAP can be used for clients on the LAN, but also can be used for VPN, RD Gateway, and DirectAccess clients. Administrators can configure NAP to restrict network access based on the following criteria:
- Does a client have antivirus software installed and up to date?
- Does a client have anti-spyware software installed and up to date?
- Does a client have Windows ... Update enabled?
- Have all software updates been installed on the client computer?

Administrators specify these criteria through Security Health Validators (SHVs). Administrators configure SHVs to specify the components of the system health benchmark. Figure 10-16 shows the Windows 7 SHV that is included with Windows Server 2008 R2.

FIGURE 10-16 Windows Security Health Validator

... a Windows Server Update Services (WSUS) server so that the client can get the most recent software updates and an antivirus update server so that the client can reach a compliant state and be granted access to the network. It is possible for a client running Windows 7 to perform some steps automatically towards remediation when the Security Center service is enabled. This service interacts with the Windows ...

... their clients running Windows 7 compliant so they will be able to access the internal network.

MORE INFO NAP
To find out more about NAP, consult the Network Access Protection TechCenter at the following address: http://technet.microsoft.com/en-us/network/bb545879.aspx

Remote Desktop and Application Publishing

Windows Server 2008 R2 Remote Desktop Services, known as Terminal Services on Windows ...