The app identifier you use when configuring a app-triggered VPN, as shown previously in Figure 15-13, is a property that uniquely identifies an app. For Windows UWP apps, you use the Package Full Name. Desktop apps can be identified using the Product ID or GUID.
Note
You learned about Microsoft Intune and Mobile Device Management (MDM) in Chapter 13, “Microsoft Intune.” Review the section “Managing Policies”
for details about Intune policies and how to create and deploy policies for your managed devices.
Note
If you need to use EAP XML for an VPN connection, refer to the article
“EAP configuration” at https://msdn.microsoft.com/en-
us/windows/hardware/commercialize/customize/mdm/eap-configuration for a technique for automatically generating the XML file required.
Traffic Filters
Windows 10 provides the capability to add traffic filters to any native
Windows VPN profile. Filters allow you to control what types of traffic are allowed over the VPN. There are two types of traffic filter rules.
• App-based rules: You can specify a list of applications so that only traffic originating from those apps are allowed over the VPN interface.
• Traffic-based rules: You can use rules based on ports, IP addresses, and protocol to specify that only traffic matching the rules is allowed over the VPN interface.
You can combine many sets of rules, both app-based and traffic-based, to specify the types of traffic allowed. For instance, you can specify that your in-house accounting application must be allowed through the VPN, and access only port 3850, and that all other apps on a device can use only port 443.
You can create traffic filters for a VPN connection using the VPN policy in Microsoft Intune. The Corporate Boundaries section of the VPN policy allows you to configure rules that specify the type of network traffic. See Figure 15-14 for the dialog you would use to add a traffic filter rule to the profile.
Figure 15-14. Configuring Traffic Filters in a Microsoft Intune VPN Policy
LockDown VPN
The LockDown VPN feature in Windows 10 allows you to enforce a VPN profile on a device that allows network traffic only over the VPN interface.
Users of the device would not be able to connect to the Internet or any other local network without connecting to the VPN connection you specify.
LockDown VPN has the following characteristics:
• The device tries to keep the VPN always connected.
• Users of the device cannot disconnect the VPN.
• Users of the device cannot delete or modify the VPN profile.
• The VPN LockDown profile uses forced tunnel connection.
• If the device cannot connect to the VPN, all network traffic is blocked.
• You can create only a single VPN LockDown profile on a device.
• The VPN LockDown profile is limited to using only the IKEv2 connection type.
You can only configure the LockDown VPN feature using an MDM solution, such as Microsoft Intune, by deploying a ProfileXML configuration profile.
There is no way to configure this type of VPN profile using PowerShell or Group Policy.
Configuring DirectAccess
Microsoft has introduced some new technologies to enable remote access requirements that make it easier to configure and manage for administrators and the mobile workforce. Microsoft introduced DirectAccess and Remote Desktop Gateway (RD Gateway) for Windows Server 2008 R2. The RD Gateway component of RDS enables employees on the public Internet to securely access Windows desktops and applications that are hosted in a Microsoft Azure cloud service. You will not need to know the details of server-side configuration of these technologies for the 70-698 exam, but you should be familiar with the features of RDS and DirectAccess, how they work, and when they should be used in an organization.
Remote Desktop Services (RDS)
Remote Desktop Services (RDS) is a platform for building virtualization services for customers, including delivering individualized application, secure mobile, and remote desktop access, and enabling users to run applications and the desktop from the cloud.
RDS can be deployed on-premises with Windows Server 2016, or by using Microsoft Azure for cloud deployments. RDS can be used to set up session- based virtualization or virtual desktop infrastructure (VDI), or both. You can publish desktops to provide users with a full desktop experience with
applications installed and managed centrally in an enterprise environment.
Using RemoteApps, you can specify individual applications hosted on the virtualized machines, while users use their own desktops to run the
applications as if they were locally installed.
DirectAccess
DirectAccess, first introduced as a feature with Windows 7 and Windows Server 2008 R2, enables users to directly connect to corporate networks from any Internet connection. When enabled, a user can access network resources as though he were actually at the office. DirectAccess uses IPv6 over IPsec to create a seamless, bidirectional, secured tunnel between the user’s computer and the office network, without the need for a virtual private network (VPN) connection.
The benefits of DirectAccess include the following:
• Improved mobile workforce productivity: Users have the same
connectivity to network resources whether they are in or out of the office.
Users can be connected through any Internet connection, such as a client’s office, a home, a hotel, an airport Wi-Fi connection, and so on.
• Improved management of remote users: You can apply Group Policy updates and software updates to remote computers whenever they are connected by means of DirectAccess.
• Improved network security: DirectAccess uses IPv6 over IPsec to enable encrypted communications and secured authentication of the computer to the corporate network even before the user has logged on. IPv6 also provides globally routable IP addresses for remote access clients. Encryption is provided using Data Encryption Standard (DES), which uses a 56-bit key, and Triple DES (3DES), which uses three 56-bit keys.
• Access control capabilities: You can choose to allow only specific applications or subnets of the corporate network or to allow unlimited network access by DirectAccess users.
• Simplified network traffic: Unnecessary traffic on the corporate network is reduced because DirectAccess separates its traffic from other Internet traffic. You can specify that DirectAccess clients send all traffic through the DirectAccess server.
Windows Server 2008 R2 and later includes the required server functionality to operate DirectAccess. Optionally, you can also include Microsoft
Forefront Unified Access Gateway (UAG). This option provides enhanced security within and outside the corporate network, enabling DirectAccess for IPv4-only applications and resources on the network. Security is improved on the DirectAccess server, and built-in wizards and tools simplify deployment and reduce configuration errors.
Windows 10 DirectAccess client computers must be running Windows Enterprise edition; it is not available in Windows 10 Home or Windows 10 Pro. DirectAccess can be deployed using either basic or advanced
deployments. In the basic deployment scenario, a single DirectAccess server is used, with no need for infrastructure settings such as a certificate authority or Active Directory security groups. You should be aware of the following prerequisites for deploying a basic DirectAccess server.
• The server must be running Windows Server 2008 R2 or later.
• Windows firewall must be enabled on all profiles.
• Basic deployment of DirectAccess is supported only when all client computers are running Windows 10, Windows 8, or Windows 8.1.
• ISATAP is not supported. You must use native IPv6.
• Two-factory authentication is not supported; domain credentials are required for authentication.
• DirectAccess will be deployed to all mobile computers in the current domain.
• The DirectAccess server is the Network Location Server.
• Changing policies outside of the DirectAccess management console or PowerShell is not supported.
Note
For more details on deploying DirectAccess using the basic deployment method, access the article “Install and Configure Basic DirectAccess” at https://technet.microsoft.com/windows-server-docs/networking/remote- access/directaccess/single-server-wizard/install-and-configure-basic- directaccess and follow the references for the steps involved.
Deploying DirectAccess with advanced settings has more infrastructure requirements, but provides greater flexibility in how DirectAccess is configured and managed in a large enterprise. The requirements for
deploying DirectAccess using the advanced scenario include the following:
• Public key infrastructure (PKI) must be deployed in the domain.
• Windows firewall must be enabled on all profiles.
• Windows Server 2008 R2 or later must be used.
• DirectAccess clients must be running either Windows Server 2008 R2 or later, Windows 7 Enterprise or Ultimate, Windows 8 or 8.1 Enterprise, Windows 10 Enterprise LTSB, or Windows 10 Enterprise.
• Changing policies by using a feature other than the DirectAccess
management console or Windows PowerShell is not supported.
• Separating NAT64/DNS64 and IPHTTPS server roles on another server is not supported. These roles must be run on the DirectAccess server.
Note
For more details on deploying DirectAccess using the advanced deployment method, access the article “Deploy a Single DirectAccess Server with
Advanced Settings” at https://technet.microsoft.com/en-us/windows-server- docs/networking/remote-access/directaccess/single-server-advanced/deploy- a-single-directaccess-server-with-advanced-settings.
After your infrastructure and servers have been configured for DirectAccess, including the Group Policy Objects for DirectAccess clients, the clients will have DirectAccess capability after they have updated group policy settings.
To update them right away, run the gpupdate /force command-line command from an administrative command prompt.
Configuring Remote Management
Performing administration and management tasks on a number of Windows servers and Windows 10 clients can be a challenge even in a small
organization. As the number of computers grows, the task can become
daunting without the capability to remotely manage computers from a central location.
Microsoft has provided a number of network technologies and tools to assist administrators in the many management and support tasks needed to keep their systems secure and performing correctly. In this section you learn some principles to guide you in selecting the right tools for the job in your
organization. You also learn about the remote management command-line tools that you can use to automate administration tasks across a set of
computers, saving you a significant amount of time. You need to know how to configure these tools ahead of time so that you can perform any
management tasks from a central location.
In this section you also learn about Remote Assistance, and how users can request help when needed. Instead of traveling to their location, Remote Assistance enables you to help them from a remote location.
Choosing the Right Tools
The capability to remotely management computers and servers is vital in large enterprises. If you must physically visit a computer to perform routine administrative tasks, you will either need a large staff of technicians or you will get so far behind that you can end up with security vulnerabilities.
Microsoft continues to expand and improve the capabilities of remote management tools with each iteration of Windows, and with Windows 10, remote management capabilities are continuing to improve.
You learned about the Remote Server Administration Tools (RSAT) in Chapter 4, “Managing Windows in an Enterprise,” and how to install the tools on a Windows 10 computer to manage servers, domains, Group Policies, and other remote management tasks. You also learned in Chapter 13, “Microsoft Intune,” about using cloud services such as Microsoft Intune and Office 365 to remotely manage devices and computers.
In this chapter you were introduced to Remote Desktop configuration and how to use Remote Desktop to connect to remote computers. Remote
Desktop allows you to log on to any computer in your enterprise that includes a full GUI desktop, and perform any administration task.
In this section you learn about some additional tools that allow you to not only remotely administer servers and computers, but to perform
administration tasks on groups of computers all at once, and tools that enable you to write scripts to automate routine administration and management tasks using the command-line.
Table 15-5 lists some of the remote management tools available in Windows 10 or Windows Server 2016.
Table 15-5. Remote Management Tools
Tool
Name Description
Command- line or GUI
Remote Desktop
Connect to a computer remotely and log in to the GUI as if you are in front of the computer console.
Cannot be used on Windows Server Core.
GUI
MMC
Microsoft Management Console (MMC) has many snap-ins that can connect to remote computers for managing settings.
GUI
WinRM
Windows Remote Management (WinRM) is a platform for remote management. It enables the use of Winrs, event forwarding for MMC Event
Viewer, and Windows PowerShell remoting.
Command- line
platform
Winrs
Winrs, or Windows Remote Shell, allows you to manage and execute programs remotely. Requires WinRM enabled on the remote computer.
Command- line
PowerShell Remoting
PowerShell remoting features allow you to remotely run PowerShell commands. Require WinRM
enabled on the remote computer.
Command- line
The tool to use depends entirely on the administration scenario. If you need to check the Windows Event log for many computers, you can use the MMC and Event Viewer to collect logs from many computers into a single view on your local computer. Performing complex configuration tasks or
troubleshooting an issue on one or a few computers is probably best handled using Remote Desktop or Remote Assistance.
You should consider using Group Policy Objects for many configuration tasks when you need to modify or enforce a specific configuration on a group of computers. When using a GPO is not practical or the settings you want are not available, using a command-line tool or script enabled by WinRM may be the best choice. WinRM and PowerShell Remoting will also be your tool of choice for administration of remote Windows Server Core installations.
Because Windows Server Core does not include a desktop GUI, you will not be able to use Remote Desktop. If you plan on significant use of command- line tools for remote management, be aware that WinRM must be enabled on each computer.
Windows Remote Management (WinRM)
Microsoft has provided Windows Remote Management (WinRM) to assist you in managing hardware on a network that includes machines that run a diverse mix of operating systems. WinRM is the Microsoft implementation of the WS-Management Protocol, which was developed by an independent
group of manufacturers as a public standard for remote computer management. You can use WinRM to monitor and manage remote computers.
WinRM is a series of command-line tools that operate from an administrative command prompt. Use the following procedure to set up the Remote
Management Service:
Step 1. Right-click Start and choose Command Prompt (Admin).
Step 2. Accept the UAC prompt, type winrm quickconfig, and then press Enter.
Step 3. You receive the output shown in Figure 15-15. Type y twice as shown in the figure to enable the granting of remote administrative rights to local users, create a WinRM listener on HTTP, and enable a firewall
exception that allows WinRM packets to pass.
Figure 15-15. Enabling WinRM from an Administrative Command Prompt or an Administrator Windows PowerShell Session
You can also configure WinRM by means of Group Policy. This enables you to enable WinRM for all computers in the same AD DS site, domain, or
organizational unit (OU). Access the Computer Configuration\Administrative Templates\Windows Components\Windows Remote Management node. This node contains two subnodes: WinRM Client and WinRM Service. The
WinRM Client policies deal with permitted authentication methods and available trusted hosts, whereas the WinRM Service policies deal with how the service listens on the network for requests, as well as client authentication methods that it will accept and whether unencrypted messages are permitted.
You can also enable or disable an HTTP listener. For more information on the available policies in each of these subnodes, double-click any policy and consult the Help text provided. If you use Group Policy, remember to enable rules for Windows Firewall. You need to enable two inbound rules: the Windows Remote Management service rule and the Network List Manager Policies rule. You can learn about details of working with Windows Firewall in Chapter 16, “Configuring and Maintaining Network Security.”
After you've set up WinRM, you are able to use either of two tools included in the Remote Management Service: Windows Remote Shell and Windows PowerShell. We take a quick look at each of these tools in turn. See the next section for use of Windows PowerShell.
Note
For more information about Windows Remote Management, refer to "About Windows Remote Management" at http://msdn.microsoft.com/en-
us/library/aa384291(VS.85).aspx.
Using Windows Remote Shell
Windows Remote Shell (WinRS) enables you to execute command-line utilities or scripts against a remote computer. For example, you can run the ipconfig command on a remote computer named Server1 by typing the following command:
winrs -r:Server1 ipconfig
You can specify the NetBIOS name of a computer located on the local subnet or the fully qualified domain name (FQDN) of a computer on a remote
network. You can also specify user credentials under which the WinRS command will be executed, by using the following command:
Winrs -r:Server1 -u:user_name -p:password command
In this command, user_name is the username in whose context you want to run the command, password is the password associated with this username, and command is the command to be run. You can use this syntax to remotely execute any command that you can normally run locally using the cmd.exe command prompt. If you don't specify the password, Windows Remote Shell prompts you for the password. You can also use http:// or https:// against the computer name in the -r parameter to specify an HTTP or Secure HTTP connection to a remote computer specified by its URL or IP address.
Note
For more information on using WinRS, open a command prompt and type winrs /?. You can also reference the “winrs” article at
https://technet.microsoft.com/en-us/windows-server- docs/management/windows-commands/winrs.
Using Windows PowerShell and MMCs for Remote Management Windows PowerShell, currently in version 5.1 for Windows 10, is a task- based command-line scripting interface that enables you to perform a large
number of tasks and is particularly useful for remote management.
PowerShell includes the Integrated Scripting Environment (ISE), which assists you in the task of writing, testing, and executing scripts. You can control and automate the administration of remote Windows computers and their applications. Installed by default in Windows 7 and later, as well as Windows Server version 2008 R2 and later, PowerShell also enables you to perform automated troubleshooting of remote computers. You can even read from and write to the Registry as though its hives were regular drives; for example, HKLM for HKEY_LOCAL_MACHINE and HKCU for
HKEY_CURRENT_USER.
Note
You can also use PowerShell 5.0 on computers running Windows 7 (with Service Pack 1)/Server 2008 R2 with Service Pack 1/2012 or newer. Any scripts you write using PowerShell 5.0 can then be run on computers using any of these operating systems. To install PowerShell 5.0, download the Windows Management Framework 5.0, which includes PowerShell,
PowerShell Desired State Configuration (DSC), WMI, WinRM, and other tools.
PowerShell and PowerShell ISE
Windows PowerShell borrows from the functionality of the object-oriented Microsoft .NET programming model. Objects used by this mode have well- defined properties and methods; for example, a file object has properties such as its size, modification date and time, and so on. All commands issued to PowerShell are in the form of a command-let, or cmdlet, which is an
expression of the form verb-object: for example, Get-process. You can run a cmdlet on its own or build these tools into complex scripts that enable you to perform almost unlimited tasks against any computer on the network. The following are several verbs used in many cmdlets:
• Get: Retrieves data