
 

 

 

Administering Windows Server® 2012 6-23

Module Review and Takeaways

Best Practices Related to Group Policy Management

• Include comments on GPO settings.
• Use a central store for Administrative Templates when you have clients running Windows Vista, Windows 7, and Windows 8.
• Use Group Policy preferences to configure settings that are not available in the Group Policy set of settings.
• Use Group Policy software installation to deploy packages in .msi format to a large number of users or computers.

Common Issues and Troubleshooting Tips

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Common Issue                                                        Troubleshooting Tip

• You have configured folder redirection for an OU, but none of the user’s folders are being redirected to the network location. When you look in the root folder, you observe that a subdirectory named for each user has been created, but they are empty.

• You have assigned an application to an OU. After multiple logons, users report that no one has installed the application.

• You have a mixture of Windows XP and Windows 8 computers. After configuring several settings in the Administrative Templates of a GPO, users with the Windows XP operating system report that some settings are being applied and others are not.

• Group Policy preferences are not being applied.

 

 

 

 

 

 

 

 

 

 

 

 

 

6-24 Managing User Desktops with Group Policy

Review Questions

Question: Why do some Group Policy settings take two logons before going into effect?

Question: How can you support Group Policy preferences on Windows XP?

Question: What is the benefit of having a central store?

Question: What is the main difference between Group Policy settings and Group Policy preferences?

Question: What is the difference between publishing and assigning software through Group Policy?

Question: Can you use Windows PowerShell scripts as startup scripts?


 

 

7-1

Module 7
Configuring and Troubleshooting Remote Access

Contents:

Module Overview 7-1
Lesson 1: Configuring Network Access 7-2
Lesson 2: Configuring VPN Access 7-10
Lesson 3: Overview of Network Policies 7-19
Lesson 4: Troubleshooting Routing and Remote Access 7-25
Lab A: Configuring Remote Access 7-30
Lesson 5: Configuring DirectAccess 7-34
Lab B: Configuring DirectAccess 7-47
Module Review and Takeaways 7-56

 

 

Module Overview

Most organizations have users that work remotely, perhaps from home or maybe from customer sites. To facilitate and support these remote connections, you must implement remote access technologies to support this distributed workforce. You must become familiar with the technologies that enable remote users to connect to your organization’s network infrastructure. These technologies include virtual private networks (VPNs), and DirectAccess, a feature of the Windows® 7 and Windows 8 operating systems. It is important that you understand how to configure and secure your remote access clients by using network policies. This module explores these remote access technologies.

Objectives

After completing this module, you will be able to:

• Configure network access.
• Create and configure a VPN solution.
• Describe the role of network policies.
• Troubleshoot routing and remote access.
• Configure DirectAccess.

 

 

7-2 Configuring and Troubleshooting Remote Access

Lesson 1
Configuring Network Access

 

Network Access in the Windows Server® 2012 operating system provides the required services that enable remote users to connect to your network. To support the needs of both your organization and your remote users, it is important that you are able to install and configure these Windows Server 2012 network access components successfully.

Lesson Objectives

After completing this lesson, you will be able to:

• Describe the components of a Network Access Services infrastructure.
• Describe the Network Policy and Access Services role.
• Describe Routing and Remote Access.
• Explain network access authentication and authorization.
• Explain the types of authentication methods that are used for network access.
• Describe a public key infrastructure (PKI).
• Explain how Dynamic Host Configuration Protocol (DHCP) servers are used with the Routing and Remote Access Service.

Components of a Network Access Services Infrastructure

The underlying infrastructure in a complete Network Access Services infrastructure in Windows Server 2012 typically includes the following components:

• Virtual Private Network (VPN) Server. Provides remote access connectivity based on various VPN tunneling protocols over a public network, such as the Internet.

• Active Directory® Domain Services (AD DS). Services authentication requests from remote access client connection attempts.

• Active Directory Certificate Services (AD CS). You can use digital certificates to provide for authentication in remote access scenarios. By deploying AD CS, you can create a PKI in your organization to support the issue, management, and revocation of certificates.

• DHCP Server. Supplies accepted inbound remote access connections with an IP configuration for network connectivity to the corporate local area network (LAN).

• Network Policy Server (NPS). Provides authentication services for other network access components.

• Network Access Protection (NAP) components:

o NAP Health Policy Server. Evaluates system health against configured health policies that describe health requirements and enforcement behaviors, such as requiring that connecting clients must be compliant before they gain access to the network.

Administering Windows Server® 2012 7-3

o Health Registration Authority (HRA). Obtains health certificates for clients that pass the health policy verification.

o Remediation Servers. Provide remediation services to those clients that do not meet the health requirements for the corporate network. Remediation Servers are special servers on a limited network.

What Is the Network Policy and Access Services Role?

 

 

• Enforces health policies. Establishes and enforces health policies automatically, which can include software requirements, security update requirements, and required computer configurations.

• Helps to secure wireless and wired access. When you deploy 802.1X wireless access points, secure wireless access provides wireless users with a secure certificate or password-based authentication method that is simple to deploy. When you deploy 802.1X authenticating switches, they allow you to secure your wired network by ensuring that intranet users are authenticated before they can connect to the network or obtain an IP address using DHCP.

• Centralizes network policy management with Remote Authentication Dial-in User Service (RADIUS) server and proxy. Rather than configuring network access policy at each network access server (such as wireless access points, 802.1X authenticating switches, VPN servers, and dial-up servers), you can create policies in a single location that specify all aspects of network connection requests. These policies can include who is allowed to connect, when they can connect, and the level of security that they must use to connect to your network.

What Is the Remote Access Role?

The Remote Access role enables you to provide users with remote access to your organization’s network using one of the following technologies:

• VPN Access. A VPN provides a point-to-point connection between components of a private network through a public network, such as the Internet. Tunneling protocols enable a VPN client to establish and maintain a connection to a VPN server’s listening virtual port. You also can connect branch offices to your network with VPN solutions, deploy full-featured software routers on your network, and share Internet connections across the intranet.

7-4 Configuring and Troubleshooting Remote Access

• DirectAccess. DirectAccess enables seamless remote access to intranet resources without the user first establishing a VPN connection. DirectAccess ensures seamless connectivity to the application infrastructure for both internal users and remote users.

• DirectAccess and VPN Remote Access Service (RAS). Using DirectAccess and VPN RAS, you can enable and configure:

o DirectAccess solutions for your organization.

o VPN connections to provide end users with remote access to your organization’s network.

• Routing. This provides a full-featured software router and an open platform for routing and internetworking. It offers routing services to businesses in LAN and wide area network (WAN) environments.

When you choose routing, Network Address Translation (NAT) is also installed. When you deploy NAT, the server that is running Remote Access is configured to share an Internet connection with computers on a private network, and to translate traffic between its public address and the private network. By using NAT, the computers on the private network gain some measure of protection, because the router on which you configure NAT does not forward traffic from the Internet into the private network unless a private network client requests it or traffic is explicitly allowed.

When you deploy VPN and NAT, you configure the server that is running Remote Access to provide NAT for the private network, and to accept VPN connections. Computers on the Internet will not be able to determine the IP addresses of computers on the private network. However, VPN clients will be able to connect to computers on the private network as if they were physically attached to the same network.

Network Access Authentication and Authorization

The distinction between authentication and authorization is important in understanding why connection attempts are accepted or denied:

 

• Authentication is the verification of the connection attempt’s credentials. This process consists of sending the credentials from the remote access client to the Remote Access server in either plaintext or encrypted form by using an authentication protocol.

• Authorization is the verification that the connection attempt is allowed. Authorization occurs after successful authentication.

For a connection attempt to be accepted, the connection attempt must be authenticated and authorized. It is possible for the connection attempt to be authenticated by using valid credentials, but not authorized; in this case, the connection attempt is denied.

If you configure a Remote Access server for Windows Authentication, the security features of Windows Server 2012 verify the authentication credentials, while the user account’s dial-in properties and locally stored remote access policies authorize the connection. If the connection attempt is both authenticated and authorized, then the connection attempt is accepted.

 

Administering Windows Server® 2012 7-5

If you configure the Remote Access server for RADIUS authentication, the connection attempt’s credentials are passed to the RADIUS server for authentication and authorization. If the connection attempt is both authenticated and authorized, the RADIUS server sends an accept message back to the Remote Access server and the connection attempt is accepted. If the connection attempt is either not authenticated or not authorized, the RADIUS server sends a reject message back to the Remote Access server and the connection attempt is rejected.

 

 

Authentication Methods

The authentication of access clients is an important security concern. Authentication methods typically use an authentication protocol that is negotiated during the connection establishment process. The following methods are supported by the Remote Access role.

PAP

Password Authentication Protocol (PAP) uses plaintext passwords and is the least secure authentication protocol. It typically is negotiated if the remote access client and Remote Access server cannot negotiate a more secure form of validation. PAP is included in Microsoft Windows Server 2012 to support older client operating systems that support no other authentication method.

 

 

CHAP

The Challenge Handshake Authentication Protocol (CHAP) is a challenge-response authentication protocol that uses the industry-standard MD5 hashing scheme to encrypt the response. Various vendors of network access servers and clients use CHAP. Because CHAP requires the use of a reversibly encrypted password, you should consider using another authentication protocol, such as Microsoft® Challenge Handshake Authentication Protocol (MS-CHAP) version 2.
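The CHAP exchange above, with both the client and the authenticator side, as an added Python example (not code from the course handbook or from Windows); it shows why the authenticator must hold the user's password in recoverable form. The user name, secret and challenge values are constructed for the example.

```python
"""CHAP (RFC 1994) challenge-response exchange, client and authenticator.

Added example, not from the course handbook. The password store holds the
cleartext secret because the authenticator must recompute the same MD5
hash the client computed; that is the 'reversibly encrypted password'
requirement the handbook warns about."""
import hashlib
import hmac
import os


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """Client side: MD5(Identifier || secret || challenge), RFC 1994 section 4.1."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side (the Remote Access server or NPS in the handbook's terms)."""

    def __init__(self, users: dict):
        self._users = users        # name -> cleartext secret (constructed sample store)
        self._outstanding = {}     # ident -> challenge that still awaits a response

    def challenge(self) -> tuple:
        """Step 1: send a fresh, random challenge. Freshness defeats replay."""
        ident = os.urandom(1)[0]
        challenge = os.urandom(16)
        self._outstanding[ident] = challenge
        return ident, challenge

    def verify(self, ident: int, name: str, response: bytes) -> bool:
        """Step 3: recompute the hash and compare in constant time."""
        challenge = self._outstanding.pop(ident, None)   # each challenge is single-use
        secret = self._users.get(name)
        if challenge is None or secret is None:
            return False
        expected = chap_response(ident, secret, challenge)
        return hmac.compare_digest(expected, response)


def run_exchange(server: ChapAuthenticator, name: str, secret: bytes) -> bool:
    """Full exchange: Challenge -> Response -> Success/Failure."""
    ident, challenge = server.challenge()                # authenticator -> client
    response = chap_response(ident, secret, challenge)   # client -> authenticator
    return server.verify(ident, name, response)          # authenticator decides
```

Only the identifier, the challenge and the 16-byte digest cross the wire; the secret itself never does, unlike PAP.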

MS-CHAP V2

MS-CHAP v2 is a one-way, encrypted password, mutual-authentication process that works as follows:

1. The authenticator (the Remote Access server or the computer that is running NPS) sends a challenge to the remote access client. The challenge consists of a session identifier and an arbitrary challenge string.

2. The remote access client sends a response that contains a one-way encryption of the received challenge string, the peer challenge string, the session identifier, and the user password.

3. The authenticator checks the response from the client and sends back a response containing an indication of the success or failure of the connection attempt and an authenticated response based on the sent challenge string, the peer challenge string, the client’s encrypted response, and the user password.

4. The remote access client verifies the authentication response and, if correct, uses the connection. If the authentication response is not correct, the remote access client terminates the connection.

7-6 Configuring and Troubleshooting Remote Access

EAP

With the Extensible Authentication Protocol (EAP), an arbitrary authentication mechanism authenticates a remote access connection. The remote access client and the authenticator (either the Remote Access server or the RADIUS server) negotiate the exact authentication scheme to be used. Routing and Remote Access includes support for EAP-Transport Level Security (EAP-TLS) by default. You can plug in other EAP modules to the server that is running Routing and Remote Access to provide other EAP methods.

Other Options

In addition to the previously mentioned authentication methods, there are two other options that you can enable when selecting an authentication method:

• Unauthenticated Access. Strictly speaking, this is not an authentication method, but rather the lack of one. Unauthenticated access allows remote systems to connect without authentication. This option should never be enabled in a production environment, however, as it leaves your network at risk. Nonetheless, this option can sometimes be useful for troubleshooting authentication issues in a test environment.

• Machine Certificate for Internet Key Exchange version 2 (IKEv2). Select this option if you wish to use VPN Reconnect.

 

 

What Is a PKI?

A PKI consists of several components that help you secure corporate communications and transactions, including those used in remote access scenarios. There are many components that are required to work together to provide a complete PKI solution. The PKI components in Windows Server 2012 are:

• Certification Authority (CA). A CA issues and manages digital certificates for users, services, and computers. By deploying a CA, you establish the PKI in your organization.

• Digital certificates. Digital certificates are similar in function to an electronic passport. A digital certificate is used to prove the identity of the user (or other entity). Digital certificates contain the electronic credentials that are associated with a public key and a private key, which are used to authenticate users and other devices such as Web servers and mail servers. Digital certificates also ensure that software or code is run from a trusted source. Digital certificates contain various fields, such as Subject, Issuer, and Common Name. These fields are used to determine the specific use of the certificate. For example, a Web server certificate might contain the Common Name field of web01.contoso.com, which would make that certificate valid only for that web server. If an attempt were made to use that certificate on a web server named web02.contoso.com, the user of that server would receive a warning.

• Certificate templates. This component describes the content and purpose of a digital certificate. When requesting a certificate from an AD CS enterprise CA, the certificate requestor will, depending on his or her access rights, be able to select from a variety of certificate types based on certificate templates, such as User and Code Signing. The certificate template saves users from low-level, technical decisions about the type of certificate they need. In addition, templates allow administrators to distinguish who might request which certificates.

Administering Windows Server® 2012 7-7

• CRLs and Online Responders.

o Certificate revocation lists (CRLs) are complete, digitally signed lists of certificates that have been revoked. These lists are published periodically and can be retrieved and cached by clients, based on the configured lifetime of the CRL. The lists are used to verify a certificate’s revocation status.

o Online Responders are part of the Online Certificate Status Protocol (OCSP) role service in Windows Server 2008 and Windows Server 2012. An Online Responder can receive a request to check for revocation of a certificate without requiring the client to download the entire CRL. This speeds up certificate revocation checking, and reduces the network bandwidth. It also increases scalability and fault tolerance by allowing for array configuration of Online Responders.

• Public key–based applications and services. This relates to applications or services that support public key encryption. In other words, the application or services must be able to support public key implementations to gain the benefits from it.

• Certificate and CA management tools. Management tools provide command-line and GUI-based tools to:

o Configure CAs.
o Recover archived private keys.
o Import and export keys and certificates.
o Publish CA certificates and CRLs.
o Manage issued certificates.

• Authority information access (AIA) and CRL distribution points (CDPs). AIA points determine the location where CA certificates can be found and validated, and CDP locations determine the points where certificate revocation lists can be found during the certificate validation process. Because CRLs can become large (depending on the number of certificates issued and revoked by a CA), you can also publish smaller, interim CRLs called delta CRLs. Delta CRLs contain only the certificates revoked since the last regular CRL was published. This allows clients to retrieve the smaller delta CRLs and more quickly build a complete list of revoked certificates. The use of delta CRLs also allows revocation data to be published more frequently, because the size of a delta CRL means that it usually does not require as much time to transfer as a full CRL.

• Hardware security module (HSM). A hardware security module is an optional secure cryptographic hardware device that accelerates cryptographic processing for managing digital keys. It is a high security, specialized storage that is connected to the CA for managing the certificates. An HSM is typically attached to a computer physically. This is an optional add-on in your PKI, and is most widely used in high security environments where there would be a significant impact if a key were compromised.
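How a client combines a cached base CRL with a delta CRL when it checks revocation status, as an added Python example (written for this page, not code from the course handbook or from Windows). The CRLs are modelled as dictionaries rather than parsed from DER so the code runs offline; the issuer name, serial numbers and timestamps are constructed placeholders, and the combining rules follow RFC 5280 section 5.2.4 (Delta CRL Indicator).

```python
"""Revocation check against a cached base CRL plus a delta CRL.

Added example (not from the course handbook). CRLs are plain dictionaries
here instead of parsed DER; the combining rules follow RFC 5280 5.2.4."""
from datetime import datetime, timezone


def utc(*parts):
    """Helper: build a timezone-aware UTC timestamp from (y, m, d, h, ...)."""
    return datetime(*parts, tzinfo=timezone.utc)


# Constructed sample data: issuer name and serial numbers are placeholders.
BASE_CRL = {
    "issuer": "CN=Contoso Issuing CA",
    "crl_number": 41,
    "this_update": utc(2015, 5, 1, 8),
    "next_update": utc(2015, 5, 8, 8),          # weekly full CRL
    "revoked": {0x1001: "keyCompromise", 0x1002: "certificateHold"},
}
DELTA_CRL = {
    "issuer": "CN=Contoso Issuing CA",
    "crl_number": 43,
    "base_crl_number": 41,      # Delta CRL Indicator: built on base CRL 41
    "this_update": utc(2015, 5, 3, 8),
    "next_update": utc(2015, 5, 4, 8),          # daily delta CRL
    "revoked": {0x1003: "cessationOfOperation", 0x1002: "removeFromCRL"},
}


def delta_applies(base, delta):
    """A delta may only be combined with the base CRL it was issued against."""
    return (delta["issuer"] == base["issuer"]
            and delta.get("base_crl_number") == base["crl_number"]
            and delta["crl_number"] > base["crl_number"])


def effective_revocations(base, delta=None):
    """Merge base and delta into the current set of revoked serials.

    Delta entries override the base; reason removeFromCRL lifts a
    certificateHold that the base CRL still lists."""
    revoked = dict(base["revoked"])
    if delta is not None:
        if not delta_applies(base, delta):
            raise ValueError("delta CRL does not belong to the cached base CRL")
        for serial, reason in delta["revoked"].items():
            if reason == "removeFromCRL":
                revoked.pop(serial, None)
            else:
                revoked[serial] = reason
    return revoked


def revocation_status(serial, base, delta=None, now=None):
    """Return 'revoked', 'good' or 'stale' for one certificate serial.

    'stale' means the freshest list on hand is past its nextUpdate, so the
    client has to fetch a newer CRL from the CDP before trusting an answer."""
    now = now or datetime.now(timezone.utc)
    freshest = delta if delta is not None else base
    if now > freshest["next_update"]:
        return "stale"
    return "revoked" if serial in effective_revocations(base, delta) else "good"
```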

7-8 Configuring and Troubleshooting Remote Access

Integrating DHCP with Routing and Remote Access

You can deploy the DHCP role with the Remote Access role, which provides remote access clients with a dynamically assigned IP address during connection. When you use these services together on the same server, the information that is provided during dynamic configuration is provided in a way that is different from typical DHCP configuration for LAN–based clients.

In LAN environments, DHCP clients negotiate and receive the following configuration information, based entirely on settings that you configure in the DHCP console for the DHCP server:

• A leased IP address that is provided from an available address pool of an active scope on the DHCP server. The DHCP server directly manages and distributes the address to the LAN-based DHCP client.

• Additional parameters and other configuration information that are assigned as DHCP options in the provided address lease. The values and list of options correspond to option types that you configure and assign on the DHCP server.

When a Remote Access server provides dynamic configuration for remote access clients, it first performs the following steps:

1. When the server that is running Remote Access starts with the Use DHCP to assign remote TCP/IP addresses option, it instructs the DHCP client to obtain 10 IP addresses from a DHCP server.

2. The Remote Access server uses the first of these 10 IP addresses that are obtained from the DHCP server for the Remote Access server interface.

3. The remaining nine addresses are allocated to TCP/IP-based clients as they dial in to establish a session with the Remote Access server.

IP addresses that are freed when remote access clients disconnect are reused. When all 10 IP addresses are used, the Remote Access server obtains 10 more from a DHCP server. When the Routing and Remote Access service stops, all IP addresses that were obtained through DHCP are released.

When the Remote Access server uses this type of proactive caching of DHCP address leases for dial-up clients, it records the following information for each lease response that it obtains from the DHCP server:

• The IP address of the DHCP server.
• The client-leased IP address (for later distribution to the Routing and Remote Access client).
• The time at which the lease was obtained.
• The time at which the lease expires.
• The lease duration.

All other DHCP option information that the DHCP server returns—such as server, scope, or reservation options—is discarded. When the client dials in to the server and requests an IP address (that is, when Server Assigned IP Address is selected), it uses a cached DHCP lease to provide the dial-up client with dynamic IP address configuration.

When the IP address is provided to the dial-up client, the client is unaware that the IP address has been obtained through this intermediate process between the DHCP server and the Remote Access server. The Remote Access server maintains the lease on the client’s behalf. Therefore, the only information that the client receives from the DHCP server is the IP address.
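The address-block behaviour described above (ten leases per request, the first kept for the server interface, nine handed to clients, a fresh block of ten when those are exhausted, everything released on stop, and only the listed lease fields cached), modelled as an added Python example that is not code from the course handbook or from Windows. The DHCP server, its scope and the lease records are constructed stand-ins.

```python
"""Model of how a Remote Access server obtains DHCP leases for its clients.

Added example, not from the course handbook; FakeDhcpServer and the lease
records are constructed stand-ins for a real DHCP scope."""
from ipaddress import IPv4Address

BLOCK_SIZE = 10            # leases requested from DHCP per round trip


class FakeDhcpServer:
    """Stand-in for a DHCP scope: hands out sequential addresses with options."""

    def __init__(self, server_ip, first_address, lease_seconds=3600):
        self.server_ip = server_ip
        self._next = IPv4Address(first_address)
        self.lease_seconds = lease_seconds

    def lease(self, now):
        ip, self._next = self._next, self._next + 1
        # A real DHCPACK also carries scope/reservation options (router, DNS ...);
        # the Remote Access server discards these, see RemoteAccessServer.cache().
        return {"ip": ip, "server": self.server_ip, "obtained": now,
                "expires": now + self.lease_seconds, "duration": self.lease_seconds,
                "options": {"router": "10.0.0.1", "dns": "10.0.0.53"}}


class RemoteAccessServer:
    """Remote Access server running with 'Use DHCP to assign remote TCP/IP addresses'."""

    def __init__(self, dhcp):
        self.dhcp = dhcp
        self.interface_ip = None
        self.free = []            # cached leases not yet given to a client
        self.in_use = {}          # client name -> cached lease
        self.blocks_requested = 0

    @staticmethod
    def cache(lease):
        """Keep only the five fields the handbook lists; drop every DHCP option."""
        return {k: lease[k] for k in ("server", "ip", "obtained", "expires", "duration")}

    def _fetch_block(self, now):
        self.blocks_requested += 1
        return [self.cache(self.dhcp.lease(now)) for _ in range(BLOCK_SIZE)]

    def start(self, now=0):
        block = self._fetch_block(now)
        self.interface_ip = block[0]["ip"]      # first address: the server interface
        self.free = block[1:]                   # remaining nine are for clients

    def connect(self, client, now=0):
        """Client dials in with 'Server Assigned IP Address' and gets a cached lease."""
        if not self.free:
            self.free = self._fetch_block(now)  # all ten used: obtain ten more
        lease = self.free.pop(0)
        self.in_use[client] = lease
        return lease["ip"]                      # the client only ever learns the IP

    def disconnect(self, client):
        self.free.append(self.in_use.pop(client))   # freed address is reused

    def stop(self):
        """Service stops: release every address obtained through DHCP."""
        released = len(self.free) + len(self.in_use) + (1 if self.interface_ip else 0)
        self.free, self.in_use, self.interface_ip = [], {}, None
        return released
```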
