20411B-ENU-TrainerHandbook.pdf
7-52 Configuring and Troubleshooting Remote Access
4. Publish the CRL to LON-RTR by performing the following steps:

   Note: This step makes the CRL available on the edge server for Internet-based DirectAccess clients.

   a. Switch to LON-DC1.
   b. Start the Certification Authority console.
   c. In the console tree, open Adatum-LON-DC1-CA, right-click Revoked Certificates, point to All Tasks, and then click Publish.
5. Complete the DirectAccess Setup Wizard on LON-RTR by performing the following steps:

   a. On LON-RTR, open Server Manager.
   b. In Server Manager, in Tools, select Routing and Remote Access.
   c. In Routing and Remote Access, disable the existing configuration, and close the console.
   d. In Server Manager console, start the Remote Management console, click Configuration, and start the Enable DirectAccess Wizard.

   Note: If you get an error at this point, restart LON-RTR, sign in as Adatum\administrator, and then restart from c).

   e. Complete the wizard with the following settings:
      Network Topology: Edge is selected
      131.107.0.2 is used by clients to connect to the Remote Access server.
   f. In the Remote Access Management console, under Step 1, click Edit.
   g. Add the DA_Clients group.
   h. Clear the Enable DirectAccess for mobile computers only check box.
   i. Remove the Domain Computers group.
   j. In the Remote Access Management console details pane, under Step 2, click Edit.
   k. On the Network Topology page, verify that Edge is selected, and type 131.107.0.2.
   l. On the Network Adapters page, verify that CN=131.107.0.2 is used as a certificate to authenticate the IP-HTTPS connection.
   m. On the Authentication page, click Use computer certificates, click Browse, and then click Adatum Lon-Dc1 CA.
   n. On the VPN Configuration page, click Finish.
   p. On the Network Location Server page, click The network location server is deployed on a remote web server (recommended), and in the URL of the NLS, type https://nls.adatum.com, and then click Validate.
   q. Ensure that the URL is validated.
   r. On the DNS page, examine the values, and then click Next.
   s. In the DNS Suffix Search List, click Next.

Administering Windows Server® 2012 7-53

   t. On the Management page, click Finish.
   u. In the Remote Access Management console details pane, review the setting for Step 4.
   v. In Remote Access Review, click Apply.
   w. Under Applying Remote Access Setup Wizard Settings, click Close.
6. Update Group Policy settings on LON-RTR by performing the following step:

   o Open the command prompt, and type the following commands, pressing Enter after each line:

     gpupdate /force
     ipconfig

   Note: Verify that LON-RTR has an IPv6 address for Tunnel adapter IPHTTPSInterface starting with 2002.

Results: After completing this exercise, you will have configured the DirectAccess infrastructure.
Exercise 2: Configuring the DirectAccess Clients

Scenario

After you configured the DirectAccess server and the required infrastructure, you must configure DirectAccess clients. You decide to use Group Policy to apply DirectAccess settings to the clients and for certificate distribution.

1. Configure DirectAccess Group Policy settings.
2. Verify client computer certificate distribution.
3. Verify internal connectivity to resources.

Task 1: Configure DirectAccess Group Policy settings

1. Start LON-CL1, and then sign in as Adatum\Administrator with the password of Pa$$w0rd. Open a command prompt window, and then type the following commands, pressing Enter at the end of each line:

2. Verify that the DirectAccess Client Settings GPO is displayed in the list of the Applied Policy objects for the Computer Settings.

Task 2: Verify client computer certificate distribution

1. On LON-CL1, open the Certificates MMC.
2. Verify that a certificate with the name LON-CL1.adatum.com displays with Intended Purposes of Client Authentication and Server Authentication.
3. Close the console window without saving it.
Task 3: Verify internal connectivity to resources

1. On LON-CL1, open Windows Internet Explorer® from the Desktop, and in the address bar, type http://lon-svr1.adatum.com/. The default IIS 8 web page for LON-SVR1 displays.
2. In Internet Explorer, go to https://nls.adatum.com/. The default IIS 8 web page for LON-SVR1 displays.
3. Open a Windows Explorer window, in the address bar, type \\Lon-SVR1\Files, and then press Enter. A window with the contents of the Files shared folder will display.
4. Close all open windows.

Results: After completing this exercise, you will have configured the DirectAccess clients.
Exercise 3: Verifying the DirectAccess Configuration

Scenario

1. Move the client computer to the Internet virtual network.
2. Verify connectivity to the DirectAccess server.
3. Verify connectivity to the internal network resources.
4. To prepare for the next module.

Task 1: Move the client computer to the Internet virtual network

1. Switch to LON-CL1.
2. Change the network adapter configuration to the following settings:
   o IP address: 131.107.0.10
   o Subnet mask: 255.255.0.0
   o Default gateway: 131.107.0.2
3. Disable and then re-enable the Local Area Network network adapter.
4. Close the Network Connections window.
5. On your host, in Hyper-V Manager, right-click 20411B-LON-CL1, and then click Settings. Change the Legacy Network Adapter to be on the Private Network 2 network, and then click OK.
Task 2: Verify connectivity to the DirectAccess server

1. On LON-CL1, open a command prompt, and type the following command:

   ipconfig

2. Notice that the returned IP address starts with 2002. This is the IP-HTTPS address.
3. At the command prompt, type the following command, and then press Enter:

   Netsh name show effectivepolicy

4. At the command prompt, type the following command, and then press Enter:

   powershell

5. At the Windows PowerShell® command-line interface, type the following command, and then press Enter:
Task 3: Verify connectivity to the internal network resources

1. Switch to Internet Explorer, and go to http://lon-svr1.adatum.com/. You should see the default IIS 8 web page for LON-SVR1.
2. Open Windows Explorer, in the address bar, type \\LON-SVR1\Files, and then press Enter.
3. A folder window with the contents of the Files shared folder should display.
4. At a command prompt, type the following command, and then press Enter:

7. Close all open windows.
8. Switch to LON-RTR.
9. Start the Remote Access Management console, and review the information on Remote Client Status.

   Note: Notice that LON-CL1 is connected via IP-HTTPS. In the Connection Details pane, in the bottom-right of the screen, note the use of Kerberos for the Machine and the User.

10. Close all open windows.
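The checks that Tasks 2 and 3 of this exercise perform by hand on LON-CL1 (an IP-HTTPS address starting with 2002, the effective NRPT policy, the client's DirectAccess connection state, and reachability of the internal web site and file share) can be gathered in one read-only run. The script below is an added example and is not part of the 20411B handbook or its lab files. The host names, the share path, the .adatum.com suffix and the 2002 prefix are the lab's own values; the cmdlets used (Get-NetIPAddress, Get-DnsClientNrptPolicy, Get-DAConnectionStatus, Invoke-WebRequest, Test-Path) are standard on Windows 8 and Windows Server 2012 or later, and the function names are this example's own. The IP-HTTPS address check is the same one the note in Exercise 1, step 6 asks you to make on LON-RTR's IPHTTPSInterface.

```powershell
# Added example (not from the 20411B handbook): read-only DirectAccess client checks
# for LON-CL1 after it has been moved to the Internet virtual network.
# Lab values from the exercise; change them for another environment.
$InternalWebUrl = 'http://lon-svr1.adatum.com/'
$FileShare      = '\\LON-SVR1\Files'
$InternalSuffix = '.adatum.com'   # NRPT namespace delivered by the DirectAccess client GPO
$ExpectedPrefix = '2002:'         # the exercise expects the IP-HTTPS address to start with 2002

function Test-IphttpsAddress {
    # Equivalent of the "ipconfig" step: an IPv6 address on the IPHTTPS tunnel adapter
    # that begins with the expected prefix (also valid for LON-RTR's IPHTTPSInterface).
    param([string]$Prefix = $ExpectedPrefix)
    $addr = Get-NetIPAddress -AddressFamily IPv6 -ErrorAction SilentlyContinue |
        Where-Object { $_.InterfaceAlias -like '*IPHTTPS*' -and $_.IPAddress.StartsWith($Prefix) }
    $detail = if ($addr) { ($addr.IPAddress -join ', ') } else { "no $Prefix address on an IPHTTPS interface" }
    [pscustomobject]@{ Check = 'IP-HTTPS address'; Passed = [bool]$addr; Detail = $detail }
}

function Test-NrptPolicy {
    # PowerShell view of "netsh namespace show effectivepolicy": the client GPO must have
    # delivered an NRPT rule that sends internal-suffix queries to the DirectAccess DNS servers.
    param([string]$Suffix = $InternalSuffix)
    $rule = Get-DnsClientNrptPolicy -Effective -ErrorAction SilentlyContinue |
        Where-Object { $_.Namespace -eq $Suffix }
    $detail = if ($rule) { "DNS servers: $($rule.DirectAccessDnsServers -join ', ')" } else { "no effective NRPT rule for $Suffix" }
    [pscustomobject]@{ Check = 'NRPT rule'; Passed = [bool]$rule; Detail = $detail }
}

function Test-DaConnection {
    # Client-side counterpart of the Remote Client Status page reviewed on LON-RTR in step 9.
    # ConnectedRemotely is the expected state for a client on the Internet network.
    $status = Get-DAConnectionStatus -ErrorAction SilentlyContinue
    $detail = if ($status) { "$($status.Status) ($($status.Substatus))" } else { 'Get-DAConnectionStatus returned nothing' }
    [pscustomobject]@{ Check = 'DirectAccess connection'; Passed = ($status.Status -eq 'ConnectedRemotely'); Detail = $detail }
}

function Test-InternalResources {
    # Steps 1-3 of Task 3: the internal web site and the file share must be reachable through
    # the tunnel. A failure here while the tunnel checks pass usually points at NRPT or DNS.
    param([string]$Url = $InternalWebUrl, [string]$Share = $FileShare)
    $web = $false
    try { $web = (Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 10).StatusCode -eq 200 } catch { }
    $smb = Test-Path -Path $Share -ErrorAction SilentlyContinue
    $webDetail = if ($web) { 'HTTP 200' } else { 'request failed' }
    $smbDetail = if ($smb) { 'share accessible' } else { 'share not reachable' }
    [pscustomobject]@{ Check = "HTTP $Url";  Passed = $web;        Detail = $webDetail }
    [pscustomobject]@{ Check = "SMB $Share"; Passed = [bool]$smb;  Detail = $smbDetail }
}

# Run every check, print a summary table, and return a non-zero exit code on any failure
# so the script can be used from a scheduled task or a help-desk runbook.
$results = @(Test-IphttpsAddress; Test-NrptPolicy; Test-DaConnection; Test-InternalResources)
$results | Format-Table -AutoSize
if ($results.Passed -contains $false) { exit 1 }
```

Run it in a Windows PowerShell session on the client while it sits on the Internet virtual network. Note that https://nls.adatum.com is deliberately not in the list: the network location server is checked in Exercise 2 because it must be reachable only from the internal network. If a client can reach the NLS from the Internet, it will conclude that it is inside the corporate network and will never bring up the IP-HTTPS tunnel, so an NLS that is reachable externally shows up here as a failed connection check rather than as a successful web request.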
To prepare for the next module

• When you finish the lab, revert the virtual machines to their initial state.

Results: After completing this exercise, you will have verified the DirectAccess configuration.
Module 8
Installing, Configuring, and Troubleshooting the Network Policy Server Role

Contents:

Module Overview 8-1
Lesson 1: Installing and Configuring a Network Policy Server 8-2
Lesson 2: Configuring RADIUS Clients and Servers 8-6
Lesson 3: NPS Authentication Methods 8-12
Lesson 4: Monitoring and Troubleshooting a Network Policy Server 8-20
Lab: Installing and Configuring a Network Policy Server 8-25
Module Review and Takeaways 8-29
Module Overview

The Network Policy Server (NPS) role in Windows Server® 2012 provides support for the Remote Authentication Dial-In User Service (RADIUS) protocol, and can be configured as a RADIUS server or proxy. Additionally, NPS provides functionality that is essential for the implementation of Network Access Protection (NAP). To support remote clients and to implement NAP, it is important that you know how to install, configure, and troubleshoot NPS.

Objectives

After completing this module, you will be able to:

• Install and configure NPS.
• Configure RADIUS clients and servers.
• Explain NPS authentication methods.
• Monitor and troubleshoot NPS.