Wednesday, June 22, 2011

CHAPTER 6 (III)


EXERCISE 6
Moving the New Certificate to the Machine Store
By default, the server authentication certificate you have just requested and installed is created in the user personal store. However, the certificate must be moved to the machine store to be used. In this exercise, you perform this step. You do this while you are still logged on to DC1 as a domain administrator.
1. Click Start, type mmc, and then press Enter. A Microsoft Management Console (MMC) window named Console1 appears.
2. In Console1, click File, and then click Add/Remove Snap-in.
3. In the Add Or Remove Snap-ins window, under Available Snap-ins, click Certificates, and then click Add.
4. In the Certificates snap-in window, click Finish to accept the default setting of My User Account.
5. In the Add Or Remove Snap-ins window, click Add a second time, click Computer Account, and then click Next.
6. In the Select Computer dialog box, click Finish to accept the default setting of Local Computer.
7. Click OK to close the Add Or Remove Snap-ins dialog box.
8. In the Console1 console tree, expand Certificates – Current User, expand Personal, and then click Certificates.
9. In the details pane, right-click the DC1.nwtraders.msft certificate, click All Tasks, and then click Export. The Certificate Export Wizard opens.
10. On the Welcome page, click Next.
11. On the Export Private Key page, click Yes, Export The Private Key, and then click Next.
12. On the Export File Format page, click Next to accept the default file format.
13. On the Password page, type a password in both text boxes, and then click Next.
14. On the File To Export page, click Browse.
15. Under Favorites, click Desktop.
16. In the File Name text box, type DC1cert, and then click Save to save the certificate to the desktop.
17. Back on the File To Export page, click Next.
18. On the Completing The Certificate Export Wizard page, click Finish to close the wizard, and then click OK in the confirmation dialog box.
19. In the Console1 console tree, expand Certificates (Local Computer), and then expand Personal.
20. Right-click Certificates, point to All Tasks, and then click Import. The Certificate Import Wizard opens.
21. On the Welcome page, click Next.
22. On the File To Import page, click Browse.
23. Under Favorites, click Desktop.
24. In the file type drop-down list, select Personal Information Exchange (*.pfx, *.p12).
25. In the list of files, double-click DC1cert.
26. On the File To Import page, click Next.
27. On the Password page, type the password you assigned to the certificate in step 13, and then click Next.
28. On the Certificate Store page, click Next to accept the Personal store location.
29. Click Finish to close the wizard, and then click OK in the confirmation dialog box.
EXERCISE 7
Generating a Root Certificate
In this exercise, you use Internet Explorer to generate a root certificate for the local CA. This root certificate is later imported on Client1. You do this while still logged on to DC1 as a domain administrator.
1. In the Internet Explorer address bar, type http://localhost/certsrv, and then press Enter.
2. Under Select A Task, click Download A CA Certificate, Certificate Chain, Or CRL.
3. Click Yes to allow the ActiveX control, and Yes again to allow the certificate operation.
4. Click Download CA Certificate.
5. Save the certificate to the Desktop with the name RootCACert.
EXERCISE 8
Configuring the VPN Client with the Root Certificate
This exercise is performed on Client1. In the exercise, you install the root certificate for the CA that issued the server authentication certificate. This step is required for the client computer to trust the server authentication certificate and complete the VPN connection.
1. Log on to Nwtraders from Client1 as a domain administrator.
2. Click Start, type mmc, and then press Enter. A Microsoft Management Console (MMC) window named Console1 appears.
3. In the Console1 window, click File, and then click Add/Remove Snap-in.
4. Under Available Snap-ins, select Certificates, and then click Add.
5. In the Certificates Snap-in dialog box, select Computer Account, and then click Next.
6. In the Select Computer dialog box, click Finish to accept the default selection of Local Computer.
7. Click OK to close the Add/Remove Snap-ins dialog box.
8. In the Console1 console tree, expand Certificates (Local Computer), expand Trusted Root Certification Authorities, right-click Certificates, click All Tasks, and then click Import. The Certificate Import Wizard opens.
9. On the Welcome page, click Next.
10. On the File To Import page, click Browse.
11. In the Open window, in the address text box, type \\dc1.nwtraders.msft\c$\users\, and then press Enter.
12. In the list of folders, double-click to open the folder whose name corresponds to the name of the domain administrator account with which you have performed the previous exercises in this practice. The folders associated with the user account appear.
13. Double-click the Desktop folder to open it.
14. Select RootCACert from the file list, and then Click Open.
15. With the path to the certificate now complete on the File To Import page, click Next.
16. On the Certificate Store page, click Next to select the default value of placing the certificate in the Trusted Root Certification Authorities store.
17. On the Completing The Certificate Import Wizard page, click Finish, and then click OK to close the message box indicating that the import was successful.
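Exercises 6 and 8 are the same two certificate-store operations done through the MMC: export the server authentication certificate with its private key and re-import it into the machine Personal store on DC1, then place the CA certificate in the machine's Trusted Root Certification Authorities store on Client1. The following script is an added example, not part of the training kit; it drives the .NET X509Store API directly so it runs in Windows PowerShell 2.0 on Windows 7 / Server 2008 R2 without the later PKI module. The certificate subject, the file paths and the throwaway PFX password are assumptions, and the final check (private key present, Server Authentication EKU, chain builds to a trusted root) is what a practitioner would verify before pointing RRAS at the certificate.

```powershell
# Added example, not part of the training kit. Uses the .NET X509Store API directly, so it
# runs in Windows PowerShell 2.0 on Windows 7 / Server 2008 R2 (no PKI module required).
# Assumed values: the certificate subject, the file paths and the throwaway PFX password.
$X509     = 'System.Security.Cryptography.X509Certificates'
$subject  = 'CN=DC1.nwtraders.msft'                              # assumed subject of the server authentication cert
$pfxPath  = Join-Path $env:USERPROFILE 'Desktop\DC1cert.pfx'     # Exercise 6 saves the export here
$rootPath = Join-Path $env:USERPROFILE 'Desktop\RootCACert.cer'  # Exercise 7 saves the CA certificate here
$pfxPass  = 'Lab-only-Pa55w0rd'                                  # constructed placeholder; use Read-Host -AsSecureString in practice

function Export-UserCertToPfx {
    # Exercise 6, steps 8-18: locate the certificate in Certificates - Current User\Personal and export it with its private key.
    param([string]$Subject, [string]$Path, [string]$Password)
    $store = New-Object "$X509.X509Store" ('My', 'CurrentUser')
    $store.Open('ReadOnly')
    try {
        $cert = $store.Certificates | Where-Object { $_.Subject -eq $Subject -and $_.HasPrivateKey } | Select-Object -First 1
        if (-not $cert) { throw "No certificate with a private key for '$Subject' in CurrentUser\My" }
        # Export throws if the key was requested as non-exportable; the wizard greys out 'Yes, Export The Private Key' in that case.
        $bytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $Password)
        [System.IO.File]::WriteAllBytes($Path, $bytes)
        return $cert.Thumbprint
    } finally { $store.Close() }
}

function Import-PfxToMachineStore {
    # Exercise 6, steps 19-29: import the PFX into Certificates (Local Computer)\Personal.
    # MachineKeySet stores the private key in the machine key container, where a service such as RRAS
    # can reach it; PersistKeySet keeps the key after this process exits instead of treating it as temporary.
    param([string]$Path, [string]$Password)
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::MachineKeySet -bor
             [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::PersistKeySet
    $cert  = New-Object "$X509.X509Certificate2" ($Path, $Password, $flags)
    $store = New-Object "$X509.X509Store" ('My', 'LocalMachine')
    $store.Open('ReadWrite')
    try { $store.Add($cert) } finally { $store.Close() }
    return $cert.Thumbprint
}

function Import-RootCA {
    # Exercise 8, steps 8-17 (run on Client1): place the CA certificate in Trusted Root Certification Authorities.
    # Only a self-signed CA certificate belongs in Root; refuse anything else rather than widen machine trust by accident.
    param([string]$Path)
    $cert = New-Object "$X509.X509Certificate2" ($Path)
    if ($cert.Subject -ne $cert.Issuer) { throw "'$Path' is not self-signed; it does not belong in the Root store" }
    $store = New-Object "$X509.X509Store" ('Root', 'LocalMachine')
    $store.Open('ReadWrite')
    try { $store.Add($cert) } finally { $store.Close() }
    return $cert.Thumbprint
}

function Test-MachineServerCert {
    # Check that what RRAS will present is usable: it sits in LocalMachine\My with its private key, carries the
    # Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1) and chains to a root this machine trusts.
    param([string]$Thumbprint)
    $store = New-Object "$X509.X509Store" ('My', 'LocalMachine')
    $store.Open('ReadOnly')
    try { $cert = $store.Certificates | Where-Object { $_.Thumbprint -eq $Thumbprint } | Select-Object -First 1 }
    finally { $store.Close() }
    if (-not $cert -or -not $cert.HasPrivateKey) { return $false }
    $ekuOids = @($cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
    if ($ekuOids -notcontains '1.3.6.1.5.5.7.3.1') { return $false }
    # Build the chain without a CRL lookup: the lab CA's CRL distribution point may not be reachable, and a
    # revocation failure here would hide the trust question actually being asked.
    $chain = New-Object "$X509.X509Chain"
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    return $chain.Build($cert)
}

# On DC1 (Exercise 6):
$thumb = Export-UserCertToPfx -Subject $subject -Path $pfxPath -Password $pfxPass
Import-PfxToMachineStore -Path $pfxPath -Password $pfxPass | Out-Null
Remove-Item $pfxPath        # the PFX contains the private key; do not leave it on the desktop once imported
"Server certificate usable by RRAS: $(Test-MachineServerCert -Thumbprint $thumb)"
# On Client1 (Exercise 8), after copying RootCACert.cer from \\dc1.nwtraders.msft\c$\users\<admin>\Desktop:
# Import-RootCA -Path $rootPath
```

Both store writes need an elevated prompt on the machine store. The MachineKeySet flag is the part the wizard hides: a certificate imported without it ends up in the machine Personal store but with the key in the importing user's container, and RRAS, running as a service, then cannot use it for IKEv2.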
EXERCISE 9
Installing the Network Policy and Access Services Server Role
You perform this exercise on DC1 logged on as a domain administrator. In the exercise, you use the Add Roles Wizard to add the Network Policy Server and Routing And Remote Access Services role services. These two role services are features of the Network Policy and Access Services server role.
1. Open Server Manager.
2. In the Server Manager console tree, select the Roles node, and then click Add Roles in the Roles Summary area of the details pane. The Add Roles Wizard opens.
3. On the Before You Begin page, click Next.
4. On the Select Server Roles page, click Network Policy And Access Services, and then click Next.
5. On the Network Policy And Access Services page, click Next.
6. On the Select Role Services page, select both Network Policy Server and Routing And Remote Access Services, and then click Next.
7. On the Confirm Installation Selections page, click Install.
8. On the Installation Results page, click Close.
EXERCISE 10
Configuring DC1 as a VPN Server
In this exercise, you enable and configure the Routing and Remote Access service so that DC1 can receive and establish connections from VPN clients. You do this while still logged on to DC1 as a domain administrator.
1. Open the Routing and Remote Access console by clicking Start, pointing to Administrative Tools, and then clicking Routing And Remote Access.
2. In the Routing And Remote Access console tree, right-click DC1 (Local), and then click Configure And Enable Routing And Remote Access.
3. On the Welcome To The Routing And Remote Access Server Setup Wizard page, click Next.
4. On the Configuration page, click Next to accept the default setting of Remote Access (Dial-up Or VPN).
5. On the Remote Access page, select VPN, and then click Next.
6. On the VPN Connection page, under Network Interfaces, verify that the connection that is associated with the network shared by DC1 and Client1 is selected.
7. Clear the option Enable Security On The Selected Interface By Setting Up Static Packet Filters, and then click Next.
NOTE
ENABLING SECURITY ON A PUBLIC INTERFACE
In a production environment, you should leave security enabled on the public interface. For the purposes of testing connectivity in a lab environment, however, you can disable it.
8. On the IP Address Assignment page, click Next to accept the default setting of Automatically.
9. On the Managing Multiple Remote Access Servers page, click Next to accept the default setting of using Routing and Remote Access to authenticate connection requests.
10. On the Completing The Routing And Remote Access Server Setup Wizard page, click Finish.
11. On the warning about possible NPS policy conflicts, click OK.
EXERCISE 11
Configuring Network Policy Services (NPS)
In this exercise, you enable and configure the remote access policies required for an IKEv2-based VPN connection. Perform this exercise while you are still logged on to DC1 as a domain administrator.
1. Open the Routing and Remote Access console if it is not already open.
2. In the Routing and Remote Access console tree, expand DC1 (Local).
3. Select and right-click Remote Access Logging & Policies, and then select Launch NPS. The Network Policy Server console opens.
4. In the details pane, in the Network Access Policies section, click the Network Access Policies link.
5. In the details pane, in the Network Policies area, double-click Connections To Microsoft Routing And Remote Access Server. The Connections To Microsoft Routing And Remote Access Server Properties dialog box opens.
6. On the Overview tab, in the Access Permission section, select Grant Access. Grant Access If The Connection Request Matches This Policy.
7. Select the Constraints tab. In the Constraints list, Authentication Methods is selected by default. In the right pane, two EAP types are listed: Microsoft: Secured Password (EAP-MSCHAP v2) and Microsoft: Smart Card Or Other Certificate. In this exercise, only the first authentication method is needed.
8. Select Microsoft: Smart Card Or Other Certificate and click Remove to remove this EAP type.
9. Click OK to save your changes.
10. Close all open windows.
EXERCISE 12
Creating the VPN Connection on the VPN Client
In this exercise, you create a VPN connection on Client1 that you will use later to connect to DC1.
1. If you have not already done so, log on to Nwtraders from Client1 as a domain administrator.
2. Click Start, type Network and Sharing Center, and then press Enter. The Network And Sharing Center opens.
3. Click Set Up A New Connection Or Network.
4. Click Connect To A Workplace, and then click Next.
5. Click Use My Internet Connection (VPN).
6. Click I’ll Set Up An Internet Connection Later.
7. In the Internet Address text box, type DC1.nwtraders.msft. Leave VPN Connection as the destination name, and then click Next.
8. In the User Name and Password text boxes, type the name and password of the VPN user account you created in Exercise 1.
9. Select the Remember This Password check box.
10. In the Domain (Optional) text box, type nwtraders.msft.
11. Click Create, and then click Close.
EXERCISE 13
Configuring and Testing the VPN Connection
In this exercise, you verify that you can establish a VPN connection between Client1 and DC1. You do this while still logged on to Client1 as a domain administrator.
1. In the Network and Sharing Center, click Change Adapter Settings.
2. Double-click VPN Connection, and then click Properties.
3. On the Security tab, in the Type Of VPN drop-down list, select IKEv2, and then click OK.
4. In the Connect VPN Connection dialog box, click Connect. The user is authenticated, and the VPN connection is established successfully.
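Exercises 12 and 13 build the connection in the GUI and click Connect; when the connection fails, the dialog gives little more than an error number. The script below is an added example, not part of the training kit: it dials the same connection entry with rasdial, which ships with Windows 7 and so runs on the lab's Client1, after first checking the two things this lesson says an IKEv2 client depends on, a resolvable server name and a trusted issuing CA. The VPN user name and password from Exercise 1 and the CA's subject name are assumed placeholders; the RAS error numbers in the table are standard Windows codes, listed so that a failure can be read back to the exercise that configures the relevant piece.

```powershell
# Added example, not part of the training kit. rasdial is present on Windows 7, so this runs on Client1.
# Assumed values: the VPN user name/password from Exercise 1 and a substring of the lab CA's subject name.
$X509    = 'System.Security.Cryptography.X509Certificates'
$entry   = 'VPN Connection'          # destination name left at its default in Exercise 12
$server  = 'DC1.nwtraders.msft'
$domain  = 'nwtraders.msft'
$vpnUser = 'vpnuser'                 # constructed placeholder for the account created in Exercise 1
$vpnPass = 'Lab-only-Pa55w0rd'       # constructed placeholder; pass '*' instead to have rasdial prompt
$caName  = 'nwtraders'               # constructed placeholder: part of the lab CA's subject name

# Standard Windows RAS error codes, mapped to the exercise that configures what they point at
$rasErrors = @{
    691   = 'user name or password rejected (the account from Exercise 1, or the NPS policy from Exercise 11)'
    812   = 'connection prevented by NPS policy (Exercise 11: Grant Access and EAP-MSCHAP v2 must be in place)'
    13801 = 'IKE authentication credentials are unacceptable (commonly: the CA is not trusted per Exercise 8, or the server name does not match the certificate from Exercise 6)'
    13806 = 'IKE failed to find a valid machine certificate (the certificate from Exercise 6 is not in the machine store)'
}

function Test-RootTrusted {
    # Outcome of Exercise 8: is the issuing CA in this machine's Trusted Root Certification Authorities store?
    param([string]$SubjectContains)
    $store = New-Object "$X509.X509Store" ('Root', 'LocalMachine')
    $store.Open('ReadOnly')
    try { $hits = @($store.Certificates | Where-Object { $_.Subject -like "*$SubjectContains*" }) }
    finally { $store.Close() }
    return $hits.Count -gt 0
}

function Test-ServerName {
    # The name dialed must resolve (the lesson lists a DNS server as required infrastructure),
    # and for IKEv2 it must also match the name in the server's certificate.
    param([string]$Name)
    try { return ([System.Net.Dns]::GetHostAddresses($Name)).Count -gt 0 } catch { return $false }
}

function Connect-LabVpn {
    # Exercise 13, step 4 from the command line. rasdial exits with 0 on success, otherwise with the RAS error number.
    param([string]$Entry, [string]$User, [string]$Password, [string]$Domain)
    $output = & rasdial $Entry $User $Password "/DOMAIN:$Domain" 2>&1
    $code   = $LASTEXITCODE
    if ($code -eq 0) { return 'connected' }
    $hint = if ($rasErrors.ContainsKey($code)) { $rasErrors[$code] } else { ($output -join ' ') }
    return "failed: error $code - $hint"
}

function Disconnect-LabVpn {
    param([string]$Entry)
    & rasdial $Entry /DISCONNECT | Out-Null
}

# Pre-flight checks, then the connection attempt
"Issuing CA trusted by this machine : $(Test-RootTrusted -SubjectContains $caName)"
"$server resolves in DNS             : $(Test-ServerName -Name $server)"
$result = Connect-LabVpn -Entry $entry -User $vpnUser -Password $vpnPass -Domain $domain
"Connection result                  : $result"
if ($result -eq 'connected') {
    & rasdial                       # with no arguments, rasdial lists the active connections
    Disconnect-LabVpn -Entry $entry
}
```

Passing the password as an argument puts it in the process command line, which other local users can read; rasdial accepts `*` in its place and prompts instead, which is the better habit outside a throwaway lab. The Type Of VPN setting from Exercise 13 step 3 still has to be set in the connection properties: rasdial uses whatever the entry is configured with, so a connection left on Automatic will try IKEv2 first and fall back to the other protocols in the order the Lesson Summary gives.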
Lesson Summary
In a Windows network, a VPN infrastructure includes at least a VPN client, a VPN server running RRAS, and a DNS server. However, additional elements are typically used, such as a domain controller, a certificate server/PKI, a DHCP server, and an NPS server.
Four VPN tunneling protocols are available in Windows 7, and a Windows 7 VPN client attempts to negotiate tunneling protocols in this order: IKEv2, SSTP, L2TP/IPSec, and PPTP.
IKEv2 is a new tunneling protocol that requires Windows 7 and Windows Server 2008 R2. An advantage of IKEv2 is its support of VPN Reconnect, a feature that allows client mobility between wireless access points without losing the VPN connection.
To attempt a VPN connection, a VPN client first contacts the VPN server with a request for a tunneling protocol. The terms of the VPN tunnel are then negotiated, after which the VPN tunnel is created. Remote access authentication of the user (and sometimes the computer) follows. Finally, if the user and the connection request are determined to be authorized for remote access, the VPN connection is established.
Lesson Review
You can use the following questions to test your knowledge of the information in Lesson 1, “Understanding VPN Client Connections.” The questions are also available on the companion CD if you prefer to review them in electronic form.
NOTE
ANSWERS
Answers to these questions and explanations of why each answer choice is correct or incorrect are located in the “Answers” section at the end of the book.
1. You work as a desktop support technician in a large enterprise. The company has recently upgraded all client computers to Windows 7 Enterprise. All servers are running Windows Server 2008.
Your company supports many mobile users who access the corporate network through a VPN. Your VPN users have complained that when they are connecting to the Internet wirelessly, they lose their VPN connection when they switch between wireless access points. You want VPN users to be able to move between wireless access points without losing a connection. Which of the following steps must you take to achieve this?
A. Instruct VPN users to select SSTP as the Type Of VPN in the adapter settings of the VPN connection.
B. Instruct VPN users to configure the maximum encryption strength in the adapter settings of the VPN connection.
C. Configure the server running Windows acting as the VPN server to forward authentication to an NPS server.
D. Upgrade the server running Windows acting as the VPN server to Windows Server 2008 R2.
2. Which of the following actions do you need to perform to enable a client running Windows 7 to access a corporate network through an IKEv2 VPN?
A. Install the VPN server certificate on the client running Windows 7.
B. Ensure that the root certificate of the CA that has issued the VPN server’s server certificate has been installed in the Trusted Root Certification Authorities certificate store on the client running Windows 7.
C. In the VPN connection properties on the client running Windows 7, configure the Type Of VPN setting as IKEv2.
D. Obtain a computer certificate for the client running Windows 7.
Lesson 2: Understanding DirectAccess Client Connections
DirectAccess is a new feature of Windows 7 and Windows Server 2008 R2 that automatically and transparently connects a remote user to a private corporate network from any location on the Internet. DirectAccess was developed to eventually replace traditional VPNs, which require users to initiate a VPN connection once their computer is connected to the Internet. This lesson provides an overview of the benefits of DirectAccess, how it works, and how to troubleshoot settings on the DirectAccess client.
After this lesson, you will be able to:
Understand the benefits of DirectAccess
Understand the prerequisites and features of a DirectAccess infrastructure
Understand the steps performed in a DirectAccess connection
Perform basic troubleshooting of DirectAccess client connections
Estimated lesson time: 45 minutes
Overview of DirectAccess
DirectAccess is a new technology that automatically establishes bidirectional connectivity between a remote user’s computer and that user’s company intranet. The remote user does not have to initiate the connection to the intranet manually, and administrators can manage this and other remote computers outside the office through the same DirectAccess connection. DirectAccess is supported on Windows 7 Enterprise, Windows 7 Ultimate, and Windows Server 2008 R2.
Understanding the Limitations of VPNs
Traditionally, users connect to intranet resources with a VPN. However, using a VPN has a number of disadvantages, including the following:
Connecting to a VPN takes several steps, and the user needs to wait for authentication. For organizations that check the health of a computer before allowing the connection, establishing a VPN connection can take several minutes.
Anytime users lose their Internet connection, they need to reestablish the VPN connection.
VPN client machines typically are not subject to Group Policy.
Internet performance is slowed if both intranet and Internet traffic goes through the VPN connection.
Because of these inconveniences, many users avoid connecting to a VPN. Instead, they use application gateways, such as Microsoft Outlook Web Access (OWA), to connect to intranet resources. With OWA, users can retrieve internal e-mail without establishing a VPN connection. However, users still need to connect to a VPN to open documents that are located on intranet file shares, such as those that are linked to in an e-mail message.
Understanding the Benefits of DirectAccess
DirectAccess overcomes the limitations of VPNs by providing the following benefits to enterprises and their users:
Always-on connectivity Unlike with a VPN, a DirectAccess connection is always on, even before the user logs on to his or her computer.
Seamless connectivity To the user, the DirectAccess connection to the corporate network is completely transparent. Aside from any delay that could be caused by a slow Internet connection, the user experience is the same as if the user’s computer were connected directly to the corporate network.
Bidirectional access With DirectAccess, the user’s remote computer not only has access to the corporate intranet, but the intranet can also see the user’s computer. This means that the remote computer can be managed using Group Policy and other management tools in exactly the same way that computers located on the internal network are managed.
Enhanced security DirectAccess provides administrators with flexibility in how they control access to internal resources for remote users and their computers. For example, DirectAccess can be configured to provide user access only to selected resources. In addition, DirectAccess fully integrates with Server and Domain Isolation solutions and the NAP infrastructure to help ensure compliance with security, access, and health policies for both local and remote computers.
