Wednesday, June 22, 2011

CHAPTER 6 (V)


The DirectAccess client must be able to reach the IPv6 addresses of the DirectAccess server.
Use the Ipconfig /all command on the DirectAccess server. Note the global IPv6 addresses of the DirectAccess server. From the DirectAccess client, you should be able to ping any of the global IPv6 addresses of the DirectAccess server.
If this attempt is not successful, troubleshoot the connection by looking for the break in IPv6 connectivity between the DirectAccess client and server.
Use the following methods to help fix IPv6 connectivity breaks:
If your DirectAccess client is assigned a private IPv4 address, ensure that the local Teredo client is configured as an enterprise client and that the IPv4 address of the DirectAccess server is configured as the Teredo server. To do so, type the following command from an elevated command prompt:
netsh interface teredo set state type=enterpriseclient servername=FirstPublicIPv4AddressOfDirectAccessServer
If your DirectAccess client is assigned a public IPv4 address, ensure that the DirectAccess server IPv4 address is assigned as the 6to4 relay by typing the following command:
netsh interface 6to4 set relay name=FirstPublicIPv4AddressOfDirectAccessServer
If these methods fail, you can attempt to use IP-HTTPS to establish IPv6 connectivity to the DirectAccess server. To do so, type the following command:
netsh interface httpstunnel add interface client https://FQDNofDirectAccessServer/IPHTTPS
NOTE
USING PING OVER IPSec
To use Ping as a troubleshooting tool, ensure that Internet Control Message Protocol (ICMP) is exempt from IPsec protection between the DirectAccess client and the remote endpoint of the IPsec connection. Because of that exemption, a successful ping proves only that IPv6 connectivity exists; it does not prove that the IPsec tunnel has been established.
The intranet servers must have global IPv6 addresses.
Use the Ipconfig /all command on any intranet server that cannot be contacted. The output of the command should list a global IPv6 address.
If not, troubleshoot the IPv6 infrastructure on your intranet. For ISATAP networks, ensure that your DNS servers running Windows Server 2008 or later have the name
ISATAP removed from their global query block lists. In addition, verify that the DirectAccess server has registered an ISATAP A record in the intranet DNS.
NOTE
USING IPV6/IPV4 NAT DEVICES
If you are using a NAT-PT or NAT64 device to reach the intranet server, the intranet server will not have a global IPv6 address. In this case, ensure that the NAT-PT or NAT64 device has a global IPv6 address.
The DirectAccess client on the Internet must correctly determine that it is not on the intranet.
Type netsh namespace show effectivepolicy to display the NRPT on the DirectAccess client. You should see NRPT rules for the intranet namespace and an exemption for the fully qualified domain name (FQDN) of the network location server.
If not, determine the network location server URL by typing the following command:
reg query HKLM\software\policies\microsoft\windows\NetworkConnectivityStatusIndicator\CorporateConnectivity /v DomainLocationDeterminationUrl
Ensure that the FQDN of this URL either matches an exemption entry or does not match the DNS suffix for your intranet namespace in the NRPT. The exemption matters: if the network location server name were resolved through the intranet DNS servers, a client that has connected over DirectAccess could reach the network location server through the tunnel, conclude that it is on the intranet, and drop the connection.
The DirectAccess client must not be assigned the domain firewall profile.
Type netsh advfirewall monitor show currentprofile to display the attached networks and their determined firewall profiles. If you have not yet established a DirectAccess connection, none of your networks should be in the Domain profile.
If any of your networks has been assigned the domain profile, determine if you have an active remote access VPN connection or a domain controller that is available on
the Internet, and disable that connection.
The DirectAccess client must be able to contact its intranet DNS servers through IPv6.
Type netsh namespace show effectivepolicy on the client to obtain the IPv6 addresses of your intranet DNS servers. Ping these IPv6 addresses from the DirectAccess client.
If not successful, locate the break in IPv6 connectivity between the DirectAccess client and the intranet DNS servers. Ensure that your DirectAccess server has only a single
IPv4 default gateway that is configured on the Internet interface. Also ensure that your DirectAccess server has been configured with the set of IPv4 routes on the intranet
interface that allow it to access all of the IPv4 destinations of your intranet.
The DirectAccess client must be able to use intranet DNS servers to resolve intranet FQDNs.
Type nslookup IntranetFQDN IntranetDNSServerIPv6Address to resolve the names of intranet servers (for example: nslookup dc1.corp.contoso.com 2002:836b:2:1::5efe:10.0.0.1). The output should display the IPv6 addresses of the specified intranet server.
If the intranet DNS server cannot be contacted, troubleshoot connectivity to that DNS server. If the server can be contacted but the server name specified is not found,
troubleshoot the intranet DNS. (Determine why a AAAA record for the intranet server is not available.)
The DirectAccess client must be able to reach intranet servers.
Use Ping to attempt to reach the IPv6 addresses of intranet servers. If this attempt does not succeed, attempt to find the break in IPv6 connectivity between the DirectAccess client and the intranet servers.
The DirectAccess client must be able to communicate with intranet servers using application layer protocols.
Use the application in question to access the appropriate intranet server. If File And Printer Sharing is enabled on the intranet server, test application layer protocol access
by typing net view \\IntranetFQDN.
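The checks above are performed by hand on the client. The following Python is added here as an example; it is not code from the book or from Windows. It applies two of the checks offline to captured command output: it parses the output of netsh namespace show effectivepolicy and of the reg query for the network location server URL to decide whether the network location server is correctly exempted from the NRPT, and it turns a client's assigned IPv4 and IPv6 addresses into the ordered list of transition-technology commands to try (Teredo behind NAT, 6to4 on a public address, IP-HTTPS as the fallback). The column layout of the netsh and reg output, the DirectAccess server public address 131.107.0.2, the name da1.contoso.com and the URL path of the network location server are assumptions made for the example.

```python
"""Offline helpers for the DirectAccess client checks (example code).

All sample command output below is constructed for this example; the exact
column layout of the real netsh and reg output is an assumption.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample of `netsh namespace show effectivepolicy` output: a
# suffix rule that sends .corp.contoso.com queries to the intranet DNS
# server, plus an exact-FQDN rule with no DNS servers, which is how an NRPT
# exemption for the network location server (NLS) appears.
NRPT_SAMPLE = """\
DNS Effective Name Resolution Policy Table Settings

Settings for .corp.contoso.com
----------------------------------------------------------------------
Certification authority                 :
DirectAccess (DNS Servers)              : 2002:836b:2:1::5efe:10.0.0.1
DirectAccess (IPsec)                    : disabled
DirectAccess (Proxy Settings)           : Bypass proxy

Settings for nls.corp.contoso.com
----------------------------------------------------------------------
Certification authority                 :
DirectAccess (DNS Servers)              :
DirectAccess (IPsec)                    : disabled
DirectAccess (Proxy Settings)           : Bypass proxy
"""

# Constructed sample of `reg query ... /v DomainLocationDeterminationUrl`
# output; the URL path is an assumption.
REG_SAMPLE = """\

HKEY_LOCAL_MACHINE\\software\\policies\\microsoft\\windows\\NetworkConnectivityStatusIndicator\\CorporateConnectivity
    DomainLocationDeterminationUrl    REG_SZ    https://nls.corp.contoso.com/insideoutside
"""


def parse_nrpt(text):
    """Map each NRPT namespace to its list of DirectAccess DNS servers.

    A namespace beginning with '.' is a suffix rule; anything else is an
    exact-FQDN rule. An exact rule with an empty server list is an exemption.
    """
    rules, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Settings for (\S+)", line)
        if m:
            current = m.group(1).lower()
            rules[current] = []
            continue
        m = re.match(r"DirectAccess \(DNS Servers\)\s*:\s*(.*)$", line)
        if m and current is not None:
            rules[current] = [s.strip() for s in m.group(1).split(",") if s.strip()]
    return rules


def nls_fqdn_from_reg(text):
    """Extract the NLS host name from the DomainLocationDeterminationUrl value."""
    m = re.search(r"DomainLocationDeterminationUrl\s+REG_SZ\s+(\S+)", text)
    if not m:
        return None
    host = urlsplit(m.group(1)).hostname
    return host.lower() if host else None


def nls_exempted(rules, fqdn):
    """True if the NLS FQDN matches an exemption entry or matches no intranet
    suffix rule; False if the NLS name would be resolved by intranet DNS."""
    fqdn = fqdn.lower()
    if fqdn in rules:
        return not rules[fqdn]          # exact rule: exemption only if no servers
    return not any(ns.startswith(".") and fqdn.endswith(ns) and servers
                   for ns, servers in rules.items())


def transition_plan(client_ipv4, client_ipv6_addrs, da_public_ipv4, da_fqdn):
    """Ordered (technology, netsh command) attempts for a client whose only
    IPv6 address is link-local: Teredo behind NAT (private or shared address
    space), 6to4 on a public IPv4 address, IP-HTTPS as the fallback."""
    if any(not ipaddress.ip_address(a).is_link_local for a in client_ipv6_addrs):
        return []                       # already has a routable IPv6 address
    v4 = ipaddress.ip_address(client_ipv4)
    iphttps = ("IP-HTTPS",
               f"netsh interface httpstunnel add interface client https://{da_fqdn}/IPHTTPS")
    if v4.is_global:
        return [("6to4", f"netsh interface 6to4 set relay name={da_public_ipv4}"), iphttps]
    if v4.is_private or v4 in ipaddress.ip_network("100.64.0.0/10"):
        return [("Teredo",
                 f"netsh interface teredo set state type=enterpriseclient servername={da_public_ipv4}"),
                iphttps]
    return [iphttps]


if __name__ == "__main__":
    rules = parse_nrpt(NRPT_SAMPLE)
    nls = nls_fqdn_from_reg(REG_SAMPLE)
    print(f"NLS {nls} exempted from NRPT: {nls_exempted(rules, nls)}")
    for addr in ("192.168.0.110", "207.46.197.32"):   # assumed client addresses
        for tech, cmd in transition_plan(addr, ["fe80::1"], "131.107.0.2", "da1.contoso.com"):
            print(f"{addr}: try {tech}: {cmd}")
```

Run it on a saved copy of the two commands' output instead of the constructed samples to check a real client; the transition commands it prints still have to be run from an elevated prompt on that client.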
PRACTICE Demonstrating DirectAccess in a Test Lab (Optional)
The requirements for a DirectAccess infrastructure far surpass the two-computer network that is used in this book. However, if you have a computer with sufficient RAM to run six virtual machines, it is recommended that you download Step By Step Guide: Demonstrate DirectAccess in a Test Lab, available at http://www.microsoft.com/downloads/details.aspx?familyid=8D47ED5F-D217-4D84-B698-F39360D82FAC, and use the instructions in the guide to set up a test network for DirectAccess. You will need at least four hours to complete the project.
Lesson Summary
DirectAccess is a new technology that replaces a traditional VPN. When configured, it enables remote clients running Windows 7 Enterprise or Windows 7 Ultimate to
establish an always-available, bidirectional connection with the corporate network automatically, even before the user logs on.
DirectAccess runs on IPv6 only. To use DirectAccess in an IPv4 network, computers rely on IPv6 transition technologies such as Teredo, 6to4, ISATAP, and IP-HTTPS.
A DirectAccess infrastructure includes a DirectAccess client, a DirectAccess server at the edge of the corporate network, domain controllers, a network location server,
and a PKI.
To establish a DirectAccess connection, a client first determines its location by attempting to contact the network location server. If the client determines it is on
the Internet, it attempts to contact the DirectAccess server over IPv6 (using a transition technology if necessary). It then creates an IPSec tunnel with the DirectAccess server.
Finally, the server validates that the client is authorized for remote access, and the DirectAccess connection is established.
Lesson Review
You can use the following questions to test your knowledge of the information in Lesson 2, “Understanding DirectAccess Client Connections.” The questions are also available on the companion CD if you prefer to review them in electronic form.
NOTE
ANSWERS
Answers to these questions and explanations of why each answer choice is correct or incorrect are located in the “Answers” section at the end of the book.
1. Which of the following operating systems CANNOT act as a DirectAccess client?
A. Windows 7 Enterprise
B. Windows 7 Professional
C. Windows 7 Ultimate
D. Windows Server 2008 R2
2. Which of the following is NOT required to establish a DirectAccess connection successfully to a remote client?
A. A server certificate on the DirectAccess server
B. A computer certificate on the DirectAccess client
C. A global IPv6 address on the DirectAccess client
D. A global IPv4 address on the DirectAccess client
Chapter Review
To further practice and reinforce the skills you learned in this chapter, you can perform the following tasks:
Review the chapter summary.
Review the list of key terms introduced in this chapter.
Complete the case scenarios. These scenarios set up real-world situations involving the topics of this chapter and ask you to create a solution.
Complete the suggested practices.
Take a practice test.
Chapter Summary
To troubleshoot a remote access VPN connection, you need to understand the requirements of a VPN infrastructure and the many steps to establish such
a connection. Those steps include the VPN client contacting the VPN server, the negotiation of the terms of the VPN tunnel, the creation of the VPN tunnel,
remote access authentication, and remote access authorization.
To troubleshoot a DirectAccess connection, you need to understand the requirements of a DirectAccess infrastructure and the many steps of establishing such a connection.
Those steps include the DirectAccess client contacting the network location server, the client contacting the DirectAccess server over IPv6, the client establishing an IPSec tunnel with the DirectAccess server, and the server authorizing the client for remote access.
Key Terms
Do you know what these key terms mean? You can check your answers by looking up the terms in the glossary at the end of the book.
tunneling
data authentication
VPN Reconnect
Case Scenarios
In the following case scenarios, you will apply what you’ve learned about troubleshooting remote access connections. You can find answers to these questions in the “Answers” section at the end of this book.
Case Scenario 1: Troubleshooting a Remote Access VPN
You work as a desktop support technician for a company whose network includes 600 clients running Windows 7 and 30 servers running Windows Server 2008 R2. Your network infrastructure includes an L2TP/IPSec VPN that employees use to access the corporate intranet remotely. The VPN server is running RRAS, and authentication is performed by using a pre-shared key. The company network does not include its own PKI, and no computer certificates are installed on either the VPN clients or the VPN server.
The help desk receives many complaints about VPN access. Remote users complain that the VPN connection takes too long to be established, and that connectivity is frequently disrupted when they move among wireless access points. Users also complain that they have trouble connecting to the network from behind remote NAT devices or firewalls. Your manager asks you to review the situation and to answer the following questions:
1. What technical actions can be taken to resolve the problems of VPN performance?
Assume that the VPN connections on all clients running Windows 7 have the Type Of VPN security setting configured as Automatic (the default).
2. What technical actions can be taken to allow users to connect to the VPN from behind remote NAT devices or firewalls?
Case Scenario 2: Troubleshooting DirectAccess
You work as an enterprise support technician for Contoso.com, a large pharmaceutical company with over 2,000 employees. Many company employees travel with laptops, and your IT department has implemented DirectAccess as a means to connect users’ computers automatically to the corporate network when they are removed from the company premises.
The company no longer has any alternate VPN access.
Over the course of a day, you receive the following calls from the help desk about problems related to DirectAccess connections.
1. The help desk informs you that a user cannot connect to the corporate intranet from a public wireless hotspot. Help desk support staff have already determined that the user’s only assigned IPv4 address is 192.168.0.110, and the only IPv6 address on his computer begins with “fe80::”.
You want to enable the user’s remote computer to connect to the DirectAccess server. Which IPv6 interface or transition technology on the client should you first attempt to configure by specifying the DirectAccess server’s first public IPv4 address, and why?
2. You later receive a call from the help desk about another remote user who cannot establish a DirectAccess connection to the corporate network successfully. In this case, the help desk has established that the user’s only assigned IPv4 address is 207.46.197.32, and that the only IPv6 address begins with “fe80::”.
Which IPv6 interface or transition technology on the client should you first attempt to configure by specifying the DirectAccess server’s first public IPv4 address, and why?
Suggested Practices
To help you master the exam objectives presented in this chapter, complete the following tasks.
Identify and Resolve Remote Access Issues
Perform both practices to increase your experience with remote access in Windows 7.
Practice 1 Create an IKEv2 or SSTP remote access VPN. Set up a VPN server running Windows Server 2008 R2. Create a VPN connection on a computer running Windows 7, and then attempt to connect to the VPN server over the Internet.
Practice 2 Deploy a DirectAccess server. Add the DirectAccess feature to a server running Windows Server 2008 R2, and then follow the instructions to deploy all of the DirectAccess prerequisites, such as a PKI. When the prerequisites are met, run the DirectAccess Setup Wizard.
Take a Practice Test
The practice tests on this book’s companion CD offer many options. For example, you can test yourself on just one exam objective, or you can test yourself on all the 70-685 certification exam content. You can set up the test so that it closely simulates the experience of taking a certification exam, or you can set it up in study mode so that you can look at the correct answers and explanations after you answer each question.
MORE INFO
PRACTICE TESTS
For details about all the practice test options available, see the section entitled “How to Use the Practice Tests,” in the Introduction to this book.
