10. On the Manage Multiple Remote Access Servers page, choose No, use Routing and Remote Access to authenticate connection requests.
a. On DC1, open the Certificate Authority console via Server Manager, right click Certificate Templates and click Manage.
b. Right click the Web Server template and select Duplicate Template. Select the General tab on the properties dialog box.
c. Type yourlastname DA Server Certificate in the Template Display Name.
d. Select the Request Handling tab and select Allow private key to be exported.
e. Select the Security tab and ensure Authenticated Users is selected and click Enroll and Autoenroll under the Allow column.
f. Click OK to close the Properties dialog box.
g. Issue a certificate:
i. In the Certificate Authority console, right click Certificate Templates and select New -> Certificate Template to Issue, select yourlastname DA Server Certificate and click OK.
2. Configure machines for Automatic Certificate Requests:
a. Edit the Default Domain Policy in the Group Policy Management Console.
b. Navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies.
c. Right click Automatic Certificate Request Settings and select New -> Automatic Certificate Request.
d. On the Certificate Template page, select the Computer certificate template.
3. Enroll the certificate on MS1.
a. Run gpupdate /force to update the policies.
b. Open mmc and add the Certificates snap-in.
c. Select Computer account and click Finish.
d. Navigate to \Personal\Certificates; you should see your computer certificate listed.
e. Right click Certificates and select All Tasks -> Request New Certificate.
f. On the Request Certificates page, select yourlastname DA Server Certificate.
g. Click More information is required to enroll for this certificate. Click here to configure settings.
h. Select Common name for the subject name type.
i. In the Value text box, type directaccess.yourlastname.ca and click Add.
j. Click OK to close the dialog box.
b. On the Remote Access Server Setup page, ensure Behind an edge device (with a single network adapter) is selected. Enter directaccess.yourlastname.ca under Type the public name or IPv4 address used by clients to connect to the Remote Access server.
6. Under Step 1 Remote Clients, click Edit.
a. Select Deploy full DirectAccess for client access and remote management.
b. On the Select Groups page, remove Domain Computers and add the DA-Clients security group. Uncheck Enable DirectAccess for mobile computers only.
7. Under Step 2 Remote Access Server, click Edit.
a. On the Network Adapters page, under Select the certificate used to authenticate IP-HTTPS connections, choose Browse.
b. Ensure the directaccess.lastname.ca certificate is selected.
8. Under Step 3 Infrastructure Servers, click Edit.
a. On the Network Location Server page, browse for the certificate directaccess-nls.yourlastname.ca. (If you receive an error, ensure your host record for directaccess-nls.yourlastname.ca resolves to your MS1 IP, flush the DNS cache and try again.)
b. On the DNS page, ensure lastname.ca has the DNS Server Address of 192.168.100.20.
c. Ensure directaccess-nls.lastname.ca does not have a DNS Server Address.
d. Ensure directaccess.lastname.ca does not have a DNS Server Address.
9. On the Remote Access Management Console click Finish, review the settings and click Apply.
10. Restart the Remote Access Management Service for the changes to take effect.
11. Take note of the Group Policies created and the resource records created in DNS on DC1.
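An added PowerShell check, not part of the lab manual, for the two certificates enrolled on MS1 (Task 3 and the NLS certificate used in step 8a) and for the NLS host record that step 8a depends on. The parameter defaults are assumptions: set the MS1 address and the two names to your lab's values.

```powershell
# Added example: verify the DA server / NLS certificates and the NLS host record.
# Run on MS1 in an elevated PowerShell. Parameter defaults are assumptions.
param(
    [string]$ServerName = "directaccess.yourlastname.ca",
    [string]$NlsName    = "directaccess-nls.yourlastname.ca",
    [string]$Ms1Address = "192.168.100.10"   # assumed MS1 IPv4 address; set to yours
)

function Test-DAServerCertificate {
    param([string]$DnsName)
    # Newest certificate in the computer store whose subject is CN=<name>
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$DnsName" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { Write-Warning "No certificate with CN=$DnsName in LocalMachine\My"; return $false }

    # IP-HTTPS and the NLS need the Server Authentication EKU (inherited from Web Server)
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.37" }
    $serverAuth = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq "1.3.6.1.5.5.7.3.1" })

    # Chain to the lab CA; skip CRL checking because a lab CA rarely publishes a reachable CRL
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = "NoCheck"
    $chainOk = $chain.Build($cert)

    [pscustomobject]@{
        Subject       = $cert.Subject
        HasPrivateKey = $cert.HasPrivateKey
        ServerAuthEKU = [bool]$serverAuth
        ChainBuilds   = $chainOk
        Expires       = $cert.NotAfter
    } | Format-List | Out-String | Write-Host
    return ($cert.HasPrivateKey -and [bool]$serverAuth -and $chainOk -and $cert.NotAfter -gt (Get-Date))
}

function Test-NlsRecord {
    param([string]$Name, [string]$ExpectedIP)
    Clear-DnsClientCache   # the lab's tip: flush the cache before retrying the lookup
    $ips = @(Resolve-DnsName -Name $Name -Type A -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq "A" } | ForEach-Object { $_.IPAddress })
    if ($ips -contains $ExpectedIP) { Write-Host "$Name -> $ExpectedIP (OK)"; return $true }
    Write-Warning "$Name resolves to [$($ips -join ', ')], expected $ExpectedIP; fix the A record on DC1"
    return $false
}

$certOk    = Test-DAServerCertificate -DnsName $ServerName
$nlsCertOk = Test-DAServerCertificate -DnsName $NlsName
$nlsDnsOk  = Test-NlsRecord -Name $NlsName -ExpectedIP $Ms1Address
"Server cert OK: $certOk; NLS cert OK: $nlsCertOk; NLS host record OK: $nlsDnsOk"
```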
forwarders.
2. Run ipconfig on MS1 and collect the first two IPv6 addresses of the IPHTTPSInterface (they should end in ::1 and ::2). Record these IP addresses, as you will need them later.
3. In PowerShell, run Set-NetDnsTransitionConfiguration -AcceptInterface IPHTTPSInterface.
4. Run Get-NetDnsTransitionConfiguration and verify that AcceptInterface is set to IPHTTPSInterface.
5. Edit the Group Policy object DirectAccess Client Settings and navigate to Computer Configuration\Policies\Windows Settings\Name Resolution Policy.
6. Locate the namespace .yourlastname.ca in the Name Resolution Policy Table. Select this record and click Edit Rule below the table.
7. Scroll up and select the DNS Settings for DirectAccess tab under Create Rules.
8. In the DNS settings for DirectAccess, remove all existing IP addresses and add the two IP addresses recorded in Task #5 Step 2. Click Update and Apply. Tip: edit the same rule again to verify your settings were saved properly.
9. Edit the DirectAccess Server Settings group policy object and navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Inbound Rules. Edit the following two rules and add the IPv6 addresses for your IPHTTPS interface recorded earlier.

Rule Name                       Scope tab: Local IP Address
Domain Name Server (TCP-In)     Remove the current address and add the IPHTTPS addresses (2 IPv6 addresses)
Domain Name Server (UDP-In)     Remove the current address and add the IPHTTPS addresses (2 IPv6 addresses)
10. Update your policies on MS1.
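The same Task #5 procedure (steps 2 to 10) as one PowerShell script, added here as an example and not part of the lab manual. It is run on MS1 with the Group Policy management tools installed; the GPO names are the ones DirectAccess creates by default, and the domain, NRPT namespace and the form of the -GpoName value are assumptions noted in the comments.

```powershell
# Added example: automate Task #5 steps 2-10 on MS1 (elevated PowerShell, GPMC installed).
# GPO names are the DirectAccess defaults; domain and namespace are placeholders.
param(
    [string]$Domain    = "yourlastname.ca",
    [string]$Namespace = ".yourlastname.ca",
    [string]$ClientGpo = "DirectAccess Client Settings",
    [string]$ServerGpo = "DirectAccess Server Settings"
)

# Step 2: the two IPHTTPSInterface addresses ending in ::1 and ::2
function Get-IPHttpsAddresses {
    $addrs = @(Get-NetIPAddress -InterfaceAlias "IPHTTPSInterface" -AddressFamily IPv6 |
               Where-Object { $_.IPAddress -match '::[12]$' } |
               Sort-Object IPAddress | ForEach-Object { $_.IPAddress })
    if ($addrs.Count -ne 2) { throw "Expected 2 IPHTTPS addresses, found $($addrs.Count): $addrs" }
    return $addrs
}
$ipv6 = Get-IPHttpsAddresses
"IPHTTPS addresses: $($ipv6 -join ', ')"

# Steps 3-4: DNS64 accepts queries on the IP-HTTPS interface; verify the setting stuck
Set-NetDnsTransitionConfiguration -AcceptInterface "IPHTTPSInterface"
$cfg = Get-NetDnsTransitionConfiguration
if ($cfg.AcceptInterface -ne "IPHTTPSInterface") { throw "AcceptInterface is '$($cfg.AcceptInterface)'" }

# Steps 5-8: point the NRPT rule for the namespace at the two addresses.
# Assumption: -GpoName takes the GPO display name (prefix "$Domain\" if your tools require it).
$rule = Get-DnsClientNrptRule -GpoName $ClientGpo | Where-Object { $_.Namespace -eq $Namespace }
if (-not $rule) { throw "No NRPT rule for $Namespace in '$ClientGpo'" }
Set-DnsClientNrptRule -Name $rule.Name -GpoName $ClientGpo -DANameServers $ipv6
# The lab's tip, in script form: re-read the rule to confirm the servers were saved
Get-DnsClientNrptRule -GpoName $ClientGpo | Where-Object { $_.Name -eq $rule.Name } | Format-List

# Step 9: scope the two DNS inbound rules in the server GPO to the IPHTTPS addresses
$store = "$Domain\$ServerGpo"   # PolicyStore form for a domain GPO
foreach ($name in "Domain Name Server (TCP-In)", "Domain Name Server (UDP-In)") {
    Get-NetFirewallRule -PolicyStore $store -DisplayName $name |
        Set-NetFirewallRule -LocalAddress $ipv6
    $scope = Get-NetFirewallRule -PolicyStore $store -DisplayName $name | Get-NetFirewallAddressFilter
    "$name local addresses: $($scope.LocalAddress -join ', ')"
}

# Step 10: pull the updated policies onto MS1
gpupdate /force
```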
CONNECT A CLIENT TO YOUR NETWORK USING DIRECT ACCESS
This task is unique to our lab environment.
a. Create a Server 2012 R2 linked clone to use as a client. Name the client yourlastname-C2. (We only have Windows 8 Professional, and a DirectAccess client requires Enterprise to work; the DirectAccess client is included in Server 2012 R2.)
b. Since we will be moving this client between the Office and NAT networks, it is helpful to create a second network adapter: one configured for the Office LAN Segment and one for the NAT interface. Disable the NIC you are not using.
c. Configure the virtual NIC connected to the Office LAN Segment to obtain an IP address and DNS information automatically.
d. Configure the virtual NIC connected to the NAT interface as follows:
i. Static IP: 192.168.99.200/24
ii. Default Gateway: 192.168.99.254 (needed so Windows detects internet access)
iii. Preferred DNS: 200.1.0.2 (your public DNS server)
iv. Add a second IP address on this interface for 200.1.0.200
e. Disable the NAT interface virtual adapter.
f. Join the client to the domain.
g. Ensure the client machine is a member of the DA-Clients security group and reboot the client.
h. Update the policies on the client machine.
i. Disable the Office LAN Segment adapter and connect the NAT interface adapter.
j. Run netsh int httpstunnel show interfaces to view the HTTPS connections. It should say Active; this typically takes about 15 to 20 seconds. Troubleshoot as necessary.
k. Once httpstunnel is active, run Get-DAConnectionStatus from PowerShell. You should see your status as Remotely Connected. Troubleshoot as necessary.
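A client-side troubleshooting script for steps i to k, added here as an example and not part of the lab manual. It is run in an elevated PowerShell on yourlastname-C2 after switching to the NAT adapter; the three names are placeholders, and the DC1 FQDN is an assumption.

```powershell
# Added example: client checks for steps i-k on the DirectAccess client. Names are placeholders.
param(
    [string]$ServerName = "directaccess.yourlastname.ca",
    [string]$NlsName    = "directaccess-nls.yourlastname.ca",
    [string]$DcName     = "dc1.yourlastname.ca"   # assumed FQDN of DC1
)

# Step j: the IP-HTTPS tunnel (PowerShell equivalent of netsh int httpstunnel show interfaces)
$tunnel = Get-NetIPHttpsState
"IP-HTTPS: state=$($tunnel.State) lastError=$($tunnel.LastErrorCode)"

# Step k: where the DA client thinks it is (Status) and why (Substatus)
$da = Get-DAConnectionStatus
"DA status: $($da.Status) / $($da.Substatus)"

# The public name is an NRPT exemption (no DNS server address in Step 3d), so it
# must resolve through the NAT-side DNS server (200.1.0.2) to the public address
$pub = Resolve-DnsName -Name $ServerName -Type A -ErrorAction SilentlyContinue
"$ServerName -> $(($pub | Where-Object Type -eq 'A').IPAddress -join ', ')"

# NLS exemption: when remote, the NLS must NOT be reachable. If it is, the client
# decides it is inside the corporate network and never brings up DirectAccess.
$nls = Test-NetConnection -ComputerName $NlsName -Port 443 -WarningAction SilentlyContinue
if ($nls.TcpTestSucceeded) { Write-Warning "NLS reachable: client will behave as if on-premises" }
else { "NLS $NlsName unreachable (expected when remote)" }

# DNS64 in action: internal names should come back as AAAA answers from the DA server
$aaaa = Resolve-DnsName -Name $DcName -Type AAAA -ErrorAction SilentlyContinue
"$DcName -> $(($aaaa | Where-Object Type -eq 'AAAA').IPAddress -join ', ')"

# Effective NRPT: the namespace should list the two IPHTTPS addresses set in Task #5
Get-DnsClientNrptPolicy -Effective |
    Select-Object Namespace, DirectAccessDnsServers | Format-Table -AutoSize
```

If the tunnel is Active but the status stays local, the NLS check above is the first thing to look at; if the AAAA lookup is empty, revisit the NRPT and DNS64 settings from Task #5.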
1. Task Hints:
a. Add a test user to your VPN Users security group.
b. Ensure your test user's Dial-in properties are set back to Control access through NPS Network Policy (User properties).
c. Change the authenticating protocol for the client connection to match what we configured on NPS. (On the Configure Authentication Methods page, check Extensible Authentication Protocol and choose Microsoft: Protected EAP (PEAP) from the drop-down menu.)
CONFIGURE NETWORK POLICIES
Pages 344-350
EXPORT NPS CONFIGURATION
Pages 352-353
INSTALL NAP AND CONFIGURE NAP ENFORCEMENT FOR VPN
Pages 361-362; 370-371
CONFIGURE SYSTEM HEALTH VALIDATORS
Pages 371-374
CONFIGURE ISOLATION AND REMEDIATION
Pages 375-376
CONNECT VPN CLIENT USING NAP
Pages 376-377
1. Tips not covered in the textbook.
a. Under Connection Request Policies in the NAP VPN properties, ensure Authentication Methods is set to Override and only EAP Types is selected, with Microsoft: Protected EAP (PEAP). Edit the properties of EAP (PEAP) and ensure Enforce Network Access Protection is checked.
b. On the client machine, run napclcfg.msc and enable the EAP Quarantine Enforcement Client.
c. On the client's VPN connection Properties, go to the properties for EAP and check the following two items:
i. Under Trusted Root Certificate Authorities, check yourlastname-DC1-CA