
Module 6

Remote access in Windows Server 2016

Module Overview

• Overview of remote access
• Implementing Web Application Proxy

Lesson 1: Overview of remote access

• Discussion: When to use remote access
• Remote access options
• Managing remote access in Windows Server 2016
• Demonstration: Installing and managing the Remote Access server role
• What is Network Policy Server?
• Network Policy Server policies
• Demonstration: Configuring Network Policy Server policies
• Considerations for deploying PKI for remote access
• Configuring Routing and NAT with the remote access role

Discussion: When to use remote access

• Do you allow users to connect to your network resources remotely? If so, how?
• What are your business requirements for using remote access?

10 minutes

Remote access options

• DirectAccess
• VPN
• Routing
• Web Application Proxy

Managing remote access in Windows Server 2016

You can manage the Remote Access server role by using:
• Remote Access Management console
• Routing and Remote Access console
• Windows PowerShell commands:
  • Set-DAServer
  • Get-DAServer
  • Set-RemoteAccess
  • Get-RemoteAccess

Demonstration: Installing and managing the Remote Access server role

In this demonstration, you will see how to:
• Install the Remote Access server role
• Manage the Remote Access server role

What is Network Policy Server?

A Network Policy Server in Windows Server 2016 provides the following functions:
• RADIUS server. Network Policy Server performs centralized connection authentication, authorization, and accounting for wireless, authenticating switch, and dial-up and VPN connections
• RADIUS proxy. You configure connection request policies that indicate which connection requests the Network Policy Server will forward to other RADIUS servers and to which RADIUS servers you want to forward connection requests

Network Policy Server policies

• Network Policy Server supports policies that manage and control connections from remote access clients
• Two types of policies exist:
  • Connection request policies:
    • Used when Network Policy Server should act as a RADIUS server or RADIUS proxy
  • Network policies:
    • Used to authenticate and authorize the connection attempt
    • You set conditions and constraints to control access
• When you first deploy Network Policy Server, remote access is denied, and you must configure at least one policy to allow access

Network Policy Server policies

Flowchart: how Network Policy Server evaluates a connection attempt, beginning at START.

Decision points (each answered Yes or No):
• Are there policies to process?
• Does connection attempt match policy conditions?
• Is the remote access permission for the user account set to Deny Access?
• Is the remote access permission for the user account set to Allow Access?
• Is the remote access permission on the policy set to Deny remote access permission?
• Does the connection attempt match the user object and profile settings?

Actions and outcomes:
• Go to next policy
• Reject connection attempt
• Accept connection attempt

Demonstration: Configuring Network Policy Server policies

In this demonstration, you will see how to configure remote access policies

Considerations for deploying PKI for remote access

• Will you use PKI for encryption of only data and traffic?
• Will you use PKI not just for encryption, but for authenticating users and their computers?
• Will you use self-signed certificates, certificates provided by internal private CAs, or external public CAs?

Configuring Routing and NAT with the remote access role

Routing in RRAS:
• RRAS is a software-based router
• Can route LAN-to-LAN, LAN-to-WAN, demand-dial, and NAT traffic
• Supports the following types of routing:
  • Static routes (IPv4/IPv6)
  • IGMP (IPv4)
  • RIP (IPv4)
  • NAT (IPv4)
• A good option for directing traffic between networks with light-to-medium traffic

Configuring Routing and NAT with the remote access role

Diagram: Simple routing scenario. RRAS server functioning as a router between Network 1 (172.16.1.0/24) and Network 2 (172.16.2.0/24).

Configuring Routing and NAT with the remote access role

Diagram: Advanced routing scenario. RRAS server 1 and RRAS server 2 connect Network 1 (172.16.1.0), Network 2 (172.16.2.0), and Network 3 (10.10.10.0/24).

Configuring Routing and NAT with the remote access role

Diagram: Demand-dial routing scenario. RRAS server 1 at Site A and RRAS server 2 at Site B are linked over VPN/Dial-up; Network 1 is 172.16.1.0/24 and Network 2 is 10.10.10.0/24.

Configuring Routing and NAT with the remote access role

Diagram: NAT scenario. Labels: Corporate computers, NAT server, Internet websites. Addresses shown: 172.16.0.50, 172.16.0.1, 131.107.0.10, 172.16.0.10, 172.16.0.51.

Lesson 2: Implementing Web Application Proxy

• What is Web Application Proxy?
• Authentication options for Web Application Proxy
• Publishing applications with Web Application Proxy
• Demonstration: Publishing a secure website

What is Web Application Proxy?

Web Application Proxy:
• Was introduced in Windows Server 2012 R2
• Provides reverse web proxy functionality
• Uses AD FS proxy functionality
• Is located in a perimeter network

Diagram labels: Client devices, Internet, Firewall, Web Application Proxy, Firewall, Corporate network, AD FS, AD DS, LOB applications, Microsoft applications.

Authentication options for Web Application Proxy

• User authentication:
  • AD FS preauthentication
  • Pass-through preauthentication
• AD FS benefits:
  • Workplace join
  • SSO
  • Multifactor authentication
  • Multifactor access control

Publishing applications with Web Application Proxy

Configuring Web Application Proxy settings:
• AD FS server name
• AD FS administrator credentials
• AD FS certificate

Publishing applications with Web Application Proxy

Publishing a web application:
• The type of preauthentication—for example, pass-through
• The application that will be published
• The external URL of the application—for example, https://lon-svr1.adatum.com/
• A certificate whose subject name covers the external URL—for example, lon-svr1.adatum.com
• The URL of the back-end server

Publishing applications with Web Application Proxy

Publishing Remote Desktop Gateway:
• The type of preauthentication—for example, pass-through
• The application that will be published
• The external URL of the application—for example, https://rdgw.adatum.com/
• A certificate whose subject name covers the external URL—for example, rdgw.adatum.com
• The URL of the back-end server
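
Both publishing lists above require a certificate whose subject name covers the external URL. The following is an added example, not part of the course material, that checks that requirement before publishing; Test-NameCoversHost is a hypothetical helper, and the certificate names, display name, back-end URL and thumbprint are constructed or placeholder values.

```powershell
# Added example (not from the course material). Test-NameCoversHost is a
# hypothetical helper; certificate names below are constructed sample data.
function Test-NameCoversHost {
    param(
        [Parameter(Mandatory)] [string]   $ExternalUrl,
        [Parameter(Mandatory)] [string[]] $CertificateNames
    )
    $uri = [System.Uri]$ExternalUrl
    if ($uri.Scheme -ne 'https') { return $false }   # a certificate only applies to an HTTPS URL
    $hostName = $uri.Host.ToLowerInvariant()
    foreach ($name in $CertificateNames) {
        $n = $name.Trim().ToLowerInvariant()
        if ($n -eq $hostName) { return $true }        # exact match
        if ($n.StartsWith('*.')) {
            # A wildcard covers exactly one left-most label: *.adatum.com
            # covers rdgw.adatum.com but not a.b.adatum.com or adatum.com.
            $suffix = $n.Substring(1)
            if ($hostName.EndsWith($suffix)) {
                $label = $hostName.Substring(0, $hostName.Length - $suffix.Length)
                if ($label -and -not $label.Contains('.')) { return $true }
            }
        }
    }
    return $false
}

# Constructed sample data: names as they would appear on candidate certificates.
$candidates = @(
    @{ Url = 'https://lon-svr1.adatum.com/'; Names = @('lon-svr1.adatum.com') },
    @{ Url = 'https://rdgw.adatum.com/';     Names = @('*.adatum.com') },
    @{ Url = 'https://rdgw.adatum.com/';     Names = @('lon-svr1.adatum.com') }
)
foreach ($c in $candidates) {
    $ok = Test-NameCoversHost -ExternalUrl $c.Url -CertificateNames $c.Names
    '{0} covered by [{1}]: {2}' -f $c.Url, ($c.Names -join ', '), $ok
}

# Settings from the slide, collected for splatting on the Web Application Proxy server.
$publish = @{
    Name                          = 'LON-SVR1 website'            # assumed display name
    ExternalPreauthentication     = 'PassThrough'
    ExternalUrl                   = 'https://lon-svr1.adatum.com/'
    BackendServerUrl              = 'https://<backend-server>/'   # placeholder
    ExternalCertificateThumbprint = '<certificate-thumbprint>'    # placeholder
}
# Add-WebApplicationProxyApplication @publish
```

The last line is left commented out so the check runs on any machine; uncomment it on the Web Application Proxy server after replacing the placeholders.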

Demonstration: Publishing a secure website

In this demonstration, you will learn how to:
• Install the Web Application Proxy role service
• Configure access to an internal website
• Verify access to the internal website from the client computer

Lab: Implementing Web Application Proxy

• Exercise 1: Implementing Web Application Proxy
• Exercise 2: Validating the Web Application Proxy deployment

Logon Information
Virtual machines: 20741B-LON-DC1, 20741B-LON-SVR1, 20741B-LON-SVR2, 20741B-EU-RTR, 20741B-LON-CL1
User name: Adatum\Administrator
Password: Pa55w.rd

Virtual machine: 20741B-INET1
User name: Administrator
Password: Pa55w.rd

Estimated Time: 70 minutes

Lab Scenario

The remote access deployment is working well at A. Datum Corporation, but IT management also wants to enable access to some internal applications for users from partner companies. These users should not have access to any internal resources except for the specified applications. You must implement and test Web Application Proxy for these users. Furthermore, administrators at A. Datum should be able to remotely manage servers in the internal network in the most secure manner possible.

Lab Review

• Where should you deploy the Web Application Proxy server?
• What is required for clients to access a published web application?

Module Review and Takeaways

• Best Practice
• Review Questions
• Tools