
Module 6

Troubleshooting Remote Connectivity Issues

Module Overview
Troubleshooting VPN Connectivity Issues
Using Remote Desktop
Troubleshooting User Issues by Using Remote Assistance
Troubleshooting NAP Issues
Troubleshooting DirectAccess Issues
Lesson 1: Troubleshooting VPN Connectivity Issues
What Is a Virtual Private Network?
VPN Tunneling Protocols
VPN Authentication Methods
Demonstration: How to Create a VPN Connection
What Are Network Policies?
Troubleshooting VPNs
What Is VPN Reconnect?
What Is a Virtual Private Network?
[Diagram labels: Large Branch Office; Medium Branch Office; Small Branch Office; Home Office with VPN Client; Remote User with VPN Client; Corporate Headquarters; VPN; VPN Server (shown four times)]
VPN Tunneling Protocols
Windows 7 supports four VPN tunneling protocols:
PPTP
L2TP/IPsec
SSTP
IKEv2
VPN Authentication Methods
Protocol: PAP
Description: Uses plaintext passwords. Used if remote access client and remote access server cannot negotiate a more secure form of validation.
Security Level: Least secure authentication protocol. Does not protect against: replay attacks, remote client impersonation, remote server impersonation.

Protocol: CHAP
Description: A challenge-response authentication protocol. Uses the industry-standard MD5 hashing scheme to encrypt the response.
Security Level: An improvement over PAP because the password is not sent over the PPP link. Requires a plaintext version of the password to validate the challenge response. Does not protect against remote server impersonation.

Protocol: MS-CHAPv2
Description: An upgrade of MS-CHAP. Two-way/mutual authentication provided. Remote access client receives verification that the remote access server has access to the user's password.
Security Level: Provides stronger security than CHAP.

Protocol: EAP
Description: Allows for arbitrary authentication of a remote access connection through the use of authentication schemes, known as EAP types.
Security Level: Offers the strongest security by providing the most flexibility in authentication variations.
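The CHAP row above, worked through as an added example (not part of the original course material). It computes the response as RFC 1994 defines it and shows why the server needs a recoverable copy of the password and why a captured response fails against a fresh challenge. ChapServer, demo and the sample secret are hypothetical names and constructed values.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response: MD5(identifier octet || shared secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapServer:
    """Authenticator side; `secrets` maps user name to the shared secret."""

    def __init__(self, secrets):
        self._secrets = secrets
        self._pending = {}   # user -> (identifier, challenge), single use
        self._next_id = 0

    def issue_challenge(self, user):
        self._next_id = (self._next_id + 1) % 256
        self._pending[user] = (self._next_id, os.urandom(16))
        return self._pending[user]

    def verify(self, user, response):
        pending = self._pending.pop(user, None)
        secret = self._secrets.get(user)
        if pending is None or secret is None:
            return False
        # Recomputing the digest needs the secret itself, which is why the
        # server must keep a plaintext (recoverable) copy of the password.
        expected = chap_response(pending[0], secret, pending[1])
        return hmac.compare_digest(expected, response)


def demo():
    password = b"constructed-lab-secret"          # constructed sample value
    server = ChapServer({"alice": password})
    ident, challenge = server.issue_challenge("alice")
    first = chap_response(ident, password, challenge)
    ok = server.verify("alice", first)            # password never crossed the link
    server.issue_challenge("alice")
    replayed = server.verify("alice", first)      # old response, fresh challenge
    # A server holding only a one-way hash of the password cannot validate.
    hashed = ChapServer({"alice": hashlib.sha256(password).digest()})
    ident, challenge = hashed.issue_challenge("alice")
    hash_only = hashed.verify("alice", chap_response(ident, password, challenge))
    return ok, replayed, hash_only


if __name__ == "__main__":
    print(demo())
```

Nothing in the exchange lets the client check the server, which is the remote server impersonation gap the table lists for CHAP.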
Demonstration: How to Create a VPN Connection
In this demonstration, you will see how to:
Configure user dial-in settings
Configure Routing and Remote Access as a VPN server
Configure a VPN client


What Are Network Policies?
[Flowchart: network policy processing. Decision points: Are there policies to process? Does connection attempt match policy conditions? Is the remote access permission for the user account set to Deny Access? Is the remote access permission for the user account set to Allow Access? Is the remote access permission on the policy set to Deny remote access permission? Does the connection attempt match the user object and profile settings? Outcomes: Accept connection attempt; Reject connection attempt; Go to next policy.]
A network policy consists of the following elements:
Conditions
Constraints
Settings
Network policies enable you to designate who is authorized to connect to the network, and the circumstances under which they can or cannot connect.
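The policy-processing flowchart on this slide, as an added example that is not part of the original course material. The extracted flowchart lost its arrows, so the branch order below is an assumption about how the decision points connect; NetworkPolicy, evaluate and the sample policies are hypothetical names and constructed data. Returning the reason alongside the decision is what makes it useful when working out why a VPN connection was rejected.

```python
from dataclasses import dataclass
from typing import Callable


@dataclass
class NetworkPolicy:
    name: str
    conditions: Callable[[dict], bool]    # must match for the policy to apply
    constraints: Callable[[dict], bool]   # user object / profile settings check
    grant_access: bool = True             # False: policy denies remote access


def evaluate(attempt: dict, policies: list) -> tuple:
    """Walk policies in order; return (decision, reason) for the attempt."""
    for policy in policies:                          # policies left to process?
        if not policy.conditions(attempt):
            continue                                 # go to next policy
        permission = attempt["user_permission"]      # "deny" | "allow" | "policy"
        if permission == "deny":
            return "reject", f"{policy.name}: user account set to Deny Access"
        if permission != "allow" and not policy.grant_access:
            return "reject", f"{policy.name}: policy denies remote access"
        if not policy.constraints(attempt):
            return "reject", f"{policy.name}: user/profile settings not met"
        return "accept", policy.name
    return "reject", "no policy matched the connection attempt"


# Constructed sample policies, in processing order.
POLICIES = [
    NetworkPolicy("Block-PPTP", lambda a: a["tunnel"] == "PPTP",
                  lambda a: True, grant_access=False),
    NetworkPolicy("VPN-Users", lambda a: "VPN Users" in a["groups"],
                  lambda a: a["auth"] in {"EAP", "MS-CHAPv2"}),
]


def attempt(tunnel, auth, permission="policy", groups=("VPN Users",)):
    return {"tunnel": tunnel, "auth": auth,
            "user_permission": permission, "groups": set(groups)}


if __name__ == "__main__":
    for a in (attempt("SSTP", "EAP"), attempt("PPTP", "EAP"),
              attempt("SSTP", "PAP"), attempt("SSTP", "EAP", groups=())):
        print(evaluate(a, POLICIES))
```

The first policy whose conditions match decides the outcome, so a rejection reason naming an earlier policy means a later, more permissive policy was never evaluated.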
Troubleshooting VPNs
[Diagram labels: Remote User with VPN Client; Corporate Headquarters; VPN; VPN Server]
What Is VPN Reconnect?
The VPN Reconnect feature maintains connectivity across network outages. It requires Windows Server 2008 R2 or Windows 7.
VPN Reconnect:
Provides seamless and consistent VPN connectivity
Uses the Internet Key Exchange version 2 (IKEv2) technology
Automatically reestablishes VPN connections when connectivity is available
Maintains the connection if users move between different networks
Makes the connection status transparent to users

Lesson 2: Using Remote Desktop
Overview of Windows Remote Desktop
Practice: Enabling Remote Desktop
Configuring Remote Desktop by Using GPOs
Troubleshooting Remote Desktop
Overview of Windows Remote Desktop
Remote Desktop:
A Windows 7 feature that enables users to connect to their desktop computer from another device
Enables administrators to connect to multiple remote servers for administrative purposes
Practice: Enabling Remote Desktop
In this practice, you will:
Configure the Windows Firewall
Enable Remote Desktop
Use Remote Desktop



15 min


Configuring Remote Desktop by Using GPOs
Troubleshooting Remote Desktop
Cannot Connect to Remote Computer:
Check the Windows 7 edition
Check Windows Firewall status
Check that remote desktop is enabled on the target
Ensure the remote computer is not in sleep mode or hibernation
Check remote desktop permissions

Remote Computer Cannot be Found:
Try using the IP address
Check DNS records

Cannot Copy Text from Remote Computer:
Ensure the clipboard is selected as a local resource
Lesson 3: Troubleshooting User Issues by Using Remote Assistance
Using Remote Assistance to Assist Your Users
Remote Assistance in Windows 7
Demonstration: How to Use Remote Assistance (Optional)
Configuring Remote Assistance by Using GPOs
Using Remote Assistance to Assist Your Users
See remote desktop
Chat session
Take remote control
Remote Assistance in Windows 7
Remote Assistance:
A Windows 7 feature that enables support staff to connect to a remote desktop computer
Optionally allows for remote control of that computer
Assistance can be sought or offered
Demonstration: How to Use Remote Assistance (Optional)
In this demonstration, you will see how to:
Create a Word document
Request Remote Assistance
Provide Remote Assistance


Configuring Remote Assistance by Using GPOs
Lesson 4: Troubleshooting NAP Issues
What Is NAP?
Components of NAP
Discussion: How Would You Use NAP?
Configuring Client-Side NAP Settings
Best Practices for Troubleshooting NAP
What Is NAP?
Network Access Protection can:
Enforce health-requirement policies on client computers
Ensure client computers are compliant with policies
Offer remediation support for computers that do not meet health requirements
Network Access Protection cannot:
Enforce health requirement policies on client computers
Ensure client computers are compliant with policies
Components of NAP
[Diagram labels: Intranet; Remediation Servers; Internet; NAP Health Policy Server; DHCP Server; Health Registration Authority; IEEE 802.1X Devices; Active Directory; VPN Server; Restricted Network; NAP Client with limited access; Perimeter Network]
Discussion: How Would You Use NAP?
Can you envision using NAP?
What NAP enforcement method would be suitable?

5 min


Configuring Client-Side NAP Settings
Some NAP deployments that use Windows Security Health Validator require that you enable Security Center
The Network Access Protection service is required when you deploy NAP to NAP-capable client computers
You also must configure the NAP enforcement clients on the NAP-capable computers
Best Practices for Troubleshooting NAP
You can use tracing logs to:
Evaluate the health and security of your network
Troubleshoot and perform maintenance on your network
You can use the netsh NAP command to help troubleshoot NAP
Use the Event Viewer to identify NAP-related problems
Lesson 5: Troubleshooting DirectAccess Issues
What Is DirectAccess?
How Does DirectAccess Work?
Configuring DirectAccess
Troubleshooting DirectAccess Client Issues

What Is DirectAccess?
Benefits of DirectAccess:
Always-on connectivity
Seamless connectivity
Bidirectional access
Improved security
Integrated solution

Features of DirectAccess:
Connects automatically to corporate network over public network
Uses various protocols, including HTTPS, to establish IPv6 connectivity
Supports selected server access and IPsec authentication
Supports end-to-end authentication and encryption
Supports management of remote client computers
Allows remote users to connect directly to intranet servers

[Diagram label: DirectAccess server]
How Does DirectAccess Work?
The DirectAccess client running Windows 7 detects whether it is connected to a network
The client attempts to connect to an intranet website that is specified during the DirectAccess configuration
The client connects to the DirectAccess server using IPv6 and IPsec
The DirectAccess client and server authenticate each other by using computer certificates to establish the IPsec session
The DirectAccess server verifies that the computer and user are authorized to connect by using DirectAccess
The client obtains a health certificate from an HRA located on the Internet prior to connecting to the DirectAccess server
The DirectAccess server begins forwarding traffic from the DirectAccess client to the intranet resources to which the user has been granted access
Configuring DirectAccess
Steps to Configure DirectAccess:
Join the DirectAccess server to an Active Directory domain
Configure the DirectAccess server on the perimeter network
Enable ports and protocols needed for DirectAccess in the firewall exceptions
Create a security group in Active Directory
Install a web server on the DirectAccess server
Designate one of the server network adapters as the Internet-facing interface
Add and configure the Certificate Authority server role
Troubleshooting DirectAccess Client Issues
Steps to Troubleshoot DirectAccess Client Issues:
Verify the version of Windows 7 on the client
Verify that the client is joined to the domain and is a member of the security group
Verify GPO application
Verify IPv6 connectivity
Verify correct identification of the internal and external network
Verify the domain profile is not used on Internet
Verify the DNS resolution for the internal network
Verify IPsec connectivity
Lab: Resolving Remote Connectivity Issues
Exercise: Resolving a Remote Connectivity Problem

Estimated time: 30 minutes
Logon information
Virtual machines: 6293A-NYC-DC1, 6293A-NYC-SVR2, 6293A-NYC-CL1
User name: Contoso\Administrator, NYC-CL1\WSAdmin
Password: Pa$$w0rd
Lab Scenario
A user reported a recent problem connecting to the
corporate intranet from his home. He cannot connect to the
intranet, and receives the error documented in the help
desk ticket. The help desk checked the basic network
settings, but is unsure how to proceed.
Lab Review
In the lab, your user complained of being unable to log on.
What solutions did you attempt?
What solution was successful?
Module Review and Takeaways
Review Questions
Tools
