Client Initiated Remote Access

From Wikipedia, the free encyclopedia

Intel CIRA (Client Initiated Remote Access) supports out-of-band management systems such as Intel AMT.[1] It is intended to enable centralized corporate management and administration of laptops that are not attached to the corporate LAN but are instead located off-site (homes, hotels, etc.). Because off-site systems will typically sit behind a firewall, the corporate administrator has no way to reach the machine directly. Instead, the system (the 'client') initiates a connection to the corporate administration server, and the server then uses this connection to administer the machine.

The system is implemented in firmware and is meant to support administration resources such as Intel AMT and Intel vPro.
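A toy model of the pattern just described, added here as an example (it is not Intel's CIRA implementation or its wire protocol): the off-site machine dials out to the management server, the server pushes commands back over that same connection, and the client authenticates the server it dialled into and limits what it will execute. The shared-secret challenge, the JSON message format and the command names are constructed for the demonstration.

```python
"""Toy model of client-initiated remote access (reverse management channel).

Added example, not Intel's CIRA firmware or wire protocol: the off-site laptop
cannot be reached from the corporate side, so it dials out to the management
server, and the server then administers it over that same connection.
The shared secret, message format and command names are constructed.
"""
import hashlib
import hmac
import json
import secrets
import socket
import threading

# Constructed stand-in for the credentials a real provisioning step would install.
SHARED_SECRET = b"constructed-provisioning-secret"
# Commands the managed client is willing to serve over the reverse channel.
ALLOWED_COMMANDS = {"hostname", "power_state"}


def _send(sock, obj):
    sock.sendall((json.dumps(obj) + "\n").encode())


def _recv(reader):
    line = reader.readline()
    return json.loads(line) if line else None


class ManagementServer(threading.Thread):
    """Corporate side: waits for a client to dial in, then pushes commands to it."""

    def __init__(self, commands, secret=SHARED_SECRET):
        super().__init__(daemon=True)
        self.commands, self.secret, self.replies = commands, secret, []
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]

    def run(self):
        conn, _ = self.sock.accept()          # the client initiated this connection
        self.sock.close()
        with conn, conn.makefile("r") as reader:
            hello = _recv(reader)
            # Prove knowledge of the shared secret by answering the client's nonce.
            tag = hmac.new(self.secret, hello["nonce"].encode(), hashlib.sha256).hexdigest()
            try:
                _send(conn, {"type": "server_auth", "tag": tag})
                for name in self.commands:
                    _send(conn, {"type": "command", "name": name})
                    reply = _recv(reader)
                    if reply is None:         # client hung up (e.g. rejected our auth)
                        return
                    self.replies.append(reply)
                _send(conn, {"type": "bye"})
            except OSError:
                pass                          # peer closed the connection


def cira_client(server_port, inventory, secret=SHARED_SECRET):
    """Managed laptop: initiates the outbound connection, then serves vetted commands."""
    nonce = secrets.token_hex(16)
    handled = []
    with socket.create_connection(("127.0.0.1", server_port)) as s, s.makefile("r") as reader:
        _send(s, {"type": "hello", "nonce": nonce})
        auth = _recv(reader)
        expected = hmac.new(secret, nonce.encode(), hashlib.sha256).hexdigest()
        # Refuse to take orders from a server that cannot prove it is the real one.
        if not auth or auth.get("type") != "server_auth" \
                or not hmac.compare_digest(str(auth.get("tag", "")), expected):
            return {"authenticated": False, "handled": handled}
        while (msg := _recv(reader)) and msg["type"] == "command":
            name = msg["name"]
            handled.append(name)
            if name in ALLOWED_COMMANDS:
                _send(s, {"ok": True, "name": name, "result": inventory[name]})
            else:
                _send(s, {"ok": False, "name": name, "error": "command not permitted"})
    return {"authenticated": True, "handled": handled}


def run_demo(commands, server_secret=SHARED_SECRET):
    """Run one management session over loopback; returns (client view, server view)."""
    server = ManagementServer(commands, server_secret)
    server.start()
    inventory = {"hostname": "laptop-42", "power_state": "S0"}   # constructed
    client_view = cira_client(server.port, inventory)
    server.join(timeout=5)
    return client_view, server.replies


if __name__ == "__main__":
    print(run_demo(["hostname", "power_state", "reflash_firmware"]))
```

For a defender the two checks in `cira_client` are the point: a device that dials out and then obeys whoever answers must verify the server's identity, and the set of commands it honours should be an explicit allowlist.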

YouTube Encyclopedic

  • Configure Remote Access on Windows Server 2008 R2
  • MCTS 70-680: Windows 7 events forwarding
  • MCTS 70-680: Remote Connections

Transcription

In this section I will look at configuring remote access. Nowadays, with more people working away from the office and even at home, remote access is an important topic to understand. In this video I will first look at the 3 stages that make up a remote connection. It is important to understand these steps to help you troubleshoot network problems. Next I will look at NAT. NAT is a technology that allows one public IP address to be used by many computers. On smaller networks and at home you may however want to consider using Internet Connection Sharing. This is similar to NAT but requires a dedicated computer to access the internet. If you want to allow VPN access into your company, Microsoft offers Remote Access Service. Once I look at how Remote Access Service works and how to install it, I will have a closer look at the VPN protocols that make it work. Which operating systems you are using with the remote access server will determine which protocols you make available on it. Next I will look at Network Policy Server. With remote access there are a lot of settings to configure; Network Policy Server helps you to configure these settings throughout your environment. Lastly I will look at RADIUS. RADIUS is a system that allows you centralized control of remote access. In other words, who has access, and keeping records of who accesses what.

When looking at remote access it is easier to look at it in 3 stages. The first is connection. The connection stage makes the physical connection between the 2 parties. At this stage encryption and protocols are decided. When troubleshooting connection problems, make sure that both sides of the connection support the same protocols and encryption. If they don't, a connection will not be made. If a connection cannot be made, the next stage, authentication, cannot occur. The authentication stage identifies who the connection is being made by. Typically the connection is identified by username and password or certificates. You could however use IP addresses as well, but this is seen as not being very secure. The last stage of remote access is authorization. Authorization determines what they can access. This is done through IP filters, which either allow or block connections to certain IP addresses, and NTFS permissions, which block or allow access to files. When troubleshooting remote access problems, try to keep these stages in mind. If you are not being prompted for a username and password, the problem is probably a connection problem. If you keep getting denied access, the problem may be with your certificate or username and password. If everything seems to be working and your connection is up and running but you can't see or access anything, the problem is probably with authorization. Remember to keep these 3 stages in mind when troubleshooting network problems.

With IP version 4 addresses starting to run out, systems had to be devised to help use the available IP addresses a lot better. One of these systems is NAT. NAT stands for Network Address Translation. The concept behind NAT is that many computers communicate with a NAT device. The NAT device communicates with the internet. As shown here, 4 computers are connected to the same NAT device and share the one public IP address. NAT is very scalable and could be used for 100's or even 1000's of computers. As you can see on the left hand side, each client computer has its own IP address, but the IP address is a private IP address. NAT is usually found in most DSL modems and is the reason why you can connect multiple computers to the same DSL modem. NAT was designed to better utilize the remaining IP version 4 addresses. With the larger address space in IP version 6, NAT is not required for IP version 6, since IP addresses in IP version 6 are far from being scarce. If you want to use NAT with Windows you will require Windows Server. Client operating systems like Windows Vista and Windows 7 do not support NAT. In the real world you probably won't see Windows used for NAT, as NAT is usually done with hardware devices. NAT is primarily aimed at large business; if you have a small business or are a home user you may want to look at something like ICS.

ICS, or Internet Connection Sharing, is used when one computer shares its connection with other computers. For example, imagine this computer was connected to the internet but the DSL modem used is a USB modem and thus can only be connected to one computer at a time. Later on you wanted to connect some more computers up to the internet. Since the DSL modem only has one USB connection, you can't connect up any more computers to the connection. With Internet Connection Sharing you could connect the other computers up via the main computer. The downside with Internet Connection Sharing is that the computer that is accessing the internet must always be on for the other computers to access the internet. One common use for Internet Connection Sharing is when you place a wireless device on your network, for example a laptop. You can of course upgrade your DSL modem to one that supports wireless, but another solution is to install a network card in the computer running ICS. This will allow your laptop to connect to the internet using its wireless adapter without having to upgrade any of your existing networking gear.

Let's have a look at how to configure ICS. ICS works off an existing network connection. To access an existing network connection, open the Control Panel and select the option View network status and tasks. From here you need to select Change adapter settings from the right hand side. This will show you all the currently installed network connections. The one that I am interested in is my ISP connection, which is a dial-up connection. ICS works on almost any type of connection. To configure it, select the properties of the connection and then select the Sharing tab. On the Sharing tab select the option "Allow other network users to connect through this computer's internet connection". Next I need to select which adapter the other computers are connected to; in this case it will be Local Area Connection. You will also notice the option "Establish a dial-up connection whenever a computer on my network attempts to access the internet". This will essentially bring up the connection automatically when one of the computers on your network requests it. ICS is now set up and will allow computers connected to Local Area Connection to access the internet. If I select the Settings button, this allows me to set up port forwarding. Port forwarding will forward a request for a particular service to a particular computer. If I were to select Remote Desktop and enter in Workstation 10, all Remote Desktop connections that come through this internet connection will be directed to Workstation 10. If you don't set up any port forwarding, then all incoming services will remain on the computer with ICS enabled.

Now that you have an understanding of ICS, let's have a look at Remote Access Service, its bigger brother. The Microsoft Remote Access Service provides two basic services for clients. The first is dial-up services. The client will access the RAS server through a modem. Generally the modem will be in a bank of modems rather than a standalone modem. The RAS server will provide access to the production network for the client connected to that modem. RAS also provides VPN access. Over the years VPN access has become more common, and nowadays it is rare for anyone to use modem access. When VPN is used, the client creates a tunnel over the public internet to access the RAS server. This means the RAS server needs to have access to the internet. For this reason, the RAS server is normally a member server and placed on the DMZ or perimeter network. Doing this helps prevent the RAS server being compromised and, if it is, helps prevent the rest of the network being compromised as well.

To install the Remote Access Server, launch Server Manager from the Start menu under Administrative Tools. From the left hand side select the option Add Roles and then select Add Roles from the right hand side. If you have watched the previous video on routing, you would remember me doing the same thing as I am going to do now, and that is select Network Policy and Access Services. If I now move on to the components screen I need to select the Routing and Remote Access component. You will notice that the Routing component is also selected. This is not required for remote access so I will deselect it. I can now move on and start installing the role. Depending on the speed of your server, this role will generally take a few minutes to install. Once completed I can close Server Manager and then launch the Routing and Remote Access server tool from Administrative Tools under the Start menu. Routing and Remote Access in Windows Server 2008 has not changed that much from Windows Server 2003 and Windows Server 2000, so if you have some previous experience in remote access you should not have too many problems configuring it on Windows Server 2008.

In order to start using remote access, you need to configure it. To do this, right click on the remote access server, in this case RAS1, and select the option Configure Routing and Remote Access. This will launch the Routing and Remote Access Server wizard. In this particular case I want to set up this server to allow remote access, so I will leave it on the default option at the top, Remote access (dial-up and VPN). On the next screen you get to decide if you want this server to support connections via VPN or via dial-up; in this case I will select both. Most servers providing remote access will have more than one network card. One network card will generally be connected to the internet and the other will be connected to the production network. I will in this case select the second network card, as it is the network card that my clients are connected to. Notice also the option "Enable security on the selected interface by setting up static packet filters". This means the local firewall will be configured to deny anything other than VPN traffic. This is one good reason to use the wizard, to ensure that these rules are created. Be warned however, ticking this tick box will deny all traffic through that network card that is not a remote connection. You will no longer be able to receive pings, contact domain controllers or retrieve web pages. If you have a second network card that will perform these duties, tick this tick box; if not, it is probably best not to tick this box.

On the next screen you can decide where the clients will get their IP addresses from; this can either be from a pool you enter in or from the DHCP server. I have a DHCP server on the network, however for this example I will enter in a manual range. For a client to operate on the network, it needs to be allocated an IP address from the production network. The RAS server makes the client think that it is directly connected to that network, and other devices on the network will think that it is directly connected. When I set up a RAS server on a network I like to manually enter in a range of IP addresses, as this helps with troubleshooting. If you have a range of IP addresses that you know is just being used for VPN, when you see one of those IP addresses in a log file you know that it came from a remote connection. When you enter in the range of IP addresses, you only need to enter in the start IP address and the number of IP addresses that you want to use. Windows will automatically work out the end IP address for you. Once you have configured how you want your clients to obtain their IP addresses, you will need to decide if you want to use RADIUS or not. RADIUS is an authentication system. I will cover RADIUS in more detail later in this video. For the present just think of RADIUS as a system that authenticates users on the network. RADIUS is often used when you have multiple remote access servers and you want to authenticate them all using one system. Once I press Finish, Routing and Remote Access will be installed. Remote Access Services does not take long to install. Once done your RAS server is ready to go. You may however want to do some more configuration to the server depending on what type of clients will be connecting.

Let's have a look at the protocols RAS supports. The first is PPTP. PPTP, or Point-to-Point Tunneling Protocol, was developed by Microsoft and thus is supported by most Microsoft operating systems. If you are using a non-Microsoft operating system you will need to use another protocol to connect to the VPN server. PPTP is being made obsolete by newer protocols but may be your only choice if you have some older Windows operating systems that need to connect up to your VPN server. The protocol only supports TCP/IP, which nowadays, with the popularity of the protocol, may not present a problem. The protocol requires TCP port 1723 to be open to operate effectively. The next protocol is L2TP, or Layer Two Tunneling Protocol. This protocol is an open standard, so you can use it to connect your non-Microsoft clients. L2TP also supports multiple protocols, not just TCP/IP. L2TP can use IPsec for encryption, assuming that you are using certificates in your organization. The downside with L2TP is that it is not supported on older operating systems. L2TP uses TCP port 1701 and UDP port 500 for communication and also has IP version 6 support. L2TP is a better protocol in a lot of ways, but because of its lack of backward support it is not uncommon for VPN servers to have both PPTP and L2TP configured. With both installed the client can decide which one they want to use. The disadvantage with both these protocols is that they require ports to be open on the firewall to operate that may not normally be open. A lot of administrators don't like opening additional ports on their firewalls, which brings us to the last protocol. SSTP, or Secure Socket Tunneling Protocol, addresses some of the problems with firewalls by using SSL for encryption. SSL uses port 443 to transfer traffic. Because of this, SSTP has better firewall support, because port 443 may already be open as it is commonly used by web traffic to encrypt data. The protocol also supports certificates for authentication if your organization has a certificate authority. The protocol is designed for client access and thus can't be used for site-to-site access. The protocol is new to Windows Server 2008 and has limited support for older clients. When SSTP first arrived you needed to have Windows Vista with Service Pack 1 or above. Since then Microsoft has added support to Windows XP with the release of Service Pack 3. SSTP is a good protocol to use and gives you a lot of features if your clients support it.

Let's have a look at how to configure and connect to a RAS server. First of all I want to see what protocols are enabled on my RAS server. To do this, select Ports. Here you can see all the ports that are currently waiting for connections. You can see a port waiting for an SSTP connection and further down a port waiting for a PPTP connection. If a client was connected to this server, the status would change from inactive to connected. If I now right click on Ports and select Properties, you can see all the protocols I just talked about. If I press Configure for SSTP, you can see here that by default it is enabled and accepting remote access connections. SSTP can only be used for incoming connections, so you will notice that the options for outgoing are grayed out. You will also notice that the maximum ports is set to 128 by default. This means that this server can accept 128 SSTP connections. Bear in mind that when I set up the IP address pool I only allocated 50 IP addresses. If you are planning on having a lot of incoming connections, make sure that your maximum ports is high enough to support them and also that you have a big enough pool of free IP addresses. If I now select PPTP and again press Configure, you will notice that again I have the option to enable or disable incoming connections. I also have the option to enable or disable demand-dial connections. Demand-dial connections will create a connection as required. For example, if you had two branch offices connected by VPN, a demand-dial connection will bring up the connection when the client attempts to use it. The next protocol is L2TP; you can see the options are the same as the other protocols. If you want to disable any of these protocols, just clear the relevant check box. The last of the RAS protocols is IKE. This is essentially IPsec, meaning if you want to make a native IPsec connection RAS supports it. This may be a good option for you if you have non-Windows computers that want to connect up to RAS.

To start using RAS you need to make a connection from a client computer. To do this, I will switch to my Windows 7 computer. I will use Windows 7 as a client for this demonstration, as it is more than likely that a non-Windows Server 2008 computer will be used to connect to RAS. To create the new connection, open the Control Panel and then select "View network status and tasks". This will take you into the Network and Sharing Center. To start the new connection wizard, select the option Set up a new connection or network. Depending on which version of Windows you are running, the wizard may be a little different and may be launched from a different location. In this case, the option I want is Connect to a workplace. This wizard can also be used to create a dial-up connection; in this case I want a VPN connection so I will select Use my internet connection. The next screen will ask if you want to set up an internet connection to connect to the VPN server. You would select this option if you needed to dial up to an ISP using a modem or you had to connect via a different connection. When configured correctly, whenever this VPN connection is activated the connection to the internet will first be opened before trying to connect to the RAS server. On this screen I need to enter in the IP address or server name of the RAS server; I can also give the connection a suitable name. At the bottom of the screen you will notice the option Allow other people to use this connection. Ticking this option will allow other users on the computer to connect up using this connection. If this connection connects back to your head office, for example, ticking this option allows you to set up the connection using the administrator, and then any user that logs onto the computer will be able to use the connection. On this screen you can enter in the username and password for this connection. Just to prove a point, I am going to use the domain administrator's username and password, which has access to everything on the network. If you are creating a shared connection, it is often a good idea to tick the tick box Remember this password. If you don't tick this tick box, a user will be prompted for a password each time the connection is run. The connection does not take long to create; once created I can select Connect or disconnect, go down to Work VPN and press Connect to start the connection up. You will notice that the connection will fail to connect. Windows will come back saying there was an error verifying the username and password, even though I used a domain administrator's account. This is because no user by default has access to the RAS server.

To fix this problem, I need to switch to my domain controller. To enable access to the administrator, I need to make a change to the domain administrator's account. To do this, I need to run Active Directory Users and Computers, found in Administrative Tools under the Start menu. All I need to do is locate the administrator's account under the Users OU. Select the properties on the administrator account and then go to the Dial-in tab. On this tab you can see by default dial-in access is determined by the NPS network policy. I don't have NPS configured on this network as yet. NPS is a system designed to help you control access to your network. Why is it required? Well, if you look at the options above, if I want to enable access for the administrator I need to select the option Allow access. If you have a network with 1000's of users you need a system like NPS to simplify administration. In a moment I will look at how we can use NPS to configure our network. If I now go back to my Windows 7 client and press the Redial button, you will notice that the computer now connects up to the network. You will notice that under connections, Work VPN has appeared. This computer is now connected to the work network, and to other computers it will appear as if it is on the network even though it is accessing the network through the RAS server. To demonstrate this, if I now open a command prompt from the Start menu and run the command ipconfig, you will notice that the computer now has an IP address of 10.0.0.151. This is one of the IP addresses that I allocated to the RAS server earlier using the configuration wizard. Imagine on a large network with 100's or even 1000's of users having to manually go into Active Directory and configure them to be allowed access to the network via remote access. Back in the Windows NT days, this is what you had to do. Nowadays we can use NPS to do the hard work for us.

NPS, or Network Policy Server, allows you to create rules defining how users can connect to your network. If you have used Remote Access Services before, you may notice NPS is similar to remote access policy. Network Policy Server replaces remote access policy and improves on it. The main role of NPS is to provide authentication and authorization settings. On a large network it is essential to have something like Network Policy Server to deploy settings; otherwise trying to administer dial-in services using Active Directory and manually ticking and unticking boxes for individual users would be a nightmare. Also, as you will see, there are a lot of things you can do with Network Policy Server that you can't do by modifying the settings in Active Directory or using the Routing and Remote Access tool.

Let's have a look at how to use Network Policy Server. I already have the Routing and Remote Access tool open from the previous demonstration. All I need to do is select Remote Access Logging and Policies, right click it and select Launch NPS. To see what policies have already been created, select the folder Network Policies. You can see here by default that two policies have already been created. They are created during the install, and you can see they both have an access type of deny. The second policy checks the time and checks its rule list for a match. Its rule list is set for 24/7, so anything that makes it to this policy is going to be denied. This policy acts as a catch-all to ensure any connections that do not match a policy are denied. To create a new policy, right click Network Policies and select New. For the policy name I will enter in Company VPN and for the type of policy I will select Remote Access Server. You will notice that there are a lot of other types of policies available. This is one of the reasons for the name change from remote access policies, because the policies have expanded to include more than remote access.

On the Specify Conditions screen you need to enter in some conditions this policy will check for. You can enter in more than one set of conditions; for example, you could enter in a user group and a date and time condition. As you can see, there are a lot of different conditions you can set. You can even set conditions based on the protocols being used. In this particular case I want to create a policy for domain users, so I will select Windows Groups. From here, it is a simple matter of looking up the Domain Users group in Active Directory and adding it. Once added, any user in the Domain Users group will be affected by this policy. On this screen you need to select whether this is an allow or deny policy. In this particular case I want to allow all domain users to be able to connect to my RAS server. Notice the tick box Access is determined by user dial-in properties. If I tick this tick box, if the conditions of the policy are met, Network Policy Server will then refer to Active Directory and either allow or deny based on the settings in Active Directory. On this screen you can set the authentication types; at the top you have EAP types. This basically refers to devices like smart cards. At the bottom of the screen you have other authentication methods. Later in the course I will go into more detail about these authentication methods.

On this screen you can configure some constraints for your connections. First there is the idle timeout. If you set a value here, for example 15 minutes, if the user does not perform any activity for 15 minutes they will be disconnected. The session timeout, when set, will determine how long a session will be allowed to run for before it is disconnected. The called station ID can be used to determine where the connection is being made from. If the connection is not being made from an authorized station it will be disconnected. Day and time restrictions allow the connection only to be made at certain times, and if running outside these times they will be disconnected. With VPNs and high speed networks, a lot of these settings are no longer used on most networks. When you had a network with limited modems, settings like these needed to be set up to allow fair access to these facilities. Without settings like these, modem banks would become jammed and end users would not be able to connect. With VPN, one server can handle a high number of connections, so fair play issues hardly ever come up. The last constraints setting is NAS port types. These settings relate to the type of media the connection comes over. If you want certain settings for wireless and different settings for wired networks you could set them here. For example, you could require a higher encryption standard for wireless than VPN traffic.

On the next screen you can configure even more settings. The first two options relate to RADIUS. If your clients are using RADIUS to connect to your server, you can send additional options to the client if you wish. If your vendor has special RADIUS attributes, you can use the next option, Vendor Specific. The Multilink section refers to using multiple modems together to give you a higher speed. With high speed internet nowadays, this is hardly worth the effort setting up, but it is on by default if you choose to use it. In the IP Filters section, you can set IP filters to block certain traffic. As you can see in the dialog, you can set IP addresses and select different protocols. This allows you to restrict incoming connections from certain addresses and also stop them connecting to certain locations. On the Encryption screen you can set what type of encryption standard will be allowed. It is important to note that No encryption is ticked by default. On your network you may want to clear this tick box. Depending on how old the clients are that are connecting to your server, you may want to deselect lower encryption options. Remember that high encryption does also put more load on your server; in some cases you may want to deselect the higher options if you are having performance problems on your server. The last section lets you have more control over how the IP address is allocated to the client. If you want to set static IP addresses or want to let the client choose their own IP address you will need to set it here. That's it; press Finish and your new policy has been created. Notice now the policy is the first in the list. This is important. Policies are evaluated in order until a match is made. If, for example, you had the deny policy first, all connections would be denied regardless of what you set in the other policies. When troubleshooting policy problems, make sure you look at any policies that are before the policy in question. If a match is made, Windows will not look at the policy.

The last thing that I want to look at is RADIUS. RADIUS stands for Remote Authentication Dial In User Service. RADIUS allows for the central management of authentication, authorization and accounting, also known as triple A. If you have a large organization and you want to centralize administration of your remote connections, you should consider installing a RADIUS server or multiple RADIUS servers throughout your organization. RADIUS over the years has expanded from the dial-up service that it was originally aimed at. I have seen RADIUS set up to use smart cards and secure tokens. When a client connects up to a RAS server, the RAS server will connect to the RADIUS server and either allow or deny the user. RADIUS is an open standard, so you will find it is used with other products, not just Microsoft products. If you want to centralize your authentication, authorization and accounting, consider installing a RADIUS server.

When you start configuring your network for remote access remember, a lot of protocols and devices are used when a remote connection is made. This means there are a lot of places where problems can occur. When troubleshooting, break the problem down into smaller parts. Can you ping the other side? If so, the connection is fine; the problem may be with authorization. Check the firewall rules the connection is passing through. Certain protocols require some non-standard ports to be open. If these ports are being blocked on the client, server or a firewall in between the connection, then the connection will fail. Remote access can be a lot of effort to set up, but when it is running well it is worth the effort.
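The transcript's point about policy order (first match wins, a 24/7 catch-all deny at the end, and a deny policy placed first blocking everything) as an added example in Python; this is a simplified model written for this page, not Microsoft's NPS code. The group names, request fields and per-user dial-in settings are constructed, and the "access is determined by user dial-in properties" behaviour is modelled as the AD setting overriding the policy's grant when that setting is explicit.

```python
"""Toy model of NPS network-policy evaluation order (added example, not NPS itself).

Policies are checked top to bottom; the first one whose conditions all hold
decides the outcome and no later policy is consulted.  Request fields, group
names and the per-user dial-in settings below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Request:
    user: str
    groups: set
    nas_port_type: str          # e.g. "Virtual (VPN)" or "Wireless - IEEE 802.11"
    when: datetime


@dataclass
class Policy:
    name: str
    conditions: List[Callable[[Request], bool]]
    grant: bool                          # True = allow access, False = deny
    use_dialin_properties: bool = False  # "Access is determined by user dial-in properties"


# Constructed AD dial-in tab values: True = Allow access, False = Deny access,
# None = "Control access through NPS Network Policy" (the default).
DIALIN: Dict[str, Optional[bool]] = {"administrator": True, "contractor": False}


def in_group(name):            return lambda r: name in r.groups
def day_time(start, end):      return lambda r: start <= r.when.hour < end
def port_type(kind):           return lambda r: r.nas_port_type == kind


def evaluate(policies: List[Policy], req: Request) -> Tuple[bool, Optional[str]]:
    """Return (access granted?, name of the policy that decided)."""
    for p in policies:
        if all(cond(req) for cond in p.conditions):
            if p.use_dialin_properties and DIALIN.get(req.user) is not None:
                return DIALIN[req.user], p.name   # explicit AD setting overrides
            return p.grant, p.name                 # first match decides; stop here
    return False, None                              # nothing matched: denied


# The built-in catch-all from the transcript: day/time 24/7, access type deny.
CATCH_ALL = Policy("Connections to other access servers", [day_time(0, 24)], grant=False)
# The policy created in the demonstration: Domain Users over VPN, allow.
COMPANY_VPN = Policy("Company VPN", [in_group("Domain Users"), port_type("Virtual (VPN)")],
                     grant=True)
# Constructed extra policy that defers to the AD dial-in tab.
CONTRACTORS = Policy("Contractors", [in_group("Contractors")], grant=True,
                     use_dialin_properties=True)


def correct_order(req: Request):
    """Specific policies first, catch-all last (the order the transcript ends with)."""
    return evaluate([COMPANY_VPN, CONTRACTORS, CATCH_ALL], req)


def deny_first(req: Request):
    """The misordering the transcript warns about: the deny policy sits at the top."""
    return evaluate([CATCH_ALL, COMPANY_VPN, CONTRACTORS], req)


if __name__ == "__main__":
    r = Request("alice", {"Domain Users"}, "Virtual (VPN)", datetime(2023, 3, 28, 10, 41))
    print(correct_order(r), deny_first(r))
```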

This page was last edited on 28 March 2023, at 10:41
Basis of this page is in Wikipedia. Text is available under the CC BY-SA 3.0 Unported License. Non-text media are available under their specified licenses. Wikipedia® is a registered trademark of the Wikimedia Foundation, Inc. WIKI 2 is an independent company and has no affiliation with Wikimedia Foundation.