In the last part of the series we looked at how you can manage and use your Windows computers from anywhere as long as you are on the same network. But what if you are not?
Be sure to check out the previous articles in this Geek School series on Windows 7:
- Introducing How-To Geek School
- Upgrades and Migrations
- Configuring Devices
- Managing Disks
- Managing Applications
- Managing Internet Explorer
- IP Addressing Fundamentals
- Networking
- Wireless Networking
- Windows Firewall
- Remote Administration
And stay tuned for the rest of the series all this week.
Network Access Protection
Network Access Protection is Microsoft’s attempt to control access to network resources based on the health of the client trying to connect to them. For example, in the situation where you are a laptop user, there may be many months where you are on the road and do not connect your laptop to your corporate network. During this time there is no guarantee that your laptop does not get infected with a virus or malware, or that you even receive anti-virus definition updates.
In this situation, when you get back to the office and connect the machine to the network, NAP will automatically check the machine's health against a policy you have set up on one of your NAP servers. If the device that connected to the network fails the health inspection, it automatically gets moved to a super-restricted section of your network called the remediation zone. While it is in the remediation zone, the remediation servers will automatically try to rectify the problem with your machine. Some examples could be:
- If your firewall is disabled and your policy requires it to be enabled, the remediation servers would enable your firewall for you.
- If your health policy states that you need to have the latest Windows updates and you don't, you could have a WSUS server in your remediation zone that will install the latest updates on your client.
Your machine will only get moved back to the corporate network if it is deemed healthy by your NAP servers. There are four different ways you can enforce NAP, each having its own advantages:
- VPN – Using the VPN enforcement method is useful in a company where you have telecommuters working remotely from home, using their own computers. You can never be sure what malware someone might install on a PC that you have no control over. When you use this method, a client's health is checked every time it initiates a VPN connection.
- DHCP – When you use the DHCP enforcement method, a client will not be given a valid network address from your DHCP server until it has been deemed healthy by your NAP infrastructure.
- IPsec – IPsec is a method of encrypting network traffic using certificates. Although not very common, you can also use IPsec to enforce NAP.
- 802.1x – 802.1x is also sometimes called port-based authentication and is a method of authenticating clients at the switch level. Using 802.1x to enforce a NAP policy is standard practice in today's world.
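To make the health check concrete, here is an added example (not from the original article) that performs a local "statement of health" check in the spirit of the policy described above: firewall on for every profile, the Windows Update service not disabled, and an anti-virus product registered with Security Center. The policy values, the entry name and the choice of checks are assumptions; a real NAP policy lives on the NPS server and is evaluated by the NAP agent, not by a script. It only reports, unless you pass -Remediate, in which case it applies the one remediation the article mentions (turning the firewall on). Run it from an elevated PowerShell prompt on Windows 7 or later.

```powershell
# Added example, not part of the original article: a local health check
# modelled on the NAP policy in the text. Policy values are hypothetical.
param([switch]$Remediate)

$Policy = @{
    FirewallRequired      = $true
    WindowsUpdateRequired = $true
    AntiVirusRequired     = $true
}

function Get-FirewallProfileState {
    # netsh advfirewall exists on Windows 7; each profile block has a
    # "State   ON|OFF" line. Output is locale dependent (English assumed).
    $states  = @{}
    $profile = $null
    foreach ($line in (netsh advfirewall show allprofiles)) {
        if ($line -match '^(Domain|Private|Public) Profile Settings:') {
            $profile = $Matches[1]
        } elseif ($profile -and $line -match '^State\s+(ON|OFF)\s*$') {
            $states[$profile] = $Matches[1]
        }
    }
    return $states
}

function Test-ClientHealth {
    $failures = @()

    if ($Policy.FirewallRequired) {
        $fw = Get-FirewallProfileState
        if ($fw.Count -eq 0) { $failures += 'Could not read firewall state' }
        foreach ($p in $fw.Keys) {
            if ($fw[$p] -ne 'ON') { $failures += "Firewall is OFF for the $p profile" }
        }
    }

    if ($Policy.WindowsUpdateRequired) {
        # Win32_Service exposes StartMode, which Get-Service lacks on PowerShell 2.0
        $wu = Get-WmiObject Win32_Service -Filter "Name='wuauserv'"
        if (-not $wu -or $wu.StartMode -eq 'Disabled') {
            $failures += 'Windows Update service (wuauserv) is missing or disabled'
        }
    }

    if ($Policy.AntiVirusRequired) {
        # root\SecurityCenter2 exists on client editions (Vista and later), not on servers
        $av = Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct -ErrorAction SilentlyContinue
        if (-not $av) { $failures += 'No anti-virus product is registered with Security Center' }
    }

    return $failures
}

$failures = Test-ClientHealth
if ($failures.Count -eq 0) {
    Write-Host 'HEALTHY: client meets the policy'
} else {
    Write-Host 'NON-COMPLIANT:'
    $failures | ForEach-Object { Write-Host "  - $_" }

    if ($Remediate -and ($failures -match 'Firewall is OFF')) {
        # The same action a remediation server would take for the firewall requirement
        netsh advfirewall set allprofiles state on | Out-Null
        Write-Host 'Remediation: firewall enabled for all profiles; re-run to confirm'
    }
}
```

The anti-virus check only confirms that a product is registered; whether its definitions are current is encoded in the productState value, which vendors interpret differently, so a real policy would query the product directly.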
Dial-Up Connections
For some reason, in this day and age, Microsoft still wants you to know about those primitive dial-up connections. Dial-up connections use the analog telephone network, also known as POTS (Plain Old Telephone Service), to deliver information from one computer to another. They do this using a modem, a word formed from modulate and demodulate. The modem gets hooked up to your PC, normally using an RJ11 cable, and modulates the digital information stream from your PC into an analog signal that can be carried across the telephone lines. When the signal reaches its destination it is demodulated by another modem and turned back into a digital signal that the computer can understand.
To create a dial-up connection, right-click on the network status icon and open the Network and Sharing Center.
Then click on the Set up a new connection or network hyperlink.
Now choose Set up a dial-up connection and click Next.
From here you can fill in all the information required.
Note: If you get a question that requires you to set up a dial-up connection on the exam, they will provide the relevant details.
Virtual Private Networks
Virtual Private Networks are private tunnels you can establish over a public network, such as the internet, so that you can securely connect to another network.
For example, you might establish a VPN connection from a PC on your home network to your corporate network. That way it would appear as if the PC on your home network was really part of your corporate network. In fact, you can even connect to network shares and the like as if you had taken your PC and physically plugged it into your work network with an Ethernet cable. The only difference is of course speed: instead of getting the Gigabit Ethernet speeds that you would if you were physically in the office, you will be limited by the speed of your broadband connection.
You are probably wondering how safe these "private tunnels" are, since they "tunnel" over the internet. Can everyone see your data? No, they can't, and that's because we encrypt the data sent over a VPN connection, hence the name virtual "private" network. The protocol used to encapsulate and encrypt the data sent over the network is left up to you, and Windows 7 supports the following:
Note: Unfortunately these definitions you will need to know by heart for the exam.
- Point-to-Point Tunneling Protocol (PPTP) – The Point-to-Point Tunneling Protocol allows network traffic to be encapsulated into an IP header and sent across an IP network, such as the Internet.
  - Encapsulation: PPP frames are encapsulated in an IP datagram, using a modified version of GRE.
  - Encryption: PPP frames are encrypted using Microsoft Point-to-Point Encryption (MPPE). Encryption keys are generated during authentication, where the Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2) or Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) protocols are used.
- Layer 2 Tunneling Protocol (L2TP) – L2TP is a secure tunneling protocol used for transporting PPP frames using the Internet Protocol; it is partially based on PPTP. Unlike PPTP, the Microsoft implementation of L2TP does not use MPPE to encrypt PPP frames. Instead, L2TP uses IPsec in Transport Mode for encryption services. The combination of L2TP and IPsec is known as L2TP/IPsec.
  - Encapsulation: PPP frames are first wrapped with an L2TP header and then a UDP header. The result is then encapsulated using IPsec.
  - Encryption: L2TP messages are encrypted with either AES or 3DES encryption using keys generated from the IKE negotiation process.
- Secure Socket Tunneling Protocol (SSTP) – SSTP is a tunneling protocol that uses HTTPS. Since TCP port 443 is open on most corporate firewalls, this is a great choice for those countries that don't allow traditional VPN connections. It is also very secure, since it uses SSL certificates for encryption.
  - Encapsulation: PPP frames are encapsulated in IP datagrams.
  - Encryption: SSTP messages are encrypted using SSL.
- Internet Key Exchange (IKEv2) – IKEv2 is a tunneling protocol that uses the IPsec Tunnel Mode protocol over UDP port 500.
  - Encapsulation: IKEv2 encapsulates datagrams using IPsec ESP or AH headers.
  - Encryption: Messages are encrypted with either AES or 3DES encryption using keys generated from the IKEv2 negotiation process.
Server Requirements
Note: You can obviously have other operating systems set up to be VPN servers. However, these are the requirements to get a Windows VPN server running.
In order to allow people to create a VPN connection to your network, you need a server running Windows Server that has the following roles installed:
- Routing and Remote Access (RRAS)
- Network Policy Server (NPS)
You will also need to either set up DHCP or allocate a static IP pool that machines connecting over VPN can use.
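As an added example (not from the original article, and not Microsoft's own setup script), the following PowerShell prepares a Windows Server 2008 R2 host for the roles listed above and opens the inbound firewall ports for the tunnelling protocols described in the previous section. Only port 443 (SSTP) and UDP 500 (IKEv2) are named in the article; the remaining port numbers are the standard assignments for these protocols. Which protocols to expose is an assumption: the script enables only the IPsec and TLS based tunnels by default, because PPTP with MS-CHAP v2 is widely regarded as broken and is best left off unless you have a specific need for it. The NPAS-* feature names are the Server 2008 R2 names; later versions use different names, which is why the script lists what Get-WindowsFeature reports before installing.

```powershell
# Added example, not part of the original article. Run from an elevated
# PowerShell prompt on the server that will become your VPN endpoint.
Import-Module ServerManager   # provides Get-/Add-WindowsFeature on Server 2008 R2

# Tunnelling protocols from the article and the inbound ports each needs.
# A protocol given as a number with no port is an IP protocol number (47 = GRE).
$Protocols = @{
    'SSTP'  = @( @{ proto = 'TCP'; port = 443 } )
    'IKEv2' = @( @{ proto = 'UDP'; port = 500 }, @{ proto = 'UDP'; port = 4500 } )
    'L2TP'  = @( @{ proto = 'UDP'; port = 500 }, @{ proto = 'UDP'; port = 4500 }, @{ proto = 'UDP'; port = 1701 } )
    'PPTP'  = @( @{ proto = 'TCP'; port = 1723 }, @{ proto = '47';  port = $null } )
}
# Assumption: expose only the IPsec/TLS based tunnels; add 'L2TP' or 'PPTP' if required.
$Allowed = @('SSTP', 'IKEv2')

# 1. Roles: show what this server calls the RRAS and NPS features, then install them
Get-WindowsFeature | Where-Object { $_.Name -like 'NPAS*' } |
    Format-Table Name, DisplayName, Installed -AutoSize
Add-WindowsFeature NPAS-Policy-Server, NPAS-RRAS-Services

# 2. Firewall: one inbound allow rule per protocol and port
foreach ($name in $Allowed) {
    foreach ($rule in $Protocols[$name]) {
        $ruleName  = "VPN $name $($rule.proto) $($rule.port)".Trim()
        $netshArgs = @('advfirewall', 'firewall', 'add', 'rule',
                       "name=$ruleName", 'dir=in', 'action=allow', "protocol=$($rule.proto)")
        if ($rule.port) { $netshArgs += "localport=$($rule.port)" }
        & netsh $netshArgs | Out-Null
        Write-Host "Allowed inbound $($rule.proto) $($rule.port) for $name"
    }
}
```

After the roles are installed you still configure RRAS itself (the address pool or DHCP relay the article mentions, and the authentication methods) through the Routing and Remote Access console; the firewall rules above only make the chosen tunnels reachable.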
Creating a VPN Connection
To connect to a VPN server, right-click on the network status icon and open the Network and Sharing Center.
Then click on the Set up a new connection or network hyperlink.
Now choose Connect to a workplace and click Next.
Then choose to use your existing broadband connection.
Now you will need to enter the IP address or DNS name of the VPN server on the network you want to connect to. Then click Next.
Then enter your username and password and click Connect.
Once you have connected, you will be able to see if you are connected to a VPN by clicking on the network status icon.
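Once the wizard has created the connection, you can also bring it up and check it from the command line. The following is an added example (not from the original article) that connects to the phonebook entry the wizard created using rasdial, then confirms the connection the same way the article does by hand: by finding the connection's PPP adapter and its assigned address. The entry name 'Work VPN' is an assumption; use whatever name you gave the connection in the wizard.

```powershell
# Added example, not part of the original article. Works on Windows 7's
# PowerShell 2.0; rasdial and ipconfig are the built-in tools it drives.
param(
    [string]$EntryName = 'Work VPN',     # name chosen in the wizard (assumed)
    [string]$UserName  = $env:USERNAME
)

function Connect-VpnEntry {
    param([string]$Entry, [string]$User)
    # Prompt for the password instead of putting it on the command line,
    # where it would show up in process listings and shell history.
    $cred  = Get-Credential $User
    $plain = $cred.GetNetworkCredential().Password
    rasdial $Entry $cred.UserName $plain | Out-Null
    $ok    = ($LASTEXITCODE -eq 0)
    $plain = $null
    return $ok
}

function Get-PppAdapterAddress {
    param([string]$Entry)
    # ipconfig lists a connected VPN as "PPP adapter <entry name>:" followed
    # by an indented block that contains its IPv4 address.
    $inSection = $false
    foreach ($line in (ipconfig)) {
        if ($line -match "^PPP adapter $([regex]::Escape($Entry)):") { $inSection = $true; continue }
        if ($inSection -and $line -match '^\S') { $inSection = $false }   # next adapter header
        if ($inSection -and $line -match 'IPv4 Address[ .]*: (\S+)') { return $Matches[1] }
    }
    return $null
}

if (Connect-VpnEntry -Entry $EntryName -User $UserName) {
    $addr = Get-PppAdapterAddress -Entry $EntryName
    if ($addr) { Write-Host "Connected to '$EntryName'; tunnel address $addr" }
    else       { Write-Host "rasdial reported success but no PPP adapter for '$EntryName' was found" }
} else {
    Write-Host "Connection to '$EntryName' failed (rasdial exit code $LASTEXITCODE)"
}

# To disconnect: rasdial $EntryName /disconnect
```

Checking for the PPP adapter, rather than trusting rasdial's exit code alone, catches the case where the tunnel came up but no address was handed out, which is exactly the symptom of a missing DHCP relay or static pool on the server side.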
Homework
Read the following article on TechNet, which guides you through planning security for a VPN.
Note: Today's homework is a little bit out of scope for the 70-680 exam, but it will give you a solid understanding of what's going on behind the scenes when you connect to a VPN from Windows 7.
If you have any questions, you can tweet me @taybgibb, or just leave a comment.