Chapter 7 - Remote Access Services - Full
COURSE: Network Technology
Chapter 1 Networks and Remote Access
07 REMOTE ACCESS SERVICES
November 8, 2022
Understanding Organization Networks

Demilitarized Zone (DMZ)
❖ Separates the LAN from untrusted networks (the Internet).
❖ Also known as a perimeter network or screened subnetwork.
❖ Servers and resources in the DMZ are accessible from the Internet (and/or the LAN), for example web, email, DNS, FTP and proxy servers, but the rest of the internal LAN remains unreachable.
❖ Provides an additional layer of security to the LAN, as it restricts an attacker's ability to directly access internal servers and data from the Internet.
o This only holds if the firewall also limits what DMZ hosts may initiate toward the internal LAN; a compromised DMZ server must not become a free pivot into it.
(Fig. A: sample network structure)

Demarc (demarcation point)
❖ A translation device or router with a specialized network interface for the last-mile technology that passes traffic directly between the ISP and the NAT router.
❖ Common last-mile technologies:
o Digital subscriber line (DSL): uses a telephone network.
o Cable broadband: uses a television cable network.
o Gigabit Passive Optical Network (GPON): uses fiber optic cable.
o Long-range Wi-Fi: uses radio wireless, often using wireless transmitters positioned in a line of sight.
Understanding Organization Networks

NAT (Network Address Translation)
❖ To access the Internet, a public IP address is needed.
❖ NAT is a process in which one or more local (private) IP addresses are translated into one or more global (public) IP addresses, and vice versa, in order to provide Internet access to the local hosts.
❖ Port Address Translation (PAT) is the common form: many local hosts share one public address, and the router also rewrites the source port so that replies can be mapped back to the right host.
(Fig. A: sample network structure. Outbound: the private source 192.168.10.10 toward 209.165.201.1 is rewritten to the public source 209.165.200.226; on receipt of the reply the destination is translated back. PAT: 192.168.10.11:1331 toward 209.165.202.129:80 leaves as 209.165.200.226:1331.)
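A worked model of the PAT table behind the figure, as an added example that is not part of the course slides. It reuses the figure's addresses (192.168.10.11, 209.165.200.226, 209.165.202.129) and constructs the rest (a second inside host 192.168.10.12 and a scanner at 198.51.100.7); `PATTable`, `demo` and the port-allocation rule are this example's own, not any router's code.

```python
# Added example (not from the course slides): a minimal PAT / NAT-overload
# translation table using the addresses shown in the figure. Illustrative
# model only; real routers also track state timeouts, TCP flags and ICMP.

EPHEMERAL_PORTS = range(1024, 65536)


class PATTable:
    """Maps (proto, inside-local IP, port) to one inside-global IP and a port."""

    def __init__(self, inside_global="209.165.200.226"):
        self.inside_global = inside_global   # the router's single public address
        self.outbound = {}   # (proto, local_ip, local_port) -> global_port
        self.inbound = {}    # (proto, global_port) -> (local_ip, local_port)

    def _allocate_port(self, proto, preferred):
        # Keep the host's own source port when it is free (what routers try first);
        # on a collision with another inside host, fall back to the next free port.
        if preferred in EPHEMERAL_PORTS and (proto, preferred) not in self.inbound:
            return preferred
        for port in EPHEMERAL_PORTS:
            if (proto, port) not in self.inbound:
                return port
        raise RuntimeError("PAT port pool exhausted")

    def translate_outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """LAN -> Internet: rewrite the source to the global address; returns the new 4-tuple."""
        key = (proto, src_ip, src_port)
        if key not in self.outbound:                      # first packet of a flow
            global_port = self._allocate_port(proto, src_port)
            self.outbound[key] = global_port
            self.inbound[(proto, global_port)] = (src_ip, src_port)
        return (self.inside_global, self.outbound[key], dst_ip, dst_port)

    def translate_inbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Internet -> LAN: the destination port selects the inside host.
        Returns the rewritten 4-tuple, or None when no mapping exists (the router
        drops unsolicited inbound packets such as a scan of port 3389)."""
        if dst_ip != self.inside_global:
            return None
        entry = self.inbound.get((proto, dst_port))
        if entry is None:
            return None
        local_ip, local_port = entry
        return (src_ip, src_port, local_ip, local_port)


def demo():
    """Walk the flows from the figure plus a port collision and a scan attempt."""
    table = PATTable()
    # 192.168.10.11:1331 -> 209.165.202.129:80 keeps port 1331 on the public side
    first = table.translate_outbound("tcp", "192.168.10.11", 1331, "209.165.202.129", 80)
    # a second (constructed) host using the same source port gets a different global port
    second = table.translate_outbound("tcp", "192.168.10.12", 1331, "209.165.201.1", 443)
    # the web server's reply is mapped back to the inside host by destination port
    reply = table.translate_inbound("tcp", "209.165.202.129", 80, "209.165.200.226", first[1])
    # an unsolicited packet from a constructed Internet host has no mapping and is dropped
    scan = table.translate_inbound("tcp", "198.51.100.7", 40000, "209.165.200.226", 3389)
    return first, second, reply, scan


if __name__ == "__main__":
    for label, result in zip(("outbound", "collision", "reply", "scan"), demo()):
        print(f"{label:9s} {result}")
```

The last case is the security-relevant one: an inbound packet with no matching entry cannot be delivered anywhere, which is why hosts behind PAT are not directly reachable from the Internet. That is a side effect of state tracking, not a firewall policy; anything the router has been told to forward (a static mapping to a DMZ server) is reachable regardless.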
Understanding Remote Access
❖ Members of the organization need to connect to resources hosted on servers in the DMZ from outside the organization.
➢ For example, when an executive or sales team member needs to access work files on a file server in the organization while on a business trip.
❖ Provide access to these resources using a remote access technology.
➢ At least one server in your DMZ must be configured as a remote access server that accepts requests from remote access clients on the Internet.
➢ DirectAccess
VPN Benefits
❖ Security:
➢ Confidentiality
o Guarantees that only authorized users can read the message. If the message is intercepted, it cannot be deciphered within a reasonable amount of time.
o Encryption: Symmetric Encryption
VPN Benefits
❖ Security:
➢ Confidentiality
o Encryption: Asymmetric Encryption
▪ Diffie-Hellman (DH) lets the two tunnel endpoints agree on the symmetric session keys over the untrusted network.
- DH uses very large numbers in its calculations.
• EX: DH group 2: 1024-bit modulus (~ a decimal number of 309 digits).
• A 1024-bit group (DH group 1 or 2) is no longer considered adequate; prefer group 14 (2048-bit) or larger, or an elliptic-curve group.
VPN Benefits
❖ Security:
➢ Origin Authentication
o Guarantees that the message is not a forgery and does actually come from whom it states.
o PSK Authentication (Pre-shared Secret Key): both ends hold the same secret and prove it to each other.
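The two mechanisms above, DH key agreement in group 2 and then PSK origin authentication of that agreement, carried through in code as an added example that is not part of the course slides. It uses the real DH group 2 parameters (RFC 2409, 1024-bit MODP, generator 2) but a message layout of its own that is not IKE's wire format; `run_exchange`, `auth_tag`, the nonces and the PSK values are assumptions of this example.

```python
# Added example (not from the course slides): Diffie-Hellman key agreement in
# DH group 2, followed by PSK-based origin authentication of the exchange.
# The transcript/tag layout is illustrative and is NOT IKE's wire format.
import hashlib
import hmac
import secrets

# DH group 2 = RFC 2409 "Second Oakley Group": 1024-bit MODP prime, generator 2.
P_HEX = (
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF"
)
P = int(P_HEX, 16)
G = 2
PUB_LEN = 128  # bytes needed for a value below the 1024-bit modulus


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin test; used here only to sanity-check the transcribed group."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def dh_keypair():
    """Private exponent in [2, P-2] and the public value g^x mod p."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def dh_shared_secret(priv: int, peer_pub: int) -> int:
    # Reject degenerate public values (0, 1, P-1, out of range): a peer could
    # otherwise force a predictable shared secret (small-subgroup confinement).
    if not 2 <= peer_pub <= P - 2:
        raise ValueError("invalid peer public value")
    return pow(peer_pub, priv, P)


def session_key(shared: int) -> bytes:
    """Derive a fixed-size symmetric key from the raw DH result."""
    return hashlib.sha256(shared.to_bytes(PUB_LEN, "big")).digest()


def auth_tag(psk: bytes, role: bytes, pub_i: int, pub_r: int, n_i: bytes, n_r: bytes) -> bytes:
    """Origin authentication: HMAC keyed with the pre-shared key over the whole
    exchange transcript, so the public values cannot be swapped by a third party."""
    transcript = role + pub_i.to_bytes(PUB_LEN, "big") + pub_r.to_bytes(PUB_LEN, "big") + n_i + n_r
    return hmac.new(psk, transcript, hashlib.sha256).digest()


def run_exchange(psk_initiator: bytes, psk_responder: bytes):
    """Simulate both tunnel endpoints. Returns (key_i, key_r, authenticated)."""
    a, pub_i = dh_keypair()
    b, pub_r = dh_keypair()
    n_i, n_r = secrets.token_bytes(16), secrets.token_bytes(16)
    # each side computes the same secret from the peer's public value
    key_i = session_key(dh_shared_secret(a, pub_r))
    key_r = session_key(dh_shared_secret(b, pub_i))
    # each side proves knowledge of the PSK over the transcript it saw ...
    tag_i = auth_tag(psk_initiator, b"initiator", pub_i, pub_r, n_i, n_r)
    tag_r = auth_tag(psk_responder, b"responder", pub_i, pub_r, n_i, n_r)
    # ... and checks the peer's tag with its own copy of the PSK
    ok_r = hmac.compare_digest(tag_i, auth_tag(psk_responder, b"initiator", pub_i, pub_r, n_i, n_r))
    ok_i = hmac.compare_digest(tag_r, auth_tag(psk_initiator, b"responder", pub_i, pub_r, n_i, n_r))
    return key_i, key_r, ok_i and ok_r


if __name__ == "__main__":
    print("modulus bits:", P.bit_length(), "decimal digits:", len(str(P)))
    k1, k2, ok = run_exchange(b"correct horse battery", b"correct horse battery")
    print("keys match:", k1 == k2, "peer authenticated:", ok)
    _, _, ok = run_exchange(b"correct horse battery", b"guessed-wrong")
    print("impostor authenticated:", ok)
```

Without the tags, DH alone gives confidentiality against a passive listener but no origin authentication: an active attacker can run one DH exchange with each side and relay. The tag binds both public values and nonces to the PSK, so the endpoints detect that. The flip side of this construction is that the tag is computed over public data with only the PSK as key, so a weak PSK can be attacked offline from a captured exchange; use long random PSKs or certificates.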
➢ A "virtual" network is created between the remote access client and server that is used in addition to the underlying physical network.
o Also called an overlay network.
➢ Each end of the VPN tunnel is represented by a virtual network interface that is configured with an IP address.
VPN Types: Site-to-Site VPNs
❖ VPNs can also be used to encrypt IP traffic that passes across the Internet between two routers at different locations in an organization.
❖ A VPN between routers can also be used to encrypt server traffic that passes across the Internet between different locations.
➢ For example:
o Active Directory replication between domain controllers.
o Folder content that is synchronized between file servers using DFS replication.
VPN Protocols
➢ IPsec
VPN Protocols
➢ GRE over IPsec
o A standard IPsec VPN (non-GRE) can only create secure tunnels for unicast traffic.
▪ Ex: Routing protocols, which send to multicast addresses (OSPF uses 224.0.0.5), will not exchange routing information over a plain IPsec VPN.
- Encapsulate the routing protocol traffic in a GRE packet (a unicast packet between the two tunnel endpoints), and then encapsulate the GRE packet in an IPsec packet to forward it securely to the destination VPN gateway.
➢ Layer Two Tunneling Protocol (L2TP)
o Developed by Microsoft and Cisco.
o Relies on IPsec for the encryption of data packets.
▪ Encryption key lengths from 56 to 256 bits; the 56-bit option is DES, which is obsolete, so configure AES (128 or 256 bits) in practice.
o The remote access client and server authenticate to each other.
▪ Configure the same pre-shared key (password) or install an IPsec certificate on both the remote access client and server.
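The GRE step above, built and parsed in code as an added example that is not part of the course slides: a multicast OSPF packet is wrapped in GRE inside a unicast IPv4 packet between the two tunnel routers, and the receiving side validates the outer header, the GRE header and the checksum before unwrapping. The tunnel endpoints reuse the addresses from the NAT figure; the inner host 10.1.1.1, the placeholder OSPF payload and all function names are constructions of this example. The IPsec (ESP) layer that would wrap the outer packet is not reproduced.

```python
# Added example (not from the course slides): GRE encapsulation of a multicast
# OSPF packet so that it can cross a unicast IPsec tunnel, with the parsing and
# checks a tunnel endpoint performs. Only the IPv4/GRE layering is shown; the
# IPsec step (ESP) would wrap the outer packet produced here.
import struct

GRE_PROTOCOL = 47             # IPv4 protocol number for GRE
OSPF_PROTOCOL = 89            # IPv4 protocol number for OSPF
ETHERTYPE_IPV4 = 0x0800       # GRE protocol type for an inner IPv4 packet
HEADER_FMT = "!BBHHHBBH4s4s"  # minimal 20-byte IPv4 header, no options


def ip_to_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def is_multicast(addr: str) -> bool:
    return 224 <= int(addr.split(".")[0]) <= 239   # 224.0.0.0/4


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum; returns 0 when run over a header that already
    contains its correct checksum."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_packet(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    header = struct.pack(HEADER_FMT, 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                         ip_to_bytes(src), ip_to_bytes(dst))
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + payload


def parse_ipv4(packet: bytes) -> dict:
    """Validate version, lengths and checksum; return the header fields and payload."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 packet")
    ver_ihl, _, total, _, _, ttl, proto, _, src, dst = struct.unpack(HEADER_FMT, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total < ihl or total > len(packet):
        raise ValueError("bad IPv4 header")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    return {"src": bytes_to_ip(src), "dst": bytes_to_ip(dst), "proto": proto,
            "ttl": ttl, "payload": packet[ihl:total]}


def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """RFC 2784 GRE: 4-byte header (C=0, reserved, version 0, protocol type) followed by
    the inner packet, carried in a unicast IPv4 packet between the tunnel endpoints."""
    gre = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4) + inner
    return ipv4_packet(tunnel_src, tunnel_dst, GRE_PROTOCOL, gre)


def gre_decapsulate(outer: bytes) -> bytes:
    """Strip the outer IPv4 and GRE headers after checking them; return the inner packet."""
    fields = parse_ipv4(outer)
    if fields["proto"] != GRE_PROTOCOL:
        raise ValueError("not a GRE packet")
    gre = fields["payload"]
    if len(gre) < 4:
        raise ValueError("truncated GRE header")
    flags_version, protocol_type = struct.unpack("!HH", gre[:4])
    if flags_version != 0:   # C/K/S bits would add optional fields; version must be 0
        raise ValueError("unsupported GRE flags or version")
    if protocol_type != ETHERTYPE_IPV4:
        raise ValueError("unsupported GRE payload type")
    return gre[4:]


def build_ospf_hello_over_gre():
    """Constructed sample: a placeholder OSPFv2 Hello sent to the AllSPFRouters group
    224.0.0.5, wrapped for the tunnel between the two routers from the NAT figure."""
    hello = b"\x02\x01" + b"\x00" * 30   # version 2, type 1 (Hello); rest is filler
    inner = ipv4_packet("10.1.1.1", "224.0.0.5", OSPF_PROTOCOL, hello, ttl=1)
    outer = gre_encapsulate(inner, "209.165.200.226", "209.165.201.1")
    return inner, outer


if __name__ == "__main__":
    inner, outer = build_ospf_hello_over_gre()
    print("inner dst", parse_ipv4(inner)["dst"], "multicast:", is_multicast(parse_ipv4(inner)["dst"]))
    print("outer dst", parse_ipv4(outer)["dst"], "protocol:", parse_ipv4(outer)["proto"])
    print("round trip intact:", gre_decapsulate(outer) == inner)
```

The outer packet is what the IPsec policy on the router matches (protocol 47 between the two tunnel addresses), which is why a single "GRE between the endpoints" rule protects every routing-protocol and multicast flow the tunnel carries. Note that GRE itself adds no integrity or confidentiality: without the IPsec wrapping, anyone on the path can read or inject routing updates.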
VPN Protocols
o Requires that remote access clients and servers authenticate to each other using an IPsec certificate or a pre-shared key.
➢ Secure Socket Tunneling Protocol (SSTP)
o Modern SSTP implementations use 256-bit keys alongside Transport Layer Security (TLS) encryption.
▪ Sometimes expressed as SSL/TLS.
▪ Both terms are often used interchangeably, although SSL is the deprecated predecessor of TLS; an SSTP server should only negotiate TLS.
VPN Authentication
❖ Using RADIUS
➢ After a RADIUS server receives credentials from a remote access server, it forwards them to a domain controller for validation.
➢ The domain controller validates the credentials and the user's dial-in permission and returns the result to the RADIUS server. (No Kerberos ticket is involved here: RADIUS only carries an Access-Accept or Access-Reject, plus attributes such as the allowed tunnel type or session timeout.)
➢ The RADIUS server then checks its remote access policies to ensure that the user meets the necessary requirements before returning Access-Accept to the remote access server.
➢ The remote access server then creates the VPN tunnel and relays traffic from the VPN to the DMZ to allow for resource access.
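The exchange described above between the remote access server and the RADIUS server, as an added example that is not part of the course slides. It follows RFC 2865 for the packet layout, the PAP User-Password hiding and the Response Authenticator; the account store (standing in for the domain controller and its dial-in flag), the allowed-groups policy, the user names, passwords and shared secret are all constructed for this example.

```python
# Added example (not from the course slides): the RADIUS exchange between a
# remote access server (the NAS) and a RADIUS server, following RFC 2865 for
# the packet layout, PAP User-Password hiding and the Response Authenticator.
# The account store and policy are constructed stand-ins for the domain
# controller's dial-in permission and the RADIUS server's remote access policy.
import hashlib
import hmac
import secrets
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2
ACCOUNTS = {  # constructed: what the domain controller would answer for each user
    "alice": {"password": b"Sales!2022", "dial_in": True, "groups": {"Sales"}},
    "bob": {"password": b"Bob#2022", "dial_in": False, "groups": {"Sales"}},
    "carol": {"password": b"Carol#2022", "dial_in": True, "groups": {"Interns"}},
}
POLICY_GROUPS = {"Sales", "Executives"}  # constructed remote access policy: allowed groups


def _md5_xor(data: bytes, secret: bytes, request_auth: bytes, decrypt: bool) -> bytes:
    """RFC 2865 5.2 User-Password hiding and its inverse: XOR 16-byte blocks with an
    MD5 keystream chained on the shared secret, the Request Authenticator and the
    previous cipher block."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        out += bytes(a ^ k for a, k in zip(chunk, hashlib.md5(secret + prev).digest()))
        prev = chunk if decrypt else out[-16:]
    return out


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    return _md5_xor(password + b"\x00" * (-len(password) % 16), secret, request_auth, False)


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    if len(hidden) % 16 or not 16 <= len(hidden) <= 128:
        raise ValueError("malformed User-Password attribute")
    return _md5_xor(hidden, secret, request_auth, True).rstrip(b"\x00")  # drop padding


def encode_attrs(attrs) -> bytes:
    """Type(1) Length(1, counts these two bytes too) Value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data: bytes):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def parse_packet(pkt: bytes):
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    if len(pkt) < 20:
        raise ValueError("truncated RADIUS packet")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if not 20 <= length <= len(pkt):
        raise ValueError("bad RADIUS length")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:length])


def nas_access_request(username: str, password: bytes, secret: bytes, ident: int) -> bytes:
    """Remote access server side: Access-Request with a fresh random Request Authenticator."""
    request_auth = secrets.token_bytes(16)
    body = encode_attrs([(USER_NAME, username.encode()),
                         (USER_PASSWORD, hide_password(password, secret, request_auth))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body


def radius_server_handle(request: bytes, secret: bytes) -> bytes:
    """RADIUS server side: check password, dial-in permission and group policy, then
    answer Access-Accept/Reject sealed with the Response Authenticator."""
    code, ident, request_auth, attrs = parse_packet(request)
    fields, granted = dict(attrs), False
    if code == ACCESS_REQUEST and USER_NAME in fields and USER_PASSWORD in fields:
        account = ACCOUNTS.get(fields[USER_NAME].decode(errors="replace"))
        supplied = unhide_password(fields[USER_PASSWORD], secret, request_auth)
        if account is not None and hmac.compare_digest(account["password"], supplied):
            granted = account["dial_in"] and bool(account["groups"] & POLICY_GROUPS)
    header = struct.pack("!BBH", ACCESS_ACCEPT if granted else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret);
    # this reply carries no attributes, so the attribute part is empty.
    return header + hashlib.md5(header + request_auth + secret).digest()


def nas_verify_response(request: bytes, response: bytes, secret: bytes) -> bool:
    """Remote access server side: accept the reply only if its Identifier matches the
    request and its Response Authenticator was computed with the shared secret."""
    _, ident, request_auth, _ = parse_packet(request)
    code, resp_ident, response_auth, _ = parse_packet(response)
    length = struct.unpack("!H", response[2:4])[0]
    expected = hashlib.md5(response[:4] + request_auth + response[20:length] + secret).digest()
    if resp_ident != ident or not hmac.compare_digest(expected, response_auth):
        raise ValueError("RADIUS response rejected: wrong shared secret or tampered packet")
    return code == ACCESS_ACCEPT


def authenticate(username: str, password: bytes, secret: bytes = b"constructed-shared-secret") -> bool:
    """One complete logon attempt; True means the remote access server may build the tunnel."""
    request = nas_access_request(username, password, secret, ident=secrets.randbelow(256))
    return nas_verify_response(request, radius_server_handle(request, secret), secret)
```

Two things the code makes concrete: the decision is a conjunction of the domain controller's answer (password and dial-in permission) and the RADIUS server's own policy (group membership here), and the reply is only trusted because the NAS recomputes the Response Authenticator with the shared secret, so a spoofed Access-Accept is rejected. The password hiding is MD5-based obfuscation, not encryption, which is one reason to run RADIUS only over a trusted network segment or inside an IPsec or RadSec (TLS) tunnel.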
DIRECTACCESS
❖ VPN remote users must manually initiate a VPN connection each time they wish to connect to the resources in their organization.
❖ For organizations that deploy laptop computers that are joined to an Active Directory domain, secure remote access for these computers can be automated using DirectAccess.
❖ When laptop computers connect to a network outside of the organization, DirectAccess automatically initiates an IPsec tunnel that functions like a VPN to provide remote access to the organization DMZ.
❖ To determine whether they are located on a network outside the organization, each remote access client that participates in DirectAccess contains a Network Connectivity Assistant service.
➢ It probes a server's location using HTTPS each time a network interface is activated on a network.
o If a DirectAccess client can connect to the Network Location Server (NLS), it must be inside the corporate network.
o If it cannot, it must be outside of the corporate network.
o The NLS must therefore be reachable only from the intranet and must be highly available: an NLS published to the Internet makes remote clients believe they are inside (and skip the tunnel), and an NLS outage makes internal clients believe they are outside.
DIRECTACCESS
❖ If the remote access client determines that it is on a network outside of the organization:
➢ It automatically creates an IPsec tunnel to the remote access server after prompting the user to log into the Active Directory domain, if necessary.
❖ DirectAccess remote access servers use HTTPS to authenticate users to Active Directory.
❖ After a user enters their Active Directory credentials, the credentials are cached for use with future remote access connections.
DIRECTACCESS
❖ Remote access clients use IPv6 when contacting a network location server or authenticating to a remote access server using DirectAccess.
❖ These IPv6 packets are automatically enclosed in IPv4 packets when sent across an IPv4 network (using an IPv6 transition technology such as 6to4, Teredo or IP-HTTPS).
REMOTE DESKTOP
❖ Remote Desktop uses a different method to achieve remote access compared to VPNs and DirectAccess.
❖ Remote access clients use a Remote Desktop app to log into a remote access server to obtain a graphical desktop session on the remote access server itself (called a session-based desktop deployment), or a graphical desktop session from a Hyper-V virtual machine running on the remote access server (called a virtual machine-based desktop deployment).
❖ After a remote access client obtains a graphical desktop session, they can run programs on the remote access server and access resources on the DMZ network to which the remote access server is connected.
❖ In other words, Remote Desktop allows remote access clients to access a graphical desktop running in the organization DMZ to provide access to organization resources.
o Only the display and input stream crosses the Internet; the file and application protocols stay inside the DMZ.
Services available for the Remote Desktop Services server role

THANK YOU FOR YOUR ATTENTION