Chapter 7 - Remote Access Services - Full


THE UNIVERSITY OF SCIENCE, VNU-HCM
FACULTY OF ELECTRONICS AND TELECOMMUNICATIONS
DEPARTMENT OF TELECOMMUNICATIONS AND NETWORKS

COURSE: Network Technology

Chapter 07: REMOTE ACCESS SERVICES
November 8, 2022

Nguyen Viet Ha, Ph.D. Email: nvha@hcmus.edu.vn

1 Understanding Organization Networks and Remote Access

Understanding Organization Networks

[Fig. A: sample network structure]

Demilitarized Zone (DMZ)
❖ Separates LAN from untrusted networks (internet).
❖ Also known as perimeter networks or screened subnetworks.
Understanding Organization Networks

Demilitarized Zone (DMZ)
❖ Servers and resources in the DMZ are accessible from the internet (and/or LAN) (Ex: web, email, DNS, FTP and proxy servers), but the rest of the internal LAN remains unreachable.
❖ Provides an additional layer of security to the LAN as it restricts a hacker's ability to directly access internal servers and data from the internet.

Demarc (demarcation point)
❖ A translation device or router with a specialized network interface for the last mile technology that passes traffic directly between the ISP and NAT router.
❖ Common last mile technologies:
  o Digital subscriber line (DSL): uses a telephone network.
  o Cable broadband: uses a television cable network.
  o Gigabit Passive Optical Network (GPON): uses fiber optic cable.
  o Long-range Wi-Fi: uses radio wireless, often using wireless transmitters positioned in a line of sight.

Understanding Organization Networks

NAT (Network Address Translation)
[Fig.: Send. NAT router public address 209.165.200.226]
  Inside (IPsrc: Private):  DA 209.165.201.1   SA 192.168.10.10
  Outside (IPsrc: Public):  DA 209.165.201.1   SA 209.165.200.226

❖ To access the Internet, a public IP address is needed.
❖ NAT is a process in which one or more local IP addresses are translated into one or more global IP addresses, and vice versa, in order to provide Internet access to the local hosts.
❖ NAT generally operates on a router or firewall.
Understanding Organization Networks

NAT (Network Address Translation)
[Fig.: Receive. NAT router public address 209.165.200.226]
  Outside (IPsrc: Public):  DA 209.165.200.226  SA 209.165.201.1
  Inside (IPsrc: Private):  DA 192.168.10.10    SA 209.165.201.1

❖ Also, it does the translation of port numbers, i.e. it masks the port number of the host with another port number in the packet that will be routed to the destination (PAT – Port Address Translation, or NAT Forwarding).

Understanding Organization Networks

[Fig.: PAT on a NAT router with public address 209.165.200.226]
Host 192.168.10.10 to server 209.165.201.1:
  Inside, outbound:   SA 192.168.10.10:1555    DA 209.165.201.1:80
  Outside, outbound:  SA 209.165.200.226:1555  DA 209.165.201.1:80
  Outside, reply:     SA 209.165.201.1:80      DA 209.165.200.226:1555
  Inside, reply:      SA 209.165.201.1:80      DA 192.168.10.10:1555
Host 192.168.10.11 to server 209.165.202.129:
  Inside, outbound:   SA 192.168.10.11:1331    DA 209.165.202.129:80
  Outside, outbound:  SA 209.165.200.226:1331  DA 209.165.202.129:80
  Outside, reply:     SA 209.165.202.129:80    DA 209.165.200.226:1331
  Inside, reply:      SA 209.165.202.129:80    DA 192.168.10.11:1331
(PAT)
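The PAT table behind the two exchanges above, as an added example that is not part of the slides: the addresses and ports are the slides' own, while the class and function names are assumptions made here. It also shows why an unsolicited packet from the Internet is dropped when no table entry exists.

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

PUBLIC_IP = "209.165.200.226"   # the NAT router's outside (global) address


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PatRouter:
    """Port Address Translation: many inside hosts share one public address
    and are told apart by the translated source port."""

    def __init__(self, public_ip: str) -> None:
        self.public_ip = public_ip
        # translated public port -> (inside IP, inside port)
        self.table: Dict[int, Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> Internet: rewrite the private source address to the public
        one. The slides keep the host's own port (1555, 1331) when it is free;
        if another inside host already owns that public port, the next free
        port is used instead."""
        inside = (pkt.src_ip, pkt.src_port)
        for port, owner in self.table.items():      # reuse an existing entry
            if owner == inside:
                return replace(pkt, src_ip=self.public_ip, src_port=port)
        port = pkt.src_port
        while port in self.table:
            port = port + 1 if port < 65535 else 1024
        self.table[port] = inside
        return replace(pkt, src_ip=self.public_ip, src_port=port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> LAN: map the public destination port back to the inside
        host. Returns None (drop) when no entry exists, which is why a host
        behind NAT cannot be reached by unsolicited Internet traffic unless a
        forwarding entry is configured."""
        if pkt.dst_ip != self.public_ip or pkt.dst_port not in self.table:
            return None
        ip, port = self.table[pkt.dst_port]
        return replace(pkt, dst_ip=ip, dst_port=port)


def slide_exchange() -> Tuple[Packet, Packet, Packet, Packet]:
    """The first exchange from the slide figure: 192.168.10.10:1555 to the
    web server 209.165.201.1:80, and the reply translated back in."""
    router = PatRouter(PUBLIC_IP)
    inside_out = Packet("192.168.10.10", 1555, "209.165.201.1", 80)
    outside_out = router.outbound(inside_out)
    outside_in = Packet("209.165.201.1", 80, PUBLIC_IP, outside_out.src_port)
    inside_in = router.inbound(outside_in)
    return inside_out, outside_out, outside_in, inside_in
```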
Understanding Remote Access
❖ Members of the organization need to connect to resources hosted on servers in the DMZ from outside the organization.
  ➢ For example, when an executive or sales team member needs to access work files on a file server in the organization when on a business trip.
❖ Provide access to these resources using a remote access technology.
  ➢ At least one server in your DMZ must be configured as a remote access server that accepts requests from remote access clients on the Internet.

Understanding Remote Access
[Fig.: remote access server in the DMZ; labels (1a. NAT: 1.2.3.4 → 172.16.0.50), (1b), (2)]
❖ (1) The remote access client first connects to the remote access server in the DMZ, using encryption provided by the remote access server.
❖ (2) The remote access server then authenticates the user before allowing remote access.

❖ Alternatively, organizations can connect remote access servers directly to a demarc.
❖ The remote access server must have two network interfaces.
  ➢ One is connected to the demarc.
  ➢ Another is connected to the DMZ.
❖ The remote access server is exposed directly to the Internet.
  ➢ Must have a firewall (and preferably additional security software) enabled to ensure that the security of the remote access server is not compromised.
Understanding Remote Access
❖ A NAT router often contains additional management and security capabilities, such as traffic throttling, intrusion prevention, and malware filtering. Often referred to as a Next Generation Firewall (NGFW).
❖ Some NGFWs contain built-in remote access server functionality, eliminating the need for a separate remote access server.

❖ Microsoft provides three main remote access technologies that can be used to obtain access to servers in a DMZ from across the Internet:
  ➢ Virtual private network (VPN)
  ➢ DirectAccess
  ➢ Remote Desktop Services
❖ Each of these remote access technologies provides its own protocols, as well as supports different authentication and encryption types.

2 Virtual private network (VPN)

VPN Benefits
VPN Benefits
❖ Security:
  ➢ Confidentiality
    o Guarantees that only authorized users can read the message. If the message is intercepted, it cannot be deciphered within a reasonable amount of time.
    o Encryption: Symmetric Encryption [Fig.]
    o Encryption: Asymmetric Encryption [Fig.]
VPN Benefits
❖ Security:
  ➢ Confidentiality
    o Encryption: Asymmetric Encryption
      ▪ DH (Diffie-Hellman)
        - DH uses very large numbers in its calculations.
          • EX: DH2: 1024-bit (~ a decimal number of 309 digits).
        - Extremely slow for any sort of bulk encryption.
      ▪ Asymmetric Encryption is normally used for Authentication or Secure Key Exchange.

VPN Benefits
❖ Security:
  ➢ Confidentiality
    o Encryption: Asymmetric Encryption
      ▪ DH groups:
        • DH Group 1: 768 bits
        • DH Group 2: 1024 bits
        • DH Group 5: 1536 bits
        • DH Group 14: 2048 bits
        • DH Group 15: 3072 bits
        • DH Group 16: 4096 bits
  ➢ Data Integrity
    o Guarantees that the message was not altered. Any changes to data in transit will be detected.
VPN Benefits
❖ Security:
  ➢ Origin Authentication
    o Guarantees that the message is not a forgery and does actually come from whom it states.
      ▪ Pre-shared Secret Key (PSK)
        - Uses an additional secret key as input to the hash function.
[Fig.: PSK Authentication]
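The data integrity and PSK origin authentication points above, as an added example that is not part of the slides: a plain hash detects changes but can be recomputed by whoever altered the message, while a keyed hash (HMAC) takes the PSK as an additional input, so only a PSK holder can produce a tag that verifies. The key, messages and function names are constructed for this example.

```python
import hashlib
import hmac

PSK = b"constructed pre-shared secret"   # known only to the two VPN peers


def integrity_tag(message: bytes) -> bytes:
    """Plain hash: gives data integrity (detects changes in transit) but no
    origin authentication, because anyone can recompute it."""
    return hashlib.sha256(message).digest()


def check_integrity(message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(integrity_tag(message), tag)


def origin_tag(message: bytes, psk: bytes) -> bytes:
    """Keyed hash (HMAC): the PSK is an additional input to the hash
    function, so only a holder of the PSK can produce a valid tag."""
    return hmac.new(psk, message, hashlib.sha256).digest()


def check_origin(message: bytes, tag: bytes, psk: bytes) -> bool:
    # constant-time comparison so a mismatch leaks nothing through timing
    return hmac.compare_digest(origin_tag(message, psk), tag)


def altered_in_transit(message: bytes, tag: bytes, psk: bytes) -> dict:
    """Constructed scenario: the message is modified on the path and its
    plain hash recomputed. The plain-hash check still passes; the keyed check
    fails because the modifier has no PSK and cannot produce a matching tag."""
    altered = message.replace(b"DH group 14", b"DH group 1")
    return {
        "plain_hash_accepts": check_integrity(altered, integrity_tag(altered)),
        "psk_tag_accepts": check_origin(altered, tag, psk),
    }
```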

VPN Benefits
❖ Security:
  ➢ Origin Authentication
      ▪ RSA authentication uses digital certificates to authenticate.
        - The local device derives a hash and encrypts it with its private key.
        - The encrypted hash is attached to the message and is forwarded to the remote end, and acts like a signature.
        - At the remote end, the encrypted hash is decrypted using the public key of the local end.
        - If the decrypted hash matches the recomputed hash, the signature is genuine.
        - Each peer must authenticate its opposite peer before the tunnel is considered secure.
[Fig.: RSA Authentication]
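The RSA authentication steps listed above carried out with plain Python integers, as an added example that is not part of the slides. It assumes a toy key built from two fixed Mersenne primes (2^31-1 and 2^61-1) so it runs offline, and a digest reduced modulo the toy modulus; a real deployment uses a certificate's 2048-bit or larger key and a padded digest. Function names are constructed for this example.

```python
import hashlib
from typing import NamedTuple, Tuple


class RsaKey(NamedTuple):
    n: int      # modulus (public)
    e: int      # public exponent
    d: int      # private exponent: never leaves the local device


def make_toy_key(p: int = (1 << 31) - 1, q: int = (1 << 61) - 1) -> RsaKey:
    """Toy key from two fixed Mersenne primes (~92-bit modulus). A real
    certificate carries a 2048-bit or larger key; the arithmetic is the same."""
    n, phi, e = p * q, (p - 1) * (q - 1), 65537
    return RsaKey(n, e, pow(e, -1, phi))        # d = e^-1 mod phi (Py 3.8+)


def public_part(key: RsaKey) -> Tuple[int, int]:
    """What the remote end learns from the certificate: (n, e) only."""
    return key.n, key.e


def message_hash(message: bytes, n: int) -> int:
    """Step 1: derive a hash of the message. It is reduced mod n only because
    the toy modulus is smaller than a SHA-256 digest; real RSA signatures pad
    the digest up to the modulus size instead."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, key: RsaKey) -> int:
    """Steps 1-2: 'encrypt' the hash with the private key; the result is
    attached to the message and acts like a signature."""
    return pow(message_hash(message, key.n), key.d, key.n)


def verify(message: bytes, signature: int, public: Tuple[int, int]) -> bool:
    """Steps 3-4: 'decrypt' the signature with the sender's public key and
    compare it with a hash recomputed over the received message."""
    n, e = public
    return pow(signature, e, n) == message_hash(message, n)


def mutual_authentication(key_a: RsaKey, key_b: RsaKey,
                          msg_a: bytes, msg_b: bytes) -> bool:
    """Step 5: each peer must authenticate its opposite peer before the
    tunnel is considered secure, so both directions have to verify."""
    a_trusts_b = verify(msg_b, sign(msg_b, key_b), public_part(key_b))
    b_trusts_a = verify(msg_a, sign(msg_a, key_a), public_part(key_a))
    return a_trusts_b and b_trusts_a
```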
VPN Types: Remote-Access VPNs
❖ VPN is a remote access technology that provides encryption for data that is sent across the Internet between a remote access client and server.
  ➢ A "virtual" network is created between the remote access client and server that is used in addition to the underlying physical network.
    o Also called an overlay network.
  ➢ Data that is sent on the virtual network is encrypted automatically and can only be decrypted by the remote access server or client.

❖ VPNs provide an encrypted channel (or "tunnel") between systems on a network, so they are often referred to as VPN tunnels.
  ➢ Each end of the VPN tunnel is represented by a virtual network interface that is configured with an IP address.

VPN Types: Remote-Access VPNs
❖ The default gateway configured in the VPN network interface on the remote access client is automatically set to 0.0.0.0.
  ➢ To ensure that all packets generated by the client are encrypted and sent on the VPN to the remote access server.
❖ The remote access server then decrypts these packets and relays them to the DMZ network to allow users to access resources in the organization.

❖ By default, all the traffic will pass through the remote access server.
❖ However, if remote access clients configure split tunneling, they will be able to:
  ➢ Access the resources in their organization's DMZ across the VPN tunnel.
  ➢ Use the default gateway on their physical network interface to access Internet resources.
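How the client's route table decides what is encrypted under the default (full-tunnel) and split-tunnel configurations described above, as an added example that is not part of the slides. The prefixes and interface names are constructed; the DMZ prefix is chosen to contain the slides' 172.16.0.50.

```python
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[str, str]          # (destination prefix, outgoing interface)

# Full tunnel (the slide's default): the VPN interface holds the default route
# 0.0.0.0/0, so every packet is encrypted and sent to the remote access server;
# the physical interface only needs to reach the VPN server and the local LAN.
FULL_TUNNEL: List[Route] = [
    ("0.0.0.0/0", "vpn"),
    ("203.0.113.10/32", "eth0"),   # constructed remote access server address
    ("192.168.1.0/24", "eth0"),    # constructed local LAN of the client
]

# Split tunnel: only the organization's DMZ prefix is routed through the VPN;
# the physical interface keeps the default route for Internet resources.
SPLIT_TUNNEL: List[Route] = [
    ("172.16.0.0/24", "vpn"),      # constructed DMZ prefix (holds 172.16.0.50)
    ("0.0.0.0/0", "eth0"),
    ("192.168.1.0/24", "eth0"),
]


def select_interface(dst: str, routes: List[Route]) -> Optional[str]:
    """Longest-prefix match over the route table, as a host or router does."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Tuple[int, str]] = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    return best[1] if best else None


def bypasses_vpn(dst: str, routes: List[Route]) -> bool:
    """True when a packet to dst leaves through the physical interface, i.e.
    without the VPN's encryption. Under split tunneling this holds for every
    Internet destination, which is the trade-off the slide describes."""
    return select_interface(dst, routes) != "vpn"


def compare(dst: str) -> Tuple[Optional[str], Optional[str]]:
    """Interface chosen for dst under full and split tunneling."""
    return select_interface(dst, FULL_TUNNEL), select_interface(dst, SPLIT_TUNNEL)
```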
VPN Types: Site-to-Site VPNs
❖ VPNs can also be used to encrypt IP traffic that passes across the Internet between two routers at different locations in an organization.
❖ Internal hosts have no knowledge that a VPN is being used.

❖ A VPN between routers can also be used to encrypt server traffic that passes across the Internet between different locations.
  ➢ For example:
    o Active Directory replication between domain controllers.
    o Folder content that is synchronized between file servers using DFS replication.
❖ Most organizations use a hardware-based router or NGFW appliance to provide VPNs between different locations in an organization.
❖ However, you can instead configure a Windows Server system as a router that provides VPNs between locations.

VPN Protocols
❖ Many different VPN technologies have been developed since the 1990s, and each one uses a specific VPN protocol to tunnel traffic.
❖ When you implement a remote access server using Windows Server, four different VPN protocols are supported:
  ➢ Point-to-Point Tunneling Protocol (PPTP)
    o It was developed by a consortium of vendors including Microsoft.
    o Encrypts data using Microsoft Point-to-Point Encryption (MPPE).
      ▪ Supports encryption key lengths from 40 to 128 bits.
      ▪ Windows operating systems contain a registry key that prevents the use of MPPE keys shorter than 128 bits by default.
  ➢ IPsec
    o IETF (Internet Engineering Task Force) standard.
    o IPsec protects and authenticates IP packets between source and destination.
      ▪ Protects traffic from Layer 4 through Layer 7 (OSI model).
    o IPsec is not bound to any specific rules for secure communications.
      ▪ This flexibility of the framework allows IPsec to easily integrate new security technologies without updating the existing IPsec standards.
VPN Protocols
  ➢ IPsec
[Fig.: IPsec framework; Security Association (SA).]

VPN Protocols
  ➢ IPsec [Fig.]
  ➢ GRE over IPsec
    o Generic Routing Encapsulation (GRE) is a non-secure site-to-site VPN tunneling protocol.
      ▪ Does not support encryption.
    o It can encapsulate various network layer protocols.
    o Supports multicast and broadcast traffic.
VPN Protocols
  ➢ GRE over IPsec
    o A standard IPsec VPN (non-GRE) can only create secure tunnels for unicast traffic.
      ▪ Ex: Routing protocols will not exchange routing information over an IPsec VPN.
        - Encapsulate the routing protocol traffic in a GRE packet, and then encapsulate the GRE packet in an IPsec packet to forward it securely to the destination VPN gateway.
  ➢ Layer Two Tunneling Protocol (L2TP)
    o Developed by Microsoft and Cisco.
    o Relies on IP Security (IPSec) for the encryption of data packets.
      ▪ Encryption key lengths from 56 to 256 bits.
    o The remote access client and server authenticate to each other.
      ▪ Configure the same preshared key (password) or install an IPSec encryption certificate on both the remote access client and server.

VPN Protocols
  ➢ Internet Key Exchange version 2 (IKEv2)
    o An enhancement to IPSec that provides VPN tunneling with faster speeds compared to L2TP.
    o It uses 256-bit encryption keys.
    o Requires that remote access clients and servers authenticate to each other using an IPSec encryption certificate or preshared key.
  ➢ Secure Socket Tunneling Protocol (SSTP)
    o Tunnels data through HTTPS packets on a network.
    o It originally used Secure Sockets Layer (SSL) encryption with 128-bit keys.
    o Modern SSTP implementations use 256-bit keys alongside Transport Layer Security (TLS) encryption.
      ▪ Sometimes expressed as SSL/TLS.
      ▪ Both terms are often used interchangeably.
    o To use SSTP, the remote access server must contain an HTTPS encryption certificate.
VPN Protocols
  ➢ Secure Socket Tunneling Protocol (SSTP)
    o TLS works at layer 4 (OSI). [Fig.]

VPN Authentication
❖ Before a VPN tunnel can be established, the remote access client must first authenticate to the remote access server using credentials.

VPN Authentication
❖ The remote access server validates received credentials before providing remote access.
❖ In an Active Directory domain:
  ➢ The remote access server will forward the credentials to a domain controller in the DMZ.
  ➢ If they match, and dial-in permission is granted, the domain controller will allow the remote access connection and return a Kerberos ticket for the user to the remote access server.
  ➢ The remote access server will then create the VPN tunnel, send the Kerberos ticket to the remote access client, and relay traffic from the VPN to the DMZ to allow for resource access.

❖ Using RADIUS
  ➢ You can optionally configure a remote access server to forward credentials it receives from a remote access client to a Remote Access Dial-In User Authentication Service (RADIUS) server instead of a domain controller.
VPN Authentication
❖ Using RADIUS
  ➢ After a RADIUS server receives credentials from a remote access server, it forwards them to a domain controller for validation.
  ➢ After the domain controller validates the credentials and dial-in permission, it returns the Kerberos ticket for the user to the RADIUS server.
  ➢ The RADIUS server then checks its remote access policies to ensure that the user meets the necessary requirements before allowing the remote access connection and forwarding the Kerberos ticket to the remote access server.
  ➢ The remote access server will then create the VPN tunnel, send the Kerberos ticket to the remote access client, and relay traffic from the VPN to the DMZ to allow for resource access.

3 DIRECTACCESS

DIRECTACCESS
❖ With VPNs, remote users must manually initiate a VPN connection each time they wish to connect to the resources in their organization.
❖ For organizations that deploy laptop computers that are joined to an Active Directory domain, secure remote access for these computers can be automated using DirectAccess.
❖ When laptop computers connect to a network outside of the organization, DirectAccess automatically initiates an IPSec tunnel that functions like a VPN to provide remote access to the organization DMZ. [Fig.]

❖ To determine whether they are located on a network outside the organization, each remote access client that participates in DirectAccess contains a Network Connectivity Assistant service.
  ➢ Probes a server's location using HTTPS each time their network interface is activated on a network.
    o If a DirectAccess client can connect to the Network Location Server (NLS), it must be inside the corporate network.
    o If it cannot, it must be outside of the corporate network.
DIRECTACCESS
❖ If the remote access client determines that it is on a network outside of the organization:
  ➢ It automatically creates an IPSec tunnel to the remote access server after prompting the user to log into the Active Directory domain, if necessary.

❖ DirectAccess remote access servers use HTTPS to authenticate users to Active Directory.
❖ After a user enters their Active Directory credentials, the credentials are cached for use with future remote access connections.
❖ Because DirectAccess uses both HTTPS and IPSec, when configuring firewall exceptions, port forwarding, or reverse proxy, you must specify the port numbers for SSTP and L2TP/IKEv2 if the configuration tool for the firewall, NAT router, or NGFW does not allow you to specify the DirectAccess protocol by name.

DIRECTACCESS
❖ Remote access clients use IPv6 when contacting a network location server or authenticating to a remote access server using DirectAccess.
❖ These IPv6 packets are automatically enclosed in IPv4 packets when sent across an IPv4 network.

3 REMOTE DESKTOP
REMOTE DESKTOP
❖ Remote Desktop uses a different method to achieve remote access compared to VPNs and DirectAccess.
❖ Remote access clients use a Remote Desktop app to log into a remote access server to obtain a graphical desktop session on the remote access server itself (called session-based desktop deployment), or a graphical desktop session from a Hyper-V virtual machine running on the remote access server (called virtual machine-based desktop deployment).

❖ After a remote access client obtains a graphical desktop session, they can run programs on the remote access server and access resources on the DMZ network to which the remote access server is connected.
❖ In other words, Remote Desktop allows remote access clients to access a graphical desktop running in the organization DMZ to provide access to organization resources.

REMOTE DESKTOP
❖ The Remote Desktop app uses Remote Desktop Protocol (RDP) to transfer desktop graphics, keystrokes, and mouse movements to and from the remote access server.
❖ Programs that are run in a Remote Desktop session are executed on the remote access server and can access shared folders and printers on the organization network as well as volumes and printers installed on the underlying remote access client, if configured.
❖ Thus, a remote access user could use File Explorer in their Remote Desktop session to transfer files from the organization to their local computer for later use, or print a document in Microsoft Word on the remote access server to a printer that is installed on their local computer.

❖ There are Remote Desktop apps available for Windows, macOS, Linux and UNIX, Android, and iOS remote access clients.
  ➢ The Remote Desktop app available by default on Windows systems is called Remote Desktop Connection.
❖ Instead of running a full graphical desktop, remote access clients can use RemoteApp to access a single program (e.g., Microsoft Outlook) running on a remote access server using Remote Desktop.
  ➢ This program can also be configured to appear as a shortcut on the Start menu. When remote access clients click this shortcut, the program will execute on the remote access server and transfer the program window, keystrokes, and mouse movements to and from the remote access client.
Services available for the Remote Desktop Services server role
[Fig.: table of role services; not reproduced in the extracted text]

REMOTE DESKTOP
❖ If you deploy multiple Remote Desktop Session Host or Remote Desktop Virtualization Host remote access servers in your DMZ, then you could install a single server that contains the Remote Desktop Connection Broker to distribute RDP requests across all of the remote access servers.
❖ In this case, remote access clients will connect to the Remote Desktop Connection Broker server. Furthermore, the server that hosts the Remote Desktop Connection Broker can also host the Remote Desktop Licensing, Remote Desktop Web Access, and Remote Desktop Gateway role services to provide licensing, RemoteApp, and HTTPS encryption for all remote access servers in the DMZ.

❖ Many server administrators install the Remote Desktop Connection Broker when there is only one remote access server that contains the Remote Desktop Session Host or Remote Desktop Virtualization Host role service.
❖ If additional servers are installed with the Remote Desktop Session Host or Remote Desktop Virtualization Host role service afterwards, they are automatically linked with the Remote Desktop Connection Broker, and no additional firewall, port forwarding, or reverse proxy configuration is necessary.
THANK YOU FOR YOUR ATTENTION

Nguyen Viet Ha, Ph.D.


Department of Telecommunications and Networks
Faculty of Electronics and Communications
The University of Science, Vietnam National University, Ho Chi Minh City
Email: nvha@hcmus.edu.vn
