Lesson 10, “Configuring VPN and Routing”

Lecture Plan
MOAC 70-411


70-411 Exam Objective
Objective 3.3 – Configure VPN and routing. This objective may include but is not limited to: Install and configure the Remote Access role; implement Network Address Translation (NAT); configure VPN settings; configure remote dial-in settings for users; configure routing; configure Web Application proxy in passthrough mode.
Lesson Heading                                            | Exam Objective
The Remote Access Role                                    |
    Installing and Configuring Remote Access Role         | Install and configure the Remote Access role
    Configuring VPN Settings                              | Configure VPN settings
    Configuring Remote Dial-In Settings for Users         | Configure remote dial-in settings for users
    Troubleshooting Remote Access Problems                |
    Implementing NAT                                      | Implement Network Address Translation (NAT)
    Disabling Routing and Remote Access                   |
    Configuring Routing                                   | Configure routing
    Configuring Web Application Proxy in Passthrough Mode | Configure Web Application Proxy in Passthrough Mode

Key Terms
Border Gateway Protocol (BGP): A standardized exterior gateway protocol that exchanges information between autonomous systems (AS) over the Internet.
Challenge Handshake Authentication Protocol (CHAP): a challenge-response authentication method that uses the industry-standard MD5 hashing scheme to hash the response.
demand-dial routing: a connection to a remote site that is activated when data is sent to the remote site.
Extensible Authentication Protocol (EAP-MS-CHAPv2): a universal authentication framework that allows third-party vendors to develop custom authentication schemes including retinal scans, voice recognition, fingerprint identifications, smart cards, Kerberos, and digital certificates.
IKEv2: a tunneling protocol that uses IPsec Tunnel Mode protocol over UDP port 500.
layer 2 switches: switches that operate at layer 2 of the OSI model and only perform switching.
layer 2 Tunneling Protocol (L2TP): a tunneling protocol that is used with IPsec to provide security.
layer 3 switches: switches that operate at layer 3 of the OSI model and can perform switching as well as routing.
Microsoft CHAP version 2 (MS-CHAP v2): an authentication method that provides two-way authentication (mutual authentication).
network address translation (NAT): used to hide an entire IP address space behind a single IP address.
Password Authentication Protocol (PAP): an authentication method that uses plain text (unencrypted passwords). PAP is the least secure authentication and is not recommended.
Point-to-Point Tunneling Protocol (PPTP): a VPN protocol based on the legacy Point-to-Point protocol used with modems.
preauthentication: The process by which users and devices are authenticated before they access an application.
remote access server (RAS): a server that enables users to connect remotely to a network using various protocols and connection types.
reverse proxy: A proxy server that retrieves resources from servers on behalf of a client so that it can hide the existence of the resource server. It has the ability to selectively access the necessary applications on the servers inside the organization.
routers: a device that operates at layer 3 of the OSI model and can provide routing of network traffic. Routers join subnets together to form larger networks and join networks together.
routing: the process of selecting paths in a network where data will be sent.
Routing and Remote Access (RRAS): Microsoft’s implementation of the remote access server.
Routing Information Protocol (RIP): a dynamic route definition protocol, typically used on only very small networks.
routing table: a data table stored in a router or networked computer that lists the routes to particular network destinations and the metrics (distances) associated with those routes.
Secure Socket Tunneling Protocol (SSTP): a tunneling protocol that uses the HTTPS protocol over TCP port 443 to pass traffic through firewalls and web proxies that might block PPTP and L2TP/IPsec.
split tunnel: routing non-corporate VPN traffic through the user’s own Internet connection, and not to the corporate office where the VPN terminates.
static routes: a manually created route definition.
virtual private networks (VPNs): a logical method to link two computers or network devices through a wide-area network (WAN) such as the Internet in a secure fashion.
Web Application proxy: A Remote Access role service introduced in Windows Server 2012 R2 that provides reverse proxy functionality for web applications inside an organization network so users can access applications externally no matter what device they are using.
Learning Objectives

On completion of this lesson, students will be able to do the following:

  • Install and configure the Remote Access role
  • Configure dial-up settings
  • Configure VPN settings
  • Explain VPN protocols and their benefits and drawbacks
  • Create VPN connections on client computers
  • Configure remote dial-in settings
  • Troubleshoot remote access problems
  • Implement NAT
  • Disable Routing and Remote Access on a server
  • Configure and manage routing
  • Configure demand dial routing
  • Configure the DHCP relay agent

Lecture Notes

The purpose of this lesson is to provide an introduction to configuring and maintaining routing and remote access solutions provided by Windows Server 2012.

The Remote Access Role

Review with students the various functions that Routing and Remote Access (RRAS) can provide in Windows Server 2012 R2:

·         A virtual private network (VPN) gateway where clients can connect to an organization’s private network using the Internet.
·         Connect two private networks using a VPN connection using the Internet.
·         A dial-up remote access server, which enables users to connect to a private network using a modem.
·         Network address translation (NAT), which enables multiple users to share a single public network address.
·         Provide routing functionality, which can connect subnets and control where packets are forwarded based on the destination address.
·         Provide basic firewall functionality, allowing or disallowing packets based on source and/or destination addresses and protocols.

Ask students to discuss which of these functions they think are most likely to be useful in their organizations, and also which ones are likely to be least useful (or least likely to be used).

Installing and Configuring Remote Access Role

Instructors should provide a demonstration, and host a discussion, about the steps to follow to install and configure remote access using RRAS:

·         Install the remote access role using Server Manager
·         Disable the Windows Firewall, using either the Windows Firewall with Advanced Security console or Server Manager
·         Optionally, use the RRAS Setup Wizard to select a specific option:
o   Remote access (dial-up or VPN)
o   Network address translation (NAT)
o   Virtual private network access and NAT
o   Secure connection between two private networks (demand-dial or persistent)
o   Custom configuration
·         Manually configure the desired options:
o   Navigate to the Routing and Remote Access console
o   Configure the server for remote access

Configuring VPN Settings

Instructors should ask students to describe what protections VPN tunnels provide for data transiting:

·         Encapsulation
·         Authentication
·         Data encryption
·         Data integrity

Instructors should encourage students to describe scenarios where VPNs can be used:

·         Client computer that connects to the corporate network for remote access.
·         Remote sites connected together as if they were on the same LAN.
·         Two different organizations create a tunnel to provide secure communications between them.

Instructors should review with students, and use visual aids to help explain, the following tunneling protocols and their characteristics:

·         Point-to-Point Tunneling Protocol (PPTP)
·         Layer 2 Tunneling Protocol (L2TP)
·         IKEv2
·         Secure Socket Tunneling Protocol (SSTP)

Instructors should review the authentication methods available in Windows Server 2012, including strengths and weaknesses and then ask students to describe which method they think is best/worst and why:

·         Password Authentication Protocol (PAP)
·         Challenge Handshake Authentication Protocol (CHAP)
·         Microsoft CHAP version 2 (MS-CHAP v2)
·         Extensible Authentication Protocol (EAP-MS-CHAPv2)

Instructors should be prepared to discuss and demonstrate the process to configure VPN connections:

·         Start the Routing and Remote Access Server Setup Wizard
·         Specify required options to configure VPN
·         Switch to a client computer and configure the VPN connection

Instructors should discuss, and demonstrate where possible, advanced VPN configuration items:

·         VPN reconnect
·         Split tunneling
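The configuration sequence above (server role, tunnel types, authentication methods, client connection, split tunneling) can also be driven from PowerShell. The following is an added example, not code from the MOAC text or from Microsoft documentation: it uses the RemoteAccess module on the server and the VpnClient module on a Windows 8.1 client. Host names, the root CA subject and the port counts are lab placeholders, and the port parameters of Set-VpnServerConfiguration are assumed from the Windows Server 2012 R2 module; verify them with Get-Help on the target server.

```powershell
# Added example, not code from the MOAC text: RRAS VPN server setup plus the matching
# client connection. Names, thumbprints and counts are placeholders for a lab.

# ----- On the RRAS server (elevated PowerShell) -----
# Remote Access role with the VPN role service, the Server Manager step from the lesson.
Install-WindowsFeature -Name RemoteAccess, DirectAccess-VPN -IncludeManagementTools

# Configure RRAS for remote access VPN (the "Remote access (dial-up or VPN)" wizard choice).
Install-RemoteAccess -VpnType Vpn

# Tunnel types: keep IKEv2 (VPN Reconnect) and SSTP (TCP 443, passes most firewalls and
# proxies) and give PPTP and L2TP zero ports so those protocols cannot be negotiated.
# (Port parameter names assumed from the 2012 R2 RemoteAccess module.)
Set-VpnServerConfiguration -Ikev2Ports 128 -SstpPorts 128 -PptpPorts 0 -L2tpPorts 0

# Authentication: accept only EAP for users (smart cards/certificates via EAP-TLS, or
# EAP-MS-CHAPv2). PAP and CHAP are not in the accepted list, so the server refuses them.
# 'Contoso Root CA' is a placeholder subject; use the CA that issued your client certs.
$rootCa = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -like 'CN=Contoso Root CA*' }
Set-VpnAuthProtocol -UserAuthProtocolAccepted EAP -RootCertificateNameToAccept $rootCa -PassThru

# Review what the server now offers.
Get-VpnServerConfiguration
Get-VpnAuthProtocol

# ----- On the client (Windows 8.1) -----
# IKEv2 with EAP, encryption required, split tunneling on: only traffic for the corporate
# prefixes enters the tunnel; everything else uses the user's own Internet connection.
Add-VpnConnection -Name 'Contoso VPN' -ServerAddress 'vpn.contoso.example' `
    -TunnelType Ikev2 -AuthenticationMethod Eap -EncryptionLevel Required `
    -SplitTunneling -RememberCredential:$false -PassThru

# Same connection without split tunneling: all traffic, Internet included, goes through
# the corporate network (the "Use default gateway on remote network" setting).
Set-VpnConnection -Name 'Contoso VPN' -SplitTunneling $false

# Verify the settings the exam objective cares about.
Get-VpnConnection -Name 'Contoso VPN' |
    Select-Object Name, TunnelType, AuthenticationMethod, EncryptionLevel, SplitTunneling
```

With IKEv2 the client keeps its security association across an address change, which is what VPN Reconnect relies on; the same Add-VpnConnection call with -TunnelType Sstp is the fallback when only TCP 443 is open.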

Configure Remote Dial-In Settings for Users

When users connect through a dial-in connection or a VPN connection, the remote access connection must be authorized by the server running the Network Policy Server (NPS) or RRAS role service, or by a third-party RADIUS server.

Instructors should ask students if they recall where the remote dial-in properties for domain user accounts are configured:

·         On the user account Properties dialog box, on the Dial-in tab (accessed in the Active Directory Users and Computers console).
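The Dial-in tab values shown above are stored as attributes on the user object, so they can be read and set with the ActiveDirectory module. This is an added example, not from the lesson; the attribute names are real, while the account name and callback number are constructed placeholders.

```powershell
# Added example, not from the lesson: the Dial-in tab of a domain user through its
# underlying attributes.
#   msNPAllowDialin        $true = Allow access, $false = Deny access,
#                          not set = Control access through NPS Network Policy
#   msNPCallingStationID   Verify Caller-ID number(s)
#   msRADIUSCallbackNumber Always Callback To number
# 'jsmith' and the phone number are placeholders.
Import-Module ActiveDirectory

function Get-DialInSetting {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName `
        -Properties msNPAllowDialin, msNPCallingStationID, msRADIUSCallbackNumber
    # $null means the tab is set to "Control access through NPS Network Policy".
    $access = 'Control access through NPS Network Policy'
    if ($u.msNPAllowDialin -eq $true) { $access = 'Allow access' }
    elseif ($u.msNPAllowDialin -eq $false) { $access = 'Deny access' }
    [pscustomobject]@{
        User           = $u.SamAccountName
        Access         = $access
        VerifyCallerId = ($u.msNPCallingStationID -join ', ')
        CallbackTo     = $u.msRADIUSCallbackNumber
    }
}

function Set-DialInAllowWithCallback {
    # Allow access and force callback to a fixed number: the server hangs up and calls
    # the user back, so a captured password alone is not enough to dial in from elsewhere.
    param([Parameter(Mandatory)][string]$SamAccountName,
          [Parameter(Mandatory)][string]$CallbackNumber)
    Set-ADUser -Identity $SamAccountName -Replace @{
        msNPAllowDialin        = $true
        msRADIUSCallbackNumber = $CallbackNumber
    }
}

function Reset-DialInToNpsControl {
    # Clear the per-user override so NPS network policies decide (the usual default).
    param([Parameter(Mandatory)][string]$SamAccountName)
    Set-ADUser -Identity $SamAccountName -Clear msNPAllowDialin, msRADIUSCallbackNumber, msNPCallingStationID
}

Set-DialInAllowWithCallback -SamAccountName 'jsmith' -CallbackNumber '5551234567'
Get-DialInSetting -SamAccountName 'jsmith'
```

Per-user "Allow access" overrides every NPS network policy for that account, which is why leaving the tab on "Control access through NPS Network Policy" keeps the authorization decision in one place.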

Troubleshooting Remote Access Problems

Remote access troubleshooting starts off much the same way as basic network connectivity troubleshooting.

You need to rule out basic connectivity as a problem before you can effectively troubleshoot remote access connectivity. Instructors should ask students to review the tools used for basic network connectivity troubleshooting:

·         ipconfig
·         ping
·         tracert
·         nslookup
·         Event Viewer

Instructors should review with students the logging capabilities of RRAS:

·         Open the RRAS console
·         Right-click on the server and select Properties
·         Select the Logging tab to select a logging level:
o   Log Errors Only
o   Log Errors and Warnings
o   Log all events
o   Do not log any events
·         By default, the logs are located in the C:\Windows\Tracing folder.

Instructors should lead a discussion with students regarding VPN troubleshooting methods. Suggestions for VPN troubleshooting should be discussed and collected and then compared to the recommendations from Microsoft.
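The troubleshooting order the lesson recommends (basic connectivity first, then RRAS logging) can be turned into a repeatable client-side check. This is an added example rather than material from the lesson: Test-NetConnection and Resolve-DnsName stand in for ping, tracert and nslookup, and the tracing folder is the one the lesson names. The server name is a placeholder and the event provider names are an assumption to be checked with Get-WinEvent -ListProvider.

```powershell
# Added example, not from the lesson: first-pass VPN troubleshooting from a client,
# then the RRAS logging locations on the server. 'vpn.contoso.example' is a placeholder.

function Test-VpnServerReachability {
    param(
        [Parameter(Mandatory)][string]$Server,
        # TCP 443 = SSTP, TCP 1723 = PPTP. IKEv2 and L2TP use UDP 500/4500/1701, which
        # Test-NetConnection cannot probe; test those with an actual connection attempt.
        [int[]]$TcpPorts = @(443, 1723)
    )
    $r = [ordered]@{ Server = $Server }
    # 1. Name resolution (nslookup).
    $dns = Resolve-DnsName -Name $Server -Type A -ErrorAction SilentlyContinue
    $r.ResolvedTo = ($dns | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress }) -join ', '
    # 2. ICMP reachability and path (ping/tracert); ICMP is often filtered, so a failed
    #    ping with open TCP ports is not by itself a problem.
    $tn = Test-NetConnection -ComputerName $Server -TraceRoute -WarningAction SilentlyContinue
    $r.PingSucceeded = $tn.PingSucceeded
    $r.HopsSeen      = @($tn.TraceRoute).Count
    # 3. TCP ports for the tunnel types that use TCP.
    foreach ($p in $TcpPorts) {
        $t = Test-NetConnection -ComputerName $Server -Port $p -WarningAction SilentlyContinue
        $r["Tcp$p"] = $t.TcpTestSucceeded
    }
    [pscustomobject]$r
}

# Server side. Besides the Logging tab level, RAS component tracing can be switched on;
# the files land in C:\Windows\Tracing as the lesson states. Turn it off afterwards,
# the files grow quickly:
#   netsh ras set tracing * enabled
#   netsh ras set tracing * disabled
function Get-RecentRrasTrace {
    param([int]$Count = 5)
    Get-ChildItem -Path "$env:SystemRoot\Tracing" -Filter *.log -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending |
        Select-Object -First $Count Name, LastWriteTime, Length
}

# Event Viewer equivalent. Provider names are an assumption: confirm with
#   Get-WinEvent -ListProvider *ras*
function Get-RecentRemoteAccessEvents {
    param([int]$Count = 20)
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = @('RemoteAccess', 'RasMan') } `
        -MaxEvents $Count -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

# For the SSTP revocation error (0x80092013 in the assessment), confirm the certificate's
# CRL distribution point is reachable from the Internet-facing client:
#   certutil -urlfetch -verify C:\temp\vpn-server.cer

Test-VpnServerReachability -Server 'vpn.contoso.example'
Get-RecentRrasTrace
```

Running the reachability function from outside the corporate network and again from inside quickly separates firewall and DNS problems (only the outside run fails) from RRAS configuration problems (both runs resolve and connect at the TCP level, yet the tunnel still fails).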

Implementing NAT

To start the discussion on NAT, instructors should ask students to define NAT, explain why it would be used, and list the RFC 1918 private IP ranges:

·         Hides internal IP addresses
·         Enables multiple internal IP addresses to use a single external IP Address
·         RFC 1918 ranges:
o   10.0.0.0–10.255.255.255
o   172.16.0.0–172.31.255.255
o   192.168.0.0–192.168.255.255

Instructors should complete the discussion on NAT by describing how NAT works, using illustrations or the whiteboard as required.
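For the "how NAT works" discussion, a small simulation makes the translation table visible instead of describing it. The following is an added example, not part of the lesson: it models the port-based NAT that RRAS performs, using constructed addresses (192.168.1.0/24 inside, 203.0.113.7 as the single public address, 198.51.100.20 as an outside web server).

```powershell
# Added example, not from the lesson: a simulation of port-address translation.
# All addresses are constructed sample values.

function Test-Rfc1918Address {
    # True if the IPv4 address is in 10/8, 172.16/12 or 192.168/16.
    param([Parameter(Mandatory)][string]$Address)
    $b = ([System.Net.IPAddress]::Parse($Address)).GetAddressBytes()
    ($b[0] -eq 10) -or
    ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
    ($b[0] -eq 192 -and $b[1] -eq 168)
}

function New-NatTable {
    # Outbound: "inside-ip:port" -> public port.  Inbound: public port -> "inside-ip:port".
    param([Parameter(Mandatory)][string]$PublicAddress)
    @{ Public = $PublicAddress; Outbound = @{}; Inbound = @{}; NextPort = 49152 }
}

function Invoke-NatOutbound {
    # Rewrite the source of a packet leaving the private network and record the mapping.
    param($Nat, [string]$SrcIP, [int]$SrcPort, [string]$DstIP, [int]$DstPort)
    if (-not (Test-Rfc1918Address $SrcIP)) { throw "$SrcIP is not an RFC 1918 address" }
    $key = "${SrcIP}:$SrcPort"
    if (-not $Nat.Outbound.ContainsKey($key)) {
        $pub = $Nat.NextPort
        $Nat.NextPort = $pub + 1
        $Nat.Outbound[$key] = $pub
        $Nat.Inbound[$pub]  = $key
    }
    [pscustomobject]@{ SrcIP = $Nat.Public; SrcPort = $Nat.Outbound[$key]; DstIP = $DstIP; DstPort = $DstPort }
}

function Invoke-NatInbound {
    # Map a reply arriving at the public address back to the inside host.
    # Returns $null (packet dropped) when no outbound mapping exists, which is why
    # unsolicited inbound connections never reach inside hosts without an explicit rule.
    param($Nat, [string]$SrcIP, [int]$SrcPort, [int]$DstPort)
    if (-not $Nat.Inbound.ContainsKey($DstPort)) { return $null }
    $inside = $Nat.Inbound[$DstPort] -split ':'
    [pscustomobject]@{ SrcIP = $SrcIP; SrcPort = $SrcPort; DstIP = $inside[0]; DstPort = [int]$inside[1] }
}

# Walk-through: two inside hosts use the same source port to reach the same web server;
# the NAT gives each its own public port so the replies can be told apart.
$nat = New-NatTable -PublicAddress '203.0.113.7'
Invoke-NatOutbound $nat '192.168.1.10' 51000 '198.51.100.20' 443   # leaves as 203.0.113.7:49152
Invoke-NatOutbound $nat '192.168.1.11' 51000 '198.51.100.20' 443   # leaves as 203.0.113.7:49153
Invoke-NatInbound  $nat '198.51.100.20' 443 49152                  # back to 192.168.1.10:51000
Invoke-NatInbound  $nat '198.51.100.20' 443 49153                  # back to 192.168.1.11:51000
Invoke-NatInbound  $nat '198.51.100.20' 443 60000                  # no mapping: $null
$nat.Outbound                                                      # the translation table itself
```

The two points worth drawing out on the whiteboard are both in the code: the table entry is created only by outbound traffic, and the public port, not the public address, is what distinguishes the inside hosts.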

Disabling Routing and Remote Access

Instructors should be prepared to demonstrate the process to disable Routing and Remote Access on a server.

Configuring Routing

Instructors should start this discussion by leading students through a review of the OSI 7-layer network model. At the end of this discussion, the instructor should display a diagram of the model or draw it on the whiteboard for continued reference.

Instructors should then query students to try to “place” switches and routers in the OSI 7-layer model.

·         Switches: Layer 2 typically, though some (layer 3 switches) also provide routing and operate at layer 3
·         Routers: Layer 3

Instructors should detail the routing protocol that RRAS supports, RIPv2, and its features and limitations:

·         Uses multicasts for updates
·         Only supports a hop count of 15
·         Provides authenticated updates
·         Only suitable for the very smallest of networks

Instructors should be prepared to demonstrate, and discuss, the installation and configuration of routing and the DHCP relay agent in Windows Server 2012:

·         Start the Routing and Remote Access Server Setup Wizard
·         Choose the Custom configuration, then choose LAN routing
·         Demonstrate creation of static routes:
o   Create one or more static routes from the RRAS console
o   Create or modify static routes using the route.exe command
·         Delete all static routes previously created
·         Return to the RRAS console and configure IPv4 routing using RIPv2
·         Demonstrate the demand-dial routing options
·         Explain why a DHCP relay agent (e.g., DHCP helper) may be needed in a routed network
·         Configure the IPv4 DHCP relay agent
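The static-route part of the demonstration, in both the route.exe form the lesson names and the NetTCPIP cmdlet form, as an added example that is not from the lesson. The prefix, next hop and interface index are lab placeholders; RIPv2 and the DHCP relay agent are still configured in the RRAS console as the steps above describe.

```powershell
# Added example, not from the lesson: LAN routing role setup and static routes.
# 10.20.0.0/16, 192.168.1.254 and interface index 12 are placeholders.

# Routing role service, then configure RRAS for LAN routing only (the "Custom
# configuration" > "LAN routing" wizard path).
Install-WindowsFeature -Name RemoteAccess, Routing -IncludeManagementTools
Install-RemoteAccess -VpnType RoutingOnly

# Find the interface index of the adapter the next hop is reachable on.
Get-NetAdapter | Select-Object Name, ifIndex, Status

# route.exe: -p makes the route persistent (it is written to the registry and
# survives a reboot); without -p it disappears at the next restart.
route -p add 10.20.0.0 mask 255.255.0.0 192.168.1.254 metric 10 if 12
route print 10.20.*
route delete 10.20.0.0

# The same route with the NetTCPIP cmdlets; PersistentStore is the equivalent of -p.
New-NetRoute -DestinationPrefix '10.20.0.0/16' -InterfaceIndex 12 `
    -NextHop '192.168.1.254' -RouteMetric 10 -PolicyStore PersistentStore
Get-NetRoute -DestinationPrefix '10.20.0.0/16' -PolicyStore PersistentStore
Remove-NetRoute -DestinationPrefix '10.20.0.0/16' -Confirm:$false

# Check the resulting routing table before handing over to RIPv2: anything left here
# that RIP also advertises will be preferred by metric, so stale static routes should
# be removed first (the "Delete all static routes" step).
Get-NetRoute -AddressFamily IPv4 | Sort-Object DestinationPrefix |
    Format-Table DestinationPrefix, NextHop, RouteMetric, InterfaceAlias
```

A DHCP relay agent is still needed on each routed subnet without its own DHCP server, because the router does not forward the DHCP broadcast on its own; the relay is added under IPv4 > General in the RRAS console and pointed at the DHCP server's address.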

Configuring Web Application Proxy in Passthrough Mode

The Web Application proxy is a Remote Access role service introduced in Windows Server 2012 R2 that provides reverse proxy functionality for web applications inside an organization network so users can access applications externally no matter what device they are using. During this discussion, you will need to explain what a reverse proxy is and how the Web Application proxy fulfills that role. You will also need to explain that the Web Application proxy configuration is stored on the AD FS servers in your organization.
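Publishing an application in pass-through mode with the WebApplicationProxy module, as an added example that is not from the lesson. The federation service name, URLs and thumbprints are placeholders; the cmdlets and the PassThrough preauthentication value are those of the Windows Server 2012 R2 module.

```powershell
# Added example, not from the lesson: Web Application Proxy in pass-through mode.
# Names, URLs and thumbprints are placeholders.

# Web Application Proxy is a role service of Remote Access.
Install-WindowsFeature -Name Web-Application-Proxy -IncludeManagementTools

# Join the proxy to the AD FS farm; this is where the proxy's configuration is stored,
# so the credential must be a local administrator on the AD FS server.
$fsCred = Get-Credential -Message 'AD FS local administrator'
Install-WebApplicationProxy -FederationServiceName 'fs.contoso.example' `
    -FederationServiceTrustCredential $fsCred `
    -CertificateThumbprint '<THUMBPRINT-OF-FS-CERT-IN-LOCALMACHINE-MY>'

# Pass-through publishing: no preauthentication at the proxy. The proxy forwards HTTPS
# to the backend as-is, so the backend application must authenticate users itself.
Add-WebApplicationProxyApplication -Name 'Intranet Portal' `
    -ExternalPreauthentication PassThrough `
    -ExternalUrl 'https://portal.contoso.example/' `
    -BackendServerUrl 'https://portal.corp.contoso.example/' `
    -ExternalCertificateThumbprint '<THUMBPRINT-OF-PORTAL-CERT>'

# Confirm what is published and in which mode.
Get-WebApplicationProxyApplication |
    Format-Table Name, ExternalPreauthentication, ExternalUrl, BackendServerUrl
```

Contrast this with -ExternalPreauthentication ADFS, where the proxy sends the user to AD FS first and only forwards requests that carry a valid token; pass-through is the right choice for applications that do their own authentication or that must stay reachable by clients AD FS cannot front.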

Knowledge Assessment
Multiple Choice
Choose the letter that corresponds to the correct answer.
1.       Which of the following can you find in RRAS? (Choose all that apply.)
a.     Routing
b.     OSPF
c.     RIP
d.     NAT
2.       If you want to use VPN Reconnect, which VPN protocol should you use?
a.     PPTP
b.     L2TP
c.     IKEv2
d.     SSTP
3.       You want to make a server running Windows Server 2012 R2 into a VPN server. However, the networking team allows only HTTPS through the firewall. Which VPN protocol should you use?
a.     PPTP
b.     L2TP
c.     IKEv2
d.     SSTP
4.       You want to start using smart cards with the VPN. What authentication protocol should you use?
a.     PAP
b.     CHAP
c.     MS-CHAPv2
d.     EAP
5.       Which authentication protocol should you NOT use because it is the least secure?
a.     PAP
b.     CHAP
c.     MS-CHAPv2
d.     EAP
6.       How do you allow split tunneling?
a.       Open Advanced TCP/IP Settings and select Use default gateway on remote network.
b.       Open Advanced TCP/IP Settings and deselect Use default gateway on remote network.
c.        Open Advanced TCP/IP Settings and select Don’t use default gateway on remote network.
d.       Open Advanced TCP/IP Settings and deselect Don’t use default gateway on remote network.
7.       What is the easiest way to set up a VPN client on a computer for a user that is not technical?
a.     Use PAP.
b.     Type up step-by-step instructions with screenshots to give to the user.
c.     Use a Group Policy to configure the settings.
d.     Use CMAK to create an executable to install.
8.       Which option would you use to make sure that a user can dial in using only his or her home phone?
a.     Verify Caller ID
b.     Always Callback To
c.     No Callback
d.     Set By Caller
9.       Which tab in the RIP properties would you use to prevent routes being received from a router located on 10.10.10.10?
a.     General
b.     Security
c.     Neighbors
d.     RIP Nodes
10.     Which option should you use with the route command when creating a static route to ensure the route is still available if the computer is rebooted?
a.     /consistent
b.     /save
c.     -p
d.     -s  
Answers:
1.     B
2.     C
3.     D
4.     D
5.     A
6.     B
7.     D
8.     B
9.     B
10.  C
Best Answer
Choose the letter that corresponds to the best answer. More than one answer choice may achieve the goal. Select the BEST answer.
1.       You have the main office and 12 branch offices. The users and computers are within a single domain. All servers are Windows Server 2008 R2 and Windows Server 2012 R2. You must make sure that all data is encrypted by using end-to-end encryption. In addition, instead of using usernames and passwords, you need to use computer-level authentication. What should you do?
a.     Configure a PPTP connection and MS-CHAPv2.
b.     Configure L2TP with IPsec and EAP-TLS authentication.
c.     Configure L2TP with IPsec and MS-CHAPv2.
d.     Configure SSTP with IPsec and PAP.
2.       When establishing a VPN connection, which of the following verifies that data has not been modified while in transit?
a.     Encapsulation
b.     Authentication
c.     Data encryption
d.     Data integrity
3.       You have a single DHCP server that services the corporate office and 25 remote sites. How do you install a DHCP relay agent on a remote site so that you can forward DHCP requests to the DHCP server?
a.     Configure DNS with Dynamic Update.
b.     Install RRAS and enable routing.
c.     Install RRAS and enable NAT.
d.     Install NAP.
4.       Which of the following would you use to enable NAT?
a.     Services for Network File System (NFS)
b.     Wireless LAN Service
c.     Network Load Balancing (NLB)
d.     Routing and Remote Access service (RRAS)
e.     Health Registration Authority (HRA)
f.     Simple TCP/IP Services
g.     Connection Manager Administration Kit (CMAK)
h.     Network Policy Server (NPS)
i.      Windows System Resource Manager (WSRM)
5.       You just enabled SSTP on a server called Server1. When a user tries to log in, he receives an error: Error 0x80092013: The revocation function is unable to check revocation because the revocation server was offline. You look at your certificate and it looks fine. What would you do to overcome this problem?
a.     Renew the certificate.
b.     Publish the CRL distribution point to a site that is available over the Internet.
c.     Add the RRAS server to the client personal store.
d.     Upgrade the certificate to V3.          
Answers:
1.     B
2.     C
3.     B
4.     D
5.     B
Matching and Identification
1.        Identify the correct VPN protocol (PPTP, L2TP, SSTP, or IKEv2) for the following items.
_______        a)           Uses MPPE for encryption
_______        b)           Requires UDP port 500, UDP Port 1701, and UDP port 4500
_______        c)            Supports VPN Reconnect
_______        d)           Requires only UDP port 500
_______        e)            Requires port 1723
_______        f)            Uses a certificate or preshared key and is combined with IPsec for encryption
_______        g)            Uses port 443
2.        Identify the correct authentication protocol (PAP, CHAP, MS-CHAPv2, and EAP-MS-CHAPv2) for the following items.
_______        a)           Used in older network devices and uses a challenge-response method with md5 hashing
_______        b)           Allows you to change an expired password during the connection process
_______        c)            Required when using smartcards
_______        d)           Username and password are sent in plaintext
_______        e)            Default authentication used when performing a VPN connection with Windows 8
3.        Identify the routing protocols supported by Windows Server 2012 R2.
_______        a)           RIP v2 for Internet Protocol
_______        b)           IGMP Router and Proxy
_______        c)            OSPF
_______        d)           BGP
_______        e)            NAT

Answers:
1.        Identify the correct VPN protocol (PPTP, L2TP, SSTP, or IKEv2) for the following items.
PPTP     a)   Uses MPPE for encryption.
L2TP     b)   Requires UDP port 500, UDP Port 1701, and UDP port 4500. 
IKEv2   c)    Supports VPN Reconnect.
IKEv2   d)   Requires only UDP port 500.
PPTP     e)    Requires port 1723.
L2TP     f)    Uses a certificate or preshared key and is combined with IPsec for encryption.
SSTP      g)    Uses port 443.
2.        Identify the correct authentication protocol (PAP, CHAP, MS-CHAPv2, and EAP-MS-CHAPv2) for the following items.
CHAP                           a)            Used in older network devices and uses a challenge-response method  with md5 hashing.
MS-CHAPv2                b)           Allows you to change an expired password during the connection process.
EAP-MS-CHAPv2      c)            Required when using smartcards.
PAP                               d)            Username and password are sent in plaintext.
MS-CHAPv2                e)            Default authentication used when performing a VPN connection with Windows 8.
3.        Identify the routing protocols supported by Windows Server 2012.
X     a)   RIP v2 for Internet Protocol
X     b)   IGMP Router and Proxy
         c)    OSPF
         d)   BGP
X     e)    NAT

Build a List
1.       Specify the steps, in order, that are used to configure a VPN server. Not all steps will be used.
_____            Run the Configure and Enable Routing Remote Access Wizard.
_____            Configure VPN parameters using server properties in RRAS.
_____            Create a VPN connection on the client.
_____            Enable VPN Service.
_____            Install RRAS.
_____            Install VPN console.
_____            Install VPN Service    
Answers:
1.       Specify the step number, in order, used to configure a VPN server. Not all steps will be used.
2      Run the Configure and Enable Routing Remote Access Wizard.
3      Configure VPN parameters using server properties in RRAS.
4      Create a VPN connection on the client.
        Enable VPN Service.
1      Install RRAS.
        Install VPN console.
        Install VPN Service.



Answer: Use default gateway on remote network
Business Case Scenarios
Scenario 10-1: Installing a VPN Server
Your manager comes up to you and says that you need to install a VPN server so that users can work while they are doing sales calls with customers. Your manager wants you to make it as secure as possible with the VPN technologies that appear in this lesson. How would you configure the server?
You need to install RRAS and configure one of the following protocols: L2TP with IPsec, IKEv2, or SSTP. Because you need to make it as secure as possible, you should choose IKEv2. Instead of using a username and passwords, you should configure smart cards, which use EAP-MS-CHAPv2.
Scenario 10-2: Configuring Routing
You have a corporate office with 12 remote sites. Each remote site has a site server that also acts as a router. When you look at each of the servers, you realize that the previous administrator used the route command to specify static routes. However, as you have had to do maintenance and move some of the network connections, you find it difficult to modify all of the servers to reflect the changes. In addition, you will be adding 4 more sites over the next 6 months. What do you recommend to your manager so that you don’t have to buy any more network equipment?
It is obvious that you need to use dynamic routes. Therefore, you need to reconfigure RRAS to use RIP. RIP allows up to 15 hops away, which should be no problem if you use the central office as a central point to the other sites. So no site should be more than 2 hops away. With RIP, as you add or remove network connections, the routing tables at all sites will automatically be updated.