Join Ed Liberman for an in-depth discussion in this video Overview of Remote Access, part of Windows Server 2012 R2: Configure a Network Policy Server Infrastructure.
- [Voiceover] Each day it seems as though we have a constantly growing need to provide access to corporate resources, to users who are not physically within the corporate boundaries. Well we do this through remote access solutions. Fortunately the remote access role in Windows Server 2012 R2 provides four remote access options. The first will be DirectAccess, which enables remote users to securely access corporate resources without connecting to a VPN, which stands for Virtual Private Network.
When connecting with DirectAccess, users don't need to perform any action as DirectAccess automatically establishes a connection to the corporate network. Now DirectAccess also provides increased productivity for a mobile workforce by offering the same connectivity experience both inside and outside the office. If you have somebody who isn't just a strict telecommuter but they come into the office at some point and then they also work from home on other days, they get the same connectivity experience without seeing any differences using DirectAccess.
One thing to keep in mind is that while this might seem really cool and really efficient and very sensible, there is a lot of overhead, I will say management overhead that goes with DirectAccess especially when it comes to setting it up because it does require management for IPv6 and also for a PKI environment. We still have our traditional VPN, which again stands for Virtual Private Network. These connections enable your users who are offsite, somewhere other than the corporate network, to be able to go ahead and connect to the private network across the Internet but through a secure encryption tunnel.
VPNs have been around for a very, very long time and they have always been a very reliable way and really I should say not just really reliable but secure way for users outside of your corporate network to be able to connect in and access corporate resources. Now it also provides just simple routing. What this means is that your Windows Server 2012 R2 machine can act as a router between networks and along with being a router, it also can perform something called NAT, which stands for Network Address Translation, which will allow your internal corporate network computers to have private IP addresses but still communicate out on the Internet.
The fourth component would be Web Application Proxy, which is a new feature in Windows Server 2012 R2. It provides reverse proxy functionality for web applications located in an organization's internal network where users that are located on the Internet can access internal web applications. Web Application Proxy preauthenticates users using ADFS, which stands for Active Directory Federation Services technology, and acts as an ADFS proxy.
These are the four capabilities that are built into Windows Server 2012 R2 in the remote access role. Now when it comes to managing remote access, you primarily have, well, I may have three options listed here, and let me bring them all up, but it's really kind of two options. You have the option of using Microsoft Management Console, and the Microsoft Management Console then has two snap-ins that you could use, one being the Remote Access Management console and the other being the Routing and Remote Access console, and there are some slight differences between them, or like with many other components of Windows Server 2012 R2, you can always manage using Windows PowerShell because all of the tools were built on the foundation of Windows PowerShell.
Now one thing that you're gonna want to consider are PKI considerations, and PKI stands for Public Key Infrastructure. I mentioned PKI earlier as a requirement for DirectAccess but you may decide to use PKI even in a non-DirectAccess environment. What are some of the things you want to take into consideration? Well one is, do you wanna use PKI only for data and traffic? Do you wanna use PKI for encryption only, or do you also wanna potentially use it for authentication? Now there is a cryptography lesson that I have in this course where I talk about Public Key Encryption which is a component of Public Key Infrastructure and in that lesson I explain how Public Key Encryption can be used for encryption, which makes sense, it's right in the name, but how you can use it kind of backwards for the purposes of authenticating the source user or a computer.
You wanna consider whether that is something that you need to put in place and also you have to decide how your certificates are going to be assigned. Are you going to self-sign your certificates, or are you gonna use an internal CA, are you gonna create your own certification hierarchy, or are you gonna use a public CA, a third party trusted CA? By the way CA stands for Certification Authority, and this is the authority that can issue certificates. Now I do wanna tell you that this may be coming off to you as a foreign language as far as certificates and Certification Authority, and things like that, this is all outside the context of this lesson but once you understand how PKI and certificate services works, these are things that you need to consider.
Then let's talk about the user settings which we primarily would find on the user account properties in Active Directory. The first is the network access permissions. We have three choices. We can manually on a user-by-user basis assign them allowed access, meaning this particular user is allowed to connect remotely, or we could manually on a user-by-user basis, we could deny them access.
The default settings and typically how you would wanna leave it, it would be such to control access through NPS network policy. These permissions allow access and deny access. They've been around for a very long time. In the older days of the original Microsoft servers when remote access was just kind of an occasional thought, we mostly had people working at the office and you had an occasional person who might have to work from somewhere else or make a connection from somewhere else, you could manually select individual users and give them permission or take it away.
Now that it's commonplace, we need to manage it in a more scalable way, and that's done through NPS network policy where we can actually make rules surrounding who can and cannot get in. That's the default setting and it's typically recommended that you leave it that way. Now there are some additional user settings. Most of these are not looked at anymore and they're out of date, but one would be to verify caller ID, and this would have to do with if you were going to be a dial-up remote access server.
Now I didn't even mention that when I went through the four different options that we have within the Remote Access role, the VPN choice technically is also just being a remote access server, we could say traditional remote access server which is not only VPN but also dial-up. If you actually still have users who are dialing in using an old-fashioned analog modem, you could verify caller ID so that they can only call in from a certain number, you can also choose an option to call them back where you assign a phone number that you would call them back at.
Again this is pretty much to make sure that a user only calls from a certain place, like maybe they can work from home but that's the only place they're connecting from. You can also assign them static IP addresses and static routes, which again this is all very old school stuff that we really don't do anymore because everything is dynamic in today's world. Again just keep in mind that we are now in a day and age that I would almost say you're part of the majority if you are not working in the actual four walls of your corporate environment, and as a result since the majority of people are these days working outside those walls, as a network administrator you have to put a focus on remote access capabilities, and Microsoft gives you some abilities built right into Windows Server 2012 R2.
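The three network access permission choices described above (Allow access, Deny access, Control access through NPS Network Policy) live in the user object's msNPAllowDialin attribute, and the PowerShell route mentioned earlier can inspect and reset them. The following is an added example, not code from the course; the account name is a placeholder and it assumes the ActiveDirectory (RSAT) module and rights to modify user objects.

```powershell
# Added example (not from the course): inspect and manage the "Network Access
# Permission" shown on a user's Dial-in tab. Active Directory stores it in the
# msNPAllowDialin attribute:
#   TRUE    -> Allow access   (manual per-user override)
#   FALSE   -> Deny access    (manual per-user override)
#   not set -> Control access through NPS Network Policy (the default)
# Requires the ActiveDirectory module (RSAT) and rights to read/modify users.
Import-Module ActiveDirectory

# Placeholder account name; substitute a real sAMAccountName.
$User = 'jdoe'

# 1. Read the current setting for one user.
Get-ADUser -Identity $User -Properties msNPAllowDialin |
    Select-Object SamAccountName, msNPAllowDialin

# 2. Audit: list every user carrying a manual "Allow access" override.
#    Such overrides replace the Allow/Deny decision of a matching NPS network
#    policy (unless that policy ignores user dial-in properties), so review them.
Get-ADUser -LDAPFilter '(msNPAllowDialin=TRUE)' -Properties msNPAllowDialin |
    Select-Object SamAccountName, DistinguishedName

# 3. Revert a user to the default so NPS network policy makes the decision.
Set-ADUser -Identity $User -Clear msNPAllowDialin

# 4. Only if a per-user exception is truly needed, set it explicitly:
#    $true = Allow access, $false = Deny access.
# Set-ADUser -Identity $User -Replace @{ msNPAllowDialin = $false }
```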
Note: This course maps to the Configure a Network Policy Server (NPS) Infrastructure domain of Microsoft Certified Solutions Associate (MCSA) Exam 70-411, Administering Windows Server 2012.
- Implementing a VPN
- Installing and configuring NPS
- Configuring RADIUS clients
- Configuring NAP