Friday, September 26, 2014

4. Configure a Network Policy Server (NPS) Infrastructure 4.2 Configure NPS policies

4.2.1 Configure connection request policies

When NPS receives an Access-Request message, the connection request policies are evaluated first, in processing order; the first policy whose conditions match decides how the request is handled.

Overview - enable the policy, choose the network access server type or vendor specific.

Conditions - attributes the request must match for this policy to be processed
HCAP Location Groups
User Name
Access Server IPv4 address (on behalf of client)
Access Server IPv6 address
Framing Protocol
Service Type - VPN, 802.1x, other
Tunnel Type - GRE, ESP, L2TP, PPTP, SSTP, 802.1X VLAN, other
Day and Time Restrictions
Identity Type - NAP Machine Health check identity.
Calling Station ID
Client Friendly Name
Client IPv4 address
Client IPv6 address
Client Vendor Name
Called Station ID (of the NAS server)
NAS id
NAS IPv4
NAS IPv6
NAS port type - VPN, Ethernet, 802.11 wireless, Other

Settings -
Authentication Methods - can be used to override the network policy authentication settings.
Includes EAP types Smart Card, PEAP, EAP-MSCHAP v2 as well as MS-CHAPv2, MS-CHAP, CHAP, PAP/SPAP, and unauthenticated connections.
Authentication - determines whether requests are authenticated locally, forwarded to a remote RADIUS server group, or accepted without validating credentials.
Accounting - determines whether accounting requests are forwarded to a remote RADIUS server group.
Attribute - manipulate attributes before the request is processed or forwarded: Called-Station-ID, Calling-Station-ID, User-Name.
Standard - add additional standard RADIUS attributes that are sent to clients.
Vendor Specific - add additional vendor-specific attributes.

4.2.2 configure network policies for VPN clients (multilink and bandwidth allocation, IP filters, encryption, IP addressing)

Overview
Policy name
Enabled
Grant or Deny access.
"Ignore user account dial-in properties"
Access server type or vendor specific

Conditions for processing this policy
Windows Groups
Machine Groups
User Groups
HCAP Location Groups
HCAP User Groups
Day and Time Restrictions
Identity Type - NAP Machine Health check identity.
MS-Service Class - Must use a defined DHCP scope
Health Policies - meets a health policy criteria
NAP-Capable Computers
Operating System - OS version, SP, OS role, Architecture, OS Build
Policy Expiration
Access Client IPv4
Access Client IPv6
Authentication Type - includes CHAP, EAP, Ext, MS-CHAP v1/CPW, v2/CPW, PAP, PEAP, unauthenticated.
Allowed EAP types - Smart Card, PEAP-Smart card, PEAP-MSCHAP-V2, EAP-MSCHAP-v2
Framed Protocol
Service Type - VPN, 802.1x, other
Tunnel Type - GRE, ESP, L2TP, PPTP, SSTP, 8021.X VLAN, other
Calling Station ID
Client Friendly Name
Client IPv4 address
Client IPv6 address
Client Vendor name
MS-RAS Vendor -
Called Station ID
NAS ID
NAS IPv4
NAS IPv6
NAS port type - VPN, Ethernet, 802.11 wireless, Other

Constraints - if the conditions match but these aren't met, the connection is denied (NPS does not go on to evaluate any further network policies).
Authentication Methods - unless overridden by the connection request policy
Includes EAP types Smart Card, PEAP, EAP-MSCHAP v2 as well as MS-CHAPv2, MS-CHAP, CHAP, PAP/SPAP, and unauthenticated connections.
Idle Timeout
Session Timeout
Called Station ID
Day and time restrictions
NAS Port Type

Settings - applied if the conditions and constraints match
Standard - add additional standard RADIUS attributes that are sent to clients
Vendor Specific - add additional vendor-specific attributes
NAP Enforcement - full network access, full network access for a limited time, limited access (remediation server group). Enable auto-remediation for computers that do not meet health requirements.
Extended State - Transitional, Infected, Unknown
Multilink and BAP - how to handle multilink connections. BAP usage settings - drop a line from the multilink bundle if usage falls below a percentage for a period of time (i.e. 50% over 2 minutes by default). Require BAP for dynamic multilink.
IP Filters - IPv4 and IPv6 input and output filters
Encryption - Basic (MPPE 40-bit / 56-bit DES), Strong (MPPE 56-bit / 56-bit DES), Strongest (MPPE 128-bit / 168-bit Triple DES), No Encryption
IP Settings - server must supply an IP address, client may request an IP address, server settings determine IP address assignment, assign a static IP address.

4.2.3 import and export NPS policies
Export the whole NPS configuration. exportPSK=yes (and Export-NpsConfiguration) write the RADIUS shared secrets into the XML in clear text, so protect the file like a password store and delete it when done:
netsh nps export filename="c:\nps.xml" exportPSK=yes
Export-NpsConfiguration -Path c:\nps.xml
Import on another NPS server (this replaces that server's existing configuration):
netsh nps import filename="c:\nps.xml"
Import-NpsConfiguration -Path c:\nps.xml
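The following script is an added example, not from the original post: it carries the NPS configuration from one server to a second one while treating the export as the secret material it is (clear-text shared secrets). The export folder, the file name and the target server name NPS02 are constructed placeholders; it assumes the account running it is an administrator on both servers and that PowerShell remoting is enabled on the target.

```powershell
# Added example (not from the post): export NPS config with secrets, lock the file
# down, copy it to a second NPS server, import it there, and clean up both copies.
$exportDir  = 'C:\NpsExport'                      # constructed staging folder
$exportFile = Join-Path $exportDir 'nps.xml'
$targetNps  = 'NPS02'                             # assumption: second NPS server in the domain

New-Item -ItemType Directory -Path $exportDir -Force | Out-Null

# exportPSK=yes writes every RADIUS client and remote-server shared secret into the
# XML in clear text. Without it the imported clients have empty secrets and every
# Access-Request they send to the new server is rejected.
netsh nps export filename="$exportFile" exportPSK=yes
if ($LASTEXITCODE -ne 0) { throw "netsh nps export failed (exit code $LASTEXITCODE)" }

# Make sure the file is well-formed XML before shipping it anywhere.
$null = [xml](Get-Content -Path $exportFile -Raw)

# Stop ACL inheritance and allow only Administrators and SYSTEM to read the file.
$acl = Get-Acl -Path $exportFile
$acl.SetAccessRuleProtection($true, $false)
foreach ($principal in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $principal, 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $exportFile -AclObject $acl

# Copy over the admin share (SMB, authenticated as the current admin) and import
# remotely. Import replaces the target's existing NPS configuration outright.
$remoteDir = "\\$targetNps\C$\NpsExport"
New-Item -ItemType Directory -Path $remoteDir -Force | Out-Null
Copy-Item -Path $exportFile -Destination $remoteDir
Invoke-Command -ComputerName $targetNps -ScriptBlock {
    Import-NpsConfiguration -Path 'C:\NpsExport\nps.xml'
    # Do not leave a clear-text copy of the shared secrets on the target.
    Remove-Item -Path 'C:\NpsExport\nps.xml' -Force
}

# Remove the local copy as well once the import has succeeded.
Remove-Item -Path $exportFile -Force
```

Copy-Item over the admin share is used rather than Copy-Item -ToSession because the latter needs PowerShell 5.0, which the 2012 R2 servers of this era do not have by default.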

4. Configure a Network Policy Server (NPS) Infrastructure 4.1 Configure Network Policy Server

RADIUS is used for authentication, authorization, and accounting.

Install NPS:
Server Manager -> Add Roles and Features
Server role - Network Policy and Access Services

Install-WindowsFeature NPAS-Policy-Server -IncludeManagementTools

4.1.1 Configure a RADIUS server, including RADIUS proxy
Server Manager - Tools - Network Policy Server (nps.msc)

You can use one of the standard configuration wizards, which create the RADIUS clients, connection request policies, network policies, and health policies as needed: Network Access Protection, RADIUS server for dial-up/VPN connections, RADIUS server for 802.1X wireless or wired connections.
You can also use the advanced configuration options.
Finally, you can configure the server manually using the appropriate menu items. Menu breakdown:

RADIUS Clients and Servers -
RADIUS Clients
Remote RADIUS Server Groups (proxy setup)

Policies
Connection Request Policies - used to determine whether requests are handled locally or forwarded to a remote RADIUS server group, as well as some other connection-related settings.
Network Policies - network authorization policies, such as authentication methods, idle/session timeouts, usage restrictions, IP filters, encryption
Health Policies - Used with NAP System Health Validations to define requirements for clients to connect

NAP
System Health Validators - SHV - settings such as AV and firewall status required for clients
Remediation Server Groups - used to provide updates and services for noncompliant clients

Accounting - Auditing using SQL server or text files

Template Management - save or create configurations to reuse locally or import to other NPS servers

Proxy setup:

http://technet.microsoft.com/en-us/library/dd197525%28v=ws.10%29.aspx

Although RADIUS clients can be configured with a primary and an alternate RADIUS server, a RADIUS proxy can instead be used to forward messages to RADIUS servers. A connection request policy is configured to forward authentication to a remote RADIUS server group on the Settings/Authentication page of the policy.

A proxy is set up by clicking "RADIUS Clients and Servers", "Remote RADIUS Server Groups", and creating a new group for a connection request policy to use.

Add a RADIUS server
Select an existing template or None
Enter the IP address, server name or FQDN of the RADIUS server. Click Verify and Resolve to choose the correct IP address if the DNS name resolves to several.
Authentication/Accounting -
Choose the authentication port (default 1812)
Choose an existing shared secrets template or None
Enter the shared secret used to authenticate with the RADIUS server
If not using EAP, check "Request must contain the Message Authenticator attribute" for extra security (EAP messages already carry it; for other methods it lets the server reject forged or tampered requests)
Accounting -
Choose the accounting port (default 1813)
Use the same shared secret for authentication and accounting, or configure a template and secret for accounting as above
Forward network access server start and stop notifications

Load balancing - the server with the lowest priority value is preferred. When priorities are equal, weight controls how often requests are sent to each server.

Advanced settings
Number of seconds without a response before a request is dropped
Maximum number of dropped requests before the server is identified as unavailable
Number of seconds between requests when a server is identified as unavailable
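The group, member and failover settings listed above, built from the command line as an added example (not the post's own commands). The group name, the two server names and the secret handling are constructed; the parameter names follow the netsh nps "add remoteserver" syntax and are an assumption to confirm with "netsh nps add remoteserver ?" on the build in use.

```powershell
# Added example (not from the post): a remote RADIUS server group with a preferred
# and a backup member, with the load-balancing and Advanced values set explicitly.
$group   = 'HQ RADIUS Servers'                            # constructed
$servers = @(
    @{ Address = 'radius1.corp.example'; Priority = 1 }   # constructed; preferred
    @{ Address = 'radius2.corp.example'; Priority = 2 }   # constructed; used only while radius1 is unavailable
)

# Prompt for the secret rather than hard-coding it in the script. netsh still
# receives it as plain text on its command line, so clear it as soon as possible.
$secure = Read-Host -AsSecureString -Prompt 'Shared secret for the remote RADIUS servers'
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$secret = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

netsh nps add remoteservergroup name = "$group"
if ($LASTEXITCODE -ne 0) { throw "could not create remote RADIUS server group '$group'" }

foreach ($s in $servers) {
    # timeout 3 / maxdrop 5 / blackout 30 are the NPS defaults for the three Advanced
    # settings: seconds without a response before a request is dropped, dropped
    # requests before the server is marked unavailable, and seconds to wait before
    # trying an unavailable server again. requireauthattrib = YES is the
    # "Request must contain the Message Authenticator attribute" checkbox.
    netsh nps add remoteserver remoteservergroup = "$group" address = "$($s.Address)" `
        authsecret = "$secret" acctsecret = "$secret" requireauthattrib = YES `
        authport = 1812 acctport = 1813 priority = $($s.Priority) weight = 50 `
        timeout = 3 maxdrop = 5 blackout = 30 acctonoff = YES
    if ($LASTEXITCODE -ne 0) { throw "could not add $($s.Address) to '$group'" }
}
$secret = $null

# List the result; a connection request policy can now forward to this group.
netsh nps show remoteservergroup
```

Both members get the same priority only if you want round-robin between them; with priority 1 and 2 as above, the second server is a pure failover target and the weight value never comes into play.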

4.1.2 configure RADIUS clients
Clients are configured on the "RADIUS Clients and Servers", "RADIUS Clients" menu item. They can be created manually or by the standard/advanced configuration tools.

Properties -
Settings
Enable this RADIUS client
Select an existing template
Friendly Name
Address (IP or DNS)
Shared Secret Template
Shared Secret - enter it manually or use Generate to create a random one

Advanced - select the vendor name from the list, or use RADIUS Standard
Access-Request messages must contain the Message-Authenticator attribute - for non-EAP methods
RADIUS client is NAP-capable - for NAP usage
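Registering a RADIUS client from PowerShell, with a random shared secret and the Message-Authenticator requirement switched on, as an added example (not from the original post). The friendly name WLC-01 and the address 10.20.30.5 are constructed; the cmdlet parameters are those of the NPS module on 2012 R2, and the property names read back from Get-NpsRadiusClient are an assumption to check against the output on your server.

```powershell
# Added example (not from the post): create a RADIUS client with a CSPRNG-generated
# secret, require Message-Authenticator, then read the client back and audit it.
function New-RadiusSharedSecret {
    # 32 random bytes, base64-encoded: 44 printable characters, within the length
    # NPS accepts and far stronger than anything typed by hand.
    param([int]$ByteCount = 32)
    $bytes = New-Object byte[] $ByteCount
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    [Convert]::ToBase64String($bytes)
}

$clientName = 'WLC-01'        # constructed friendly name
$clientAddr = '10.20.30.5'    # constructed NAS address (the source IP NPS sees the requests from)
$secret     = New-RadiusSharedSecret

New-NpsRadiusClient -Name $clientName -Address $clientAddr -SharedSecret $secret `
    -AuthAttributeRequired $true -NapCompatible $false `
    -VendorName 'RADIUS Standard' -Enabled $true | Out-Null

# The NAS needs the same secret. Show it once for out-of-band delivery, then drop it.
Write-Host "Configure $clientName ($clientAddr) with this shared secret: $secret"
$secret = $null

# Read the client back and flag the settings an auditor would look for.
$client = Get-NpsRadiusClient -Name $clientName
if (-not $client.Enabled) {
    Write-Warning "$clientName is disabled"
}
if (-not $client.AuthAttributeRequired) {
    Write-Warning "$clientName does not require Message-Authenticator; non-EAP requests from it cannot be integrity-checked"
}
$client | Format-List Name, Address, VendorName, Enabled, AuthAttributeRequired, NapCompatible
```

Requiring Message-Authenticator costs nothing on a NAS that supports it and closes the gap where a PAP or CHAP Access-Request could be forged by anyone who can send UDP to port 1812 from the client's address.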

4.1.3 configure NPS templates
Simple templates that can be exported and imported into other NPS servers to make configuration easier when configuring multiple NPS servers.
Templates -
Shared Secrets
Radius Clients
Remote Radius Servers
IP filters - Ipv4 and Ipv6 input and output
Health Policies
Remediation Server Groups

Templates are exported or imported by right-clicking Template Management and selecting Import Templates from a Computer (another NPS server), Import Templates from a File, or Export Templates to a File.

4.1.4 configure RADIUS accounting
The RADIUS client (NAS) sends an Accounting-Start message to the RADIUS accounting server (NPS), which sends back an acknowledgement to the client. The client sends an Accounting-Stop message when the service has been delivered.

Accounting is configured on the Accounting menu by using the "Configure Accounting" wizard.
Logging options:
Log to a SQL server, Log to a text file, Log to SQL and text, Log to SQL and use text as failover.

SQL server logging:
Configure a SQL server to log to
Choose what to log: Accounting, Authentication, Periodic accounting status, Periodic authentication status
Logging failure action: If logging is failing, you can choose to discard connections.

Text logging:
Choose what to log: Accounting, Authentication, Periodic accounting status, Periodic authentication status
Choose the location for the log files to be stored
Logging failure action: if logging is failing, you can choose to discard connection requests.
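Once text logging is on, the files are only useful if something reads them. The script below is an added example (not from the original post) that parses NPS text logs in IAS format and counts Access-Reject packets per user and NAS, so a run of failed authentications against one account or from one client stands out. The log lines are constructed samples laid out like IAS-format records (six fixed fields, then attribute-id,value pairs); attribute 4136 is Packet-Type, 4142 Reason-Code and 4128 Client-Friendly-Name, and the default log folder named in the last comment is C:\Windows\System32\LogFiles.

```powershell
# Added example (not from the post): summarise Access-Reject packets from NPS
# IAS-format text logs. Sample records below are constructed.
$sampleLog = @'
10.20.30.5,CORP\alice,09/26/2014,10:15:02,IAS,NPS01,4136,1,4128,WLC-01
10.20.30.5,CORP\alice,09/26/2014,10:15:02,IAS,NPS01,4136,2,4142,0,4128,WLC-01
10.20.30.5,CORP\bob,09/26/2014,10:15:40,IAS,NPS01,4136,1,4128,WLC-01
10.20.30.5,CORP\bob,09/26/2014,10:15:40,IAS,NPS01,4136,3,4142,16,4128,WLC-01
10.20.30.5,CORP\bob,09/26/2014,10:15:41,IAS,NPS01,4136,3,4142,16,4128,WLC-01
10.20.30.5,CORP\bob,09/26/2014,10:15:43,IAS,NPS01,4136,3,4142,16,4128,WLC-01
10.20.30.7,CORP\carol,09/26/2014,10:16:10,IAS,NPS01,4136,3,4142,16,4128,VPN-01
'@

function ConvertFrom-IasLogLine {
    # IAS format: NAS-IP-Address, User-Name, Record-Date, Record-Time, Service-Name,
    # Computer-Name, then (attribute-id, value) pairs.
    param([Parameter(Mandatory = $true)][string]$Line)
    $f = $Line -split ','
    # Shorter than the fixed header, or an unpaired attribute: malformed, skip it.
    if ($f.Count -lt 6 -or (($f.Count - 6) % 2) -ne 0) { return $null }
    $attrs = @{}
    for ($i = 6; $i -lt $f.Count; $i += 2) { $attrs[$f[$i]] = $f[$i + 1] }
    # 4136 Packet-Type: 1 Access-Request, 2 Access-Accept, 3 Access-Reject, 4 Accounting-Request
    $packetType = 0
    if ($attrs.ContainsKey('4136')) { $packetType = [int]$attrs['4136'] }
    $reason = $null
    if ($attrs.ContainsKey('4142')) { $reason = [int]$attrs['4142'] }
    [pscustomobject]@{
        NasIp      = $f[0]
        User       = $f[1]
        Timestamp  = "$($f[2]) $($f[3])"
        Computer   = $f[5]
        PacketType = $packetType
        ReasonCode = $reason
        ClientName = $attrs['4128']
    }
}

function Get-RadiusRejectSummary {
    param([string[]]$Lines, [int]$Threshold = 3)
    $rejects = $Lines |
        Where-Object { $_ -and $_.Trim() } |
        ForEach-Object { ConvertFrom-IasLogLine -Line $_ } |
        Where-Object { $_ -and $_.PacketType -eq 3 }
    $rejects | Group-Object -Property User, NasIp | ForEach-Object {
        $codes = @($_.Group | ForEach-Object { $_.ReasonCode }) | Sort-Object -Unique
        [pscustomobject]@{
            User        = $_.Group[0].User
            NasIp       = $_.Group[0].NasIp
            ClientName  = $_.Group[0].ClientName
            Rejects     = $_.Count
            ReasonCodes = $codes -join ','
            FirstSeen   = $_.Group[0].Timestamp
            LastSeen    = $_.Group[-1].Timestamp
            Flag        = ($_.Count -ge $Threshold)   # repeated rejects for one account from one NAS
        }
    }
}

Get-RadiusRejectSummary -Lines ($sampleLog -split "`r?`n") | Format-Table -AutoSize
# Against real logs (default location, IAS-format files start with "IN"):
# Get-RadiusRejectSummary -Lines (Get-Content 'C:\Windows\System32\LogFiles\IN*.log')
```

With the sample data only CORP\bob from 10.20.30.5 crosses the threshold of three rejects; alice's accept and carol's single reject are listed but not flagged. The "discard connection requests on logging failure" option above is the fail-closed counterpart of this: without it, an attacker who can fill the log disk also switches off the evidence.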

4.1.5 configure certificates
http://technet.microsoft.com/en-us/library/cc772401%28v=ws.10%29.aspx

Certificates can be used for authentication.
Certificates are required when using smart card logon, PEAP-MS-CHAPv2, PEAP-TLS and EAP-TLS.
Both client and server should have the appropriate CA certificate so that they trust each other's certificates.
Clients may need a Workstation Authentication certificate and servers the RAS and IAS Server certificate. Both templates need to be enabled on the CA if using auto-enrollment.
Smart card users may need a smart card user certificate.
Certificates can be requested from a CA or auto-enrolled via Group Policy.
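A check that the NPS server actually holds a certificate PEAP and EAP-TLS can use, as an added example (not from the original post). It inspects the machine personal store for a certificate with the Server Authentication EKU, a private key and enough remaining lifetime, and reports which template issued it. The EKU and template extension OIDs are the standard ones; the template column assumes the machine can resolve the template OID to its display name (it does on a domain member), otherwise it shows the raw OID.

```powershell
# Added example (not from the post): find a usable EAP server certificate in the
# local machine store and warn when none from the expected template is present.
$serverAuthEku = '1.3.6.1.5.5.7.3.1'                               # id-kp-serverAuth
$templateOids  = '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7'    # v1 template name, v2 template information

function Get-EapServerCertificate {
    param([string]$ExpectedTemplate = 'RAS and IAS Server', [int]$MinDaysLeft = 30)
    Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
        $cert = $_
        $templateExt = $cert.Extensions |
            Where-Object { $templateOids -contains $_.Oid.Value } |
            Select-Object -First 1
        $templateText = ''
        if ($templateExt) { $templateText = $templateExt.Format($false) }
        $hasServerAuth = [bool]($cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $serverAuthEku })
        $notExpiring   = $cert.NotAfter -gt (Get-Date).AddDays($MinDaysLeft)
        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
            ServerAuthEku = $hasServerAuth
            Template      = $templateText
            FromExpected  = ($templateText -like "*$ExpectedTemplate*")
            Usable        = ($cert.HasPrivateKey -and $hasServerAuth -and $notExpiring)
        }
    }
}

$candidates = @(Get-EapServerCertificate)
$candidates |
    Sort-Object Usable, NotAfter -Descending |
    Format-Table Subject, NotAfter, HasPrivateKey, ServerAuthEku, FromExpected, Usable -AutoSize

if (-not ($candidates | Where-Object { $_.Usable -and $_.FromExpected })) {
    Write-Warning 'No valid "RAS and IAS Server" certificate with a private key found; PEAP and EAP-TLS will fail, or clients that validate the server certificate will refuse to connect.'
}
```

The thirty-day margin is there because NPS keeps serving an expiring certificate right up to the end; clients configured to validate the server certificate then start failing all at once, which looks like an outage rather than a certificate problem.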

Thursday, September 25, 2014

3. Configure network services and access 3.4 Configure DirectAccess

DirectAccess uses IPv6 and IPsec to create connections from clients directly into the company's network through a DirectAccess server, crossing IPv4 networks with the IPv6 transition technologies 6to4, Teredo and IP-HTTPS.

http://technet.microsoft.com/en-us/library/dn636118.aspx

3.4.1 Implement server requirements
Server must be a member of an AD domain
Server must be running 2008R2, 2012 or 2012R2
If the server is published through MF-TMG or MF-UAG, a single NIC is needed. If it is connected directly to the Internet, it requires two NICs.
Two public IP addresses unless using NAT with IP over HTTPS (IP-HTTPS)
2012 can use NLB with up to eight nodes
2012 introduces a single IPsec tunnel model, but it does not support certain other capabilities; these can be restored by configuring the dual IPsec tunnel model of 2008R2 (one infrastructure tunnel, one intranet tunnel)
2008R2 functional level
ISATAP requires a DNS server that supports DNS messages over ISATAP
ISATAP name removed from the DNS global query block list
IPsec policies
Teredo requires ICMPv6 to be allowed

Server setup:
Install the RemoteAccess Windows feature on the DirectAccess server
Run the Remote Access Management tool from Server Manager (ramgmtui.exe)
Run the "Getting Started Wizard"
Deploy "DirectAccess and VPN" or "DirectAccess only"
Choose your network topology - edge server, behind an edge device (with two network adapters), behind an edge device (with a single network adapter)
Enter the IP address used to reach this server (the public IP if it is the edge)

Click Edit for the other settings. These can also be configured after the wizard using the four-step component configuration.
GPO names
- lets you select specific GPOs for clients and servers. These will be created in the domain.

Remote Clients - Step 1 Client configuration
- You can uncheck "Enable DirectAccess for mobile computers only", which uses a WMI filter to detect mobile computers in the listed groups. Then you can specify the security groups that contain the DA clients.
- Network Connectivity Assistant contains settings used on the client for connectivity information, diagnostics and support.

Remote Access Server - Step 2 Server configuration
- network settings for the DA server

Infrastructure setup - Step 3 Infrastructure configuration (NLS, DNS, DNS suffixes for clients, management servers)
- the NLS (Network Location Server) is an internal HTTPS server; if the DA client can reach it over HTTPS, the client assumes it is on the intranet and disables DA.
- used to set up the DNS suffixes that are resolved internally. Other suffixes use the client's local DNS server if the configuration allows it.

Step 4 - Application configuration
- require end-to-end authentication and encryption to specific application servers

Check that the Operations Status of the DA server shows "Working".

Extra note: 2012 introduced DNS64 and NAT64 for backwards compatibility, allowing DA clients to reach internal corporate resources that only have IPv4. 2008R2 requires MF-UAG for this functionality.

3.4.2 implement client configuration
Clients must be Windows 7 Enterprise or Ultimate, Windows 8 Enterprise, 2008R2, 2012 or 2012R2
Client must be joined to the domain

Windows 7 and 2008R2 use the DirectAccess Connectivity Assistant (DCA)
Windows 8 and 2012 use the Network Connectivity Assistant (NCA)

Domain clients are configured automatically according to the assigned GPO. As noted before, the WMI filter for mobile computers can be enforced in addition to specific security groups.

3.4.3 configure DNS for DirectAccess
DirectAccess requires two external DNS A records - one for the DirectAccess server, the second for the Certificate Revocation List (CRL). Internal DNS needs records for the NLS server and the CRL.

DNS is set up in Infrastructure Configuration (Step 3).
- Set the suffixes that are resolved via DA.
- Configure the behaviour of DNS resolution for a DA client while connected:
   - Use local name resolution if the name does not exist in DNS
   - Use local name resolution if the name does not exist in DNS or the DNS servers are unreachable
   - Use local name resolution for any kind of DNS resolution error
- Configure an additional DA client DNS suffix search list

To determine the client's DNS "location" (inside or outside the corporate network) use
netsh dnsclient show state

Effective NRPT settings:
netsh dnsclient show effectivepolicy

The Name Resolution Policy Table (NRPT) determines how the DNS client handles queries for each namespace: which DNS server answers it, whether it goes through DirectAccess, and any DNSSEC requirements.
To view the NRPT settings on the client as defined via Group Policy:
netsh namespace show policy
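The same checks from PowerShell on a Windows 8 / 2012 DirectAccess client, as an added example (not from the original post): it reads the DA connection state and the effective NRPT and verifies the two rules that matter most, that the internal suffix is routed to the DirectAccess DNS server and that the NLS name is exempted. The suffix .corp.example and the NLS name nls.corp.example are constructed; Get-DAConnectionStatus and Get-DnsClientNrptPolicy are the built-in cmdlets, and the property names used (Status, Substatus, Namespace, DirectAccessDnsServers) are an assumption to confirm against Get-Member on your client.

```powershell
# Added example (not from the post): verify DA DNS behaviour on a client.
$corpSuffix = '.corp.example'     # constructed internal DNS suffix (NRPT namespaces carry the leading dot)
$nlsName    = 'nls.corp.example'  # constructed NLS FQDN

$status = Get-DAConnectionStatus
"DirectAccess status: $($status.Status) / $($status.Substatus)"

# The effective NRPT is what applies right now. It is empty while the client
# believes it is on the intranet, because the DA rules are only active off-site.
$nrpt = @(Get-DnsClientNrptPolicy -Effective)
if ($nrpt.Count -eq 0) {
    'No effective NRPT rules: the client is either on the intranet or has not received the DA client GPO.'
}
foreach ($rule in $nrpt) {
    '{0,-28} DA DNS servers: {1}' -f $rule.Namespace, ($rule.DirectAccessDnsServers -join ', ')
}

# Internal names must be sent to the DA DNS64 address, not the local ISP resolver.
$corpRule = $nrpt | Where-Object { $_.Namespace -eq $corpSuffix }
if (-not $corpRule -or -not $corpRule.DirectAccessDnsServers) {
    Write-Warning "No NRPT rule sends $corpSuffix to the DirectAccess DNS server; internal names will resolve through the local network's resolver."
}

# The NLS name must be an exemption (rule present, no DA DNS servers). If the NLS were
# reachable through the tunnel, the client would conclude it is on the intranet and
# drop DirectAccess as soon as it connected.
$nlsRule = $nrpt | Where-Object { $_.Namespace -eq $nlsName }
if ($nlsRule -and -not $nlsRule.DirectAccessDnsServers) {
    "NLS $nlsName is exempted from DirectAccess name resolution (expected)."
} else {
    Write-Warning "No NRPT exemption for $nlsName; check the Infrastructure (Step 3) NLS settings."
}
```

Run it from the client while it is outside the corporate network; the Status value should read as connected remotely and the NLS rule should appear with an empty DA DNS server list.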


ISATAP note: when using ISATAP you must remove isatap from the DNS server's global query block list. The dnscmd command replaces the whole list rather than removing one entry, so list the names that should stay blocked (by default only wpad):
dnscmd /config /globalqueryblocklist wpad
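Doing the same with the DnsServer module on a 2012 DNS server, as an added example (not from the original post). Set-DnsServerGlobalQueryBlockList, like dnscmd, overwrites the whole list, so the script reads the current entries and writes back everything except isatap. Nothing here is assumed beyond the DnsServer module being present on the DNS server.

```powershell
# Added example (not from the post): drop isatap from the global query block list
# while keeping every other blocked name (normally wpad) in place.
Import-Module DnsServer

$current = @((Get-DnsServerGlobalQueryBlockList).List)
"Current block list: $($current -join ', ')"

$keep = @($current | Where-Object { $_ -ne 'isatap' })
if ($keep.Count -eq $current.Count) {
    'isatap is not on the block list; nothing to change.'
} else {
    if ($keep.Count -eq 0) {
        # Only isatap was blocked; the list will be empty afterwards, which also
        # removes the default protection against rogue WPAD registrations.
        Write-Warning 'isatap was the only entry; the block list will be empty.'
    }
    Set-DnsServerGlobalQueryBlockList -List $keep
    "New block list: $(((Get-DnsServerGlobalQueryBlockList).List) -join ', ')"
}
```

Repeat on every DNS server that hosts the zone clients use; the block list is a per-server setting, not part of the zone data.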

3.4.4 configure certificates for DirectAccess
2012 and 2012R2 no longer require a PKI certificate deployment.
This is done by implementing an HTTPS-based Kerberos proxy. Client authentication requests are sent to a Kerberos proxy service running on the DirectAccess server. The Kerberos proxy then sends Kerberos requests to domain controllers on behalf of the client.

The DA server can have a server authentication certificate installed, which can be from a public CA. Otherwise it will configure its own IP-HTTPS and KDC proxy certificates as self-signed. This is done during the setup wizard.