Friday, October 24, 2014

4. Configure a Network Policy Server (NPS) Infrastructure 4.3 Configure Network Access Protection (NAP)


NAP components
Client side: a NAP-supported version of Windows (XP SP3 and later), as well as 3rd-party NAP clients for Mac and Linux
NAP enforcement points: 802.1X device, DHCP server enforcement, HRA, RAS
NAP Health Policy Server - NPS server with health policies
System Health Agents (SHA) - monitor the health of the NAP client
Statement of Health (SoH) - produced by an SHA and sent to the NAP agent
NAP agent - maintains the health of the NAP client computer and communicates with the NAP enforcement point and the SHAs
Health Registration Authority (HRA) - server that obtains health certificates for compliant computers
Health requirements server - such as AV, WSUS, etc.; provides the current required health state to the NPS server
Remediation server - can update non-compliant computers

NAP connection process
NAP client connects to the NAP network - each SHA validates its part of system health and generates an SoH
NAP client combines the multiple SoHs into a System Statement of Health (SSoH) and sends it to the NAP health policy server defined on the enforcement point
NAP health policy server uses the SHVs and health policies to determine client compliance
NAP health policy server combines the multiple SoH responses from the SHVs into an SSoHR and sends it back to the client
If compliant, the enforcement point allows the connection. Noncompliant clients may be connected to a remediation network
If the health status changes, the process repeats.

Note: NAP requires a Health Registration Authority (NPAS-Health) server, configured with Tools/Health Registration Authority in Server Manager.

4.3.1 Configure System Health Validators (SHVs)
NPS - NAP - System Health Validators - Windows Security Health Validator
Settings:
Windows 8/7/Vista: firewall enabled, AV on and up to date, antispyware on and up to date, Automatic Updates enabled, restrict access for clients that do not have all security updates installed based on a minimum severity, minimum number of hours since updates were last checked, force WU and/or WSUS usage.
XP has the same settings except antispyware.

Error Codes:
Select how SHV reacts to certain error scenarios - compliant or noncompliant
SHV unable to contact required services
SHA unable to contact required services
SHA not responding to NAP client
SHV not responding
Vendor specific error code

4.3.2 configure health policies
Since health policies can be configured as network policy conditions, they can be created either for compliance or non-compliance

Select an existing template
Policy Name
Client SHV Checks:
Client passes all SHV checks
Client fails all SHV checks
Client passes one or more SHV checks
Client fails one or more SHV checks
Client reported as transitional by one or more SHAs
Client reported as infected by one or more SHAs
Client reported as unknown by one or more SHAs

Check which SHVs are considered in this health policy. Default is Windows Security Health Validator.

Extra Note: I had trouble with getting the WSHV to work with a configuration other than using the Default Configuration. Also, it doesn't seem like you can use 2008 or 2012 as a client because of the lack of Security/Action Center.

4.3.3 configure NAP enforcement using DHCP and VPN
DHCP configuration:
If the DHCP server is remote, you must install NPS and configure it to radius proxy to the target NPS server and add the DHCP server as a radius client.
NAP must be enabled on the DHCP server, either for all scopes or for individual scopes.
You then must create Connection/Network/and Health policies using DHCP as source "network access server".
NAP agent must be running and DHCP enforcement client must be enabled on the clients that will be enforced. See 4.3.5

VPN configuration:
Similar to the DHCP config, except you must configure the VPN/RRAS server to use RADIUS.
NAP agent must be running and EAP enforcement should be configured on the client for Windows 7+. For XP/Vista you should use the Remote Access enforcement. Security Center/Action Center should be running on the client.
PEAP must be used, which will require setting up certificates (I recommend setting up autoenrollment using Workstation Authentication for clients and RAS and IAS Server for servers. The NPS server must also have a certificate). This will require configuring the client VPN connection to use PEAP and enabling "Network Access Protection" on it. Also, on the NPS server you must use the Connection Request Policy to override the network policy's Authentication Methods. The PEAP type must be configured with "Network Access Protection" enabled.

4.3.4 configure isolation and remediation of non-compliant computers using DHCP and VPN

Isolation is configured in your noncompliant network policies under the Settings tab/NAP Enforcement. Here you can set "Allow Limited Access" in combination with a Remediation Server Group and/or a troubleshooting URL. The remediation group should contain the system resources that need to be reachable to update components, including any dependent DHCP/DNS/etc. servers.

4.3.5 configure NAP client settings
Enforcement clients can be configured with the napclcfg.msc tool or by using GP or netsh:



netsh commands used to troubleshoot:
Determine the local policy configuration of NAP on the client:
netsh nap client show config
Determine the group policy configuration of NAP on the client (overrides local policy config):
netsh nap client show group
Show the state of the client:
netsh nap client show state
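The client-side steps from 4.3.3 and 4.3.5 (NAP agent service running, the right enforcement client enabled, then the three show commands) as one script. This is an added example, not code from the original post; the enforcement client IDs are the ones netsh uses, and the default of DHCP is an assumption for this page's DHCP enforcement scenario.

```powershell
# Added example (not from the original post). Enables the NAP agent and one
# enforcement client on a Windows 7/8 client, then dumps config/group/state.
# Enforcement client IDs as used by "netsh nap client":
#   79617 = DHCP, 79618 = Remote Access, 79619 = IPsec, 79621 = RD Gateway, 79623 = EAP
param(
    [ValidateSet('DHCP', 'RemoteAccess', 'IPsec', 'RDGateway', 'EAP')]
    [string]$Enforcement = 'DHCP'   # assumption: DHCP enforcement is wanted
)
$ids = @{ DHCP = 79617; RemoteAccess = 79618; IPsec = 79619; RDGateway = 79621; EAP = 79623 }
$id  = $ids[$Enforcement]

# 1. The Network Access Protection Agent service is Manual by default and must run
#    for any enforcement client to work.
Set-Service -Name napagent -StartupType Automatic
Start-Service -Name napagent

# 2. Enable the chosen enforcement client in local policy.
#    If the same setting is delivered by Group Policy, GP wins (see "show group").
netsh nap client set enforcement ID=$id ADMIN=ENABLE

# 3. Verify: local config, GP config (overrides local), and the live NAP state
#    (the "show state" output is where you see whether the client is compliant
#    and which enforcement clients are actually initialized).
netsh nap client show config
netsh nap client show group
netsh nap client show state
```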

Friday, September 26, 2014

4. Configure a Network Policy Server (NPS) Infrastructure 4.2 Configure NPS policies

4.2.1 Configure connection request policies

When NPS receives an Access-Request message, the connection request policies are evaluated.

Overview - Enable policy, choose the access server type or a vendor-specific type.

Conditions -
to match for this policy to be processed
HCAP Location Groups
User Name
Access Server IPV4 address - (on behalf of client)
Access Server IPv6 address
Framing Protocol
Service Type - VPN, 802.1x, other
Tunnel Type - GRE, ESP, L2TP, PPTP, SSTP, 802.1X VLAN, other
Day and Time Restrictions
Identity Type - NAP Machine Health check identity.
Calling Station ID
Client Friendly Name
Client IPv4 address
Client IPv6 address
Client Vendor Name
Called Station ID (of the NAS)
NAS id
NAS ipv4
NAS ipv6
NAS port type - VPN, Ethernet, 802.11 wireless, Other

Settings -
Authentication Methods - can be used to override the network policy authentication settings.
Includes EAP types Smart Card, PEAP, EAP-MSCHAP v2 as well as MS-CHAPv2, MS-CHAP, CHAP, PAP/SPAP, and unauthenticated connections.
Authentication - determines whether requests are authenticated locally, forwarded to a remote RADIUS server group, or accepted without validating credentials.
Accounting - determines whether accounting requests are forwarded to a RADIUS server group
Attribute - manipulate attributes: Called-Station-ID, Calling-Station-ID, User-Name
Standard - add additional standard attributes that are sent to clients
Vendor Specific - add additional vendor-specific attributes

4.2.2 configure network policies for VPN clients (multilink and bandwidth allocation, IP filters, encryption, IP addressing)

Overview
Policy name
Enabled
Grant or Deny access.
"Ignore user account dial-in properties"
Access server type or vendor specific

Conditions for processing this policy
Windows Groups
Machine Groups
User Groups
HCAP Location Groups
HCAP User Groups
Day and Time Restrictions
Identity Type - NAP Machine Health check identity.
MS-Service Class - Must use a defined DHCP scope
Health Policies - meets a health policy criteria
NAP-Capable Computers
Operating System - OS version, SP, OS role, Architecture, OS Build
Policy Expiration
Access Client IPv4
Access Client IPv6
Authentication Type- Includes CHAP, EAP, Ext, MS-Chap v1/CPW, v2/CPW, PAP, PEAP, unauthenticated.
Allowed EAP types - Smart Card, PEAP-Smart card, PEAP-MSCHAP-V2, EAP-MSCHAP-v2
Framed Protocol
Service Type - VPN, 802.1x, other
Tunnel Type - GRE, ESP, L2TP, PPTP, SSTP, 802.1X VLAN, other
Calling Station ID
Client Friendly Name
Client IPv4 address
Client IPv6 address
Client Vendor name
MS-RAS Vendor -
Called Station ID
NAS ID
NAS Ipv4
NAS IPv6
NAS port type - VPN, Ethernet, 802.11 wireless, Other

Constraints - If these aren't matched, connection is denied.
Authentication Methods - unless overridden by Connection Policy
Includes EAP types Smart Card, PEAP, EAP-MSCHAP v2 as well as MS-CHAPv2, MS-CHAP, CHAP, PAP/SPAP, and unauthenticated connections.
Idle Timeout
Session Timeout
Called Station ID
Day and time restrictions
NAS Port Type

Settings - Settings applied if Condition and Constraints match
Standard - add additional standard attributes that are sent to clients
Vendor Specific - add additional vendor-specific attributes
NAP Enforcement - full network access, full network access for a limited time, limited access (with a Remediation Server Group). Enable auto-remediation for computers that do not meet health requirements.
Extended State - Transitional, Infected, Unknown
Multilink and BAP - how to handle multilink connections. BAP usage settings drop links in the multilink bundle if they are used less than a given percentage over a period of time (default 50% over 2 minutes). Require BAP for dynamic multilink.
IP filters
Encryption - Basic (MPPE 40-bit, 56-bit DES), MPPE 56-bit (56-bit DES), MPPE 128-bit (168-bit DES), No Encryption
IP Settings - server must supply an IP, client may request an IP, server settings determine IP assignment, assign a static IP.

4.2.3 import and export NPS policies
netsh nps export filename="c:\nps.xml" exportPSK=yes
export-npsconfiguration -path c:\nps.xml
netsh nps import filename="c:\nps.xml"
import-npsconfiguration -path c:\nps.xml
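The export/import pair above, carried through as a migration from one NPS server to another. This is an added example, not from the original post; the target server name is a placeholder and it assumes WinRM is enabled on the target. The export XML holds RADIUS client and remote RADIUS server shared secrets in clear text (the same thing exportPSK=yes gives you with netsh), and importing replaces the target server's existing NPS configuration.

```powershell
# Added example (not from the original post). Run on the source NPS server.
$target = 'nps2.corp.example'                      # assumption: target NPS server
$local  = Join-Path $env:TEMP 'nps-config.xml'

# Export the complete configuration (policies, clients, remote server groups,
# templates). Shared secrets are written unencrypted, so the file stays local
# and is deleted below.
Export-NpsConfiguration -Path $local
$bytes = [System.IO.File]::ReadAllBytes($local)

# Move the bytes over the WinRM session (encrypted in transit) instead of
# copying the XML to an admin share, then import on the target and clean up.
Invoke-Command -ComputerName $target -ArgumentList (,$bytes) -ScriptBlock {
    param([byte[]]$content)
    $remote = Join-Path $env:TEMP 'nps-config.xml'
    [System.IO.File]::WriteAllBytes($remote, $content)
    try {
        # Overwrites the existing NPS configuration on this server.
        Import-NpsConfiguration -Path $remote
    }
    finally {
        Remove-Item -Path $remote -Force
    }
}

Remove-Item -Path $local -Force
```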

4. Configure a Network Policy Server (NPS) Infrastructure 4.1 Configure Network Policy Server

RADIUS is used for authentication, authorization, and accounting.

 Install NPS:
Server Manager -> Add Roles and Features
Server role - Network policy and access services

install-windowsfeature npas-policy-server -includemanagementtools

3.4.1 Configure a RADIUS Server, including Radius proxy
Server Manager - Tools - Network Policy Server (nps.msc)




You can use one of the standard configuration wizards that will create clients, connection request policies, network policies, and health policies as needed: Network Access Protection, Radius server for dialup/VPN connections, Radius server for 802.1x wireless or wired connections.
You can also use the advanced configuration options.
Finally, you can just manually configure the server using the appropriate menu items. Menu breakdown:

Radius Clients and Servers -
Radius clients
Remote Radius Server groups (proxy setup)

Policies
Connection Request Policies - used to determine whether requests are handled locally or forwarded to a RADIUS server group, as well as some other connection-related settings.
Network policies - Network authorization policies, such as auth methods, idle/session timeouts, usage restrictions, IP filters, encryption
Health Policies - Used with NAP System Health Validations to define requirements for clients to connect

NAP
System Health Validators - SHV - settings such as AV and firewall status required for clients
Remediation Server Groups - used to provide updates and services for noncompliant clients

Accounting - Auditing using SQL server or text files

Template Management - save or create configurations to reuse locally or import to other NPS servers

Proxy setup:

http://technet.microsoft.com/en-us/library/dd197525%28v=ws.10%29.aspx

Although clients can be configured with a primary and alternate radius server, a radius proxy server can be used to forward messages to radius servers. A connection policy is configured to forward authentication to a radius server group on the Settings/Authentication menu item of the policy.

A proxy is setup by clicking on "Radius Clients and Servers", "Remote RADIUS Server Group", and creating a new group for a connection policy to use.

Add a RADIUS server
Select an existing template or None
Enter the IP, server name, or FQDN of the RADIUS server. Click Verify and resolve the name to choose the correct IP if DNS returns multiple addresses.
Authentication/Accounting
Choose the authentication port (default 1812)
Choose an existing shared secrets template or none
Enter a shared secret for authentication with the RADIUS server
If not using EAP, check "Request must contain the Message-Authenticator attribute" for extra security.
Accounting -
Choose the accounting port (default 1813)
Use the same shared secret for accounting as for authentication, or manually configure a template and secret as above
Forward network access server start and stop notifications

Load Balancing - the server with the lowest priority value is preferred; when priorities are equal, weight controls how often requests are sent to this server.

Advanced settings
Number of seconds without a response before a request is dropped.
Maximum number of dropped requests before the server is considered unavailable.
Number of seconds between requests once a server is identified as unavailable.

3.4.2 configure RADIUS clients
Clients are configured on the "Radius Clients and Servers", "Radius Clients" menu item. These can be manually created or as part of the standard/advanced configuration tools.

Properties -
Settings
Enable this Radius client
Select an existing template
Friendly Name
Address (IP or DNS)
Shared Secret Template
Enter a shared secret manually or use the Generate tool to create a random one.

Advanced - select the vendor type from the vendor name list, or use RADIUS Standard
Access-Request messages must contain the Message-Authenticator attribute - for non-EAP
RADIUS client is NAP-capable - for NAP usage.
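The same RADIUS client creation from PowerShell, with the secret generated locally instead of by the GUI's Generate button. This is an added example, not from the original post; the client name and address are placeholders, and the NPS module cmdlets used (New-NpsRadiusClient, Get-NpsRadiusClient) are the ones shipped with Windows Server 2012. Message-Authenticator is required because the client here is assumed to use non-EAP authentication, where it is the only thing that lets NPS verify the request came from a holder of the secret.

```powershell
# Added example (not from the original post). Creates one RADIUS client on NPS
# with a randomly generated shared secret and Message-Authenticator required.

function New-RadiusSharedSecret {
    param([int]$Length = 32)
    # Alphanumerics plus symbols that most NAS devices accept in a secret.
    $alphabet = [char[]]('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#%&*+-=?@^_~')
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf   = New-Object byte[] 1
    $out   = New-Object System.Text.StringBuilder
    # Rejection sampling: discard bytes above the largest multiple of the
    # alphabet size so every character is equally likely (no modulo bias).
    $limit = 256 - (256 % $alphabet.Length)
    while ($out.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) {
            [void]$out.Append($alphabet[$buf[0] % $alphabet.Length])
        }
    }
    $out.ToString()
}

$clientName = 'switch01'     # assumption: friendly name of the NAS
$clientAddr = '10.0.0.5'     # assumption: NAS management address
$secret     = New-RadiusSharedSecret -Length 32

# -AuthAttributeRequired = "Access-Request messages must contain the
#   Message-Authenticator attribute" (needed for non-EAP clients)
# -NapCompatible         = "RADIUS client is NAP-capable"
New-NpsRadiusClient -Name $clientName -Address $clientAddr -SharedSecret $secret `
    -AuthAttributeRequired $true -NapCompatible $false `
    -VendorName 'RADIUS Standard' -Enable $true

# The secret has to be entered on the switch out of band; show it once here.
"Shared secret for $clientName (enter on the device, then discard): $secret"

# Confirm what NPS stored for this client.
Get-NpsRadiusClient -Name $clientName
```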

3.4.3 configure NPS templates
Templates are reusable configuration items that can be exported and imported into other NPS servers, which simplifies configuring multiple NPS servers consistently.
Templates -
Shared Secrets
Radius Clients
Remote Radius Servers
IP filters - Ipv4 and Ipv6 input and output
Health Policies
Remediation Server Groups

Templates are exported or imported by right-clicking Template Management and selecting Import Templates from a Computer (another NPS server), Import Templates from a File, or Export Templates to a File.

3.4.4 configure RADIUS accounting
The RADIUS client (the NAS) sends an Accounting-Start message to the RADIUS accounting server, which sends an acknowledgement back to the client. The client sends an Accounting-Stop message when the service has ended.

Accounting is configured on the Accounting menu by using the "Configure Accounting" wizard.
Logging options:
Log to a SQL server, Log to a text file, Log to SQL and text, Log to SQL and use text as failover.

SQL server logging:
Configure a SQL server to log to
Choose what to log: Accounting, Authentication, Periodic accounting status, Periodic authentication status
Logging failure action: If logging is failing, you can choose to discard connections.

Text logging:
Choose what to log: Accounting, Authentication, Periodic accounting status, Periodic authentication status
Choose the location where the log files are stored
Logging failure action: if logging is failing, you can choose to discard connection requests.

3.4.5 configure certificates
http://technet.microsoft.com/en-us/library/cc772401%28v=ws.10%29.aspx

Certificates can be used for authentication.
Certificates are required when using smart card logons, PEAP-MS-CHAPv2, PEAP-TLS, or EAP-TLS.
Both client and server should have the appropriate CA certificate.
Clients may need a Workstation Authentication certificate and servers the RAS and IAS Server certificate. Both templates need to be enabled on the CA if using auto-enrollment.
Smart card logon may need a smart card user certificate.
Certificates can be issued manually by a CA or auto-enrolled via GP.

Thursday, September 25, 2014

3. Configure network services and access 3.4 Configure DirectAccess

DirectAccess uses IPv6 and IPsec to create direct connections to a company's network via a DirectAccess server. The IPv6 transition technologies used are 6to4, Teredo, and IP-HTTPS.


http://technet.microsoft.com/en-us/library/dn636118.aspx


3.4.1 Implement server requirements
Server must be a part of an AD domain
Server must be running 2008R2, 2012, 2012R2
If the server is published through MF-TMG or MF-UAG, a single NIC is needed. If it is connected directly to the internet, it requires two NICs.
Two Public IP addresses unless using NAT via IP over HTTPS
2012 can use NLB up to eight nodes
2012 introduces single IPSEC tunnel but it does not support certain other capabilities, which can be restored by configuring the dual IPSEC tunnel model of 2008R2 (1 Infrastructure, 1 Intranet)
2008R2 functional level
ISATAP requires dns server supporting DNS messaging over ISATAP.
ISATAP name removed from DNS global query block list
Ipsec policies
Teredo requires ICMPv6 functionality

Server setup:
Install the remoteaccess windowsfeature on the DirectAccess server
Run Remote Access Management tool from Server Manager. (ramgmtui.exe)
Run "Getting Started Wizard"
Deploy "Directaccess and VPN" or "Directaccess"
Choose your network topology - edge server, behind a two-NIC edge device, or behind a single-adapter edge device
Enter IP address to be used to reach this server. (Public IP if edge)

Click edit for other settings. Some of these can be configured after the wizard using the four step component configuration. 
GPO names
-lets you select specific GPOs for Client and Server. These will be created in the domain.

Remote Clients - Step 1 Client configuration
-You can uncheck the "Enable directaccess for mobile computers only", which uses the WMI filter to detect mobile computers in the listed groups. Then you can specify specific groups that will contain DA_Clients.
-Network Connectivity Assistant contains settings used on the client for connectivity info, diagnostics, and support.

Remote Access Server - Step 2 Server Configuration
-network settings for the DA server

Infrastructure setup  - Step 3 Infrastructure configuration (NLS, DNS, DNS suffix for clients, Management servers)
-an NLS server is an internal server that, if the DA client can HTTPS to it, it assumes it is on the intranet and disables DA.
-used to setup DNS suffixes that will be used for internal resolution. Other suffixes will use client's DNS server if configuration allows to do so.

Step 4 - Application configuration
require end-to-end authentication and encryption to specific application servers

Check that the Operations Status of the DA server shows "Working".
 
Extra Note: 2012 introduced DNS64 and NAT64 for backwards compatibility, allowing access to internal corporate resources via IPv4. 2008R2 requires MF-UAG for this functionality.

3.4.2 implement client configuration
Clients must be Windows 7 Enterprise or Ultimate, Windows 8 Enterprise, 2008 R2, 2012, or 2012 R2
Client must be joined to the domain

Windows 7 and 2008 R2 use the DirectAccess Connectivity Assistant (DCA)
Windows 8 and 2012 use the Network Connectivity Assistant (NCA)

Domain clients are auto-configured according to the GPO assigned. As noted before, WMI filter for mobile computers can be enforced in addition to specific security groups.

3.4.3 configure DNS for Direct Access
DirectAccess requires two external DNS A records: one for the DirectAccess server, the second for the Certificate Revocation List. Internal DNS requires records for the NLS server and the CRL.

DNS is set up in Infrastructure Configuration (Step 3):
-Set the suffixes that are used for name resolution via DA.
-Configure the behaviour of DNS resolution for a DA client while connected:
   - Use local name resolution if the name does not exist
   - Use local name resolution if the name does not exist or the DNS servers are unreachable
   - Use local name resolution on any DNS resolution error
-Configure an additional DA client suffix search list

To determine the client's DNS "location" use
netsh dnsclient show state

Effective NRPT settings:
netsh dnsclient show effectivepolicy

Name Resolution Policy Table (NRPT) is used to determine behavior of the DNS clients when issuing queries.
To view the NRPT settings on the client as defined via GP:
netsh namespace show policy


ISATAP note: When using ISATAP you must remove ISATAP from the global query block list. The command replaces the entire list with the names you give it, so list the names that should stay blocked (wpad by default) and leave isatap out; running it with only "isatap" would keep ISATAP blocked and unblock wpad instead:
dnscmd /config /globalqueryblocklist wpad

3.4.4 configure certificates for Direct Access
2012 and 2012 R2 no longer require a PKI certificate setup.
This is done by implementing an HTTPS-based Kerberos proxy: client authentication requests are sent to a Kerberos proxy service running on the DirectAccess server, which then sends Kerberos requests to domain controllers on behalf of the client.

The DA server can have a server authentication certificate installed, which can come from a public CA. Otherwise it configures its own self-signed IP-HTTPS and KDC proxy certificates during the setup wizard.

Wednesday, August 13, 2014

3. Configure network services and access 3.3 Configure VPN and routing

3.3.1 Install and configure the Remote Access role
Installing the Remote Access role provides multiple Routing and Remote Access (RRAS) options:
VPN: Virtual Private Network - client to server and site to site.
DRAS: Dial-up Remote Access Server
NAT: Network Address Translation
Basic router functionality
Web Application Proxy (R2)

Install from Add Roles and Features Wizard:
Add server role: Remote Access(RemoteAccess)
Under role services you can specify any of the sub-feature options:
DirectAccess/VPN(DirectAccess-VPN)
Routing(Routing)
Web Application Proxy(Web-Application-Proxy)

Installing Routing will also install DirectAccess-VPN. Installing DirectAccess-VPN does not install Routing.

In addition, installing the Routing and/or DirectAccess-VPN role services on R2 will also install IIS (Web-Server) and a number of its sub-components, as well as the Windows Internal Database (WID). If you include management tools, Web-Mgmt-Console will also be installed.
Including the management tools with any of the role services will also install Group Policy Management Console (GPMC), Connection Manager Administration Kit (CMAK), RSAT-RemoteAccess, RSAT-RemoteAccess-Mgmt, and RSAT-RemoteAccess-PowerShell.

After installing a sub-feature(s), you can run the configuration wizard from the server manager or pull up the Remote Access Management Console and run the wizard from there.
Run the Remote Access Console from  Server Manager under "Remote Access Management Console"(RAMgmtUI.exe)

DirectAccess and VPN/Routing - Two wizards are presented:
           Getting Started Wizard - configures with default recommended settings
           Remote Access Setup Wizard - configure with custom settings

With either wizard, you have the option to deploy DirectAccess, VPN, or both.
Note that configuring VPN/NAT opens the Routing and Remote Access Management MMC snap-in (rrasmgmt.msc).
You can also launch RRAS Management from the right-hand side of the Remote Access Management Console under VPN/Open RRAS Management, or from the command line using rrasmgmt.msc.

Web Application Proxy also has its own configuration wizard.

Powershell:
Install all features:
install-windowsfeature remoteaccess -includeallsubfeature -includemanagementtools
Install routing and directaccess/vpn:
install-windowsfeature routing -includemanagementtools
Install only directaccess/vpn:
install-windowsfeature directaccess-vpn -includemanagementtools




Extra Note: The full set of web server features that are installed with Routing and DirectAccess-VPN include Web-Server, Web-WebServer, Web-Common-Http, Web-Default-Doc, Web-Dir-Browsing, Web-Http-Errors, Web-Static-Content, Web-Health, Web-Http-Logging, Web-Performance, Web-Stat-Compression, Web-Security, Web-Filtering, Web-IP-Security, Web-Mgmt-Tools, Web-Scripting-Tools
Note that this only applies to R2, as 2012 only installed Web-IP-Security and also did not install WID.

Extra Note: R2 adds router BGP support for multi-tenant deployments. This is configurable via Powershell only.

3.3.2 implement Network Address Translation (NAT)
Requires at least 2 network interfaces. Routing should be installed

In the RRAS Management snap-in, right click the Server and select either of the NAT wizards, or just custom configuration as in the following example.

After clicking Custom configuration and Next, choose NAT, then Next. The service will start; click Finish. Note that if Routing is not installed, you can complete this step but you will not see NAT in the list of options under IPv4 in the next step.

Expand the tree from the RRAS server in the RRAS snap-in, then IPv4. Right-click NAT and select "New Interface" to configure an interface that will participate in NAT. If the interface faces the internal network, choose Private Interface. Otherwise, choose Public Interface and, if you want NAT translation on this interface, choose Enable NAT.

Once you have at least one public interface and one private interface, any packets that come in on the private interface go out the public interface, translated to the public interface's IP.

By right clicking on the public interface, you can use "Show mappings" to view current NAT mappings. Or by selecting Properties, you can click on the "Address Pool" tab to add a pool of addresses that can be used by internal computers, and have the option to reserve some of those ips to private computers, as a 1-to-1 mapping, using the "Reservations" button.  You can also setup port redirection from the outside public interface on the "Services and Ports" tab. This allows you to redirect ports on the interface ip or address pool, to an internal private server, such as a web server.
 
The DHCP allocator and DNS Proxy are for simple SOHO deployments. DHCP allocator is a very simple DHCP server for a single scope of addresses. DNS proxy will act as a simple DNS server to forward requests from the internal network.


Extra Note: When an address pool is configured on a public interface, outbound requests will use each public address unless otherwise reserved for 1-to-1 mapping.

Extra Note: On 2012, I have not found a way to add NAT after an RRAS server has been initially configured without it, unless you disable and reconfigure.

Extra Note: In R2, there is a new PowerShell module, "NetNat", with cmdlets that appear to be for setting up NAT. However, these are for the new multi-tenant VPN feature for setting up NAT with an NVGRE network, and are not related to the RRAS NAT feature.

3.3.3 configure VPN settings
http://technet.microsoft.com/en-us/library/dd469817%28v=ws.10%29.aspx

http://technet.microsoft.com/en-us/library/dd469733.aspx

Types of VPN scenarios:
Client to Server - Clients connect to RRAS server to get on the network.
Site-to-Site - Two VPN servers create a connection to each other.
 
VPN protocols supported by RRAS:
Point-to-Point Tunneling Protocol (PPTP) - uses TCP for tunnel management and encapsulates PPP datagrams in GRE. Microsoft encrypts via Microsoft Point-to-Point Encryption (MPPE), keyed from MS-CHAPv2 or EAP-TLS authentication. PPTP uses TCP port 1723 and IP protocol 47 (GRE).

Layer 2 Tunneling Protocol (L2TP) with IPsec - L2TP encapsulates PPP in UDP over port 1701. IPsec is first used to set up a secure channel using IKE on UDP port 500 via a pre-shared key or certificate, then sets up the tunnel and encapsulates the L2TP datagrams using ESP (IP protocol 50). UDP port 4500 may be used for IPsec NAT Traversal. Encryption is either AES or 3DES.

IKEv2 - encapsulates using IPsec. IPsec sets up a secure channel using IKE on UDP port 500 (or 4500) via a pre-shared key or certificate, then sets up the tunnel using ESP (IP protocol 50). UDP port 4500 may be used for IPsec NAT Traversal. Encrypted with one of AES 256, AES 192, AES 128, or 3DES. It supports MOBIKE and VPN Reconnect. Supported on Windows 7, Windows Server 2008 R2, and newer versions.

SSTP - encapsulates PPP datagrams over SSL (TCP port 443), encrypted by SSL. Note that SSTP is not available for site-to-site VPN connections.

GUI install:
There are multiple ways to configure VPN functionality on the RRAS server. In the RRAS Management snap-in, right click the Server and select one of the VPN options: "Remote access","Virtual private network access and NAT", "Secure connection between two private networks", or just use a custom configuration and select VPN, as well as dialup-access and/or demand-dial as needed.

If you want to disable VPN after using the wizard, right-click the server in the RRAS MMC snap-in, select Properties, and uncheck "IPv4 Remote access server".

Powershell:
Configure only the VPN feature: 
install-remoteaccess -vpntype vpn 

Client-to-Server. Configuring Servers.
For the minimum to configure the RRAS server for clients to connect to your server, you only have to select custom configuration and then VPN.

Using the "Remote access (dial-up or VPN)" wizard:
Check VPN.
Select the interface that faces the internet and will be used for incoming VPN connections.
(Note that configuring this does not specifically prevent other interfaces from being used as VPN endpoints, unless otherwise firewalled/filtered.)
If you check "Enable security on the selected interface by setting up static packet filters", the wizard will set up filters on that interface allowing only the ports used by VPN.
Next, select an interface for a network that VPN clients can use for addresses.
(Note that this interface will be used to obtain DHCP addresses for the VPN clients, and will not necessarily limit clients to accessing only this interface.)
Select whether DHCP will be used to assign IPs to the clients, or add a range of addresses that clients can use. The next option is to decide whether to use RADIUS authentication.

Custom configuration:
To create a similar configuration as using the wizard above:
Static packet filters:
In the RRAS MMC snap-in, expand IPv4, General, then right click on the interface.  On the general tab, add applicable filters to the Inbound Filters option.

To configure which interface to use for DHCP, or to configure static addresses, right-click the RRAS server and select Properties, then the IPv4 tab. If you choose DHCP, you can also choose which interface to obtain DHCP addresses from. This setting assigns addresses to both the server and client VPN interfaces, unless the client is otherwise configured with a static IP (for example, through its dial-in settings).

View connected clients:
Under the RRAS server, click on Remote Access Clients.
You can also sort the Ports by Active and see ports being used. 

Powershell:
get-remoteaccessconnectionstatistics
get-remoteuseractivity 'rrasserver\clientuser'
disconnect-vpnuser 'rrasserver\clientuser'

Client-to-Server. Configuring Clients.
In Windows 8 or 2012, you configure clients by going to "Network and Sharing Center" in Control Panel and choosing "Set up a new connection or network".

Split-Tunnel configuration:
By default the client will route all traffic to the vpn connection. You can change this behavior in the client's VPN connection properties - go into the Network and Sharing Center on the client, clicking the VPN connection, click properties, Networking tab, properties for IPv4 or IPv6, Advanced, uncheck "Use default gateway on remote network"
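The client-side configuration from "Configuring Clients" and the split-tunnel change above, done from PowerShell on a Windows 8.1 or later client (Add-VpnConnectionRoute does not exist on Windows 8.0). This is an added example, not from the original post; the server name and internal prefixes are placeholders. Split tunnelling means the client is on both networks at once, so only add the prefixes that really need the tunnel.

```powershell
# Added example (not from the original post). Creates the VPN connection that
# the GUI steps above would produce, with split tunnelling and explicit routes.
$name   = 'Corp VPN'
$server = 'vpn.corp.example'            # assumption: public name of the RRAS server

# SSTP over TCP 443, MS-CHAPv2 inside PPP, encryption required at the strongest
# level. -SplitTunneling is the same as unchecking "Use default gateway on
# remote network" in the IPv4/IPv6 advanced properties.
Add-VpnConnection -Name $name -ServerAddress $server -TunnelType Sstp `
    -AuthenticationMethod MSChapv2 -EncryptionLevel Maximum `
    -SplitTunneling -Force

# With split tunnelling on, nothing is routed into the tunnel until a route is
# added; everything else keeps using the local default gateway.
Add-VpnConnectionRoute -ConnectionName $name -DestinationPrefix '10.10.0.0/16'    # assumption
Add-VpnConnectionRoute -ConnectionName $name -DestinationPrefix '192.168.50.0/24' # assumption

# Show what was stored for the connection.
Get-VpnConnection -Name $name |
    Format-List Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel, SplitTunneling
```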


Site-to-Site configuration:
A minimum configuration for a site-to-site vpn connection requires only selecting custom configuration and then VPN and demand-dial.


In the RRAS MMC, click "Network Interfaces". Right click the view and select "New demand-dial interface". 
Enter the remote server name as "Interface Name".
Select "Connect using VPN". Select type of VPN, for example "PPTP".
Enter IP address of remote server.
"Route IP packets on this interface" should be checked. If this server will only dial the remote server, and not vice versa, then you do not need to select "Add a user account" (optional: you can manually set up a user account later).
Add a static route for the remote network. (Optional: you can setup routing later as needed).
Dial-out credentials: You have to put this in, but it is only needed if this server will call the remote server.

Note: If using a local account on the remote server, set the DOMAIN to the remote server name.

From the dialing server - right click the "Network Interface" and Connect.

You can change credentials by right-clicking the interface and selecting "Set Credentials".

Demand-Dial vs. Persistent:
You can configure a connection to only come up and connect when it receives traffic destined for certain networks. In Properties, be sure Options tab is set to Demand-Dial. You can also decide how long the connection is idle before it closes. Right-click on the interface connection and select "Set IP Demand-dial filters". Here you can decide what traffic will start the connection.

For a persistent connection, you only need to select "Persistent connection" in Properties/Options tab. Now the connection will stay up once connected.


Extra Note: Use "netsh ras diag set trace enable" to turn on detailed logging, which is stored in %systemdrive%\tracing. Turn off logging with "netsh ras diag set trace disable".
Extra Note: The default dial-in setting for a user in 2012 is "Control access through NPS Network Policy". However, if you let the demand-dial interface wizard create a user for you, it will set the dial-in setting to "Allow Access" for that user.

3.3.4 configure remote dial-in settings for users
You can configure some specific dial-in settings for users by using the "Dial-in" tab in the user's properties: for local users, in Local Users and Groups in Computer Management; for domain users, in ADUC.

Network Access Permission: Determines if this user can remotely connect to this server. Allow, Deny, or Control Access through NPS Network Policy. Default setting is "Control Access through NPS Network Policy".
Note that NPS can override this setting.

Verify Caller-ID:
Device(s) must support caller-id and caller's id must match this setting if checked and filled out.

Callback Options:
No Callback, Set by Caller (RRAS only), Always callback to ____. Default is No Callback

Assign Static IP Addresses:
Defaults to assigning these IP(v4 and/or v6) addresses to this user's connections

Apply Static Routes:
Can be used to define static routes when using a one-way on-demand dialer. This is not meant to set up routes for a single user/client.

Extra Note: The use of the "Apply Static Routes" setting is fairly confusing. See the following articles for more information: http://technet.microsoft.com/en-us/library/cc738142%28v=ws.10%29.aspx
http://technet.microsoft.com/en-us/library/cc736311%28v=ws.10%29.aspx


3.3.5 configure routing
Viewing route table in RRAS - Right click Static Routes under IPv4 or IPv6 and select "Show IP Routing Table".
route print
get-netroute

Static routes:
In RRAS, right click the Static Routes and select "New static route"
Select which interface this route will go out.
Enter the destination, network mask, gateway, and metric.
Note: static routes added through RRAS are persistent by default in that they will be readded to the routing table automatically when the service starts, and removed if it is stopped.

route add -p 192.168.100.0 mask 255.255.255.0 10.0.0.1
new-netroute -destinationprefix '192.168.101.0/24' -interfacealias 'ethernet' -nexthop '10.0.0.1'

route change 192.168.101.0 mask 255.255.255.0 10.0.0.2
set-netroute -destinationprefix '192.168.101.0/24' -nexthop '10.0.0.2'

route delete 192.168.101.0
remove-netroute '192.168.101.0/24'

RIP configuration:
in RRAS mgmt, expand IPv4 under the RAS server.  Choose "New Routing Protocol" , "RIP version 2..."
On RIP menu or in view, right click and select "New Interface". Select an interface that will carry RIP advertisements.

General tab:
Operation mode:
  Auto-static update mode - updates are sent only when another router requests them. Routes are marked as static.
  Periodic update mode - updates are sent out at intervals set by the "Periodic announcement interval" (default 30 seconds)

Outgoing packet protocol:
RIP 1 broadcasts, RIP 2 broadcasts
RIP 2 multicast - sent on 224.0.0.9
Silent RIP - router will not send out advertisements on this interface, but will listen and record routes.

Incoming Packet Protocol - which advertisements to accept on this interface
RIP 1, RIP 2, RIP v1 & 2, Ignore RIP advertisements

Added cost for route - This number is added to a route for path cost purposes. Higher is worse.

Tag for announced routes - can be used to distinguish RIP routes from other routing protocols

Security tab:
This tab can be used to filter outgoing and incoming routes

Neighbors tab -
neighbors can be configured for unicast advertisements. You can configure the interface to advertise using broadcast/multicast, both neighbors and broadcast/multicast, or neighbors(unicast) only.

Advanced tab:
Periodic announcement interval - default 30 seconds
Time before routes expire - default 180 seconds
Time before route is removed - default 120 seconds. After expiration, the route remains in the routing table for this time so neighbors can be notified that the route is no longer valid.
 
Enable split-horizon - To prevent loops, routes learned from Neighbor A are not sent back to neighbor A
Enable poison-reverse - Better prevention of loops at the cost of larger advertisements - routes learned from Neighbor A are sent back to A with infinity metric(16).
Enable triggered updates -  Changes in the routing table are sent immediately
Send clean-up updates when stopped - when stopped, router sends advertisements to let other routers know that it is no longer valid for those routes.

Process host routes - handle incoming host route announcements
Include host routes -
Process default routes - accept default routes (0.0.0.0)
include default routes - include default route
Disable subnet summarization - summarization combines subnets into supernets to make advertisements smaller.

Extra Note: RIP advertisements are sent over UDP port 520. RIPv2 adds optional multicast, subnet masks in advertisements (CIDR), route tagging, and simple password authentication.

3.3.6 (R2) configure web application proxy in passthrough mode 
http://technet.microsoft.com/en-us/library/dn383639.aspx

Web Application Proxy replaces the functionality of ADFS Proxy 2.0.  Installing Web Application Proxy requires having an ADFS server and a certificate for the ADFS server, as well as a certificate for each application that will be published.

Passthrough applications do not require authentication to ADFS, although the application on the back-end may require its own authentication.

On an already installed web-proxy server, configuring an application in passthrough mode is done in the Remote Access Management Console(ramgmtui.exe), which is accessible from Server Manager. 
Select Configuration, Web Application Proxy.
Click Publish.
Select preauthentication method: Pass-through.
Publishing Settings - enter a name. external URL, external certificate, internal url.

Powershell:
see link above for example. The cmdlet below is filled in with sample values (the certificate thumbprint is a placeholder):
Add-WebApplicationProxyApplication -Name "Contoso App" -ExternalPreauthentication PassThrough -ExternalUrl "https://app.contoso.com/" -BackendServerUrl "https://app.contoso.com/" -ExternalCertificateThumbprint "<thumbprint of the app.contoso.com certificate>"

Thursday, April 24, 2014

3. Configure network services and access 3.2 Configure DNS records

3.2.1 Create and configure DNS Resource Records (RR) including A, AAAA, PTR, SOA, NS, SRV, CNAME, and MX records
SOA - Start of Authority - specifies primary name server, e-mail of domain admin, domain serial, timers
NS - identifies an authoritative name server
A - host record
AAAA - ipv6 host record
CNAME - alias
PTR - ip address to domain or host name
MX - mail server host
SRV - service record, used for AD.

fields of an SOA record:
Serial number - version of zone, to determine when to zone transfer
primary authoritative server
responsible person - zone admin
refresh interval - how often secondary servers check for updates
retry interval - how long to wait before a secondary server sends another request
expires after - after a zone transfer, a secondary server keeps answering from its copy of the zone for this long if it cannot contact the primary to renew it.
minimum TTL - default time an RR remains in a DNS cache after a query. An RR's own TTL overrides this setting.

MX records - specify a priority when you have multiple records. The lower priority MX records are preferred.

dnscmd /recordadd contoso.com myworkstation A 192.168.134.30
dnscmd /recordadd contoso.com myworkstation AAAA fc00::199:45
dnscmd /recordadd contoso.com myalias CNAME myworkstation.contoso.com
dnscmd /recordadd contoso.com . MX 10 mymailserver.contoso.com
dnscmd /recordadd contoso.com . NS nameserver.contoso.com
dnscmd /recordadd 134.168.192.in-addr.arpa 30 PTR myworkstation.contoso.com

dnscmd /recorddelete contoso.com myworkstation A

Add-DnsServerResourceRecordA -name "myworkstation" -zonename "contoso.com" -IPv4Address "192.168.134.30"
Add-DnsServerResourceRecordAAAA -name "myworkstation" -zonename "contoso.com" -IPv6Address "fc00::199:45"
Add-DnsServerResourceRecordCNAME -name "myalias" -hostnamealias "myworkstation.contoso.com" -zonename "contoso.com"
Add-DnsServerResourceRecordMX -name "." -MailExchange "mymailserver.contoso.com" -Zonename "contoso.com" -preference 20
Add-DnsServerResourceRecordPTR -name "30" -zonename "134.168.192.in-addr.arpa" -ptrdomainname "myworkstation.contoso.com"

Remove-DnsServerResourceRecord -zonename "contoso.com" -RRtype "A" -name "myworkstation"

Get-DnsServerResourceRecord -zonename "contoso.com" -rrtype "A"

3.2.2 configure zone scavenging
Zone scavenging removes "stale" (old) records. Aging is the process of timing out records.
Scavenging is disabled by default, so it must be enabled to work.
RRs must be added dynamically or manually modified in order to be aged/scavenged.

In order to manually modify scavenging settings on records, go to View and select advanced in the DNS Manager. Now you can right click a record and check "Delete this record when it becomes stale"  Hitting apply adds a timestamp, rounded from the current hour, used in scavenging.

Dynamic records will attempt to update themselves every 24 hours by default. These records are automatically set to scavenge

Scavenging settings on a zone:
right click zone, Properties. Hit the Aging button. Check "Scavenge stale resource records".
No-refresh interval & refresh interval - both must expire before record will be scavenged.
No-refresh - record cannot be "refreshed", which is when a dynamic update does not change the host/ip record but tries to change the timestamp.  A client changing the IP address will be exempt from this interval
After a record goes beyond "record timestamp + no-refresh interval", it enters refresh interval. During this time, refreshes to timestamp are allowed. If the timestamp is updated by a client, the no-refresh interval begins again. If it does not get updated, the record is eligible for scavenging.

You can also create default scavenging settings, for any zone created on this DNS server, by right clicking the DNS server and selecting "Set Aging/Scavenging for All Zones". Note that this will not update current zones, only future zones that are created on this specific server. However, there is an option after you click OK, "Apply these settings to the existing AD-integrated zones". This will update current AD-integrated zones with these settings.

The final thing to do to setup scavenging is to set it on the DNS server, under properties/Advanced. Check the "Enable automatic scavenging of stale records". This controls when scavenging will be done. Note that if a record is still in no-refresh/refresh intervals, it will not be scavenged when this process runs. When scavenging is run it creates event id 2501/2502 in event logs.
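Added example (not from the original notes): a helper that places a record in the aging timeline described above, so you can see which records would go at the next scavenging run before turning it on. Intervals and timestamps are passed in, so the constructed sample runs without a DNS server; the commented Get-DnsServer* lines show how to feed it a live zone.

```powershell
# Where does a record sit: no-refresh interval -> refresh interval -> eligible for scavenging?
function Get-DnsRecordAgingState {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Nullable[datetime]]$Timestamp,                       # $null for static records (never aged)
        [Parameter(Mandatory)][timespan]$NoRefreshInterval,   # zone aging setting
        [Parameter(Mandatory)][timespan]$RefreshInterval,     # zone aging setting
        [datetime]$Now = (Get-Date)
    )
    if ($null -eq $Timestamp) {
        # Records without a timestamp are static and are never scavenged
        return [pscustomobject]@{ Name = $Name; State = 'Static'; EligibleAt = $null }
    }
    $refreshStarts = $Timestamp.Value + $NoRefreshInterval   # timestamp refreshes are rejected before this
    $eligibleAt    = $refreshStarts + $RefreshInterval        # removed by the first scavenging run after this
    $state = if ($Now -lt $refreshStarts) { 'NoRefresh' }
             elseif ($Now -lt $eligibleAt) { 'Refresh' }
             else { 'Eligible' }
    [pscustomobject]@{ Name = $Name; State = $state; EligibleAt = $eligibleAt }
}

# Constructed sample: zone using the 7-day defaults, evaluated at a fixed instant
$noRefresh = New-TimeSpan -Days 7
$refresh   = New-TimeSpan -Days 7
$now       = Get-Date '2014-10-24 12:00'
$sample = @(
    @{ Name = 'ws01'; Timestamp = Get-Date '2014-10-22 09:00' }   # refreshed 2 days ago (inside no-refresh)
    @{ Name = 'ws02'; Timestamp = Get-Date '2014-10-14 09:00' }   # 10 days ago (inside refresh)
    @{ Name = 'ws03'; Timestamp = Get-Date '2014-10-01 09:00' }   # 23 days ago (both intervals passed)
    @{ Name = 'dc01'; Timestamp = $null }                          # static record
)
$sample | ForEach-Object {
    Get-DnsRecordAgingState -Name $_.Name -Timestamp $_.Timestamp `
        -NoRefreshInterval $noRefresh -RefreshInterval $refresh -Now $now
} | Format-Table -AutoSize

# Against a live zone (needs the DNSServer module):
# $aging = Get-DnsServerZoneAging -Name contoso.com
# Get-DnsServerResourceRecord -ZoneName contoso.com -RRType A | ForEach-Object {
#     Get-DnsRecordAgingState -Name $_.HostName -Timestamp $_.Timestamp `
#         -NoRefreshInterval $aging.NoRefreshInterval -RefreshInterval $aging.RefreshInterval
# }
```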


Set-DnsServerResourceRecordAging -nodename myserver.contoso.com. -zonename contoso.com 
Get-DnsServerResourceRecord -zonename contoso.com -name myserver
Get-DnsServerZoneAging contoso.com
Set-DnsServerZoneAging contoso.com -aging $true -norefreshinterval (New-TimeSpan -days 3) -refreshinterval (New-TimeSpan -days 3)

Set default scavenging settings on a DNS server:

Set-DnsServerScavenging -scavengingstate $true -norefreshinterval (New-TimeSpan -days 3) -refreshinterval (New-TimeSpan -days 3)
(Note that -scavengingstate $true will apply to new zones created on this server. You can use -applyonallzones to update all current zones)

Only enable scavenging on a DNS server and set the interval between scavenging runs (unlike the command above, this does not change the other default DNS server scavenging settings):
Set-DnsServerScavenging -scavenginginterval (New-TimeSpan -days 3)

Get-DnsServerScavenging

3.2.3 configure record options including Time To Live (TTL) and weight
To see and change the TTL in the GUI, you need to go to View/Advanced. Now you can double-click an RR and change the TTL in its properties.

Weight could have multiple meanings. MX records can be set with a priority  to determine which mail server is preferred. Lower is preferred.
SRV records also have a weight in addition to a priority. Lower priorities are preferred. However, if multiple SRV records have equal priority, the weight determines how often(%) a SRV resource will be used in relation to others with the same priority. This is a basic load balance.
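Added example (not from the original notes): the weighted pick a client makes among SRV records of equal priority (the RFC 2782 selection the paragraph above describes). The SRV set is constructed; repeating the pick many times shows each target's share approaching weight / total weight within its priority group.

```powershell
# Choose one SRV target: lowest priority group wins, then weighted random within that group
function Select-SrvTarget {
    param(
        [Parameter(Mandatory)][object[]]$Records,           # objects with Priority, Weight, Target
        [System.Random]$Rng = (New-Object System.Random)
    )
    # Higher-priority-number records are only fallbacks if every target in this group is down
    $best  = ($Records | Measure-Object -Property Priority -Minimum).Minimum
    $group = @($Records | Where-Object { $_.Priority -eq $best })
    $total = ($group | Measure-Object -Property Weight -Sum).Sum
    if ($total -le 0) { return $group[$Rng.Next($group.Count)] }   # all weights 0: uniform pick
    $roll = $Rng.Next(1, $total + 1)                                 # 1..total inclusive
    $running = 0
    foreach ($r in $group) {
        $running += $r.Weight                                        # walk the cumulative weights
        if ($roll -le $running) { return $r }
    }
}

# Constructed SRV set for _ldap._tcp.contoso.com: two priority-0 servers and one fallback
$srv = @(
    [pscustomobject]@{ Priority = 0;  Weight = 75;  Target = 'dc1.contoso.com' }
    [pscustomobject]@{ Priority = 0;  Weight = 25;  Target = 'dc2.contoso.com' }
    [pscustomobject]@{ Priority = 10; Weight = 100; Target = 'dc3.contoso.com' }
)
$rng   = New-Object System.Random 42   # fixed seed so the run is repeatable
$picks = 1..10000 | ForEach-Object { (Select-SrvTarget -Records $srv -Rng $rng).Target }
$picks | Group-Object | Sort-Object Name |
    Select-Object Name, Count, @{ n = 'Share'; e = { '{0:P1}' -f ($_.Count / 10000) } }
```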

Powershell/dnscmd

3.2.4 configure round robin
Round robin is used by DNS by default to return resource records with the same name and same type. Round robin can be disabled on a server by right clicking on the DNS server and properties, clicking the advanced tab, and unselecting "Enable round robin option"

Get-DnsServerSetting -all | select roundrobin | ft -auto


3.2.5 configure secure dynamic updates
Secure dynamic updates are set per zone. Right click the zone and properties. Then on General, you have a dropdown for none, nonsecure and secure, and secure only.  You can also setup secure updates when creating a new zone.

By default in an AD domain, authenticated users and computers can create new dnsNode records in dnsZones. You can alter specific permissions on the Security tab in the properties of a Zone.  You can also set security on individual dnsNode records. ACLs are set on records by name so two records pointing to the same FQDN will have the same ACL.

3. Configure network services and access 3.1 Configure DNS Zones

Review from 70-410 4.3:
DNS Basics
DNS namespace, Name Servers, Resolver(client that sends dns queries)

Recursive query: Resolver clients send recursive queries to their dns servers. This tells the DNS server to query the hierarchy of dns servers until it gets resolution from the authoritative server(s)
Iterative query: a single request/response between DNS servers. The only time DNS servers send a recursive query to other DNS servers is when they are querying a forwarder.

DNS forwarders are set up to do the full recursive queries on behalf of other dns servers

reverse name resolution: resolves a name from an ip address

Zones:
Primary: master copy of the zone. If not integrated with AD, a local database file holds the zone.
Secondary: duplicate of the primary. replicates the zone file using zone transfer. read-only
Stub: copy of primary zone that forwards or refers requests.
Zones that are not ad-integrated are saved in a "zone file" in %systemroot%\system32\dns
AD-integrated

RR = resource records
top-level domains, second-level domains, hosts
nslookup
udp/tcp port 53

install DNS - Server Roles DNS Server(DNS), includemanagementtools = RSAT-DNS-SERVER
MMC=dnsmgmt.msc, PS module=DNSServer, command line=dnscmd.exe

dnscmd dc.contoso.com /enumzones

PS:
get-dnsserverzone

3.1.1 Configure primary and secondary zones
 Primary Zone:

Forward Lookup
DNS Manager (dnsmgmt.msc)
Right click Forward Lookup Zones and select New Zone. Choose Primary. Enter a zone name, which is the portion of the DNS namespace for which the server will be authoritative (such as contoso.com, or onezone.contoso.com).
Create a new zone file.
Dynamic Update - secure updates are for AD integrated

dnscmd /zoneadd bartledoo.contoso.com /primary
dnscmd /zoneinfo bartledoo.contoso.com
dnscmd /zonedelete bartledoo.contoso.com

add-dnsserverprimaryzone -name "bartledoo.contoso.com" -zonefile "bartledoo.contoso.com.dns"
get-dnsserverzone -name bartledoo.contoso.com
remove-dnsserverzone -name bartledoo.contoso.com

Reverse v4 primary:
right click Reverse Lookup Zones-> New Zone
Ipv4 reverse lookup zone
Type in Network id or specify the reverse lookup zone name manually.  Entering the network id will auto update the reverse lookup name(network ID backwards+.in-addr.arpa)
 Create a new zone file
Choose Dynamic update setting(Do not allow for non-AD)

dnscmd /zoneadd 10.168.192.in-addr.arpa /primary

add-dnsserverprimaryzone -networkid 192.168.10.0/24 -zonefile "10.168.192.in-addr.arpa.dns"

Reverse v6 primary:
Reverse Lookup Zones -> New Zone
select Primary zone
Ipv6 Reverse Lookup
Enter network prefix for IPv6 zone (i.e. fe80:0:3891:0405::/64)

dnscmd /zoneadd 5.0.4.0.1.9.8.3.0.0.0.0.0.8.e.f.ip6.arpa /primary

add-dnsserverprimaryzone -networkid fe80:0:3891:0405::/64 -zonefile "5.0.4.0.1.9.8.3.0.0.0.0.0.8.e.f.ip6.arpa.dns"
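Added example (not from the original notes): a helper that derives the reverse lookup zone name and PTR node name from a host address the way the New Zone wizard does (network ID backwards + .in-addr.arpa; for IPv6, nibbles reversed + .ip6.arpa), then registers the PTR with the same cmdlet used above. The sample hosts are constructed; without -Apply it only shows what would be created.

```powershell
# Split a host address into the reverse zone it belongs to and the node name inside that zone
function Get-ReverseDnsName {
    param(
        [Parameter(Mandatory)][string]$Address,     # host IP, e.g. 192.168.134.30 or fe80:0:3891:405::1
        [Parameter(Mandatory)][int]$PrefixLength    # network ID length of the reverse zone, e.g. 24 or 64
    )
    $ip = [System.Net.IPAddress]::Parse($Address)
    if ($ip.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetwork) {
        # IPv4: one label per octet, so the zone must cover whole octets
        if ($PrefixLength % 8 -ne 0 -or $PrefixLength -lt 8 -or $PrefixLength -gt 24) {
            throw "IPv4 reverse zones are built on a /8, /16 or /24 network ID"
        }
        $labels     = [string[]]($ip.GetAddressBytes() | ForEach-Object { [string]$_ })
        $zoneLabels = $PrefixLength / 8
        $suffix     = 'in-addr.arpa'
    }
    else {
        # IPv6: one label per nibble, so the prefix length must be a multiple of 4
        if ($PrefixLength % 4 -ne 0 -or $PrefixLength -lt 4 -or $PrefixLength -gt 124) {
            throw "IPv6 reverse zones are built on a prefix length that is a multiple of 4"
        }
        $hex        = ($ip.GetAddressBytes() | ForEach-Object { $_.ToString('x2') }) -join ''
        $labels     = [string[]]($hex.ToCharArray())
        $zoneLabels = $PrefixLength / 4
        $suffix     = 'ip6.arpa'
    }
    [array]::Reverse($labels)   # least significant label first, as in the arpa tree
    $n = $labels.Count
    [pscustomobject]@{
        ZoneName = ($labels[($n - $zoneLabels)..($n - 1)] -join '.') + ".$suffix"
        NodeName = $labels[0..($n - $zoneLabels - 1)] -join '.'
    }
}

function Register-PtrRecord {
    param(
        [Parameter(Mandatory)][string]$Address,
        [Parameter(Mandatory)][int]$PrefixLength,
        [Parameter(Mandatory)][string]$Fqdn,      # forward name the PTR points back to
        [switch]$Apply                            # without -Apply, only report what would be created
    )
    $r = Get-ReverseDnsName -Address $Address -PrefixLength $PrefixLength
    if ($Apply) {
        # Requires the DNSServer module and a server hosting the reverse zone
        Add-DnsServerResourceRecordPtr -ZoneName $r.ZoneName -Name $r.NodeName -PtrDomainName $Fqdn
    }
    [pscustomobject]@{ ZoneName = $r.ZoneName; NodeName = $r.NodeName; PtrDomainName = $Fqdn; Applied = [bool]$Apply }
}

# Constructed sample hosts matching the zones created above
@(
    @{ Address = '192.168.134.30';     PrefixLength = 24; Fqdn = 'myworkstation.contoso.com' }
    @{ Address = 'fe80:0:3891:405::1'; PrefixLength = 64; Fqdn = 'myworkstation.contoso.com' }
) | ForEach-Object { Register-PtrRecord @_ } | Format-Table -AutoSize
```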

Secondary Zone:
Forward Lookup zone-> New Zone
Secondary zone
in the zone name, enter the dns namespace name
master DNS Servers, enter the IP address of the primary zone server(s)

dnscmd /zoneadd bartledoo.contoso.com /secondary 192.168.10.8

add-dnsserversecondaryzone -name "bartledoo.contoso.com" -zonefile "bartledoo.contoso.com.dns" -masterservers 192.168.10.8

AD-integrated:
When choosing Primary, Secondary, Stub, "Store the zone in AD" option(AD-integrated) is available if the DNS server is a read-write Domain Controller. See 3.1.4.


3.1.2 configure stub zones
A stub zone only contains basic RR's: SOA, NS, certain "glue" A records and points to the authoritative NS.

Right click Forward Lookup Zone-> New Zone. Choose Stub zone. Enter domain namespace. On master DNS servers, enter primary zone dns server(s).

If you integrate the stub zone into Active Directory Domain Services(AD DS), you have the option to specify that the DNS server hosting the stub zone uses a local list of master servers when it updates the stub zone's resource records, rather than having the DNS server use the master servers list that is stored in AD DS

Caching-only server:Install DNS but do not configure a zone. in DNS Manager, Click on DNS in the menu, select New Server, and type in the IP address of your computer where you have installed DNS.

dnscmd /zoneadd stubby.contoso.com /stub 192.168.10.9
dnscmd /zonedelete stubby.contoso.com

dnscmd /zoneadd stubby.contoso.com /dsstub 192.168.10.9 /dp /domain
dnscmd /zonedelete stubby.contoso.com /dsdel

add-dnsserverstubzone -name "stubby.contoso.com" -zonefile "stubby.contoso.com.dns" -masterservers 192.168.10.9
add-dnsserverstubzone -name "stubby.contoso.com" -replicationscope domain -masterservers 192.168.10.9

3.1.3 configure conditional forwards
Forwarding:
Right click DNS server and properties, Forwarders tab. Click edit, Add DNS servers to forward to.

Conditional forwarding: You can forward DNS requests for certain domain names.

Expand the server and right click Conditional Forwarders -> New Conditional Forwarder
Enter the domain to forward
Add the IP address(es) of the servers to forward this domain to.
Check to store this forwarder in AD. Set timeout on forward queries for this conditional forwarder.


dnscmd /zoneadd google.com /forwarder 8.8.8.8 [/timeout <seconds>] [/slave]

add-dnsserverconditionalforwarderzone -name "google.com" -masterservers 8.8.8.8

3.1.4 configure zone and conditional forward storage in Active Directory
Zones are only stored in AD on AD-integrated DNS servers.
1.To all DNS on DC in forest, stored in the following application partition in AD:
cn=microsoftdns,dc=forestdnszones,dc=contoso,dc=com
2.To all DNS on DC in domain, stored in the following application partition in AD:
cn=microsoftdns,dc=domaindnszones,dc=contoso,dc=com
3.To all domain controllers(Windows 2000 compatibility).
In 2000, DNS was stored in the domain partition(cn=microsoftdns,cn=system,dc=contoso,dc=com)
4.To all domain controllers in the scope of this directory partition.

Conditional forward storage:
By default stores in domain partition.
/DP switch with dnscmd to choose partition (or fqdn of custom partition)
========
dnscmd /zoneadd bartledoo.contoso.com /dsprimary /dp /domain
/dp /forest
/dp /legacy

dnscmd /zonedelete bartledoo.contoso.com /dsdel

PS:
just add -replicationscope domain|forest|legacy|FQDN

add-dnsserverprimaryzone -name "bartledoo.contoso.com" -replicationscope domain

Conditional forwarder:
dnscmd /zoneadd google.com /dsforwarder 8.8.8.8 /dp /domain
add-dnsserverconditionalforwarderzone -name "google.com" -masterservers 8.8.8.8 -replicationscope domain

3.1.5 configure zone delegation
When you want another dns server to be authoritative for a subdomain, you have to delegate the permission for the zone to it.

Create a primary zone on the target dns server for the subdomain space it will host.
On the master server, right click the parent zone and select new delegation
enter the full dns name with child name.
Enter the ip address or FQDN of the dns server that will be authoritative for the child namespace

dnscmd /recordadd contoso.com child NS server2.child.contoso.com
(NS record data is the name server's host name, not its IP; when that server lives inside the delegated namespace, add a glue A record for it in the parent zone.)

add-dnsserverzonedelegation -name "contoso.com" -childzonename "one" -nameserver "server2" -ipaddress 192.168.10.119

3.1.6 configure zone transfer settings
zone transfers can transfer full or partial dns data from one zone to another.
Zone transfer causes:
Initial transfer when a secondary zone is created and pointed at a primary
zone refresh interval expires
DNS server service startup on secondary server
Primary master notifies secondary server(s) that changes have been made and need to be replicated.
Manual zone transfer initiated.

Types of transfers:
Full(AXFR) - copies the entire zone. Used for initial transfer.
Incremental (IXFR) - secondary requests updated records from the primary. Only RRs that have changed are sent. The serial number field in the SOA on each server is compared; if the primary's is higher, replication is needed.
DNS Notify: primary tells secondary it needs to update. secondary initiates IXFR.

Right click forward or reverse zone to configure, properties, zone transfers tab. Check allow zone transfers, then set:
to any server
to servers listed on NS tab
to specific servers


dnscmd /zoneresetsecondaries contoso.com 
/nonsecure
/securens
/securelist
/noxfr (no transfer)

set-dnsserverprimaryzone -name contoso.com -securesecondaries
transferanyserver
transfertozonenameserver
transfertosecureservers -secondaryservers
notransfer

3.1.7 configure notify settings
Also on zone transfer settings tab, click Notify. Check "Automatically notify" then set:
Servers listed on NS tab
Specific servers

dnscmd /zoneresetsecondaries contoso.com /securens
/notify
/notifylist (ip addresses)
/nonotify

set-dnsserverprimaryzone -name contoso.com -securesecondaries -notify
notify
notifyservers -notifyservers
nonotify