Remote Network Access: Objectives and Architecture

In the this mini-series of posts, I am going to diverge from my usual System Center-only focus to take a fresh look at deploying a Microsoft Remote Network Access solution. First, we'll get you online and working using SSTP, and then extend this base implementation with Network Access protection before finally coming back a little later and elevating these SSTP servers to Direct Access.

Why Remote Network Access?

So why I am doing this? As we build out solutions for System Center, we need a foundation from which to work, and within the latest versions of Configuration Manager we have the ability to integrate with the Windows Network Access Protection and manage our off-site computers with a dial out approach over Direct Access. Also, in the new R2 releases we can integrate both our Certificate Servers (Certificate Authority – CAs) and we finally have the ability to distribute VPN Profiles to our end users. Therefore, I am considering this miniseries as a foundation for illustrating these features and abilities in later posts.

I am building this solution out using the recently published RTM builds of Windows Server 2012 R2, but almost everything I will cover in this series will work from 2008 R2, with some minor adjustments and wizard changes.

Architecture

The environment which we will use for the scenarios is illustrated in the graphic below, showing our client establishing a connection with the RRAS server over TCP443 or what you might better recognize as the HTTPS port. SSTP utilizes this same supporting environment, including the SSL certificates used to protect the tunnel.

I have tagged a number of the components with a  to indicate the initial systems which are engaged in the basic SSTP implementation, including the Network Policy Server (otherwise known as RADIUS), which is used to check the client's authorization to proceed with establishing the requested tunnel.

The remaining servers are added to the scenario as we enable the NAP services, including the Certification Authority, and as an example, a simple Windows Update Server to offer simple remediation to non-compliant clients.

Each of the servers are responsible for different roles in the overall solution. To get a brief understanding of what these are, let's take a quick look at their primary functions.

• NPS Server – This hosts the Network Policy Services and Network Access Protection services. This server can also be referred to as the Radius Server. When we extend the solution with support for Network Access Protection, we will add a second role to this server called Health Replication Authority (HRA), which will connect to our Certificate Server to request and Issue health certificates
• SSTP Server – This server hosts the actual Routing and Remote access installation. It will be configured to primarily offer SSTP-only tunnels, and it will connect to the NPS server for authentication and accounting (storing auditing) information, with the purpose of determining if the clients are indeed permitted to establish the tunnels
• CA Servers – These host PKI certificate templates and issues certificates based on these templates to our systems. It is also responsible for issuing the Health Certificates via the Health Responsibility Authority. We will need to actually create the templates for these Health Certificates as part of the deployment.
• Client Computers – These are domain-joined machines that will subscribe to the new SSTP service that we are implementing. SSTP is supported from Windows 7 and newer versions of the client. Non-domain-joined machines can of course work with SSTP, but for the scope of this mini-series I am focusing on domain-joined systems.

We now have the background and an idea of how the different servers will be used. Our next objective will be to implement this solution. Now would be a great time to get your environment ready and spin up some servers for the jobs we are about to face.

Free Tools from SolarWinds to Help Resolve Network Issues

How to back up the registry in server

How to step by step back up of registry in server 2008, if you are editing in windows registry make sure you have backup of registry. If any problem occurs you can safely restore your registry. You can backup Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008 by this method. Before create a backup you should login with administrator.

Follow these steps to backup registry:-

 1.      Click Start, and then click Run.

 2.      In the Open box, type "regedt32", and then click ok.

 3.      On the Registry menu, click Export.

 

4.      In the Save inbox, select a location in which to save the .reg file, type a file name in the File name box, and then click Save.

How to change the listening port for Remote Desktop

Remote desktop listening port 3389 is working by default in server 2008. You can change and define custom listening port for remote desktop. You can define port number between 1025 and 65535.

How to change the Remote Desktop listening port on Windows Server 2008?

You can change remote desktop listening port on server 2003, windows xp and windows 7 by same method.

1. Click on Start and type “regedit” or you can press windows key + R to lunch run and type “regedit”  and press enter  Registry Editor will open.

 

2. Locate and then click the following registry subkey:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TerminalServer\WinStations\RDP-Tcp\PortNumber

3. Select PortNumber and double click on it then click Decimal.
4. Find the "PortNumber" subkey and notice the value of 00000D3D, hex for (3389)
5. Type the new port number, and then click OK.
6. Quit Registry Editor.
7. Restart the computer.

Now you can check form other computer start Remote Desktop Connection form start -> all programs -> accessories -> remote desktop connection.

Now type ip address with port of server (IP address:Custom port).

Troubleshooting 

Note When you try to connect to this computer by using the Remote Desktop connection, you must type the new port. Maybe you have to set the firewall to allow the new port number before you connect to this computer by using the Remote Desktop connection.

If you got this message “The remote computer requires Network Level Authentication, which your computer does not support. For assistance, contact your system administrator or technical support”

Daily Technotips: How to Implement Group Policy Security Filtering?

The most misleading thing about Group Policy is its name—Group Policy is simply not a way of applying policies to groups! Instead, Group Policy is applied to individual user accounts and computer accounts by linking Group Policy Objects (GPOs), which are collections of policy settings, to Active Directory containers (usually OUs but also domains and sites) where these user and computer accounts reside. So the newbie’s question concerning Group Policy is usually, “How can I get this GPO to apply to this group?” The answer to this question is: by implementing security filtering.

Understanding Security Filtering

Security filtering is based on the fact that GPOs have access control lists (ACLs) associated with them. These ACLs contain a series of ACEs for different security principals (user accounts, computer accounts, security groups and built-in special identities), and you can view the default ACL on a typical GPO as follows:

1. Open the Group Policy Management Console (GPMC)
2. Expand the console tree until you see the Group Policy Objects node.
3. Select a particular GPO under the Group Policy Objects node.
4. Select the Delegation tab in the right-hand pane (see Figure 1).

Figure 1: Viewing the ACL for the Vancouver GPO using the Delegation tab

For a more detailed view of the ACEs in this GPO ACL, click the Advanced button to display the familiar ACL Editor (Figure 2):

Figure 2: Viewing the ACL for the Vancouver GPO using the ACL Editor

An obvious difference between these two views is that the ACL Editor displays the Apply Group Policy permission while the Delegation tab doesn’t. This is because the Delegation tab only displays ACEs for security principles that actually process the GPO, and that implicitly means those security principals have the Apply Group Policy permission set to Allow. More specifically, if you want a GPO to be processed by a security principal in a container linked to the GPO, the security principal requires at a minimum the following permissions:

• Allow Read
• Allow Apply Group Policy

The actual details of the default ACEs for a newly created GPO are somewhat complex if you include advanced permissions, but here are the essentials as far as security filtering is concerned:

Security Principal	Read	Apply Group Policy
Authenticated Users	Allow	Allow
CREATOR OWNER	Allow (implicit)
Domain Admins	Allow
Enterprise Admins	Allow
ENTERPRISE DOMAIN CONTROLLERS	Allow
SYSTEM	Allow

Note that Domain Admins, Enterprise Admins and the SYSTEM built-in identity have additional permissions (Write, Create, Delete) that let these users create and manage the GPO. But since these additional permissions are not relevant as far as security filtering is concerned, we’ll ignore them for now.

The fact that Authenticated Users have both Read and Apply Group Policy permission means that the settings in the GPO are applied to them when the GPO is processed, that is, if they reside in a container to which the GPO is linked. But who exactly are Authenticated Users? The membership of this special identity is all security principals that have been authenticated by Active Directory. In other words, Authenticated Users includes all domain user accounts and computer accounts that have been authenticated by a domain controller on the network. So what this means is that by default the settings in a GPO apply to all user and computer accounts residing in the container linked to the GPO.

Using Security Filtering

Let’s now look at a simple scenario where you might use security filtering to resolve an issue in Group Policy design. Figure 3 below shows an OU structure I developed in a previous article. Note that the Vancouver top-level OU has three departments under it defined as second-level OUs, with user and computer accounts stored below these departments in third-level OUs:

Figure 3: Sample OU structure for Vancouver office

Let’s say that of the fifteen users who work in the Sales and Marketing Department in Vancouver, three of them are senior people who have special requirements, for example access to certain software that other people in the department shouldn’t have access to. Such software could be provided to them by publishing it in Add or Remove Programs using a user policy-based software installation GPO. The trouble is, if you link this GPO to the Sales and Marketing Users OU then all fifteen users in the department will have access to it through Add or Remove Programs. But you only want this special group of three users to be able to access the software, so what do you do? 

You could create another OU beneath the Sales and Marketing Users OU and call this new OU the Senior Sales and Marketing Users OU. Then you could move the user accounts for the three senior employees to this new OU and create your software installation GPO and link it to the new OU. While this approach will work, it has several disadvantages:

• It makes your OU structure deeper and more complicated, making it harder to understand.
• It disperses user accounts into more containers making them more difficult to manage.

A better solution is to leave your existing OU structure intact and all fifteen Sales and Marketing users in the Sales and Marketing Users OU, create your software installation GPO and link it to the Sales and Marketing Users OU (see Figure 4), and then use security filtering to configure the ACL on the software installation GPO to ensure that only the three senior users receive the policy.

Figure 4: Senior Sales and Marketing Users Software Installation GPO

To filter the software installation GPO so that only users Bob Smith, Mary Jones, and Tom Lee receive it during policy processing, let’s first use Active Directory Users and Computers to create a global group called Senior Sales and Marketing Users that has only these three users as members (see Figure 5):

Figure 5: Membership of the Senior Sales and Marketing Users global group

Note that you can store this security group in any container in the domain, but for simplicity you’ll probably want to store it in the Sales and Marketing Users GPO since that’s where its members reside.

Now go back to the GPMC with the software installation GPO selected in the left-hand pane, and on the Scope tab of the right-hand pane, remove the Authenticated Users special identity from the Security Filtering section and then add the Senior Sales and Marketing Users global group (Figure 6):

Figure 6: Filtering the GPO so it only targets the Senior Sales and Marketing Users group

That’s it, we’re done! Now when policy is processed for a user account residing in the Sales and Marketing Users OU, the Group Policy engine on the client will first determine which GPOs need to be applied to the user. If the user is a member of the Senior Sales and Marketing Users security group, the following GPOs will be applied in the following order (assuming we haven’t used blocking or enforcement anywhere):

1. Default Domain Policy
2. Vancouver GPO
3. Sales and Marketing GPO
4. Sales and Marketing Users GPO
5. Senior Sales and Marketing Users GPO

The Power of Security Filtering

The power of security filtering is that it allows us to simplify our OU structure while still ensuring that Group Policy is processed as designed. For example, in my original OU structure for Vancouver (see Figure 3 above) I created separate OUs for three departments in that location, namely the IT Department, Management, and Sales and Marketing. In Toronto however I could have taken a different approach and lump all my users and computers together like this (Figure 7):

Figure 7: Toronto has a simpler OU structure than Vancouver

Then I could group user and computer accounts in Toronto into global groups like this:

• IT Department Users
• IT Department Computers
• Management Users
• Management Computers
• Sales and Marketing Users
• Sales and Marketing Computers

I could then create GPOs for each group of users and computers in Toronto, link these GPOs to the appropriate container, and use security filtering to ensure they are applied only to the desired security principals (Figure 8):

Figure 8: Using Group Policy to manage users in Toronto

The main downside of this approach is that as you flatten your OU structure you can end up with lots of GPOs linked to each OU, which can make it harder at first glance to figure out which policies are processed by each user or computer unless you examine in detail the security filtering setup

http://dailytechnotips.blogspot.in/

Daily TechnoTips: How to Upgrade to Windows Server 2008 from 2003

Daily TechnoTips: How to Upgrade to Windows Server 2008 from Windows...: If you haven’t upgraded from Server 2003 to Server 2008 — here’s the how-to you’ve been waiting for. Today I’m going to show you how to p...

Setup Microsoft Windows 2008 R2 Failover Cluster in VMware Workstation - PART1

Here you can see how to setup Microsoft Windows 2008 R2 failover cluster in VMware Workstation.This article contains step by step method on Microsoft windows 2008 R2 failover cluster with freenas iscsi disks in VMware workstation just on your computer.  if you search on internet about setting up Windows 2008 R2 cluster in any desktop virtualization software, you can’t find it in one place.

Installation and setup procedure for MS windows 2003 cluster and earlier versions are available on internet, but not Windows 2008 or R2 failover cluster. Everybody including me stuck in one place while setting up Windows 2008 or R2 cluster in Virtualization environment, which is Cluster disk validation.  This is the main issue on MS windows 2008 R2 cluster in VMware workstation or Sun virtual box desktop virtualization software.

Windows 2008 and R2 failover clusters require SCSI-3 persistent reservation target disks as their cluster disks. Now question is how to setup SCSI-3 persistent reservation cluster disks in VMware workstation? I already wrote an article on setting up SCSI-3 persistent reservation cluster  iSCSI disksin VMware workstation using FreeNAS. Before continue reading this post, please read my previous article and create cluster disks in your VMware workstation according to cluster need.

Let’s start the installation and setup of Windows 2008 or R2 Failover cluster in desktop virtualization software VMware workstation.

Required Software

a)      VMware workstation

b)      Windows 2008 or R2 Operating System

c)       FreeNAS

Read more about Microsoft Windows 2008 R2 Failover cluster in normal environment

Prerequisites setup

a)      Installation of Windows 2008 or R2 Operating System in VMware Workstation ( Three Windows 2008 R2 Server virtual machines required.  One as domain controller and other twos as cluster nodes)

b)      Setup domain on one server and join other two servers with domain. Use domain administrator login for servers. ( in this example, domain name is sysprobs.net and cluster server names are vm-clus1 and vm-clus2)

c)       Install failover cluster feature in two windows 2008 or R2 servers you are going to setup failover cluster in VMware workstation.

d)      Install second network card in both cluster servers. Give two separate IP addresses, so both servers can communicate through this network also. This network will be used as ‘heart beat’ network for both servers. Make sure, this network name is identical in both servers. (in this example, heart beat network named as ‘ internal’ on both servers)

e)      Create cluster disks in your FreeNAS virtual machine.   Read my previous post on creating SCSI-3 persistent reservation target iSCSI disks in FreeNAS.
( in this example,
Qurom disk – 512MB,
Storage disk1- 2GB,
Storage disk 2- 2GB,
Storage disk 3 – 2GB,
and Backup disk 4GB)