
Chapter 6

Remote Access

Tran Thanh Dien, PhD


August, 2022
Content

• Remote Access Options
• VPN
• DirectAccess – automatic VPN!
• The truth about DirectAccess and IPv6
• Prerequisites for DirectAccess
• Remote Access Management Console
• DirectAccess versus VPN
• Web Application Proxy

Mobile Workforce

• Most companies and employees now expect that work can get done from wherever the employee happens to be, not only from a desk on the corporate LAN

[Figure: lab network diagram. Two gateway routers are linked over 181.100.100.1 and 181.100.100.2 (eth0); their inside interfaces are 180.100.100.1 and 190.100.100.1 (eth1), serving the hosts 180.100.100.100 and 190.100.100.200; the internal hosts are 172.30.1.5 and 172.30.1.10. The same topology is reused for the VPN lab later in the chapter.]

Remote Access

When to use remote access

• Do you allow users to connect to your network resources remotely? If so, how?
• What are your business requirements for using remote access?

Remote Access
Remote access options

• Historically, organizations relied on third-party tools to connect remote users to the network, such as traditional (IPsec) and SSL VPN products
• Windows Server 2016 offers two flavors of remote access in the Remote Access role:
  o DirectAccess (DA): for domain-joined client computers (the Windows 7, 8 and 10 editions that support it)
  o VPN: for everything else

Remote Access
Remote access options

• DirectAccess (DA):
  o a kind of automatic VPN
  o the user does not need to do anything to be connected to work
  o the computer connects to the corporate network automatically whenever it has Internet access
• DA machines are typically company-owned corporate assets
• The client machines must be joined to the company's domain
• The DA configuration settings are delivered to the client through a GPO

Remote Access
Remote access options

• VPN is used for
  o down-level clients such as Windows XP
  o non-domain-joined Windows 7/8/10
  o home and personal devices that need to reach the network
• All the regular protocols are available: PPTP, L2TP/IPsec, SSTP and IKEv2
  o Caveat: PPTP with MS-CHAP v2 is cryptographically broken and should be disabled in production; prefer IKEv2 or SSTP
• It can even connect devices such as smartphones and tablets to the corporate network

Virtual private network (VPN)

VPN

A VPN is a network that uses a public telecommunication infrastructure, such as the Internet, to provide remote offices or individual users with secure access to their organization's network

VPN
Four critical functions

• Authentication – verifies the identity of the sender, i.e. that the data really came from the claimed peer
• Access control – keeps unauthorized users from accessing the network
• Confidentiality – prevents the data from being read or copied while it is in transit
• Data integrity – ensures that the data has not been altered in transit

VPN
Tunneling protocols

Tunneling: a packet based on one protocol is wrapped, or encapsulated, in a second packet based on a different protocol

• Tunneling:
  o a virtual point-to-point connection made through a public network
  o the main ingredient of a VPN
  o what a VPN uses to create its connection
• Packets are encapsulated and, depending on the protocol, encrypted
• Two types of end points:
  o Remote access (client to gateway)
  o Site-to-site (gateway to gateway)

VPN
Tunneling protocols

• Three main tunneling protocols used in VPN connections:
  o IPsec – Internet Protocol Security
  o PPTP – Point-to-Point Tunneling Protocol
  o L2TP – Layer 2 Tunneling Protocol
• Windows also offers SSTP (PPP over HTTPS, TCP 443) and IKEv2 (IPsec with MOBIKE for roaming); both appear in the port configuration later in this chapter

VPN
Internet Protocol Security (IPsec)

• Provides a method of setting up a secure channel for protected data exchange between two devices
• IPsec consists of two basic security protocols:
  o Authentication Header (AH): source authentication and integrity of the whole packet, including the IP header; no confidentiality
  o Encapsulating Security Payload (ESP): confidentiality of the payload, plus source authentication and integrity when an authentication algorithm is selected

VPN
IPsec: Authentication Header

[Figure: the IP header plus the other headers and payload, together with the secret session key, go through an HMAC (HMAC-MD5-96 in legacy deployments, HMAC-SHA1-96 or HMAC-SHA-256-128 today); the result is an AH inserted between the IP header and the rest of the packet.]

• AH provides data integrity and source authentication
• The entire IP packet is run through a keyed one-way hash (an HMAC); the truncated output is the Integrity Check Value (ICV) carried in the AH
• Mutable header fields (TTL, header checksum, ToS/DSCP, flags) are zeroed before hashing so that routers changing them in transit do not invalidate the ICV; this is what "zeroizing the TTL to get a standard header" means
• AH may be applied alone or in combination with ESP
• Caveat: because AH covers the source and destination addresses, it cannot pass through NAT; this is one reason ESP is far more common in practice

VPN
IPsec: Encapsulating Security Payload

[Figure: the IP header plus the other headers and payload; the payload is run through a cryptographic algorithm with the secret session key, producing IP header + ESP header + encrypted data (followed by the ESP trailer and ICV).]

• ESP is primarily used to provide payload encryption; it also provides source authentication and integrity
• Different algorithms for payload encryption, including DES, 3DES and AES
  o Caveat: DES and 3DES are deprecated; use AES, ideally an authenticated mode such as AES-GCM, which gives encryption and integrity in one pass

VPN
IPsec: modes

• Two modes:
  o Transport mode: only the payload of the packet is protected
  o Tunnel mode: the payload, routing and header information of the original packet are all protected

VPN
IPsec: Transport mode

• The original IP header is kept as the outer header
• The IPsec endpoints must therefore be the source and destination addresses already in the IP header
• Applicable only to communications between hosts (end to end)

VPN
IPsec: Tunnel mode

• The original IP packet is encapsulated as the payload of a new IP packet whose header carries the tunnel endpoints (the gateway addresses)
• When the receiving end gets the packet, it:
  o removes the new outer IP header
  o verifies and decrypts the inner packet, including its original header, and forwards it to its real destination
• Mainly applicable to communications between VPN gateways or between a host and a VPN gateway

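To make the AH slide and the transport/tunnel mode slides concrete, here is an added Python example; it is not code from the original slides or from any IPsec implementation. It builds an IPv4 packet, computes an AH integrity check value with the mutable header fields zeroed, and shows that a TTL decrement by a router still verifies while a same-length payload change or a wrong key does not. It then wraps the same packet tunnel-mode style inside an outer header between two gateway addresses and protects that outer packet. The session key, addresses and HTTP payload are constructed sample values, and HMAC-SHA-256 truncated to 128 bits stands in for whatever algorithm IKE would negotiate.

```python
# AH-style integrity protection of an IPv4 packet, transport and tunnel mode. Added example
# with constructed data; real IPsec negotiates keys/algorithms via IKE and tracks them in SAs.
import hashlib
import hmac
import struct

ICV_LEN = 16      # HMAC-SHA-256-128: first 128 bits of the HMAC output (RFC 4868 style)
AH_PROTO = 51     # IP protocol number of the Authentication Header
IPIP_PROTO = 4    # IP-in-IP: in tunnel mode the inner packet is the outer packet's payload
AH_FIXED = 12     # next header (1), payload len (1), reserved (2), SPI (4), sequence (4)
IP_HLEN = 20


def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Minimal 20-byte IPv4 header (constructed; header checksum left at 0)."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, ttl, proto, 0, src_b, dst_b)


def _zero_mutable(ip_hdr):
    """Zero the fields routers may change in transit so the ICV survives the trip."""
    h = bytearray(ip_hdr)
    h[1] = 0                 # ToS / DSCP
    h[6:8] = b"\x00\x00"     # flags + fragment offset
    h[8] = 0                 # TTL (the "zeroized" TTL on the slide)
    h[10:12] = b"\x00\x00"   # header checksum
    return bytes(h)


def _icv(key, ip_hdr, ah_no_icv, payload):
    """ICV = truncated HMAC over (standardized IP header, AH with ICV field zeroed, payload)."""
    data = _zero_mutable(ip_hdr) + ah_no_icv + bytes(ICV_LEN) + payload
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]


def add_ah(key, ip_hdr, payload, spi, seq):
    """Sender: insert an AH between the IP header and the payload and fill in the ICV."""
    next_hdr = ip_hdr[9]
    hdr = bytearray(ip_hdr)
    hdr[9] = AH_PROTO                                          # protocol field now says AH
    struct.pack_into("!H", hdr, 2, IP_HLEN + AH_FIXED + ICV_LEN + len(payload))
    payload_len = (AH_FIXED + ICV_LEN) // 4 - 2                # AH length in 32-bit words minus 2
    ah_no_icv = struct.pack("!BBHII", next_hdr, payload_len, 0, spi, seq)
    return bytes(hdr) + ah_no_icv + _icv(key, bytes(hdr), ah_no_icv, payload) + payload


def verify_ah(key, packet):
    """Receiver: recompute the ICV; True only if nothing but the mutable fields changed."""
    ip_hdr, rest = packet[:IP_HLEN], packet[IP_HLEN:]
    if ip_hdr[9] != AH_PROTO or len(rest) < AH_FIXED + ICV_LEN:
        return False
    ah_no_icv, icv, payload = rest[:AH_FIXED], rest[AH_FIXED:AH_FIXED + ICV_LEN], rest[AH_FIXED + ICV_LEN:]
    return hmac.compare_digest(icv, _icv(key, ip_hdr, ah_no_icv, payload))


def strip_ah(packet):
    """Remove the AH and restore the original protocol and length (call only after verify_ah)."""
    hdr, rest = bytearray(packet[:IP_HLEN]), packet[IP_HLEN:]
    hdr[9] = rest[0]                                           # next-header byte from the AH
    payload = rest[AH_FIXED + ICV_LEN:]
    struct.pack_into("!H", hdr, 2, IP_HLEN + len(payload))
    return bytes(hdr) + payload


def tunnel_encapsulate(gw_src, gw_dst, inner_packet):
    """Tunnel mode: the whole original packet becomes the payload of a gateway-to-gateway packet."""
    return ipv4_header(gw_src, gw_dst, IPIP_PROTO, IP_HLEN + len(inner_packet)), inner_packet


def with_ttl(packet, ttl):
    """Simulate a router hop: only the TTL changes."""
    p = bytearray(packet)
    p[8] = ttl
    return bytes(p)


def demo():
    key = b"constructed-session-key-for-the-example"
    payload = b"GET /intranet HTTP/1.1\r\n"
    host_pkt = ipv4_header("172.30.1.10", "172.30.1.5", 6, IP_HLEN + len(payload)) + payload

    # Transport mode: the host applies AH between its own IP header and the TCP payload.
    transport = add_ah(key, host_pkt[:IP_HLEN], host_pkt[IP_HLEN:], spi=0x100, seq=1)
    forwarded = with_ttl(transport, 63)                                    # legitimate change
    tampered = transport[:-len(payload)] + b"GET /admin    HTTP/1.1\r\n"   # same length, new content

    # Tunnel mode: the gateways wrap the untouched host packet and protect the outer packet.
    outer, inner = tunnel_encapsulate("180.100.100.1", "190.100.100.1", host_pkt)
    tunnel = add_ah(key, outer, inner, spi=0x200, seq=1)
    recovered = strip_ah(tunnel)[IP_HLEN:]                                 # receiving gateway unwraps

    return {
        "transport_ok": verify_ah(key, transport),
        "ttl_change_still_ok": verify_ah(key, forwarded),
        "payload_change_detected": not verify_ah(key, tampered),
        "wrong_key_detected": not verify_ah(key + b"x", transport),
        "tunnel_ok": verify_ah(key, tunnel),
        "inner_packet_recovered": recovered == host_pkt,
    }


if __name__ == "__main__":
    print(demo())
```

Run it and every value in the returned dictionary is True. The point to take away is the asymmetry: the receiver re-derives the "standard header" by zeroing exactly the fields a router is allowed to touch, so in-transit TTL changes are harmless, while the addresses stay covered, which is also why AH breaks as soon as a NAT rewrites them.
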
VPN
Point-to-Point Tunneling Protocol (PPTP)

• PPTP is a Microsoft protocol that lets remote users set up a PPP connection to a local ISP and then create a tunnel to their destination
• Designed for client/server connectivity
• A single point-to-point connection between two computers
• Works at the data link layer (it carries PPP frames)
• Transmits over IP networks only (GRE for the data, TCP 1723 for the control channel)

VPN
PPTP

• In PPTP, the PPP payload is encrypted with Microsoft Point-to-Point Encryption (MPPE); the user is authenticated with MS-CHAP v2 or EAP-TLS
• The keys used to encrypt this data are derived during the authentication exchange between the user and the authentication server
• Works only over IP networks
• Caveat: the MS-CHAP v2 handshake can be cracked offline from a capture, and MPPE's RC4 keys are derived from that exchange, so PPTP no longer provides meaningful confidentiality; treat it as legacy only

VPN
Layer 2 Tunneling Protocol (L2TP)

• L2TP provides the functionality of PPTP but works over networks other than just IP
• L2TP itself does not provide any encryption or authentication services
• It must be combined with IPsec (L2TP/IPsec) when encryption and authentication are required

VPN
L2TP

• Layer 2 Tunneling Protocol (L2TP)
  o Sets up a single point-to-point connection between two computers
  o Works at the data link layer
  o Transmits over multiple types of networks, not just IP
  o Combined with IPsec for security: on Windows the L2TP control and data traffic (UDP 1701) is carried inside an IPsec ESP transport-mode association, negotiated with IKE using a machine certificate or a pre-shared key

VPN
Install and configure

• The VPN server requires two NICs: one for the internal network (LAN) and one for the external network (Internet)

[Figure: the same lab network diagram as on the Mobile Workforce slide, with the VPN server placed between the external (Internet-facing) network and the internal 172.30.1.x network.]

VPN
Install and configure: creating an OU and users for VPN

(Screenshots only: create an OU and the VPN user accounts in Active Directory.)

VPN
Install and configure: add the Remote Access role

(Screenshots only: add the Remote Access role on the server Rmsvr.clc.com.)

VPN
Install and configure: configure VPN

(Screenshots of the VPN configuration wizard; afterwards, in the Routing and Remote Access console, open the Ports node.)

• Verify that 128 ports exist for SSTP, IKEv2, PPTP, and L2TP
• Double-click WAN Miniport (SSTP) and change Maximum ports to 5
• Repeat to change Maximum ports to 5 for IKEv2, PPTP, and L2TP
  o Caveat: the port count caps concurrent connections per tunnel type; in production, untick "Remote access connections (inbound only)" on the PPTP WAN Miniport to disable PPTP altogether rather than leaving a weak protocol listening

VPN
Client connectivity testing

(Screenshots only.)

DirectAccess – automatic VPN

• Considered an automatic VPN: the user does not need to do anything to make the DA connection
• As soon as the mobile computer has an Internet connection, the DA tunnels are built automatically over whatever connection is available, without any user input
• Similar to VPN: securely connects remote computers to the corporate network
• Different from VPN: the way employees end up connected (nothing to launch, nothing to log in to)

DirectAccess
DA components

[Figure: DirectAccess component diagram. External clients on the Internet reach the DirectAccess server over IPv6/IPsec; inside the network are AD DS, the DNS server, internal clients and internal network resources, the Network Location Server, and a PKI deployment. The client's Name Resolution Policy Table (NRPT) decides which names are resolved by the internal DNS over the tunnel and which, such as Internet websites, are resolved normally.]

DirectAccess
The truth about DirectAccess and IPv6

• The first version of DA required the internal network to run IPv6
• Fortunately, that requirement is gone: you do not need IPv6 on the internal network to use DA
• However, all the traffic that moves over the Internet part of the connection (between the laptop and the DA server) is IPv6 traffic inside IPsec
• The internal network can be IPv4 and the DA server may have only IPv4 addresses on its internal side, but the DA tunnel still carries the traffic as IPv6

DirectAccess
The truth about DirectAccess and IPv6

• As an example: you are sitting at home working on the company laptop, and DA has connected you to the corporate network
• When you open Command Prompt and ping one of the internal servers from the laptop, the reply comes back from an IPv6 address, even though that server only has an IPv4 address on the LAN (screenshot on the original slide)

DirectAccess
The truth about DirectAccess and IPv6

• The DA laptop sends IPsec-encrypted IPv6 packets over the Internet to the DA server
• When it receives them, the DA server can translate them down to IPv4 before sending them on to the destination server
• For example, when opening Outlook:
  o Outlook tries to connect to the Exchange server: the packets flow over the DA tunnel as IPv6
  o Once these packets hit the DA server, it works out whether the Exchange server is reachable over IPv4 or IPv6
  o If the Exchange server is available via IPv6, the DA server simply forwards the IPv6 packets to it
  o Otherwise the DA server rewrites the IPv6 packet into IPv4 and sends it on to the Exchange server

DirectAccess
The truth about DirectAccess and IPv6

• The two technologies that handle this rewriting are DNS64 and NAT64, both running on the DA server
  o DNS64: when the client asks for a name that has only an A (IPv4) record, it synthesizes an AAAA record by embedding the IPv4 address in a /96 IPv6 prefix, so the client always gets an IPv6 destination
  o NAT64: when a packet arrives for an address inside that prefix, it extracts the IPv4 address, translates the packet to IPv4 for the networks where that is required, and translates the return traffic from IPv4 back up into IPv6 so it can make its way back to the DA client over the IPv6-based IPsec tunnel

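The DNS64/NAT64 pair described above, as an added Python example that is not from the original slides or from the Windows implementation. It models an IPv4-only internal zone (constructed names and addresses), a DNS64 resolver that synthesizes AAAA records only for names lacking a real one, and a stateful NAT64 that maps outbound IPv6 flows to one translator IPv4 address and rebuilds replies as IPv6. The prefix used is the RFC 6052 well-known prefix 64:ff9b::/96; a real DirectAccess deployment uses the organization prefix the wizard assigns, so treat the prefix, the zone and the translator address as assumptions.

```python
# DNS64 + NAT64 as the DirectAccess server performs them for an IPv4-only intranet.
# Added example with constructed data; the prefix is the RFC 6052 well-known prefix,
# whereas a real DA server uses the organization-specific prefix from the wizard.
import ipaddress
from typing import Optional, Tuple

NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")

# Constructed sample zone: internal names with A records only, plus one dual-stack host.
INTERNAL_ZONE = {
    "exchange.corp.example": {"A": "172.30.1.5"},
    "dc1.corp.example": {"A": "172.30.1.10"},
    "dualstack.corp.example": {"A": "172.30.1.20", "AAAA": "2001:db8:1::20"},
}


def dns64_synthesize(ipv4: str, prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> ipaddress.IPv6Address:
    """Embed an IPv4 address in the low 32 bits of a /96 NAT64 prefix (RFC 6052 mapping)."""
    if prefix.prefixlen != 96:
        raise ValueError("this mapping needs a /96 prefix")
    return ipaddress.IPv6Address(int(prefix.network_address) | int(ipaddress.IPv4Address(ipv4)))


def nat64_extract(ipv6: ipaddress.IPv6Address, prefix=NAT64_PREFIX) -> Optional[ipaddress.IPv4Address]:
    """Inverse mapping: None for a native IPv6 destination, else the embedded IPv4 address."""
    if ipv6 not in prefix:
        return None
    return ipaddress.IPv4Address(int(ipv6) & 0xFFFFFFFF)


def resolve_aaaa(name: str) -> Optional[ipaddress.IPv6Address]:
    """DNS64 resolver: a real AAAA if one exists, a synthesized AAAA if only an A record exists."""
    rr = INTERNAL_ZONE.get(name)
    if rr is None:
        return None                                  # NXDOMAIN
    if "AAAA" in rr:
        return ipaddress.IPv6Address(rr["AAAA"])    # dual-stack server: forwarded as IPv6, no translation
    return dns64_synthesize(rr["A"])


class Nat64:
    """Stateful NAT64 with port mapping; all translated flows leave from one IPv4 address."""

    def __init__(self, translator_ipv4: str, prefix=NAT64_PREFIX):
        self.ipv4 = translator_ipv4
        self.prefix = prefix
        self.next_port = 40000
        self.by_port = {}        # translator port -> (client IPv6, client port)
        self.by_client = {}      # (client IPv6, client port) -> translator port

    def outbound(self, src6: str, sport: int, dst6: str, dport: int) -> Optional[Tuple[str, int, str, int]]:
        """IPv6 packet from the DA client: returns the IPv4 flow, or None if no translation applies."""
        dst4 = nat64_extract(ipaddress.IPv6Address(dst6), self.prefix)
        if dst4 is None:
            return None                              # native IPv6 destination: forward untouched
        key = (src6, sport)
        if key not in self.by_client:
            self.by_client[key] = self.next_port
            self.by_port[self.next_port] = key
            self.next_port += 1
        return (self.ipv4, self.by_client[key], str(dst4), dport)

    def inbound(self, src4: str, sport: int, dst4: str, dport: int) -> Optional[Tuple[str, int, str, int]]:
        """IPv4 reply from the intranet: rebuilt as IPv6 for the client, or dropped if unsolicited."""
        if dst4 != self.ipv4 or dport not in self.by_port:
            return None                              # no state for this flow: drop it
        client6, cport = self.by_port[dport]
        return (str(dns64_synthesize(src4, self.prefix)), sport, client6, cport)


def demo() -> dict:
    client6 = "2001:db8:da:1::100"                   # constructed DA client tunnel address
    nat = Nat64("172.30.1.250")                      # constructed NAT64 address on the DA server
    exch6 = resolve_aaaa("exchange.corp.example")
    out = nat.outbound(client6, 51000, str(exch6), 443)
    back = nat.inbound(out[2], 443, out[0], out[1])
    return {
        "synthesized_aaaa": str(exch6),
        "dualstack_untouched": str(resolve_aaaa("dualstack.corp.example")),
        "to_ipv4": out,
        "reply_to_ipv6": back,
        "unsolicited_dropped": nat.inbound("172.30.1.99", 80, "172.30.1.250", 45000) is None,
    }


if __name__ == "__main__":
    print(demo())
```

The ping screenshot on the earlier slide is explained by the first line of the output: the client never sees 172.30.1.5, only 64:ff9b::ac1e:105, because DNS64 answered its AAAA query. Everything in the tunnel is IPv6; only the hop from the DA server into the LAN is IPv4.
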
DirectAccess
Prerequisites: domain joined

• The first big requirement is that the systems involved with DA must be domain joined
• The DA servers and all the client computers that you want DA-connected need to be joined to a domain
• Domain membership is required for authentication (computer and user authentication against AD), and also because the DA client settings are applied via Group Policy

DirectAccess
Prerequisites: client operating systems

• Not all Windows client operating systems contain the components necessary to make a DA connection work
• The operating systems that support DA:
  o Windows 10 Enterprise
  o Windows 10 Education
  o Windows 8.0 or 8.1 Enterprise
  o Windows 7 Enterprise
  o Windows 7 Ultimate

DirectAccess
Prerequisites: one or two NICs?

• Two methods for implementing DA: 1) single NIC mode; and 2) edge mode with two NICs
• Single NIC mode
  o The NIC is connected directly to the internal network, so it has access to all internal resources
  o To get traffic from the Internet to the DA server, Network Address Translation (NAT) on the perimeter firewall is used

DirectAccess
Prerequisites: one or two NICs?

• Edge mode with two NICs:
  o This is the way DA works best
  o The internal NIC typically plugs straight into the corporate network
  o The external NIC's physical placement varies by organization (true edge, or behind a NAT firewall)
  o The external NIC is always the one that receives the default gateway
  o Since the server is multihomed, you will usually need to add static routes for the internal subnets via the internal NIC

DirectAccess
Prerequisites: one or two NICs?

• More than two NICs?
  o The DA configuration itself can only manage two network interfaces
  o During the setup wizards you define one NIC as External and the other as Internal
  o Any additional NICs in the server are not used by DA

DirectAccess
Tunneling protocol options

• When the DA laptop makes a connection to the DA server, it uses one of three IPv6 transition tunneling protocols:
  o 6to4: used by DA clients with a public IPv4 address
  o Teredo: used by DA clients with a private IPv4 address behind a NAT device
  o IP-HTTPS: used by DA clients when neither 6to4 nor Teredo can connect
• When establishing the tunnel, the DA client automatically chooses which of these protocols to use

DirectAccess
Tunneling protocol options

• 6to4:
  o DA clients only attempt 6to4 when the remote laptop has a true public Internet IPv4 address
  o This hardly ever happens these days given the shortage of available IPv4 addresses
  o It is common practice, and a DA best-practice setting, to disable the 6to4 adapter on the client computers

DirectAccess
Tunneling protocol options

• Teredo:
  o When DA clients are connected to the Internet using a private IP address, they attempt to connect using Teredo
  o Teredo encapsulates the IPv6 packets in UDP
  o As long as the user's Internet connection allows outbound UDP 3544, Teredo will generally connect and be the transition protocol of choice for that DA connection

DirectAccess
Tunneling protocol options

• IP-HTTPS (pronounced "IP over HTTPS"):
  o If Teredo fails to connect, e.g. because the local network blocks outbound UDP, the DA connection falls back to IP-HTTPS
  o The IPv6 packets are carried inside an HTTPS session: TLS over TCP port 443 over IPv4, which is why it works from almost anywhere
  o Effectively makes the DA connection look like an SSL stream, just like browsing an HTTPS website

DirectAccess
Installing on the true edge

• Plug the DA server's external NIC directly into the Internet and put true public IP addresses on that NIC
• All three of the transition tunneling protocols above are then enabled, and the DA client can choose between them for the best form of connectivity

DirectAccess
Installing behind a NAT

• It is much more common for the networking team to place the external NIC of the DA server behind a firewall
• This typically means creating a NAT rule to bring this traffic into the server
• When you install a DA server behind a NAT, Teredo no longer works (Teredo needs the server to hold two consecutive public IPv4 addresses)
• In fact, the DA configuration wizards recognize a private IP address on the external NIC and will not even turn on Teredo

DirectAccess
Installing behind a NAT

• When Teredo is not available, all DA clients connect using IP-HTTPS
• Teredo:
  o is more efficient than IP-HTTPS because it simply encapsulates IPv6 inside IPv4/UDP
  o needs no additional encryption, because the DA traffic stream is already and always IPsec-encrypted

DirectAccess
Installing behind a NAT

• IP-HTTPS:
  o takes the already IPsec-encrypted traffic stream and encrypts it a second time with SSL/TLS
  o is subject to additional processing and CPU cycles, which makes for a slower connection
  o creates additional hardware load on the DA server itself
  o Caveat: this double-encryption penalty applies to Windows 7 clients; Windows 8 and later negotiate a null-encryption TLS cipher suite for IP-HTTPS, so the outer layer is only HTTPS framing and the cost is largely gone
• To summarize:
  o the DA server's external NIC can be behind a NAT
  o but the DA clients will then connect using IP-HTTPS, with the side effects described above

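The client-side choice among 6to4, Teredo and IP-HTTPS described in the last several slides, as an added Python example that is not from the original slides or from Windows. It encodes the decision rules exactly as the slides state them (public address and 6to4 not disabled, then Teredo if outbound UDP 3544 is open and the server is on the true edge, else IP-HTTPS), and it also decodes the two address formats a practitioner will meet in logs: the 6to4 /48 prefix derived from a public IPv4 address (RFC 3056) and a Teredo address (RFC 4380), whose server, NAT type, client public IPv4 and mapped UDP port are all recoverable by anyone who sees it. The sample client addresses are constructed; the Teredo address is the example from RFC 4380; the decode is cross-checked against Python's own ipaddress parsers.

```python
# Which IPv6 transition technology a DirectAccess client uses, and what the addresses reveal.
# Added example: decision rules follow the slides; address formats follow RFC 3056 (6to4) and
# RFC 4380 (Teredo). Sample addresses are constructed or taken from the RFC 4380 example.
import ipaddress


def choose_transition(client_ipv4, udp_3544_allowed, server_behind_nat, sixtofour_disabled=True):
    """Preference order from the slides: 6to4 (public client address, adapter not disabled),
    then Teredo (outbound UDP 3544 open and the DA server on the true edge), else IP-HTTPS."""
    v4 = ipaddress.IPv4Address(client_ipv4)
    if v4.is_global and not sixtofour_disabled:
        return "6to4"
    if udp_3544_allowed and not server_behind_nat:
        return "Teredo"
    return "IP-HTTPS"       # TCP 443: passes almost any firewall, at a CPU cost on both ends


def sixtofour_prefix(public_ipv4):
    """6to4 (RFC 3056): a public IPv4 address WW.XX.YY.ZZ yields the prefix 2002:WWXX:YYZZ::/48."""
    v4 = ipaddress.IPv4Address(public_ipv4)
    if not v4.is_global:
        raise ValueError("6to4 needs a public IPv4 address")
    return ipaddress.IPv6Network(((0x2002 << 112) | (int(v4) << 80), 48))


def decode_teredo(addr):
    """Teredo (RFC 4380): 2001:0000:<server v4>:<flags>:<port ^ 0xffff>:<client v4 ^ 0xffffffff>.
    The client's real public IPv4 address and NAT port are recoverable by anyone who sees it."""
    a = int(ipaddress.IPv6Address(addr))
    if a >> 96 != 0x20010000:
        return None
    return {
        "server": str(ipaddress.IPv4Address((a >> 64) & 0xFFFFFFFF)),
        "cone_nat": bool((a >> 48) & 0x8000),
        "port": ((a >> 32) & 0xFFFF) ^ 0xFFFF,
        "client": str(ipaddress.IPv4Address((a & 0xFFFFFFFF) ^ 0xFFFFFFFF)),
    }


def demo():
    scenarios = [
        ("1.2.3.4", True, False, False),        # public address, 6to4 left enabled
        ("1.2.3.4", True, False, True),         # public address, 6to4 disabled (best practice)
        ("192.168.1.20", True, False, True),    # home NAT, UDP open, DA server on the true edge
        ("192.168.1.20", False, False, True),   # hotel network blocking outbound UDP
        ("192.168.1.20", True, True, True),     # DA server's external NIC behind a NAT
    ]
    teredo = decode_teredo("2001:0:4136:e378:8000:63bf:3fff:fdd2")   # RFC 4380 example address
    # Cross-check the hand-rolled decoding against the standard library's own parsers.
    agrees = (
        str(ipaddress.IPv6Address("2002:102:304::1").sixtofour) == "1.2.3.4"
        and tuple(map(str, ipaddress.IPv6Address("2001:0:4136:e378:8000:63bf:3fff:fdd2").teredo))
        == (teredo["server"], teredo["client"])
    )
    return {
        "choices": [choose_transition(*s) for s in scenarios],
        "sixtofour_prefix": str(sixtofour_prefix("1.2.3.4")),
        "teredo": teredo,
        "stdlib_agrees": agrees,
    }


if __name__ == "__main__":
    print(demo())
```

Two things worth noticing when you run it. First, with 6to4 disabled as the slides recommend, even a client on a public address ends up on Teredo or IP-HTTPS, so disabling the adapter does not cost connectivity. Second, a Teredo address is not opaque: it leaks the client's public IPv4 and NAT port, which matters if those addresses appear in logs or DNS that untrusted parties can read.
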
DirectAccess
Network Location Server (NLS)

• A website running inside the corporate network
• This website does not need to be, and should not be, reachable from the Internet
• Used as part of the inside/outside detection mechanism on the DA client computers
• Every time a DA client gets a network connection, it tries to reach the NLS website over HTTPS
  o If it can see the site (and the certificate validates), it knows it is inside the corporate network, DA is not required, and the NRPT rules and IPsec tunnels are switched off

DirectAccess
Network Location Server

• If the NLS website cannot be contacted, the computer concludes it is outside the corporate network and the DA components start turning themselves on
• All you need to do is spin up a VM and install IIS on it to host this website
• Two things to get right when setting up your NLS website:
  o It must be an HTTPS site, so it requires an SSL certificate that the clients trust
  o The DNS name used to reach it must be unique, dedicated to NLS, and never resolvable from the Internet
• Caveat: if the NLS is down while clients are inside the office, they will believe they are outside and try to tunnel to the DA server, so make it highly available

DirectAccess
Network Location Server

• NLS should not be implemented on the DA server itself
• Many things can go wrong when you cohost NLS on the DA server
• Running NLS on your DA server also limits what DA can do in the future
• Some of the advanced DA configurations (load-balanced and multisite deployments) require NLS to be removed from the DA server anyway

DirectAccess
Network Location Server

(Screenshot: the DA configuration wizard page where you choose the location of the NLS.)

DirectAccess
Install and configure

• Creating the DA OU and group in Active Directory (screenshots only)

DirectAccess
Install and configure

• The network model for DA is the same as for the VPN described in the previous section
• The installation of the role is also the same
• After the role is installed, additional configuration is needed
• Do not follow the yellow exclamation mark inside Server Manager as you did when configuring VPN

DirectAccess
Install and configure

• To configure DA, use the Remote Access Management Console (Server Manager -> Tools)
• Click on the Getting Started Wizard


DirectAccess
Install and configure

(Screenshots of the Getting Started Wizard; the step to note is entering the IP address or public name of the external interface, which is what clients on the Internet will connect to.)

Configure the client

 Switch to CLIENT
 Verify that DirectAccessClient
GPO applied to the client
DirectAccess
Configure the client

 Move the CLIENT to the Internet


DirectAccess
Configure the client

 Verify connectivity to the DirectAccess server:


Login to DC with an account that not login using this client computer
DirectAccess versus VPN

• VPN has been around for a very long time; DirectAccess is the newcomer that brings always-on, automatic remote access
• Which solution is better for enabling your mobile workforce?
• Each has its pros and cons, and how you use each, or both, will depend on your users, client computers, and the organization's individual needs

DirectAccess versus VPN
Domain-joined versus non-domain-joined

• DirectAccess: the client computer must be domain joined
• Trusting a computer enough to join it to your domain usually means the laptop is owned by the company
• DA is therefore not ideal for situations where employees use their own home computers to connect to work remotely
• For home and personally owned computers, VPN is better suited to the task

DirectAccess versus VPN
Domain-joined versus non-domain-joined

• VPN: can be used from non-domain-joined machines and from non-Microsoft devices
  o iOS, Android and Windows Phone all have a VPN client built in
• DirectAccess: cannot provide non-domain-joined devices with a connectivity platform

DirectAccess versus VPN
Auto versus manual launch

• With VPN, users have to:
  o log in to their computers to unlock them
  o then launch the VPN client
  o then log in again to that VPN software
• With DirectAccess, all they need to do is log in to the computer to unlock the screen

DirectAccess versus VPN
Software versus built-in

• VPN:
  o is a piece of client software
  o needs installation, configuration, updates and maintenance
• DirectAccess:
  o is built into the operating system
  o no software to install, no software to update, no software to reinstall when it breaks
  o everything DA needs is already in Windows; you just aren't using it yet

DirectAccess versus VPN
Password and login issues with VPN

• VPN requires the user to log in with a password
  o sometimes the user forgets that password, and the help desk has to reset it before they can connect
• DirectAccess does not have these kinds of problems
  o DA is part of the OS and authenticates the machine with its computer certificate and domain computer account, so the infrastructure tunnel is up whenever Windows is online, even before anyone logs on
  o as long as we have Internet access we also have a DirectAccess tunnel, and a forgotten password can be reset over it
• We can run both DirectAccess and VPN on the same Windows Server 2016 remote access server

Summary

• More and more organizations are hiring a work-from-home workforce
• They need a secure, stable, and efficient way to give these mobile workers access to corporate data and applications
• The Remote Access role provides two ways to reach corporate resources remotely: VPN and DirectAccess
• DirectAccess is a new way of looking at remote access: automatic connectivity