Windows 7 Resource Kit- P28

Shared by: Thanh Cong | Date: | File type: PDF | Pages: 50


Document description

Reference document 'windows 7 resource kit- p28', information technology, operating systems, for study, research and effective work.


Text content: Windows 7 Resource Kit- P28

How DirectAccess Works

DirectAccess is built on several different technologies, as described in the next sections.

Active Directory Domain Services

An Active Directory Domain Services (AD DS) infrastructure is required for DirectAccess, with at least one domain controller in the domain running Windows Server 2008 or later versions. DirectAccess clients and servers must be domain members.

Windows 7 and Windows Server 2008 R2

Client computers must be running Windows 7 Enterprise or Ultimate operating systems or Windows Server 2008 R2 to use DirectAccess. In addition, at least one server on the corporate network must be running Windows Server 2008 R2 so it can act as the DirectAccess server. This server typically resides on your perimeter network and acts as both a relay for IPv6 traffic and an IPsec gateway.

IPv6

DirectAccess uses IPv6 to enable client computers to maintain constant end-to-end connectivity with remote intranet resources over a public Internet connection. Because most of the public Internet currently uses IPv4, however, DirectAccess can use IPv6 transition technologies such as Teredo and 6to4 to provide IPv6 connectivity over the IPv4 Internet. The preferred connectivity method for the client computer depends on the type of IP address assigned to the client. Specifically:

- If the client is assigned a globally routable IPv6 address, the preferred connectivity method is to use this address.
- If the client is assigned a public IPv4 address, the preferred connectivity method is to use 6to4.
- If the client is assigned a private (NAT) IPv4 address, the preferred connectivity method is to use Teredo.
- If the client is assigned a private (NAT) IPv4 address and the NAT device also provides 6to4 gateway functionality, 6to4 will be used.
If none of these connectivity methods can be used in a particular scenario, DirectAccess can also use IP-HTTPS, a new protocol developed by Microsoft for Windows 7 and Windows Server 2008 R2, which enables hosts located behind a Web proxy server or firewall to establish connectivity by tunneling IPv6 packets inside an IPv4-based HTTPS session. For more information about IPv6 transition technologies and about IP-HTTPS, see Chapter 28, "Deploying IPv6."

For remote client computers to use DirectAccess to connect to computers on the internal corporate network, these computers and their applications must be reachable over IPv6. This means the following:

[Enhancements for Connecting Remote Users and Networks in Windows 7, Chapter 27, page 1303]
- The internal computers and the applications running on them support IPv6. Computers running Windows 7, Windows Vista, Windows Server 2008, or Windows Server 2008 R2 support IPv6 and have IPv6 enabled by default.
- You have deployed native IPv6 connectivity or Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) on your intranet. ISATAP allows your internal servers and applications to be reachable by tunneling IPv6 traffic over your IPv4-only intranet.

For computers and applications that do not support IPv6, you can use a Network Address Translation-Protocol Translation (NAT-PT) device to translate IPv6 and IPv4 traffic. Microsoft recommends using IPv6-capable computers and applications and native IPv6 or ISATAP-based connectivity over the use of NAT-PT devices.

IPsec

DirectAccess uses IPsec to provide protection for DirectAccess traffic across the Internet. IPsec policies are used for authentication and encryption of all DirectAccess traffic across the Internet. These policies can also be used to provide end-to-end traffic protection between DirectAccess clients and intranet resources. These policies are configured and applied to client computers using Group Policy. For more information on IPsec and how to configure it, see Chapter 26.

Public Key Infrastructure

A Public Key Infrastructure (PKI) is required to issue computer certificates for authentication, to issue health certificates when NAP has been implemented, and to provide certificate revocation checking services. These certificates can be issued by a certification authority (CA) on the internal network; they do not need to be issued by a public CA.
Perimeter Firewall Exceptions

If your corporate network has a perimeter firewall, the following traffic to and from the DirectAccess server over the IPv4 Internet must be allowed:

- UDP port 3544 for Teredo traffic
- IPv4 protocol 41 for 6to4 traffic
- TCP port 443 for IP-HTTPS traffic

If you need to support client computers that connect over the IPv6 Internet, the following traffic to and from the DirectAccess server must be allowed:

- Internet Control Message Protocol version 6 (ICMPv6)
- UDP port 500
- IPv4 protocol 50
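As an added example (not code from the Resource Kit), the following PowerShell script applies the address-based selection rules from the IPv6 section above and pairs each outcome with the perimeter firewall exception it depends on, so an administrator can check that the firewall allows what the expected client population will actually use. The function name, its switches and the sample addresses are this example's own; treating an IPv6 address outside 2000::/3 as unusable (so that it falls through to IP-HTTPS) is an assumption.

```powershell
# Added example, not code from the Resource Kit. Function and switch names are
# this example's own. Assumption: an IPv6 address outside 2000::/3 (link-local,
# unique-local) gives no route to the DirectAccess server and falls through to IP-HTTPS.
function Get-DirectAccessTransport {
    param(
        [Parameter(Mandatory = $true)] [string] $ClientAddress,
        [switch] $NatProvides6to4Gateway,   # the NAT device is also a 6to4 gateway
        [switch] $TransitionBlocked         # Teredo/6to4 blocked by a Web proxy or firewall
    )
    $ip    = [System.Net.IPAddress]::Parse($ClientAddress)
    $bytes = $ip.GetAddressBytes()

    if ($ip.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetworkV6) {
        # Globally routable IPv6 (2000::/3): the top three bits of the first byte are 001.
        if (($bytes[0] -band 0xE0) -eq 0x20) { return 'Native IPv6' }
        return 'IP-HTTPS'
    }

    # Behind a Web proxy, or a firewall dropping UDP 3544 / protocol 41, only HTTPS remains.
    if ($TransitionBlocked) { return 'IP-HTTPS' }

    # RFC 1918 ranges mean the client sits behind a NAT device.
    $isPrivate = ($bytes[0] -eq 10) -or
                 ($bytes[0] -eq 172 -and $bytes[1] -ge 16 -and $bytes[1] -le 31) -or
                 ($bytes[0] -eq 192 -and $bytes[1] -eq 168)

    if (-not $isPrivate)         { return '6to4' }    # public IPv4 address
    if ($NatProvides6to4Gateway) { return '6to4' }    # private address, but the NAT does 6to4
    return 'Teredo'                                   # private address behind a plain NAT
}

# Perimeter-firewall traffic the chapter lists for each method (to and from the DirectAccess server).
$RequiredException = @{
    'Native IPv6' = 'ICMPv6, UDP port 500 and protocol 50 over the IPv6 Internet'
    '6to4'        = 'IPv4 protocol 41'
    'Teredo'      = 'UDP port 3544'
    'IP-HTTPS'    = 'TCP port 443'
}

# Constructed sample clients (documentation and test address ranges, not real hosts).
$Samples = @(
    @{ Address = '2001:db8::10'; Nat6to4 = $false; Blocked = $false }   # global IPv6
    @{ Address = 'fe80::1';      Nat6to4 = $false; Blocked = $false }   # link-local only
    @{ Address = '203.0.113.5';  Nat6to4 = $false; Blocked = $false }   # public IPv4
    @{ Address = '192.168.1.20'; Nat6to4 = $false; Blocked = $false }   # private, plain NAT
    @{ Address = '192.168.1.20'; Nat6to4 = $true;  Blocked = $false }   # NAT with 6to4 gateway
    @{ Address = '10.0.0.7';     Nat6to4 = $false; Blocked = $true  }   # behind a Web proxy
)

$Samples | ForEach-Object {
    $args = @{
        ClientAddress          = $_.Address
        NatProvides6to4Gateway = [bool]$_.Nat6to4
        TransitionBlocked      = [bool]$_.Blocked
    }
    $method = Get-DirectAccessTransport @args
    [pscustomobject]@{
        Client            = $_.Address
        Method            = $method
        FirewallException = $RequiredException[$method]
    }
} | Format-Table -AutoSize
```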
Smart Cards

DirectAccess also supports the optional use of smart cards for authenticating remote users.

Implementing DirectAccess

To implement DirectAccess on the server side, you need a computer running Windows Server 2008 R2 with two physical network adapters and at least two consecutive public IPv4 addresses that can be externally resolved through the Internet DNS. You can add the DirectAccess Management Console feature using Server Manager and then use the DirectAccess Setup Wizard in the DirectAccess Management Console to configure DirectAccess on your network. For more information on setting up the server side of DirectAccess, click the Help links in the DirectAccess Management Console.

To implement DirectAccess on the client side, your client computers must be running Windows 7 Enterprise or Ultimate Edition, be domain joined, and be a member of a security group for DirectAccess clients. Initial configuration is done automatically by the DirectAccess Setup Wizard for the members of the specified security groups for DirectAccess clients. Additional client configuration can be done using Group Policy settings or with scripts.

More Info: For more information on deploying a DirectAccess solution for your organization, see the technical documentation found on the DirectAccess page on TechNet at http://technet.microsoft.com/en-us/network/dd420463.aspx. See also the product documentation at http://www.microsoft.com/directaccess/.

Understanding BranchCache

BranchCache is a new feature of Windows 7 and Windows Server 2008 R2 that allows content from file servers and Web servers at a central office to be cached on computers at a local branch office, thus improving application response time and reducing WAN traffic. This section provides an overview of the benefits of BranchCache, how it works, and how it can be implemented.
Benefits of BranchCache

BranchCache can provide the following benefits to enterprises and their users:

- Reduces WAN link utilization: By enabling branch office clients to use locally cached copies of files instead of having to download them from the central office over the WAN, BranchCache reduces WAN link utilization, thus freeing up bandwidth for other applications that need to use the WAN.
- Improves user productivity and reduces application response time: Opening a file located on a remote file server from a locally cached version of the file is typically much faster than downloading the file over a slow WAN link. BranchCache thus increases user productivity when accessing content over the WAN for applications that use Server Message Block (SMB; for example, using Microsoft Office Word to open a document stored in a shared folder on a file server) or HTTP/HTTPS (for example, using Windows Internet Explorer to open a page on an intranet Web site or using Windows Media Player [WMP] to play a video embedded in an intranet Web page).

BranchCache adds significant value to Windows 7 and Windows Server 2008 R2 with little overhead by providing significant bandwidth savings and an improved user experience. BranchCache doesn't require additional equipment in the branch offices, is easy to deploy, supports your existing security requirements, and can be easily managed using Group Policy.

How BranchCache Works

Depending on how you implement it, BranchCache can function in one of two modes:

- Hosted Cache: This scenario uses a client/server architecture in which clients running Windows 7 at a branch office site cache the content they've downloaded over the WAN from the central office to a Windows Server 2008 R2 computer (called the Hosted Cache) located at the same branch office site. Other clients that need this content can then retrieve it directly from the Hosted Cache without needing to use the WAN link. Hosted Cache mode does not require a dedicated server. The BranchCache feature can be enabled on a server that is running Windows Server 2008 R2 and is located in a branch that is also running other workloads. In addition, BranchCache can be set up as a virtual workload and can run on a server with other workloads, such as File and Print.
- Distributed Cache: This scenario uses a peer-to-peer architecture in which Windows 7 clients cache content that they retrieve by using the WAN, and then they send that content directly to other authorized Windows 7 clients on request.
  Distributed Cache mode allows IT professionals to take advantage of BranchCache with minimal hardware deployments in the branch office. However, if the branch has deployed other infrastructure (for example, servers running workloads such as File or Print), using Hosted Cache mode may be beneficial for the following reasons:

  • Increased cache availability: Hosted Cache mode increases the cache efficiency, because content is available even if the client that originally requested the data is offline.
  • Caching for the entire branch office: Distributed Cache mode operates on a single subnet. If a branch office that is using Distributed Cache mode has multiple subnets, a client on each subnet needs to download a separate copy of each requested file. With Hosted Cache mode, all clients in a branch office can access a single cache, even if they are on different subnets.
Protocols Supported by BranchCache

BranchCache supports the SMB 2 and HTTP 1.1 protocols. Applications do not need to directly communicate with BranchCache, although they can if they need to. However, applications accessing SMB and HTTP interfaces in the Windows 7 and Windows Server 2008 R2 operating systems automatically benefit from BranchCache. Consequently, applications like Windows Explorer, Robocopy, CopyFile, WMP, Internet Explorer, and Silverlight automatically benefit. These benefits are also realized when using HTTPS, IPsec, or SMB signing. However, applications that implement their own SMB or HTTP stacks will not benefit from BranchCache, because BranchCache optimizations are leveraged directly by the SMB and HTTP protocol stack implementations in the Windows 7 and Windows Server 2008 R2 operating systems.

Implementing BranchCache

To implement BranchCache for a file server located at your central site, the file server must be running Windows Server 2008 R2 and you must install the BranchCache For Network Files role service of the File Services role on the server using the Add Roles Wizard. After doing this, you must also configure the shares on your file server to use BranchCache. Using Group Policy, you can enable or disable BranchCache on all your file server's shares, or you can mark specific shares to use BranchCache.

To implement BranchCache for a Web or application server located at your central site, the Web or application server must be running Windows Server 2008 R2, and you must install the BranchCache feature on the server using the Add Features Wizard. After doing this, you must also start the BranchCache service on your Web or application server by typing netsh BranchCache set service mode=local at an administrative-level command prompt.
To configure a computer running Windows Server 2008 R2 located at a branch office as a Hosted Cache server, you must install the BranchCache feature on the server, enable the feature and configure it to use Hosted Cache server mode, and install a certificate that is trusted by your client computers on the server.

To configure clients running Windows 7 located at a branch office to use BranchCache, you must enable BranchCache on the computers, configure the computers to use either Distributed Cache mode or Hosted Cache mode as needed, and open the necessary exceptions in Windows Firewall to allow the computers to access the cache on other computers at the site. BranchCache can be enabled and configured on computers running Windows 7 either by using Group Policy or by using the netsh branchcache context of the Netsh command.

More Info: For more information on deploying a BranchCache solution for your organization, see the documentation found on the BranchCache section of the Networking and Access Technologies TechCenter on Microsoft TechNet at http://technet.microsoft.com/en-us/network/dd425028.aspx.
Supported Connection Types

Windows 7 supports both outgoing and incoming network connections. For outgoing connections, the computer running Windows 7 acts as a client that connects to a remote computer, server, or network to access remote resources. For incoming connections, Windows 7 acts as a server to allow other computers to connect to the computer and access resources on it.

Outgoing Connection Types

As Windows Vista did before it, Windows 7 supports a number of different types of outgoing (client-side) network connections:

- LAN or high-speed Internet connections: Connections to an Ethernet LAN or broadband router providing high-speed access to the Internet. LAN connections are computer-to-network connections that Windows creates automatically when it detects the presence of an installed network interface card (NIC). Internet connections are computer-to-network connections that you can create and configure manually using the Set Up A Connection Or Network wizard to provide Internet access using a broadband Digital Subscriber Line (DSL) adapter or cable modem, an Integrated Services Digital Network (ISDN) modem, or an analog (dial-up) modem. Broadband Internet connections use Point-to-Point Protocol over Ethernet (PPPoE); dial-up Internet connections use Point-to-Point Protocol (PPP).
- Wireless network connections: Connections to a WLAN through a wireless access point or wireless router. Wireless network connections are computer-to-network connections that you can create and configure manually using the Set Up A Connection Or Network wizard, provided that the computer has a wireless network adapter installed. Wireless network connections may be either secured or unsecured, depending on how the access point has been configured.
- Wireless ad hoc connections: Connections to another computer that is enabled for wireless networking. Wireless ad hoc connections are temporary computer-to-computer connections that you can use to share files between users.
- Wireless routers or access points: Devices used to network wireless-enabled computers, primarily for Small Office/Home Office (SOHO) environments, so that users can share files, printers, and connectivity to the Internet. Setting up this type of connection in Windows Vista using the Connect To A Network wizard requires that the computer has a wireless network adapter installed or attached and that an external wireless router or wireless access point device that can be configured is present.
- Dial-up connections: Connections to a remote access server (RAS server) or modem pool at a remote location. Dial-up connections are computer-to-server or computer-to-network connections that you can create and configure manually using the Set Up A Connection Or Network wizard, provided that the computer has an analog or ISDN modem installed or connected to it. Dial-up connections either provide remote access to corporate networks or dial-up access to the Internet using the services of an Internet service provider (ISP).
- VPN connections: Connections to a remote workplace by tunneling over the Internet. VPN connections work by creating a secure tunnel that encapsulates and encrypts all traffic between the client computer and the remote corporate network. This tunnel creates a secure private link over a shared public infrastructure such as the Internet. After the user is connected, her experience on the client computer is similar to what it would be if her computer were directly attached to the remote LAN (with performance limitations depending on the speed of the remote connection), with the exception of any restrictions imposed on remote connections by the network administrator. VPN connections are computer-to-server or computer-to-network connections that you can create and configure manually using the Set Up A Connection Or Network wizard. VPN connections can use existing Internet connectivity, or they can first establish a broadband Internet connection or an analog or ISDN dial-up connection to obtain the Internet connectivity they require.

The rest of this chapter describes how to create and manage VPN and dial-up connections.
For information about LAN and wireless connections in Windows 7, see Chapter 25, "Configuring Windows Networking."

Incoming Connection Types

As Windows Vista did before it, Windows 7 supports the following types of incoming (server-side) network connections:

- Incoming VPN connections: Connections from a remote computer by tunneling over the Internet, using either a broadband Internet connection or a dial-up connection to an ISP
- Incoming dial-up connections: Connections from a remote computer using an analog or ISDN modem

For more information on how to create and configure incoming connections, see the section titled "Configuring Incoming Connections" later in this chapter.

Deprecated Connection Types

The following connection technologies supported in Windows XP were deprecated in Windows Vista and are no longer available in Windows 7:

- X.25
- Microsoft Ethernet permanent virtual circuit (PVC)
- Direct cable connection using a serial, parallel, universal serial bus (USB), or IEEE 1394 cable
Note: Most types of network connections available in Windows 7 support IPv6 out of the box and can be used to establish pure-IPv6 connectivity with remote servers or networks (provided they support incoming IPv6 connections). More information concerning IPv6 support for network connections in Windows 7 is provided throughout this chapter where appropriate.

Configuring VPN Connections

Windows 7 supports both outgoing and incoming VPN connections. For outgoing connections, Windows 7 is the client and connects to a VPN server on a remote network, usually the corporate intranet. For incoming connections, Windows 7 acts as a server and allows a remote client computer to establish a VPN connection between the two computers. In enterprise environments, outgoing VPN connections are commonly used to allow mobile users to securely access resources on the corporate intranet from remote locations. Incoming VPN connections to client computers are rarely used in enterprise environments, so most of this discussion deals with outbound connections only. For information on how to create and configure an inbound connection on Windows 7, see the section titled "Configuring Incoming Connections" later in this chapter.

Supported Tunneling Protocols

Windows 7 supports four different tunneling protocols for creating secure VPN connections to remote corporate networks:

- Internet Key Exchange version 2: New in Windows 7, IKEv2 is an updated version of the IKE protocol that uses IPsec tunnel mode over UDP port 500. IKEv2 enables VPN connections to be maintained when the VPN client moves between wireless hotspots or switches from a wireless to a wired connection. Using IKEv2 and IPsec together enables support for strong authentication and encryption methods. IKEv2 is documented in RFC 4306.
- Secure Socket Tunneling Protocol: Supported in Windows Vista Service Pack 1 (SP1) and later versions, SSTP encapsulates PPP frames over HTTPS (HTTP over Secure Sockets Layer [SSL]) to facilitate VPN connectivity when a client is behind a firewall, NAT, or Web proxy that allows outgoing TCP connections over port 443. The SSL layer provides data integrity and encryption while PPP provides user authentication. SSTP was introduced in Windows Vista SP1 and Windows Server 2008. SSTP was developed by Microsoft, and the SSTP protocol specification can be found on MSDN at http://msdn.microsoft.com/en-us/library/cc247338.aspx.
- Layer Two Tunneling Protocol: An industry-standard Internet tunneling protocol designed to run natively over IP networks and which encapsulates PPP frames like PPTP does. Security for L2TP VPN connections is provided by IPsec, which provides the authentication, data integrity, and encryption needed to ensure that L2TP tunnels are protected. The combination of L2TP with IPsec for tunneling purposes is usually referred to as L2TP over IPsec or L2TP/IPsec. L2TP/IPsec is documented in RFC 3193, while L2TP is documented in RFC 2661.
- Point-to-Point Tunneling Protocol: An open industry standard developed by Microsoft and others, PPTP provides tunneling over PPP frames (which themselves encapsulate other network protocols such as IP) and uses PPP authentication, compression, and encryption schemes. PPTP was first introduced in Microsoft Windows NT 4.0 and is simpler to set up than L2TP, but it does not provide the same level of security as L2TP. PPTP is documented in RFC 2637.

Comparing the Different Tunneling Protocols

Table 27-1 compares the four different tunneling protocols that are available in Windows 7 and Windows Server 2008 R2.

Table 27-1: Comparison of VPN Tunneling Protocols Supported by Windows 7 and Windows Server 2008 R2

| Protocol | Provides data confidentiality | Provides data integrity | Provides data authentication | Requires a public key infrastructure | Supported versions |
|---|---|---|---|---|---|
| IKEv2 | Yes | Yes | Yes | Yes | Windows 7, Windows Server 2008 R2, and later versions |
| SSTP | Yes | Yes | Yes | Yes, for issuing computer certificates | Windows Vista SP1, Windows Server 2008, and later versions |
| L2TP/IPsec | Yes | Yes | Yes | Recommended for issuing computer certificates; an alternative is using a pre-shared key | Microsoft Windows 2000 and later versions |
| PPTP | Yes | No | No | No | Windows 2000 and later versions |
Microsoft recommendations for choosing the right tunneling protocol for providing VPN access to your corporate network are as follows:

- For client computers running Windows 7 and VPN servers running Windows Server 2008 R2, implement IKEv2 as your tunneling protocol. In addition to providing data confidentiality, data integrity, and data origin authentication (to confirm that the data was sent by the authorized user), IKEv2 provides resiliency to VPN connections using MOBIKE, which enables VPN connections to be maintained when the underlying Layer 2 network connectivity changes.
- For client computers running Windows 7 and VPN servers running Windows Server 2008 RTM or SP2, use SSTP as a fallback tunneling protocol. This way, whenever an IKEv2 tunnel connection is blocked due to a firewall configuration or some other issue, the client can use SSTP to achieve VPN connectivity to the corporate network. For more information about the order in which different tunneling protocols are used during a VPN connection attempt, see the section titled "Understanding the VPN Connection Negotiation Process" later in this chapter.
- For client computers running Windows 7 that need to connect to VPN servers running older versions of Windows, use L2TP/IPsec if a PKI is available; otherwise use PPTP.

Note: Microsoft may remove support for L2TP/IPsec and PPTP in future versions of Windows, so enterprises deploying Windows 7 should implement IKEv2 with SSTP fallback as their VPN solution wherever possible.

Understanding Cryptographic Enhancements

Beginning with Windows Vista, support for cryptographic algorithms and protocols used for data integrity, encryption, and authentication has been updated to increase VPN security. These updates include:

- Addition of support for the Advanced Encryption Standard (AES).
- Removal of support for weak cryptographic algorithms.
- Removal of support for less secure authentication protocols.
The sections that follow provide more details concerning these security enhancements.

Support for AES

Support for AES was first added in Windows Vista. AES is a Federal Information Processing Standard (FIPS) encryption standard developed by the National Institute of Standards and Technology (NIST) that supports variable key lengths and that replaces Data Encryption Standard (DES) as the standard encryption algorithm for government and industry. For L2TP/IPsec-based VPN connections, the following AES encryption levels are supported in Windows Vista and later versions:
- Main mode: IPsec main mode supports AES 256- and 128-bit encryption using Elliptical Curve Diffie-Hellman (ECDH) with 384- and 256-bit encryption, respectively.
- Quick mode: IPsec quick mode supports AES 128-bit and 3DES encryption when the encryption setting in the Advanced Security Settings properties of the VPN connection is either Optional Encryption or Require Encryption. IPsec quick mode supports AES 256-bit and 3DES encryption when the encryption setting inside the Advanced Security Settings properties is Maximum Strength Encryption.

Note: Using AES is a requirement for many U.S. government agencies.

Weak Cryptography Removal from PPTP/L2TP

Support for weak or nonstandard cryptographic algorithms has been removed beginning with Windows Vista. This initiative was based on a desire by Microsoft to move customers toward stronger crypto algorithms to increase VPN security, based on recommendations by NIST and the Internet Engineering Task Force (IETF) as well as mandates toward stronger crypto algorithms from different industry standards bodies and regulators. The following crypto algorithms are no longer supported on Windows Vista or later versions:

- 40- and 56-bit RC4 encryption, formerly used by the Microsoft Point-to-Point Encryption (MPPE) Protocol for PPTP-based VPN connections
- DES encryption, formerly used by IPsec policy within L2TP/IPsec-based VPN connections
- MD5 integrity checking, formerly used by IPsec policy within L2TP/IPsec-based VPN connections

The removal of support from the default configuration for 40- and 56-bit RC4 encryption means that PPTP-based VPN connections now support only 128-bit RC4 for data encryption and integrity checking. This means the encryption strength remains the same as 128-bit RC4, that is, independent of the encryption settings (Optional Encryption, Require Encryption, or Maximum Strength Encryption) specified by the Advanced Security Settings properties of the VPN connections.
This also means that if your existing VPN server does not support 128-bit encryption and supports only incoming PPTP-based VPN connections, clients will not be able to connect. If you are unable to upgrade your existing VPN servers to support 128-bit encryption for PPTP, or if 128-bit encryption is unavailable to you because of export restrictions, you can enable weak crypto for PPTP by editing the following registry value:

HKLM\System\CurrentControlSet\Services\Rasman\Parameters\AllowPPTPWeakCrypto

The default value of this DWORD registry value is 0, and by changing it to 1, you can enable 40- and 56-bit RC4 encryption on the computer for both outgoing and incoming PPTP-based VPN connections. You must restart the computer for this registry change to take effect. As an alternative to restarting the computer, you can restart the Remote Access Connection Manager service by opening a command prompt and typing net stop rasman followed by net start rasman.

The removal of support for DES encryption and MD5 integrity checking for L2TP/IPsec-based VPN connections means that L2TP/IPsec-based VPN connections now support the following data encryption and data integrity algorithms by default:

- 128-bit AES, 256-bit AES, and 3DES for data encryption using IPsec
- Secure Hash Algorithm (SHA1) for data integrity using IPsec

The removal of support for DES and MD5 from the default configuration means that L2TP/IPsec-based VPN connections will not work if your existing VPN server supports only DES for data encryption and/or MD5 for data integrity checking. If you are unable to upgrade your existing VPN servers to support AES or 3DES for data encryption and/or SHA1 for integrity checking, or if these crypto algorithms are unavailable to you because of export restrictions, you can enable weak crypto for L2TP by editing the following registry value:

HKLM\System\CurrentControlSet\Services\Rasman\Parameters\AllowL2TPWeakCrypto

The default value of this DWORD registry value is 0, and by changing it to 1, you can enable DES encryption and MD5 integrity checking on the computer for both outgoing and incoming L2TP/IPsec-based VPN connections. You must restart the computer for this registry change to take effect. As an alternative to restarting the computer, you can restart the Remote Access Connection Manager service by opening a command prompt and typing net stop rasman followed by net start rasman.

Note: Microsoft recommends that you upgrade your VPN server to support 128-bit RC4 for PPTP and/or AES and SHA1 for L2TP instead of enabling weak crypto support on your VPN clients.

Table 27-2 summarizes the differences between Windows 7, Windows Vista, and Windows XP with regard to crypto support for data integrity and encryption for VPN connections.
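As an added example (not code from the Resource Kit), the following PowerShell snippet audits the two RasMan values described above, reports whether either has been changed from its default of 0, and offers a remediation that resets them and restarts the Remote Access Connection Manager service, the alternative to a reboot that the chapter gives. The function names are this example's own, and it assumes it is run from an elevated prompt.

```powershell
# Added example, not code from the Resource Kit. Function names are this example's
# own. Assumes an elevated (administrator) PowerShell session.
$RasManParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Rasman\Parameters'

function Get-RasWeakCryptoState {
    # One object per switch: current data (an absent value means the default of 0)
    # and which removed algorithms a data of 1 brings back.
    $switches = @(
        @{ Name = 'AllowPPTPWeakCrypto'; ReEnables = '40- and 56-bit RC4 (MPPE) for PPTP' }
        @{ Name = 'AllowL2TPWeakCrypto'; ReEnables = 'DES encryption and MD5 integrity for L2TP/IPsec' }
    )
    foreach ($s in $switches) {
        $item = Get-ItemProperty -Path $RasManParams -Name $s.Name -ErrorAction SilentlyContinue
        $data = if ($null -ne $item) { [int]$item.($s.Name) } else { 0 }
        [pscustomobject]@{
            Value            = $s.Name
            Data             = $data
            WeakCryptoActive = ($data -eq 1)
            ReEnables        = $s.ReEnables
        }
    }
}

function Disable-RasWeakCrypto {
    # Puts any switch that is set to 1 back to the default of 0, then restarts
    # rasman (Remote Access Connection Manager) so the change applies without a reboot.
    $active = Get-RasWeakCryptoState | Where-Object { $_.WeakCryptoActive }
    if (-not $active) {
        Write-Host 'Both RasMan weak-crypto switches are already at their default of 0.'
        return
    }
    foreach ($state in $active) {
        Set-ItemProperty -Path $RasManParams -Name $state.Value -Value 0 -Type DWord
        Write-Warning "Reset $($state.Value) to 0; it was re-enabling $($state.ReEnables)."
    }
    Restart-Service -Name RasMan -Force
}

# Report first; call Disable-RasWeakCrypto only after confirming the VPN server
# side supports 128-bit RC4 (PPTP) or AES/3DES with SHA1 (L2TP/IPsec).
Get-RasWeakCryptoState | Format-Table -AutoSize
```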
Table 27-2: Data Integrity and Encryption Support for VPN Connections in Windows 7, Windows Vista, and Windows XP

| Crypto algorithm | Use | Windows 7 | Windows Vista | Windows XP |
|---|---|---|---|---|
| 40-bit RC4 | Data encryption and integrity checking for PPTP only | | | Yes |
| 56-bit RC4 | Data encryption and integrity checking for PPTP only | | | Yes |
| 128-bit RC4 | Data encryption and integrity checking for PPTP only | Yes | Yes | Yes |
| DES | Data encryption | | | Yes |
| 3DES | Data encryption | Yes | Yes | Yes |
| 128-bit AES | Data encryption | Yes | * | |
| 196-bit AES | Data encryption | Yes | * | |
| 256-bit AES | Data encryption | Yes | * | |
| MD5 | Integrity checking | | | Yes |
| SHA1 | Integrity checking | Yes | Yes | Yes |
| 256-bit SHA | Integrity checking (main mode only) | Yes | * | |
| 384-bit SHA | Integrity checking (main mode only) | Yes | * | |

An asterisk (*) in Table 27-2 means that configuration is possible, but only by using the Netsh command.

Supported Authentication Protocols

The following authentication protocols are supported for logon security for VPN connections in Windows 7:

- PAP: Stands for Password Authentication Protocol; uses plaintext (unencrypted) passwords.
- CHAP: Stands for Challenge Handshake Authentication Protocol; uses one-way MD5 hashing with challenge-response authentication.
- MSCHAPv2: Stands for Microsoft Challenge Handshake Authentication Protocol version 2; an extension by Microsoft of the CHAP authentication protocol that provides mutual authentication of Windows-based computers and stronger data encryption. MSCHAPv2 is an enhancement of the earlier MS-CHAP protocol, which provided only one-way authentication of the client by the server.
- EAP: Stands for Extensible Authentication Protocol; extends PPP by adding support for additional authentication methods, including the use of smart cards and certificates.
- PEAP: Stands for Protected Extensible Authentication Protocol, or Protected EAP; enhances the protection provided by EAP by using Transport Layer Security (TLS) to provide a secure channel for EAP negotiation. PEAP is also used in Windows 7 to support NAP scenarios.
Starting with Windows Vista, the following authentication protocols have been deprecated for use by VPN connections:

• SPAP (Shiva Password Authentication Protocol)
• MS-CHAP
• EAP using MD5

Note that by default PAP and CHAP are not enabled as authentication protocols on new VPN connections you create using the Set Up A Connection Or Network wizard. This is because PAP and CHAP are not considered secure; use them only when connecting to ISPs whose network access devices support only these older authentication schemes. And although Windows 7 no longer supports MD5 for data integrity checking on L2TP/IPsec-based VPN connections, support for MD5 in CHAP has been maintained because of the continuing popularity of this authentication protocol with many broadband- and dial-up-based ISPs. Table 27-3 summarizes the differences between Windows 7, Windows Vista, and Windows XP with regard to the user authentication protocols used for VPN connections.

NOTE: In addition to the user authentication protocols listed in Table 27-3, L2TP/IPsec also supports machine-level authentication (using either pre-shared keys or machine certificates), and SSTP supports the client validating the server (using the certificate sent by the server to the client during the SSL negotiation phase).

TABLE 27-3 Authentication Protocols Supported for VPN Connections in Windows 7, Windows Vista, and Windows XP

AUTHENTICATION PROTOCOL      WINDOWS 7   WINDOWS VISTA   WINDOWS XP
PAP                          Yes         Yes             Yes
SPAP                                                     Yes
CHAP                         Yes         Yes             Yes
MS-CHAP                                                  Yes
MS-CHAPv2                    Yes         Yes             Yes
EAP with MD5 challenge                                   Yes
EAP with smart card          Yes         Yes             Yes
EAP with other certificate   Yes         Yes             Yes
PEAP                         Yes         Yes
DIRECT FROM THE SOURCE
VPN Security Enhancements
Samir Jain and Santosh Chandwai, Lead Program Managers, Windows Enterprise Networking

Beginning with Windows Vista, many extensions have been made regarding VPN security. First, all the weak crypto algorithms have been removed and new stronger crypto algorithms have been added to VPN tunnels. For PPTP, 40/56-bit RC4 encryption has been removed by default. This means PPTP now supports only 128-bit RC4 encryption by default. So if your VPN server or VPN client doesn't support 128-bit encryption, your calls may fail. You can still get 40/56-bit RC4 encryption back by changing a registry key, but this is not recommended. It is better to upgrade your client or server to one that supports the more secure 128-bit RC4 encryption method.

For L2TP/IPsec, DES (for encryption) and MD5 (for integrity check) have been removed, but AES support has been added. This means that Windows Vista and later versions support AES 128-bit, AES 256-bit, and 3DES for encryption, and SHA1 for integrity check. (AES is more CPU efficient than 3DES.) So if your VPN server or VPN client doesn't support either DES or MD5, your connectivity may fail. You can still get DES and MD5 back by changing a registry key, but this is not recommended. It is better to upgrade your client or server to one that supports the more secure AES/3DES and SHA1 encryption methods.

Second, many new authentication algorithms have been added; EAP-MD5, SPAP, and MSCHAPv1 are now deprecated. Windows Vista and later versions support (in increasing order of strength) PAP, CHAP, MSCHAPv2, EAP-MSCHAPv2, EAP-smart card/certificate, PEAP-MSCHAPv2, and PEAP-smart card/certificate. Using PAP or CHAP as an authentication algorithm over a VPN tunnel is not recommended because it is weaker than other authentication algorithms. Arguably, it might be safe to use PAP/CHAP over a L2TP/IPsec VPN connection because IPsec provides a secure session before PPP authentication begins. But always remember this subtle security point: IPsec provides you with machine-level authentication, whereas PPP authentication provides you with user-level authentication, and both are important.

Finally, the L2TP/IPsec client in Windows Vista and later versions has added more verification of specific fields inside the server certificate used for IPsec negotiation to avoid the trusted man-in-the-middle (TMITM) attack. The L2TP/IPsec client checks for the Subject Alternative Name (SAN) field in the server's X.509 certificate to verify that the server you are connecting to is the same as the server that was issued the certificate. It also checks for the Extended Key Usage (EKU) field to validate that the certificate issued to the server is for the purpose of server authentication. For older deployments, Windows Vista and later versions provide a registry key that if enabled will allow the VPN client to override the verification of the SAN and EKU fields of the server's certificate. However, it is recommended that you not override these checks. Instead, if your VPN server offering L2TP/IPsec connectivity is issued X.509 certificates that do not have the DNS name of the server in the SAN field, it is recommended that you reissue appropriately configured certificates to the server.

Understanding the VPN Connection Negotiation Process

When a client running Windows 7 tries to establish a connection with a remote VPN server, the tunneling protocol, authentication protocol, data encryption algorithm, and integrity-checking algorithm used depend on several factors:

• The enabled authentication protocols and crypto algorithms on the client side
• The remote access policy on the server side
• The available network transports (IPv4 and/or IPv6)

By default, if Type Of VPN is set to Automatic on the client side, the client running Windows 7 attempts to establish a connection with the remote VPN server in the following order:

1. IKEv2
2. SSTP
3. PPTP
4. L2TP

The VPN client typically resolves the name of the VPN server using DNS. If the DNS lookup returns only an IPv4 address or only an IPv6 address, the connection attempts using the various tunneling protocols use only that address family. If the DNS lookup provides the client with both the IPv4 and IPv6 addresses of the server, then IPv6 is preferred and the following tunnel connections are attempted, in this order:

1. IKEv2 over IPv6
2. SSTP over IPv6
3. PPTP over IPv4 (because PPTP doesn't support IPv6)
4. L2TP over IPv6

After a tunneling protocol has been selected for the connection, the authentication and crypto algorithms are then negotiated between the client and the server.
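The sidebar above describes two certificate checks the L2TP/IPsec client performs before trusting the server: the server's DNS name must be present in the certificate's Subject Alternative Name field, and the Extended Key Usage field must contain Server Authentication. The following Go program is an added example written for this page (it is not Windows code and not from the book); it implements those two checks with the standard library's crypto/x509 package and exercises them against self-signed certificates it constructs itself. The server name vpn.example.com and the helper names CheckVPNServerCert, newSelfSignedCert and CheckConstructed are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// CheckVPNServerCert applies the two certificate checks the sidebar describes:
// the server name the client connected to must appear as a DNS entry in the
// certificate's Subject Alternative Name extension, and the Extended Key Usage
// extension must include Server Authentication. Chain building and expiry are
// separate concerns and are deliberately not handled here.
func CheckVPNServerCert(cert *x509.Certificate, serverName string) error {
	sanMatch := false
	for _, name := range cert.DNSNames {
		if strings.EqualFold(name, serverName) { // DNS names compare case-insensitively
			sanMatch = true
			break
		}
	}
	if !sanMatch {
		return fmt.Errorf("server name %q is not in the certificate SAN %v", serverName, cert.DNSNames)
	}
	for _, eku := range cert.ExtKeyUsage {
		if eku == x509.ExtKeyUsageServerAuth {
			return nil
		}
	}
	return errors.New("certificate EKU does not include Server Authentication")
}

// newSelfSignedCert builds a throwaway self-signed certificate with the given
// SAN DNS names and EKUs. Constructed test data only; a real VPN server
// certificate would be issued by the enterprise CA.
func newSelfSignedCert(dnsNames []string, eku []x509.ExtKeyUsage) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "constructed-vpn-cert"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  eku,
		DNSNames:     dnsNames,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// CheckConstructed generates a certificate with the given properties and runs
// the check against it; it exists so the cases below are easy to exercise.
func CheckConstructed(dnsNames []string, eku []x509.ExtKeyUsage, serverName string) error {
	cert, err := newSelfSignedCert(dnsNames, eku)
	if err != nil {
		return err
	}
	return CheckVPNServerCert(cert, serverName)
}

func main() {
	serverAuth := []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	clientAuth := []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	server := "vpn.example.com" // constructed server name

	// Properly issued: SAN carries the server's DNS name, EKU is Server Authentication.
	fmt.Println("SAN + server-auth EKU:", CheckConstructed([]string{server}, serverAuth, server))
	// Certificate with only a CN and no SAN: the client would reject it.
	fmt.Println("no SAN:", CheckConstructed(nil, serverAuth, server))
	// Wrong purpose: a client-authentication certificate presented by the server.
	fmt.Println("client-auth EKU only:", CheckConstructed([]string{server}, clientAuth, server))
}
```

The "no SAN" case is the one the sidebar singles out: a certificate whose only identity is a Common Name fails the check, which is why the sidebar recommends reissuing certificates with the DNS name in the SAN rather than setting the registry override.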
NOTE: You can reduce connection time by explicitly specifying the tunneling protocol you want your client to use (provided that the remote server also supports this protocol) instead of selecting the automatic type of VPN on the Networking tab of the connection's properties. Note that doing so means that if the connection attempt using the specified tunneling protocol fails, then VPN connectivity cannot be established.
HOW IT WORKS
VPN Connections and IPv4/IPv6
Samir Jain, Lead Program Manager, Enterprise Networking (RRAS)

First, a little background: after you establish VPN connectivity, you have two interfaces on your client computer. One is your Internet interface (that is, Ethernet, wireless, PPPoE, PPP over dial-up, and so on); the other is your corporate or WAN interface (that is, a VPN tunnel). This really means that you have two sets of IP addresses, and each of these can be IPv4 and/or IPv6.

How Do We Support IPv4 and IPv6 for VPN Connections?

In Windows 7, we support SSTP, L2TP, and IKEv2 VPN tunnels over IPv6 (in other words, when your ISP connectivity is IPv6) and SSTP/L2TP/PPTP/IKEv2 VPN tunnels over IPv4. In all scenarios, IPv4 and/or IPv6 packets can be sent on top of a VPN tunnel. (Packets going to/from your corporate network can be IPv4/IPv6.)

• If you are confused about the difference between "over" and "on top of," here's a rule of thumb: Look at the connectivity between the VPN client and the VPN server (your ISP connectivity). This determines how the tunnel packets flow over the Internet and indirectly determines which type of VPN tunnel to be used.
• Look at the connectivity between the VPN server and your corporate network (your corporate connectivity). This determines what flows on top of (or inside) the tunnel, and indirectly determines which network inside your corporate network you can access (IPv4 and/or IPv6).

How Can I Identify This While Configuring a VPN Connection?

Open the properties dialog box of your VPN connection and click the General tab. Here is where you specify the IP address (v4 or v6) or host name of the VPN server—the IP address that you are going to use to connect to the VPN server or the IP address over which the VPN tunnel will be established. In other words, this determines your ISP connectivity. If you enter an IPv6 address here, L2TP, IKEv2, and SSTP tunnels are supported. If you enter an IPv4 address, all tunnel types are supported. But if you enter a host name, the type of tunnel selection is deferred until you actually connect and a name lookup is performed. The DNS server could return to you both IPv4 and IPv6 addresses. In this scenario, IPv4 and IPv6 are tried in the order in which the addresses were returned by the DNS server inside the DNS response. The result also depends on the type of VPN tunnel type selection (PPTP, L2TP/IPsec, SSTP, IKEv2, or automatic).
Switch to the Networking tab and look at This Connection Uses The Following Items. The protocols listed here include both IPv4 and IPv6, and this protocol will be the one that gets negotiated "on top of" (or "inside") the VPN tunnel. In other words, this determines your corporate connectivity—whether you will be sending IPv4 and/or IPv6 packets to the corporate network on top of the tunnel. You can typically get both IPv4 and IPv6 addresses from your corporate VPN server if your VPN server is configured accordingly. Depending on the name lookups, the appropriate address will be taken.

What Happens When I Select Automatic as My Type of VPN?

Automatic VPN tunnel logic is very simple:

• First try IKEv2, and if that fails, try SSTP. If that fails, try PPTP. And if that fails, try L2TP.
• Let's say you have configured an IPv4 address as the destination VPN server. The logic remains the same: first IKEv2, then SSTP, then PPTP, and finally L2TP.
• Let's say instead that you have configured an IPv6 address as the destination VPN server. Try IKEv2. If that fails, try SSTP. And if that fails, try L2TP.
• Finally, let's say that you have configured a host name as the destination VPN server. Now if your DNS server returns only IPv4 addresses (A records), go to bullet 2 above. If your DNS server returns only IPv6 addresses (AAAA records), go to bullet 3. If your DNS server returns both IPv4 and IPv6 addresses, the logic will be to go through each IP address returned and then go to either bullet 2 or 3 depending upon the IP address.

What Happens When I Select My Type of VPN Using Connection Manager Administration Kit?

Connection Manager Administration Kit (CMAK), a tool for network administrators on Windows Server 2008 R2, also supports the following tunnel order strategies:

• Use PPTP only.
• Try PPTP first, which means PPTP, IKEv2, SSTP, and then L2TP.
• Use L2TP.
• Try L2TP first, which means L2TP, IKEv2, PPTP, and then SSTP.
• Use SSTP only.
• Try SSTP first, which means SSTP, IKEv2, PPTP, and then L2TP.
• Use IKEv2 only.
• Try IKEv2 first, which means IKEv2, PPTP, SSTP, and then L2TP.

Note that you must use a computer running a version of Windows with the same processor architecture as the clients on which you want to install the profile. A 32-bit connection profile can be created and installed on a 32-bit version of Windows only. A 64-bit connection profile can be created and installed on a 64-bit version of Windows only. To create 64-bit connection profiles, use the Add Features Wizard to install the CMAK feature on a computer running Windows Server 2008 R2. To create 32-bit connection profiles, use the Turn Windows Features On Or Off option to install the RAS CMAK feature on a computer running a 32-bit version of Windows 7.

What Will Happen if I Connect a Windows 7 Client to a VPN Server That Doesn't Support IPv6?

You won't be able to use the VPN server "over" IPv6 (you can only have IPv4 connectivity to an ISP), which means your tunnel can be SSTP, L2TP, IKEv2, or PPTP. Then, "on top of" the VPN tunnel, the client running Windows 7 will try to get an IPv4 as well as an IPv6 address from the VPN server, but it will get only an IPv4 address. Hence the connection will still go through. In other words, the connection fails only if you cannot get both IPv4 and IPv6 addresses on top of the VPN tunnel.

What Will Happen if I Connect a Windows 7 Client to a VPN Server That Doesn't Support SSTP?

The SSTP connection will fail (and then you should remove SSTP from the preceding tunnel order).

Creating and Configuring VPN Connections

The Set Up A Connection Or Network wizard simplifies the task of creating VPN connections. The screens displayed when you use this wizard vary depending on the choices you make as you proceed through the wizard.

MORE INFO: This chapter covers only configuring client connections for establishing VPN connectivity. For information about configuring Windows Server 2008 VPN servers, including Network Policy Server (NPS) servers, see the "Windows Server 2008 Networking and Network Access Protection (NAP)" volume in the "Windows Server 2008 Resource Kit" from Microsoft Press at http://www.microsoft.com/learning/en/us/books/11160.aspx.
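The automatic tunnel logic and the CMAK tunnel order strategies in the sidebar above are easy to get wrong when a name lookup returns a mix of A and AAAA records, because PPTP is never attempted over IPv6. The Go program below is an added example written for this page, not code from Windows or CMAK; it encodes the tunnel orders listed in the sidebar as data and produces the exact sequence of tunnel/address attempts for a given strategy and DNS answer. It follows the sidebar's rule of walking the returned addresses in order (the chapter body shows a variant where the IPv6 address is preferred and PPTP falls through to IPv4). The function names AttemptOrder and Describe and the sample addresses 2001:db8::1 and 203.0.113.10 are constructed for the example.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// tunnelOrders maps the Type Of VPN setting ("Automatic") and each CMAK tunnel
// order strategy to the sequence of tunnel types the client tries.
var tunnelOrders = map[string][]string{
	"Automatic":   {"IKEv2", "SSTP", "PPTP", "L2TP"},
	"PPTP only":   {"PPTP"},
	"PPTP first":  {"PPTP", "IKEv2", "SSTP", "L2TP"},
	"L2TP only":   {"L2TP"},
	"L2TP first":  {"L2TP", "IKEv2", "PPTP", "SSTP"},
	"SSTP only":   {"SSTP"},
	"SSTP first":  {"SSTP", "IKEv2", "PPTP", "L2TP"},
	"IKEv2 only":  {"IKEv2"},
	"IKEv2 first": {"IKEv2", "PPTP", "SSTP", "L2TP"},
}

// Attempt is one tunnel type tried against one server address.
type Attempt struct {
	Tunnel string
	Addr   string
}

func (a Attempt) String() string { return a.Tunnel + " over " + a.Addr }

// AttemptOrder returns the tunnel/address combinations the client would try,
// in order, for a strategy and the server addresses a name lookup returned
// (or the single literal address typed into the connection). Addresses are
// walked in the order given, as the sidebar describes, and PPTP is skipped
// for IPv6 addresses because PPTP does not support IPv6.
func AttemptOrder(strategy string, addrs []string) ([]Attempt, error) {
	order, ok := tunnelOrders[strategy]
	if !ok {
		return nil, fmt.Errorf("unknown tunnel strategy %q", strategy)
	}
	var plan []Attempt
	for _, a := range addrs {
		ip := net.ParseIP(a)
		if ip == nil {
			return nil, fmt.Errorf("%q is not an IP address", a)
		}
		isIPv6 := ip.To4() == nil
		for _, tunnel := range order {
			if isIPv6 && tunnel == "PPTP" {
				continue
			}
			plan = append(plan, Attempt{Tunnel: tunnel, Addr: a})
		}
	}
	return plan, nil
}

// Describe renders a plan as a comma-separated list, or a notice when no
// tunnel type is usable for the given addresses (for example "PPTP only"
// against an IPv6-only server).
func Describe(plan []Attempt) string {
	if len(plan) == 0 {
		return "no usable tunnel for these addresses"
	}
	parts := make([]string, len(plan))
	for i, a := range plan {
		parts[i] = a.String()
	}
	return strings.Join(parts, ", ")
}

func main() {
	// Constructed DNS answer: an AAAA record followed by an A record.
	answers := []string{"2001:db8::1", "203.0.113.10"}
	for _, strategy := range []string{"Automatic", "IKEv2 first", "PPTP only"} {
		plan, err := AttemptOrder(strategy, answers)
		if err != nil {
			fmt.Println(err)
			continue
		}
		fmt.Printf("%-13s %s\n", strategy+":", Describe(plan))
	}
	// The same "PPTP only" profile against an IPv6-only server can never connect.
	plan, _ := AttemptOrder("PPTP only", []string{"2001:db8::1"})
	fmt.Printf("%-13s %s\n", "PPTP only v6:", Describe(plan))
}
```

Running the program shows why the note earlier in this section warns about fixing the tunnel type: a "PPTP only" profile pointed at a server that resolves only to an IPv6 address yields an empty plan, so the connection can never be established.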
In addition to creating and configuring new connections on clients running Windows 7, administrators can use the new version of the CMAK included with Windows Server 2008. CMAK is a set of tools that you can use to tailor the appearance and behavior of connections made using Connection Manager, the built-in remote access client dialer included in Windows Vista. Using CMAK, administrators can create and deploy custom connections for client computers to simplify the user experience of connecting to remote networks. For instance, you could create a client connection that tries only a single specified tunneling protocol when attempting to establish a connection, or you could create a connection that tries each tunneling protocol in a specified order.

NOTE: You must use the new Windows Server 2008 R2 version of CMAK to create and configure connections for clients running Windows 7.

Creating a VPN Connection

To create a new VPN connection on a computer that already has a broadband (PPPoE) or dial-up connection to the Internet, follow these steps:

1. Open Network And Sharing Center, either from Control Panel or by clicking the networking icon in the system notification area and then clicking Open Network And Sharing Center.
2. After Network And Sharing Center is displayed, click Set Up A New Connection Or Network to start the Set Up A New Connection Or Network wizard.
3. On the Choose A Connection Option page, select Connect To A Workplace and then click Next.
4. If this is the first connection you have created on the computer, proceed to step 5. Otherwise, select Yes, I'll Choose An Existing Connection and then select one of the existing connections displayed on the Do You Want To Use A Connection That You Already Have? page. For example, if you want to use an existing dial-up connection (analog or ISDN modem) to provide Internet access for your new VPN connection, select that connection and then click Dial when the Connect dialog box is displayed for that connection. After you've used your existing connection to connect to the Internet, you can continue setting up your new VPN connection.
5. Click Use My Internet Connection (VPN).
6. Specify the IPv4 or IPv6 address or fully qualified domain name (FQDN) of the remote VPN server you want to connect to, as shown here. You can also give the connection a descriptive name to distinguish it from other connections on the computer. Typically, this will be the name of your remote network or remote VPN server.