Configuring Windows 7 (Training Kit) - Part 57

Lesson 2: Remote Connections CHAPTER 10 533
VPN Authentication Protocols
Windows 7 supports different authentication protocols for both dial-up and VPN
connections. There are two broad categories of authentication protocol: password-based
authentication protocols and certificate-based authentication protocols. Certificate-based
authentication protocols require the deployment of a PKI solution such as Active Directory
Certificate Services. When you use a certificate-based authentication protocol, it is necessary
to deploy certificates tied to user accounts, computer accounts, or both types of account.
The properties of these protocols are as follows:
• PAP (Password Authentication Protocol): This protocol uses unencrypted passwords
for authentication. This protocol is not enabled by default for Windows 7 VPN
connections and is not supported by remote access servers running Windows Server
2008. You would enable this protocol only to connect to an older third-party VPN
server that does not support other more secure protocols.
• CHAP (Challenge Authentication Protocol): This is a password-based authentication
protocol. Although remote access servers running Windows Server 2008 do not
support this protocol, it is enabled by default for Windows 7 VPN connections and
it allows you to connect to third-party VPN servers that do not support other more
secure protocols.
• MS-CHAPv2 (Microsoft Challenge Handshake Authentication Protocol
version 2): MS-CHAPv2 is a password-based authentication protocol. You can
configure a VPN connection that uses this protocol to use the credentials of the
currently logged on user for authentication.
• PEAP/PEAP-TLS (Protected Extensible Authentication Protocol with Transport
Layer Security): This is a certificate-based authentication protocol where users
authenticate using certificates. It requires the installation of a computer certificate on
the VPN server.
• EAP-MS-CHAPv2/PEAP-MS-CHAPv2: These are the most secure password-based
authentication protocols available to VPN clients running Windows 7. They require the
installation of a computer certificate on the VPN server but do not require a client
certificate.
• Smart Card or Other Certificate: Use this protocol when users are authenticating
VPN connections using a smart card or a certificate installed on this computer.
The properties for this authentication protocol are shown in Figure 10-13.
You can configure which VPN authentication protocols are supported for a connection by
editing a VPN connection’s properties in the Network Connections control panel, as shown
in Figure 10-14. Windows first tries to use the most secure authentication protocol that is
enabled and then falls back to less secure protocols if they are available.
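The selection rule just described, as an added example (Python, not code from the training kit): a model of how the client's enabled protocols, the server's offered protocols and the certificate prerequisites decide which protocol a connection ends up using, and why the weakest protocol left enabled on the client is the one that defines its risk. The strength ranking and the server capability sets are assumptions built from the protocol descriptions above.

```python
"""Added example (not from the training kit): a model of how a Windows 7 VPN
client ends up on one authentication protocol. The strength ranking and the
certificate prerequisites are taken from the protocol descriptions above;
the server capability sets are constructed for this example."""

# Strongest first. Windows tries the most secure enabled protocol and falls
# back to weaker ones the server also offers.
STRENGTH_ORDER = ["EAP-TLS", "PEAP-MS-CHAPv2", "MS-CHAPv2", "CHAP", "PAP"]

# Deployment prerequisites stated in the text: PEAP needs a computer
# certificate on the VPN server; Smart Card or Other Certificate (EAP-TLS)
# also needs a certificate or smart card on the client. Password protocols
# need neither.
REQUIRES = {
    "EAP-TLS": {"server_cert", "client_cert"},
    "PEAP-MS-CHAPv2": {"server_cert"},
    "MS-CHAPv2": set(),
    "CHAP": set(),
    "PAP": set(),
}

# From the text: Windows Server 2008 RRAS does not accept PAP or CHAP;
# a Windows 7 client ships with CHAP and MS-CHAPv2 enabled and PAP disabled.
WINDOWS_SERVER_2008 = {"EAP-TLS", "PEAP-MS-CHAPv2", "MS-CHAPv2"}
WINDOWS_7_DEFAULT = {"CHAP", "MS-CHAPv2"}


def negotiate(client_enabled, server_offered, deployed=frozenset()):
    """Protocol the connection settles on, or None when nothing overlaps.
    'deployed' lists the certificates that actually exist."""
    for proto in STRENGTH_ORDER:
        if (proto in client_enabled and proto in server_offered
                and REQUIRES[proto] <= set(deployed)):
            return proto
    return None


def weakest_enabled(client_enabled):
    """The worst case for this client: a server that only offers its least
    secure option can pull the client down to this protocol. Leaving PAP
    enabled 'just in case' means that worst case is a cleartext password."""
    for proto in reversed(STRENGTH_ORDER):
        if proto in client_enabled:
            return proto
    return None


if __name__ == "__main__":
    print(negotiate(WINDOWS_7_DEFAULT, WINDOWS_SERVER_2008))  # MS-CHAPv2
    print(weakest_enabled({"PAP", "CHAP", "MS-CHAPv2"}))     # PAP
```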
534 CHAPTER 10 DirectAccess and VPN Connections
FIGURE 10-13 Smart Card or other Certificate options
FIGURE 10-14 VPN Authentication protocols
VPN Reconnect
VPN Reconnect is a feature new to Windows 7. When you connect to a VPN server using the
PPTP, L2TP/IPsec, or SSTP protocol and you suffer some sort of network disruption, you can
lose your VPN connection and need to restart it. If you were transferring a file, downloading
e-mail, or sending a print job, you need to start over from the beginning. VPN Reconnect
allows clients running Windows 7 to reconnect automatically to a disrupted VPN session
even if the disruption has lasted for 8 hours. VPN Reconnect also works if connecting to
a new Internet access point causes the disruption. For example, a user might be using a VPN
connection to his corporate network while connected to a wireless network at an airport
coffee shop. As the time of his flight’s departure approaches, he moves from the coffee shop
to the airport lounge, which has its own Wi-Fi network. With VPN Reconnect, the user’s VPN
connection is reestablished automatically when he achieves Internet connectivity with the
new network. With a traditional VPN solution, this user would have to reconnect manually
once he connected to the new wireless network in the airport lounge, and any existing
operations occurring across the VPN would be lost. Unlike DirectAccess, which only some
editions of Windows 7 support, all editions of Windows 7 support VPN Reconnect.
VPN Reconnect uses the IKEv2 tunneling protocol with the MOBIKE extension. The MOBIKE
extension allows VPN clients to change their Internet addresses without having to renegotiate
authentication with the VPN server. Only VPN servers running Windows Server 2008 R2
support IKEv2. You cannot use IKEv2 if your organization has a routing and remote access
server running Windows Server 2003, Windows Server 2003 R2, or Windows Server 2008.
You can configure VPN Reconnect with a maximum timeout of 8 hours, as shown in
Figure 10-15. After the period specified in the Network Outage Time setting has expired, it is
necessary for the user to reconnect manually. You will create and configure an IKEv2-based
VPN connection in the practice exercise at the end of this lesson.
FIGURE 10-15 IKEv2 Advanced Properties
Quick Check
• Which VPN protocol supports automatic reconnection?
Quick Check Answer
• IKEv2 supports automatic reconnection.
NAP Remediation
NAP is a technology in Windows Server 2008 that restricts network access based on an
assessment of a client computer’s health. A compliant client that meets the health benchmark
is able to access the network. If the computer does not meet the health benchmark, it is
noncompliant. NAP blocks noncompliant clients from accessing the network. NAP can be used
for clients on the LAN, but also can be used for VPN, RD Gateway, and DirectAccess clients.
Administrators can configure NAP to restrict network access based on the following criteria:
• Does a client have antivirus software installed and up to date?
• Does a client have anti-spyware software installed and up to date?
• Does a client have Windows Firewall enabled?
• Are automatic updates enabled?
• Have all software updates been installed on the client computer?
Administrators specify these criteria through Security Health Validators (SHVs). Administrators
configure SHVs to specify the components of the system health benchmark. Figure 10-16 shows
the Windows 7 SHV that is included with Windows Server 2008 R2.
FIGURE 10-16 Windows Security Health Validator
Administrators can configure NAP to perform a process of remediation on client
computers that do not meet the specified health benchmarks. When NAP applies to VPN
connections, this often means providing access to a remediation network. A remediation
network is a special network that hosts the services that would allow the client to come back
into compliance. Noncompliant clients can communicate with hosts on the remediation
network but not other hosts on the internal corporate network. A remediation network
could include a Windows Server Update Services (WSUS) server so that the client can get
the most recent software updates and an antivirus update server so that the client can reach
a compliant state and be granted access to the network.
It is possible for a client running Windows 7 to perform some steps automatically
towards remediation when the Security Center service is enabled. This service interacts with
the Windows 7 Action Center. If this service is enabled and the appropriate NAP policies
are configured within the remote access infrastructure, clients might automatically bring
themselves into compliance by switching on items like the Windows Firewall, running
Windows Update, and initiating the process of updating antivirus and anti-spyware software.
In environments without remediation networks, it is necessary for users to bring the
computer into compliance manually before they will be able to establish a successful remote
access connection. If your organization uses NAP with its remote access infrastructure, you
should ensure that users know what steps they need to take to get their clients running
Windows 7 compliant so they will be able to access the internal network.
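The validation-and-remediation cycle described above, as an added example (Python, not code from the training kit): an SHV-style check over a constructed statement of health, with the items a Windows 7 client can fix on its own from the remediation network separated from those that still need the user. The field names are constructed for this example.

```python
"""Added example (not from the training kit): a model of the NAP decision and
remediation cycle described above. Field names in the statement of health are
constructed; the benchmark items are the five the text lists, and the items
marked self-fixable are those the text says a Windows 7 client corrects itself
when the Security Center service is enabled."""

BENCHMARK = ("antivirus_installed", "antivirus_up_to_date",
             "antispyware_installed", "antispyware_up_to_date",
             "firewall_enabled", "automatic_updates_enabled",
             "updates_installed")

# What the client can fix alone from the remediation network: turn on the
# firewall, run Windows Update (via WSUS), refresh signatures. Installing a
# missing antivirus or anti-spyware product is left to the user.
SELF_FIXABLE = {"firewall_enabled", "automatic_updates_enabled",
                "updates_installed", "antivirus_up_to_date",
                "antispyware_up_to_date"}
# A signature update only makes sense once the product is installed.
DEPENDS_ON = {"antivirus_up_to_date": "antivirus_installed",
              "antispyware_up_to_date": "antispyware_installed"}


def validate(soh):
    """SHV check: benchmark items the statement of health (soh) fails."""
    return [item for item in BENCHMARK if not soh.get(item, False)]


def remediation_cycle(soh, security_center_enabled=True, max_rounds=3):
    """Validate, place the client, let it self-remediate where it can, and
    re-validate. Returns (network the client ends on, items still failing)."""
    soh = dict(soh)
    for _ in range(max_rounds):
        failed = validate(soh)
        if not failed:
            return "internal", []
        fixable = [f for f in failed
                   if security_center_enabled and f in SELF_FIXABLE
                   and soh.get(DEPENDS_ON.get(f, ""), True)]
        if not fixable:  # nothing left the client can do alone
            return "remediation", failed
        for item in fixable:  # simulate the Action Center remediation steps
            soh[item] = True
    return "remediation", validate(soh)


if __name__ == "__main__":
    client = {item: True for item in BENCHMARK}
    client.update(firewall_enabled=False, antivirus_installed=False,
                  antivirus_up_to_date=False)
    print(remediation_cycle(client))  # ('remediation', ['antivirus_installed', 'antivirus_up_to_date'])
```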
More Info NAP
To find out more about NAP, consult the Network Access Protection TechCenter at the
following address:
Remote Desktop and Application Publishing
Windows Server 2008 R2 Remote Desktop Services, known as Terminal Services on Windows
Server 2008 and Windows Server 2003, allows people to connect using the Remote Desktop
Connection client to a server on which they can run applications. You learned about making
Remote Desktop connections to clients running Windows 7 in Chapter 7, “Firewall and
Remote Management.”
RD (Remote Desktop) Gateway, formerly known as Terminal Services Gateway, allows users
on the Internet to make Remote Desktop connections to servers on internal networks without
the user having to initiate a VPN connection. Connections can only be made to specially
configured Remote Desktop hosts on the internal network. Users are unable to access all
resources on the network, as they can with a traditional VPN or DirectAccess.
More Info RD GATEWAY
To learn more about RD Gateway, consult the following Microsoft TechNet article:
To connect using an RD Gateway server, navigate to the Advanced tab of the Remote
Desktop Connection Properties dialog box and click Settings under Connect From Anywhere.
This opens the RD Gateway Server Settings dialog box, in which you specify the RD Gateway
settings: whether you want the RD Gateway to be detected automatically, whether to use
a specific RD Gateway server, as shown in Figure 10-17, or Do Not Use An RD Gateway
Server, which is the default setting.
FIGURE 10-17 RD Gateway server settings
You can also apply RD Gateway configuration through Group Policy rather than configuring
it manually. The relevant policies are located in the User Configuration\Administrative
Templates\Windows Components\Remote Desktop Services\RD Gateway node, as shown in
Figure 10-18.
FIGURE 10-18 RD Gateway policies

These policies work as follows:
• Set RD Gateway authentication method: When the policy is set to Not Configured or
Disabled, the authentication method specified by the user is used. When enabled, the
administrator can choose to allow the user to change the setting, or the administrator
can select among the following options:
  • Ask for credentials, use NTLM protocol
  • Ask for credentials, use Basic protocol
  • Use the locally logged on credentials
  • Use a smart card
• Enable Connection through RD Gateway: When this policy is enabled, Remote
Desktop Client automatically tries to connect through the configured RD Gateway if it
is unable to connect automatically to the target Remote Desktop Services server. This
policy can be enforced only if the Set RD Gateway server address policy is configured.
A policy option allows users to override this setting.
• Set RD Gateway server address: When the policy is set to Not Configured or Disabled,
clients automatically detect whether RD Gateway is required. If required, the RD Gateway
specified by the user is used. When this policy is set to Enabled, the address of the RD
Gateway server specified in the policy is used. The address of the RD Gateway server must
match the name of the SSL certificate installed on the RD Gateway server.
RemoteApp allows applications that reside on Remote Desktop Services servers to have
their display output shown in Remote Desktop clients. This differs from a standard Remote
Desktop Connection window where the user sees the entire remote desktop in a window.
For example, if you publish the Microsoft Office Excel 2007 application through Remote
Desktop Services RemoteApp and the user runs it, the user sees an Excel 2007 application
window just as she would if the application were running locally. Remote Desktop Services
RemoteApp applications appear in the Start menu just like other locally installed applications.
The difference with RemoteApp is that the application runs on the Remote Desktop Services
server, with only the application display appearing on the client.
You can use RemoteApp applications over the Internet if the RemoteApp program
shortcuts or publications include the address of an RD Gateway server. You configure
the RD Gateway server address prior to publishing applications by using the RemoteApp
Deployment Settings dialog box, shown in Figure 10-19. This dialog box is available through
the RemoteApp manager on a computer running Windows Server 2008 R2. If you publish
a RemoteApp application through Group Policy or by distributing a remote desktop shortcut
(.rdp) file prior to configuring an RD Gateway, you have to republish the application and
redistribute the file.
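The RD Gateway settings carried inside a distributed .rdp file, as an added example (Python, not code from the training kit) that checks whether a shortcut was published with a usable gateway address and whether that address can match the gateway's SSL certificate name. The setting names gatewayhostname and gatewayusagemethod are standard .rdp file settings; the value meanings are an assumption based on their published semantics, and the sample file is constructed.

```python
"""Added example (not from the training kit): inspect the RD Gateway settings
in a Remote Desktop (.rdp) file, the file the text says must be republished if
it was distributed before an RD Gateway was configured. gatewayhostname and
gatewayusagemethod are standard .rdp settings; samples are constructed."""
import ipaddress

# gatewayusagemethod values; an absent setting is treated as the text's
# default, Do Not Use An RD Gateway Server (assumption).
USAGE = {0: "do not use an RD Gateway", 1: "always use the RD Gateway",
         2: "use the RD Gateway if a direct connection fails",
         3: "use default RD Gateway settings",
         4: "do not use an RD Gateway, bypass for local addresses"}


def parse_rdp(text):
    """Each .rdp line is name:type:value; type i is an integer, s a string."""
    settings = {}
    for line in text.splitlines():
        if line.count(":") < 2:
            continue
        name, kind, value = line.strip().split(":", 2)
        settings[name.lower()] = int(value) if kind == "i" else value
    return settings


def gateway_findings(settings):
    """Problems that stop the file working via an RD Gateway from the Internet."""
    findings = []
    usage = settings.get("gatewayusagemethod", 0)
    host = settings.get("gatewayhostname", "")
    if usage in (0, 4):
        findings.append("set to %s: works only inside the network or over a VPN" % USAGE[usage])
    elif usage in (1, 2) and not host:
        findings.append("gateway use is on but no server address: republish after configuring the RD Gateway")
    if host:
        try:  # a literal IP can never match the name on the gateway's SSL cert
            ipaddress.ip_address(host)
            findings.append("gateway address %s is an IP literal; it must match the gateway's SSL certificate name" % host)
        except ValueError:
            pass
    return findings


# Constructed sample: a RemoteApp shortcut published after the gateway was set.
PUBLISHED_RDP = """\
full address:s:rdsh01.corp.example
remoteapplicationmode:i:1
gatewayhostname:s:rdgw.corp.example
gatewayusagemethod:i:1
gatewaycredentialssource:i:0
"""
```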
FIGURE 10-19 RD Gateway settings for RemoteApp
More Info REMOTEAPP
To learn more about Remote Desktop Services RemoteApp, consult the following Microsoft
TechNet Web page:
Dialup Connections
A large number of people still access the Internet using dial-up connections to their ISPs.
Windows 7 supports dial-up connections to ISPs so long as a compatible modem is available.
Modems can include land-line and cellular devices, and they can be built into a portable
computer's hardware or attached as universal serial bus (USB) devices.
To set up a dial-up connection, perform the following steps:
1. In Network And Sharing Center click Set Up A New Connection Or Network. On the
Choose A Connection Option page, shown in Figure 10-20, select Set Up A Dial-Up
Connection and then click Next.
2. In the Create A Dial-up Connection dialog box, shown in Figure 10-21, enter the phone
number of the ISP, the ISP user name and password, a connection name, and whether
you want other users of the computer to be able to use this connection.
3. If you need to configure dialing rules, such as country code, carrier code, a specific
number to access an outside line, or switch between pulse and tone dialing, you can
click the Dialing Rules item to specify these settings.
FIGURE 10-20 Set Up Dial-up Connection
FIGURE 10-21 Specifying connection information
Configuring Windows 7 to Accept Incoming Connections
You can configure Windows 7 to accept incoming VPN and dial-up connections. When you
configure Windows 7 to accept incoming VPN and dial-up connections, the client running
Windows 7 is able to function as a VPN and dial-up server. Windows 7 supports incoming
VPNs that use the PPTP protocol and allows only one incoming connection at a time.
To configure Windows 7 to support incoming connections, perform the following steps:
1. Open the Network Connections page, which is accessible through the Network And
Sharing Center. Press Alt to bring up the menu bar. Click File and then click New
Incoming Connection.
2. Select which users can access the computer remotely using VPN or dial-up, as shown
in Figure 10-22, and then click Next.
FIGURE 10-22 Selecting remote users
3. On the How Will People Connect? page, shown in Figure 10-23, select the types of
connections that you wish to support. Your options include Through The Internet and
Through A Dial-Up Modem.
FIGURE 10-23 Configuring the incoming connection type