MCTS Training Kit 70-680 Configuring Microsoft Windows 7 Client, part 7


520 CHAPTER 10 DirectAccess and VPN Connections
FIGURE 10-3 The Internet and Corporate Access message
As you learned earlier, DirectAccess clients use digital certificates to authenticate with
the DirectAccess server. If a computer does not have a valid computer certificate issued
by a certificate authority (CA) that the DirectAccess server is configured to trust for the
purpose of DirectAccess authentication, it cannot connect successfully. DirectAccess clients
and the DirectAccess server almost always receive their certificates from an Active Directory
Certificate Services Certificate Authority that is integrated into the domain. This ensures that
both client and server trust each other’s certificates. To verify that a computer certificate is
present and valid on a client running Windows 7, perform the following actions:
1. Open a blank Microsoft Management Console by typing mmc into the Search
Programs And Files text box.
2. Add the Certificates snap-in for the local Computer account.
3. Navigate to the Certificates (Local Computer)\Personal\Certificates node and verify
that the computer has enrolled a certificate for the intended purposes of Client
Authentication and Server Authentication, as shown in Figure 10-4.
FIGURE 10-4 Verifying the DirectAccess client certificate
You can verify the current DirectAccess configuration using several command-line utilities.
To verify the DirectAccess client’s settings for 6to4, issue the command
Netsh interface 6to4 show relay
When the client is assigned DirectAccess configuration through Group Policy, this
command displays one of the public IPv4 addresses assigned to the DirectAccess server as
the relay address. If the relay setting is set to Default, the DirectAccess Group Policy has not
Lesson 1: Managing DirectAccess CHAPTER 10 521
been applied properly. Similarly, when DirectAccess configuration is applied through Group
Policy, you should see one of the two public addresses assigned to the DirectAccess server
when you verify the Teredo configuration. You can verify the Teredo configuration by issuing
the command
Netsh interface ipv6 show teredo
You can also get information about the IP-HTTPS configuration by issuing the command
Netsh interface httpstunnel show interfaces


More Info TROUBLESHOOTING DIRECTACCESS
For more information on troubleshooting DirectAccess, consult the following Microsoft
TechNet document:
Quick Check
• Which IPv6 transition technology does DirectAccess use if you are in a remote location and your computer has been assigned a public IPv4 address, but not a public IPv6 address?
Quick Check Answer
• DirectAccess uses the 6to4 IPv6 transition technology if the client is assigned a public IPv4 address but not a public IPv6 address.
Configuring the DirectAccess server
You configure DirectAccess primarily by configuring the DirectAccess server. When you
configure the DirectAccess server, you also end up configuring the necessary Group Policy
Objects (GPOs) that support DirectAccess. Prior to installing DirectAccess, you should ensure
that the DirectAccess server meets the following requirements:
• The computer needs to have Windows Server 2008 R2 installed and be a member of a domain.
• This server must have two network adapters.
• One of these network adapters needs a direct connection to the Internet. You must assign this adapter two consecutive public IPv4 addresses.
• The second network adapter needs a direct connection to the corporate intranet.
• The computer needs digital certificates to support server authentication. This includes having a computer certificate that matches the fully qualified domain name (FQDN) that is assigned to the IP addresses on the DirectAccess server’s external network interface.
You should also create at least one global security group in AD DS that you use with
DirectAccess. You can give this group any name that you like, though it is easier to keep track
of it if you give it a DirectAccess-related name. It is possible to create and specify multiple
DirectAccess-related security groups if necessary. You create multiple groups when you need
to differentiate access to segments of the corporate intranet.
To install DirectAccess on a server running Windows Server 2008 R2, add the DirectAccess
Management Console feature using the Add Features Wizard, as shown in Figure 10-5. Installing
the DirectAccess Management Console allows you to configure and manage DirectAccess
features. Installing the DirectAccess Management console also requires that you add the Group
Policy Management feature. The Group Policy Management feature is necessary because
the DirectAccess setup wizard creates DirectAccess-related GPOs that configure DirectAccess
clients. You need to run the DirectAccess setup wizard with a user account that has permissions
to create and apply GPOs in the domain.
FIGURE 10-5 Install the DirectAccess feature on Windows Server 2008 R2
After you install the DirectAccess Management console, you can configure the DirectAccess
server. To do this, perform the following steps:
1. Open the DirectAccess Management console from the Administrative Tools menu on the
computer running Windows Server 2008 R2. This opens the DirectAccess Management
console, shown in Figure 10-6.
FIGURE 10-6 DirectAccess console
2. Select the Setup node. In the details pane, in the Remote Clients area, click Configure.
This opens the DirectAccess Client Setup dialog box. Click Add and then specify the
name of the security groups to which you add computer accounts when you want to
grant access to DirectAccess to specific clients running Windows 7. These groups can
have any names. The one in Figure 10-7 is called DA_Clients.
FIGURE 10-7 DirectAccess client groups

3. Use the DirectAccess Server Setup item to specify which interface is connected to the
Internet and which interface is connected to the internal network. Performing this
step will enable IPv6 transition technologies on the DirectAccess server, as shown in
Figure 10-8. You use this item to specify the CA that client certificates must ultimately
come from, either directly or through a subordinate CA. You also must specify the
server certificate used to secure IP-HTTPS traffic.
FIGURE 10-8 DirectAccess Server Setup
4. On the Infrastructure Server Setup page, you specify the location of the internal
Web site (known as the Network Location Server) that DirectAccess clients attempt
to contact to determine whether they are connected to the corporate intranet or
a remote location. You must ensure that you secure this Web site with a Web server
certificate, as shown in Figure 10-9. You also use this dialog box to specify which
DNS servers and domain controllers the DirectAccess clients are able to contact for
authentication purposes.
5. The final step involves specifying which resources on the corporate intranet are
accessible to DirectAccess clients. The default setting is to allow access to all resources.
In more secure environments, it is possible to use isolation policies to limit the
contact to the membership of specific security groups. For example, you might create
a security group and add the computer accounts of some file servers and mail servers,
but not others.
6. When you click Finish, DirectAccess interfaces with a domain controller and creates
two new GPOs in the domain. The first of these is targeted at the security groups that
contain the computer accounts of DirectAccess clients. The second GPO is targeted at
the DirectAccess server itself. You can see these GPOs in Figure 10-10.
FIGURE 10-9 Specifying the network location server
FIGURE 10-10 Direct Access GPOs
DirectAccess relies upon several other components in a Windows Server 2008 R2 network
infrastructure. The domain in which you install the DirectAccess server must also have the
following:
• At least one domain controller running Windows Server 2008 R2 and DNS server on the internal network.
• A server running Windows Server 2008 with Active Directory certificates installed, either as an enterprise root CA or an enterprise subordinate CA.
To make internal network resources available to remote DirectAccess clients, you need to
do one of the following:
• Ensure that all internal resources that will be accessed by DirectAccess support IPv6.
• Deploy ISATAP on the intranet. ISATAP allows intranet servers and applications to be reached by tunneling IPv6 traffic over an IPv4 intranet.
• Deploy a NAT-PT device. NAT-PT devices allow hosts that only support IPv4 addresses to be accessible to DirectAccess clients using IPv6.
All application servers that DirectAccess clients access need to allow ICMPv6 traffic in
Windows Firewall with Advanced Security (WFAS). You can accomplish this by enabling the
following firewall rules using Group Policy:
• Echo Request – ICMPv6-in
• Echo Request – ICMPv6-out
The following ports on an organization’s external firewall must be open to support
DirectAccess:
• UDP port 3544: enables Teredo traffic.
• IPv4 protocol 41: enables 6to4 traffic.
• TCP port 443: allows IP-HTTPS traffic.
• ICMPv6 and IPv4 protocol 50: required when remote clients have IPv6 addresses.
Exam Tip
Remember which conditions necessitate the use of Teredo, 6to4, and IP-HTTPS on
DirectAccess clients.
Practice Configure DirectAccess with Netsh
DirectAccess requires a Windows Server 2008 R2 network infrastructure, so it is not possible
to simulate DirectAccess on a client running Windows 7 without also having access to several
servers running Windows Server 2008 R2. In this practice, you simulate manually configuring
different IPv6 DirectAccess components using Netsh.
Exercise 1 Netsh DirectAccess Configuration
In this exercise, you simulate setting DirectAccess policies using the Netsh command-line
utility. In reality, DirectAccess configuration comes through Group Policy, though there may
be circumstances, such as when a client has been out of the office for some time and when
the DirectAccess server address has changed, where you need to perform this type of manual
configuration.
1. Log on to computer Canberra using the Kim_Akers user account and open an elevated
command prompt.
2. Enter each of the following commands and press Enter:
Netsh interface ipv6 set teredo enterpriseclient 131.107.0.5
Netsh interface 6to4 set relay 131.107.0.5
3. Now enter the following diagnostic commands and press Enter after each one to verify
that the correct configuration was set. The configuration should match the IP address
131.107.0.5:
Netsh interface 6to4 show relay
Netsh interface ipv6 show teredo
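The following PowerShell script is an added example, not part of the Training Kit, that automates the checks described earlier for the 6to4, Teredo and IP-HTTPS settings and the verification step of Exercise 1: it parses the output of the three netsh commands and compares the relay and Teredo server against the DirectAccess server's public addresses. It assumes netsh reports these settings as "Key : Value" lines with the field names Relay Name, Type, Server Name and URL; the second address 131.107.0.6 and the IP-HTTPS URL in the sample output are constructed.

```powershell
# Added example (not from the Training Kit): verify on a Windows 7 DirectAccess client that
# the 6to4, Teredo and IP-HTTPS settings delivered by Group Policy point at the DirectAccess
# server, using the same three netsh commands the lesson uses. 131.107.0.5 is the address
# from the practice exercise. Assumption: netsh prints these settings as "Key : Value" lines
# with the field names "Relay Name", "Type", "Server Name" and "URL"; the parser is
# case-insensitive and ignores every other line (headers, separators).

function ConvertFrom-NetshOutput {
    param([string[]]$Lines)
    # Collect every "Key : Value" line into a hashtable keyed by the lower-cased field name.
    $fields = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([^:]+?)\s*:\s*(.*?)\s*$') {
            # Teredo prints server names with a trailing dot; strip it so addresses compare cleanly.
            $fields[$Matches[1].ToLower()] = $Matches[2].TrimEnd('.')
        }
    }
    return $fields
}

function Test-DirectAccessTransition {
    param(
        # Public IPv4 addresses assigned to the DirectAccess server's Internet adapter.
        [Parameter(Mandatory = $true)][string[]]$ServerAddress,
        # Optional pre-captured netsh output (for example, pasted in by a remote user).
        # When omitted, the commands are run on this computer.
        [string[]]$RelayOutput,
        [string[]]$TeredoOutput,
        [string[]]$HttpsOutput
    )
    if (-not $RelayOutput)  { $RelayOutput  = netsh interface 6to4 show relay }
    if (-not $TeredoOutput) { $TeredoOutput = netsh interface ipv6 show teredo }
    if (-not $HttpsOutput)  { $HttpsOutput  = netsh interface httpstunnel show interfaces }

    $findings = @()

    # 6to4: a relay of "default" means the DirectAccess GPO has not been applied.
    $relay = (ConvertFrom-NetshOutput $RelayOutput)['relay name']
    if (-not $relay -or $relay -eq 'default') {
        $findings += 'FAIL 6to4 relay is "default": DirectAccess Group Policy not applied'
    } elseif ($ServerAddress -notcontains $relay) {
        $findings += "FAIL 6to4 relay $relay is not a DirectAccess server address"
    } else {
        $findings += "OK   6to4 relay is $relay"
    }

    # Teredo: the client should be an enterprise client whose server is the DirectAccess server.
    $teredo = ConvertFrom-NetshOutput $TeredoOutput
    if ($teredo['type'] -ne 'enterpriseclient') {
        $findings += "FAIL Teredo type is '$($teredo['type'])', expected enterpriseclient"
    }
    if ($ServerAddress -notcontains $teredo['server name']) {
        $findings += "FAIL Teredo server '$($teredo['server name'])' is not a DirectAccess server address"
    } else {
        $findings += "OK   Teredo server is $($teredo['server name'])"
    }

    # IP-HTTPS: the tunnel interface must carry the server URL the GPO delivered.
    $url = (ConvertFrom-NetshOutput $HttpsOutput)['url']
    if (-not $url) {
        $findings += 'FAIL no IP-HTTPS URL configured'
    } else {
        $findings += "OK   IP-HTTPS URL is $url"
    }

    $failed = @($findings | Where-Object { $_ -like 'FAIL*' })
    # New-Object rather than [pscustomobject] so the script also runs on Windows 7's PowerShell 2.0.
    return New-Object PSObject -Property @{
        Passed   = ($failed.Count -eq 0)
        Findings = $findings
    }
}

# Offline run against constructed output matching the practice exercise
# (netsh ... set teredo enterpriseclient 131.107.0.5 and ... set relay 131.107.0.5).
$sampleRelay  = 'Relay Name          : 131.107.0.5',
                'Use Relay           : default'
$sampleTeredo = 'Type                    : enterpriseclient',
                'Server Name             : 131.107.0.5'
$sampleHttps  = 'Role                       : client',
                'URL                        : https://da.contoso.internal/IPHTTPS'   # constructed URL
# 131.107.0.6 is a constructed second address (the server has two consecutive public addresses).
$report = Test-DirectAccessTransition -ServerAddress '131.107.0.5', '131.107.0.6' `
    -RelayOutput $sampleRelay -TeredoOutput $sampleTeredo -HttpsOutput $sampleHttps
$report.Findings | ForEach-Object { Write-Output $_ }
Write-Output ("Passed: " + $report.Passed)
```

Run it without the three -*Output parameters on the client itself to check the live configuration; a "default" relay or a Teredo server that is not the DirectAccess server is the sign that the DirectAccess GPO has not reached the computer.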

Lesson Summary
• DirectAccess allows a client running Windows 7 Enterprise or Ultimate edition to connect automatically to a corporate intranet when an active Internet connection is established without requiring user intervention.
• If a client running Windows 7 has a public IPv6 address, a direct IPv6 connection is made. If the client has a public IPv4 address, a connection is made using the 6to4 transition technology. If the client has a private IPv4 address, a connection is made using the Teredo transition technology. If the client has a private IPv4 address and is behind a firewall that restricts most forms of network traffic, a connection using IP-HTTPS is made.
• DirectAccess clients require computer certificates from a CA that is trusted by the DirectAccess server. The DirectAccess server requires a certificate from a CA trusted by the DirectAccess client.
• DirectAccess clients must be members of an AD DS domain. DirectAccess clients must be members of a special domain security group which has been configured during the setup of the DirectAccess server.
• A DirectAccess server must run Windows Server 2008 R2. A domain controller running Windows Server 2008 R2 and a DNS server must also be present on the internal network to support DirectAccess.
Lesson Review
You can use the following questions to test your knowledge of the information in Lesson 1,
“Managing DirectAccess.” The questions are also available on the companion DVD if you
prefer to review them in electronic form.
Note ANSWERS
Answers to these questions and explanations of why each answer choice is correct or incorrect
are located in the “Answers” section at the end of the book.
1. A client running Windows 7 is connecting to a hotel network. Clients on the hotel
network are assigned IP addresses in the 10.0.10.0 /24 range. The hotel firewall blocks
all traffic except that on ports 25, 80, and 443. Which DirectAccess connectivity
method does the client use to make the connection?
A. Teredo
B. 6to4
C. Globally routable IPv6 address
D. IP-HTTPS
2. You have 10 stand-alone laptop computers running Windows 7 Professional. You
want to configure these computers so that they can use DirectAccess to access the
internal network when users connect to remote networks. Your internal network has
a Windows Server 2008 R2 functional level domain. Which of the following steps must
you take before you can accomplish this goal? (Choose all that apply.)
A. Upgrade the computers to Windows 7 Ultimate.
B. Join the computers to the domain.
C. Configure AppLocker policies.
D. Configure BranchCache policies.
3. Which of the following computers can you configure as a DirectAccess server?
A. A server running Windows Server 2008 R2 with two network adapters that has
been assigned two consecutive public IPv4 addresses
B. A server running Windows Server 2008 R2 with one network adapter that has been
assigned two consecutive public IPv4 addresses
C. A server running Windows Server 2008 R2 with two network adapters that has
been assigned one public IPv4 address
D. A server running Windows Server 2008 R2 with one network adapter that has been
assigned one public IPv4 address
4. Kim Akers, who uses the Kim_Akers user account, has been using a computer running
Windows 7 Enterprise named laptop-122 with DirectAccess to access the internal
corporate network when working remotely. Laptop-122 is a member of the Direct_Access
domain security group. Laptop-122 has developed a fault and Kim has been given
Laptop-123, which also runs Windows 7 Enterprise and is joined to the Contoso.internal
domain. When Kim is working remotely, she is unable to connect to the internal network.
Which of the following steps should you take to resolve this problem?
A. Add the computer account for Laptop-123 to the Direct_Access group in the domain.
B. Add the computer account for Laptop-123 to the Direct_Access group on
Laptop-123.
C. Add the Kim_Akers user account to the Direct_Access group in the domain.
D. Add the Kim_Akers user account to the Direct_Access local group on Laptop-123.
5. Your client running Windows 7 is connected to a hotel network, has an address on the
192.168.10.0 /24 network, and is located behind a Network Address Translation (NAT)
device. The network blocks all outbound traffic except that on ports 80 and 443. You
want the address of the DirectAccess IP-HTTPS server to be set correctly. Which of the
following commands could you use?
A. ipconfig
B. netsh interface 6to4 show relay
C. netsh interface ipv6 show teredo
D. netsh interface httpstunnel show interfaces
Lesson 2: Remote Connections
Although not every edition of Windows 7 supports DirectAccess, every edition of Windows 7
supports VPN using the PPTP, L2TP/IPsec, SSTP, and IKEv2 protocols. Traditional VPN technology
is important because, except for IKEv2, these technologies are compatible with existing remote
access infrastructures and do not require an organization to upgrade any servers to Windows
Server 2008 R2. PPTP and L2TP/IPsec VPNs are also compatible with third-party remote
access solutions. This is important if your organization does not rely upon a Windows Server
remote access infrastructure. In this lesson, you learn about how to deal with clients that have
been restricted to NAP quarantine and how to configure the Remote Desktop Client to access
Remote Desktop Services servers on a protected internal network without having to configure
a VPN connection.
After this lesson, you will be able to:
• Establish VPN connections.
• Configure VPN authentication.
• Set up VPN Reconnect.
• Manage VPN security auditing.
• Configure NAP quarantine remediation.
Estimated lesson time: 40 minutes
Virtual Private Networks
VPNs allow people to make connections to remote networks over the Internet. VPN users can
access resources on the LAN such as e-mail, shared folders, printers, databases, and calendars
when they are using their computers in an out-of-office location. All they need to access
a VPN is to have an active Internet connection and for the relevant VPN infrastructure to be
set up on the corporate network to which they are connecting. Configuring VPNs means that
resources on protected corporate networks can be made available to authorized users on the
Internet through the VPN without making those resources directly available to users on the
Internet. VPNs are like tunnels that allow specific authorized users from the Internet access
to a configured list of internal network resources. Users without administrative privileges are
able to create remote access connections. It is possible to limit user rights to create or modify
remote access connections by configuring policies in the User Configuration\Administrative
Templates\Network\Network Connections node of Group Policy.
When you create a VPN connection, you need to specify the address of the VPN server
that you are connecting to and your authentication credentials. You can create a new
VPN connection in the Network And Sharing Center by clicking Set Up A New Connection
Or Network and then Connect to a Workplace. When you create a new VPN connection,
Windows 7 sets the VPN type to Automatic. You can configure a connection to use a specific
VPN protocol, but if you do this, Windows 7 does not try to use other VPN protocols if
the protocol you select is not available. You will create a VPN connection and then edit its
properties to use a specific VPN protocol in the practice at the end of this lesson.
When a VPN connection type is set to Automatic, Windows 7 attempts to make
a connection using the most secure protocol. Clients running Windows 7 can use four
different VPN protocols, which differ in the types of encryption and data protection they
offer. The most secure protocols support:
• Data confidentiality: the protocol encrypts your data so that third parties cannot read it as it crosses public networks.
• Data integrity: you will know if a third party tampers with your data in transit.
• Replay protection: ensures that the same data cannot be sent more than once. In a replay attack, an attacker captures and then resends data.
• Data origin authentication: the sender and receiver can be sure of the origin of transmitted and received data.
The VPN protocols supported by Windows 7, listed from least to most secure, are:
• PPTP: PPTP VPNs are the least secure form of VPN. Because PPTP VPNs do not require access to a public key infrastructure (PKI), they are also the most commonly deployed type of VPN. PPTP connections can use the MS-CHAP, MS-CHAPv2, EAP, and PEAP authentication protocols. PPTP connections use MPPE to encrypt PPTP data. PPTP connections provide data confidentiality but do not provide data integrity or data origin authentication. Some older NAT devices do not support PPTP. Windows 7 uses PPTP to support incoming VPN connections. You will learn about configuring Windows 7 to support incoming VPN connections later in this lesson.
• L2TP/IPsec: L2TP/IPsec VPN connections are more secure than PPTP. L2TP/IPsec provides per-packet data origin authentication, data integrity, replay protection, and data confidentiality. L2TP/IPsec uses digital certificates, so it requires access to a certificate services infrastructure. Most third-party VPN solutions support L2TP/IPsec. L2TP/IPsec cannot be used behind NAT unless the client and server support IPsec NAT Traversal (NAT-T). Windows 7, Windows Server 2003, and Windows Server 2008 support NAT-T. You can configure L2TP to use either certificate-based authentication or a pre-shared key by configuring the advanced properties, as shown in Figure 10-11.
• SSTP: SSTP VPN tunnels use port 443, meaning that SSTP VPN traffic can pass across almost all firewalls that allow Internet access, something that is not true of the PPTP, L2TP/IPsec, and IKEv2 VPN protocols. SSTP works by encapsulating PPP traffic over the SSL channel of the HTTPS protocol. SSTP supports data origin authentication, data integrity, replay protection, and data confidentiality. You cannot use SSTP through a Web proxy that requires authentication.
FIGURE 10-11 L2TP Advanced Properties
• IKEv2: IKEv2 is a VPN protocol new to Windows 7 and is not present in previous versions of Windows. IKEv2 supports IPv6 and the new VPN Reconnect feature. IKEv2 supports Extensible Authentication Protocol (EAP) and computer certificates for client-side authentication. This includes Microsoft Protected EAP (PEAP), Microsoft Secured Password (EAP-MSCHAP v2), and Microsoft Smart Card or Other Certificate, as shown in Figure 10-12. IKEv2 does not support PAP, CHAP, or MS-CHAPv2 (without EAP) as authentication protocols. IKEv2 supports data origin authentication, data integrity, replay protection, and data confidentiality. IKEv2 uses UDP port 500. When you configure a new Windows 7 VPN connection with the default settings, Windows 7 attempts to make an IKEv2 connection first.
FIGURE 10-12 Authentication protocols supported by IKEv2
VPN Authentication Protocols
Windows 7 supports different authentication protocols for both dial-up and VPN
connections. There are two broad categories of authentication protocol: password-based
authentication protocols and certificate-based authentication protocols. Certificate-based
authentication protocols require the deployment of a PKI solution such as Active Directory
Certificate Services. When you use a certificate-based authentication protocol, it is necessary
to deploy certificates tied to user accounts, computer accounts, or both types of account.
The properties of these protocols are as follows:
• PAP (Password Authentication Protocol): This protocol uses unencrypted passwords for authentication. This protocol is not enabled by default for Windows 7 VPN connections and is not supported by remote access servers running Windows Server 2008. You would enable this protocol only to connect to an older third-party VPN server that does not support other more secure protocols.
• CHAP (Challenge Handshake Authentication Protocol): This is a password-based authentication protocol. Although remote access servers running Windows Server 2008 do not support this protocol, it is enabled by default for Windows 7 VPN connections and it allows you to connect to third-party VPN servers that do not support other more secure protocols.
• MS-CHAPv2 (Microsoft Challenge Handshake Authentication Protocol version 2): MS-CHAPv2 is a password-based authentication protocol. You can configure a VPN connection that uses this protocol to use the credentials of the currently logged on user for authentication.
• PEAP/PEAP-TLS (Protected Extensible Authentication Protocol with Transport Layer Security): This is a certificate-based authentication protocol where users authenticate using certificates. It requires the installation of a computer certificate on the VPN server.
• EAP-MS-CHAPv2/PEAP-MS-CHAPv2: The most secure password-based authentication protocols available to VPN clients running Windows 7; requires the installation of a computer certificate on the VPN server. Does not require a client certificate.
• Smart Card or Other Certificate: Use this protocol when users are authenticating VPN connections using a smart card or a certificate installed on this computer. The properties for this authentication protocol are shown in Figure 10-13.
You can configure which VPN authentication protocols are supported for a connection by
editing a VPN connection’s properties in the Network Connections control panel, as shown
in Figure 10-14. Windows first tries to use the most secure authentication protocol that is
enabled and then falls back to less secure protocols if they are available.
FIGURE 10-13 Smart Card or other Certificate options
FIGURE 10-14 VPN Authentication protocols
VPN Reconnect
VPN Reconnect is a feature new to Windows 7. When you connect to a VPN server using the
PPTP, L2TP/IPsec, or SSTP protocol and you suffer some sort of network disruption, you can
lose your VPN connection and need to restart it. If you were transferring a file, downloading
e-mail, or sending a print job, you need to start over from the beginning. VPN Reconnect
allows clients running Windows 7 to reconnect automatically to a disrupted VPN session
even if the disruption has lasted for 8 hours. VPN Reconnect also works if connecting to
a new Internet access point causes the disruption. For example, a user might be using a VPN
connection to his corporate network while connected to a wireless network at an airport
coffee shop. As the time of his flight’s departure approaches, he moves from the coffee shop
to the airport lounge, which has its own Wi-Fi network. With VPN Reconnect, the user’s VPN
connection is reestablished automatically when he achieves Internet connectivity with the
new network. With a traditional VPN solution, this user would have to reconnect manually
once he connected to the new wireless network in the airport lounge, and any existing
operations occurring across the VPN would be lost. Unlike DirectAccess, which only some
editions of Windows 7 support, all editions of Windows 7 support VPN Reconnect.
VPN Reconnect uses the IKEv2 tunneling protocol with the MOBIKE extension. The MOBIKE
extension allows VPN clients to change their Internet addresses without having to renegotiate
authentication with the VPN server. Only VPN servers running Windows Server 2008 R2
support IKEv2. You cannot use IKEv2 if your organization has a routing and remote access
server running Windows Server 2003, Windows Server 2003 R2, or Windows Server 2008.
You can configure VPN Reconnect with a maximum timeout of 8 hours, as shown in
Figure 10-15. After the period specified in the Network Outage Time setting has expired, it is
necessary for the user to reconnect manually. You will create and configure an IKEv2-based
VPN connection in the practice exercise at the end of this lesson.
FIGURE 10-15 IKEv2 Advanced Properties
Quick Check
• Which VPN protocol supports automatic reconnection?
Quick Check Answer
• IKEv2 supports automatic reconnection.
NAP Remediation
NAP is a technology in Windows Server 2008 that restricts network access based on an
assessment of a client computer’s health. A compliant client that meets the health benchmark
is able to access the network. If the computer does not meet the health benchmark, it is
noncompliant. NAP blocks noncompliant clients from accessing the network. NAP can be used
for clients on the LAN, but also can be used for VPN, RD Gateway, and DirectAccess clients.
Administrators can configure NAP to restrict network access based on the following criteria:

• Does a client have antivirus software installed and up to date?
• Does a client have anti-spyware software installed and up to date?
• Does a client have Windows Firewall enabled?
• Are automatic updates enabled?
• Have all software updates been installed on the client computer?
Administrators specify these criteria through Security Health Validators (SHVs). Administrators
configure SHVs to specify the components of the system health benchmark. Figure 10-16 shows
the Windows 7 SHV that is included with Windows Server 2008 R2.
FIGURE 10-16 Windows Security Health Validator
Administrators can configure NAP to perform a process of remediation on client
computers that do not meet the specified health benchmarks. When NAP applies to VPN
connections, this often means providing access to a remediation network. A remediation
network is a special network that hosts the services that would allow the client to come back
into compliance. Noncompliant clients can communicate with hosts on the remediation
network but not other hosts on the internal corporate network. A remediation network
could include a Windows Server Update Services (WSUS) server so that the client can get
the most recent software updates and an antivirus update server so that the client can reach
a compliant state and be granted access to the network.
It is possible for a client running Windows 7 to perform some steps automatically
towards remediation when the Security Center service is enabled. This service interacts with
the Windows 7 Action Center. If this service is enabled and the appropriate NAP policies
are configured within the remote access infrastructure, clients might automatically bring
themselves into compliance by switching on items like the Windows Firewall, running
Windows Update, and initiating the process of updating antivirus and anti-spyware software.

In environments without remediation networks, it is necessary for users to bring the
computer into compliance manually before they will be able to establish a successful remote
access connection. If your organization uses NAP with its remote access infrastructure, you
should ensure that users know what steps they need to take to get their clients running
Windows 7 compliant so they will be able to access the internal network.
More Info NAP
To find out more about NAP, consult the Network Access Protection TechCenter at the
following address:
Remote Desktop and Application Publishing
Windows Server 2008 R2 Remote Desktop Services, known as Terminal Services on Windows
Server 2008 and Windows Server 2003, allows people to connect using the Remote Desktop
Connection client to a server on which they can run applications. You learned about making
Remote Desktop connections to clients running Windows 7 in Chapter 7, “Firewall and
Remote Management.”
RD (Remote Desktop) Gateway, formerly known as Terminal Services Gateway, allows users
on the Internet to make Remote Desktop connections to servers on internal networks without
the user having to initiate a VPN connection. Connections can only be made to specially
configured Remote Desktop hosts on the internal network. Users are unable to access all
resources on the network, as is the case with a traditional VPN or DirectAccess.
More Info RD GATEWAY
To learn more about RD Gateway, consult the following Microsoft TechNet article:
To connect through an RD Gateway server, open the Advanced tab of the Remote Desktop Connection dialog box and click Settings under Connect From Anywhere. This opens the RD Gateway Server Settings dialog box, shown in Figure 10-17, in which you can choose to detect RD Gateway server settings automatically, to use a specific RD Gateway server, or to use no RD Gateway server at all (Do Not Use An RD Gateway Server, which is the default setting).
FIGURE 10-17 RD Gateway server settings
You can also apply RD Gateway configuration through Group Policy rather than configuring it manually. The relevant policies are located in the User Configuration\Administrative Templates\Windows Components\Remote Desktop Services\RD Gateway node, as shown in Figure 10-18.
FIGURE 10-18 RD Gateway policies
These policies work as follows:
• Set RD Gateway authentication method  When the policy is set to Not Configured or Disabled, the authentication method specified by the user is used. When enabled, the administrator can choose to allow the user to change the setting, or the administrator can select among the following options:
    • Ask for credentials, use NTLM protocol
    • Ask for credentials, use Basic protocol
    • Use the locally logged on credentials
    • Use a smart card
• Enable Connection through RD Gateway  When this policy is enabled, Remote Desktop Client automatically tries to connect through the configured RD Gateway if it is unable to connect directly to the target Remote Desktop Services server. This policy can be enforced only if the Set RD Gateway server address policy is configured. A policy option allows users to override this setting.
• Set RD Gateway server address  When the policy is set to Not Configured or Disabled, clients automatically detect whether RD Gateway is required. If required, the RD Gateway specified by the user is used. When this policy is set to Enabled, the address of the RD Gateway server specified in the policy is used. The address of the RD Gateway server must match the name of the SSL certificate installed on the RD Gateway server.
RemoteApp allows applications that reside on Remote Desktop Services servers to have their display output shown in Remote Desktop clients. This differs from a standard Remote Desktop Connection window, in which the user sees the entire remote desktop in a window. For example, if you publish the Microsoft Office Excel 2007 application through Remote Desktop Services RemoteApp and the user runs it, the user sees an Excel 2007 application window just as she would if the application were running locally. Remote Desktop Services RemoteApp applications appear in the Start menu just like other locally installed applications. The difference with RemoteApp is that the application runs on the Remote Desktop Services server, with only the application display appearing on the client.
You can use RemoteApp applications over the Internet if the RemoteApp program
shortcuts or publications include the address of an RD Gateway server. You configure
the RD Gateway server address prior to publishing applications by using the RemoteApp
Deployment Settings dialog box, shown in Figure 10-19. This dialog box is available through
the RemoteApp manager on a computer running Windows Server 2008 R2. If you publish
a RemoteApp application through Group Policy or by distributing a remote desktop shortcut
(.rdp) file prior to configuring an RD Gateway, you have to republish the application and
redistribute the file.
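The RD Gateway choices made in the RD Gateway Server Settings dialog box, or pushed by the RD Gateway policies, end up as the gateway* settings of an .rdp file, which is also the file a RemoteApp publication distributes. The following Python script is an added example, not code from the training kit: it emits those settings, parses them back, and checks the requirement stated above that the gateway name must match the name on the RD Gateway's SSL certificate. The .rdp value codes are the documented ones; the certificate names in CERT_NAMES and every host name are constructed for the example.

```python
"""Added example (not from the training kit): RD Gateway settings in an .rdp file.

Emits the gateway* keys Remote Desktop Connection writes, parses them back,
and checks the gateway name against the names on the gateway's certificate.
"""
from __future__ import annotations

import re

# gatewayusagemethod:i: values as documented for .rdp files
GATEWAY_USAGE = {
    "never": 0,      # Do Not Use An RD Gateway Server (the client default)
    "always": 1,     # Use These RD Gateway Server Settings
    "on_demand": 2,  # same, but bypass the gateway for local addresses
    "auto": 3,       # Automatically Detect RD Gateway Server Settings
}
# gatewaycredentialssource:i: values
GATEWAY_CREDS = {"ntlm": 0, "smartcard": 1, "ask_later": 4}

# Constructed sample: DNS names (CN/SAN) the RD Gateway's certificate carries
CERT_NAMES = ["rdgateway.contoso.com", "*.contoso.com"]


def build_rdp(full_address: str, gateway: str | None,
              usage: str = "always", creds: str = "ntlm") -> str:
    """Return .rdp text for full_address, routed through gateway (or none)."""
    lines = [f"full address:s:{full_address}", "prompt for credentials:i:1"]
    if gateway is None:
        lines += ["gatewayusagemethod:i:0", "gatewayprofileusagemethod:i:0"]
    else:
        lines += [
            f"gatewayhostname:s:{gateway}",
            f"gatewayusagemethod:i:{GATEWAY_USAGE[usage]}",
            f"gatewaycredentialssource:i:{GATEWAY_CREDS[creds]}",
            "gatewayprofileusagemethod:i:1",  # use this file's settings, not defaults
        ]
    return "\r\n".join(lines) + "\r\n"


def parse_rdp(text: str) -> dict[str, str]:
    """Parse 'name:type:value' lines; keys lower-cased, values kept as strings."""
    settings: dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"^([^:]+):([si]):(.*)$", line)
        if m:
            settings[m.group(1).strip().lower()] = m.group(3).strip()
    return settings


def hostname_matches_cert(hostname: str, cert_names: list[str]) -> bool:
    """True if hostname matches one of the certificate's DNS names.

    Case-insensitive; a trailing dot is ignored; '*' counts only as the whole
    left-most label and matches exactly one label, so '*.contoso.com' covers
    'rdg.contoso.com' but not 'contoso.com' or 'a.b.contoso.com'. IP literals
    must match exactly.
    """
    host = hostname.lower().rstrip(".")
    host_labels = host.split(".")
    is_ip = all(part.isdigit() for part in host_labels) or ":" in host
    for name in cert_names:
        labels = name.lower().rstrip(".").split(".")
        if labels == host_labels:
            return True
        if (not is_ip and labels[0] == "*" and len(labels) >= 3
                and labels[1:] == host_labels[1:]):
            return True
    return False


def gateway_problems(settings: dict[str, str], cert_names: list[str]) -> list[str]:
    """Findings to resolve before distributing the .rdp file."""
    findings = []
    usage = int(settings.get("gatewayusagemethod", "0"))
    gateway = settings.get("gatewayhostname", "")
    if usage in (1, 2) and not gateway:
        findings.append("gateway required (usage %d) but gatewayhostname is empty" % usage)
    if usage == 0 and gateway:
        findings.append("gatewayhostname is set but usage method 0 means it is never used")
    if gateway and not hostname_matches_cert(gateway, cert_names):
        findings.append(f"gateway name {gateway!r} does not match certificate names {cert_names}")
    return findings


if __name__ == "__main__":
    rdp = build_rdp("rds01.corp.contoso.com", "rdgateway.contoso.com")
    print(rdp)
    print(gateway_problems(parse_rdp(rdp), CERT_NAMES))
```

Run it to see the generated file and an empty findings list; change the gateway name to one outside CERT_NAMES to see the mismatch that would otherwise surface only as a certificate error when the user connects.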
FIGURE 10-19 RD Gateway settings for RemoteApp
More Info REMOTEAPP
To learn more about Remote Desktop Services RemoteApp, consult the following Microsoft TechNet Web page: />

Dialup Connections
A large number of people still access the Internet through dial-up connections to their ISPs. Windows 7 supports dial-up connections to ISPs as long as a compatible modem is available. Modems can be land-line or cellular devices, and they can be built into a portable computer or attached as universal serial bus (USB) devices.
To set up a dial-up connection, perform the following steps:
1. In Network And Sharing Center, click Set Up A New Connection Or Network. On the Choose A Connection Option page, shown in Figure 10-20, select Set Up A Dial-Up Connection and then click Next.
2. In the Create A Dial-up Connection dialog box, shown in Figure 10-21, enter the phone number of the ISP, the ISP user name and password, a connection name, and whether you want other users of the computer to be able to use this connection.
3. If you need to configure dialing rules, such as country code, carrier code, a specific number to access an outside line, or switching between pulse and tone dialing, click the Dialing Rules item to specify these settings.
FIGURE 10-20 Set Up Dial-up Connection
FIGURE 10-21 Specifying connection information
Configuring Windows 7 to Accept Incoming Connections
You can configure Windows 7 to accept incoming VPN and dial-up connections. When you do so, the client running Windows 7 functions as a VPN and dial-up server. Windows 7 supports incoming VPNs that use the PPTP protocol only and allows only one incoming connection at a time. Because PPTP's MS-CHAPv2 authentication and its encryption are known to be cryptographically weak, treat this feature as a convenience for occasional access to a single computer rather than as a substitute for a properly configured VPN server.
To configure Windows 7 to support incoming connections, perform the following steps:
1. Open the Network Connections page, which is accessible through the Network And
Sharing Center. Press Alt to bring up the menu bar. Click File and then click New
Incoming Connection.
2. Select which users can access the computer remotely using VPN or dial-up, as shown
in Figure 10-22, and then click Next.
FIGURE 10-22 Selecting remote users
3. On the How Will People Connect? page, shown in Figure 10-23, select the types of
connections that you wish to support. Your options include Through The Internet and
Through A Dial-Up Modem.
FIGURE 10-23 Configuring the incoming connection type
Lesson 2: Remote Connections CHAPTER 10 543
4. On the Networking Software Allows This Computer To Accept Connections From Other Kinds Of Computers page, select which networking components will be enabled for the incoming connections. The default settings have IPv4 and File And Printer Sharing enabled. IPv6 is disabled by default.
5. By clicking Properties for each network component, you can decide whether a remote user can have access to the LAN to which the computer running Windows 7 is connected. As Figure 10-24 shows, you can also specify how the client gets its address: through Dynamic Host Configuration Protocol (DHCP), from an IP address pool, or by allowing the incoming client to specify its own IP address.
FIGURE 10-24 Incoming IP address properties
6. Click Allow Access to enable the connections. The Network Connections control panel then contains a new item called Incoming Connections, as shown in Figure 10-25. You can modify the properties of incoming connections and specify which users you permit to initiate incoming connections by right-clicking the Incoming Connections item and selecting Properties.
FIGURE 10-25 Incoming connection configured
Auditing Remote Connections
If you configure Windows 7 to support incoming VPN or dial-up connections, you may want
to audit those connections. Auditing incoming connections provides you with a record of
which users have connected to the client running Windows 7 remotely. If you are using basic
auditing, you should enable the Computer Configuration\Windows Settings\Security Settings\
Local Policies\Audit Policy\Audit Logon Events policy. This policy records all attempts to log
on and off the computer to which the policy applies.
If you enable the Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Audit: Force Audit Policy Subcategory Settings (Windows Vista Or Later) To Override Audit Policy Category Settings policy, you can use the more detailed auditing policies that are available in the Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Logon/Logoff node. This node contains the Audit Logon and Audit Logoff policies, among others. Enabling only these specific subcategories records less logon and logoff activity than the broader Audit Logon Events category setting mentioned earlier, so the Security log stays easier to review. You can view audited logon and logoff events in the Security log in Event Viewer, as shown in Figure 10-26.
FIGURE 10-26 Audit account logon event
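Viewing the events one at a time in Event Viewer does not show you who connected remotely, from where, and for how long. The following Python script is an added example, not part of the training kit: it takes the events that the Logon and Logoff audit settings above produce (4624 successful logon, 4625 failed logon, 4634 logoff), pairs each logon with its logoff by Logon ID, and separates sessions that arrived over the network from console logons. The event IDs, field names and logon type codes are the documented ones; the events in SAMPLE_EVENTS are constructed for the example, and which logon type a given incoming VPN or dial-up session reports is something you should confirm in your own log.

```python
"""Added example (not from the training kit): rebuilding remote sessions from
Security log events 4624/4625/4634 once logon/logoff auditing is enabled.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Logon type codes carried by event 4624, as documented by Microsoft
LOGON_TYPES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
    8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
    11: "CachedInteractive",
}

# Constructed sample events; field names follow the event data of 4624/4625/4634
SAMPLE_EVENTS = [
    {"id": 4624, "time": datetime(2010, 5, 3, 8, 0, 12), "TargetLogonId": "0x3e7a1",
     "TargetDomainName": "CONTOSO", "TargetUserName": "kim", "LogonType": 3,
     "IpAddress": "203.0.113.10"},
    {"id": 4625, "time": datetime(2010, 5, 3, 8, 4, 50), "TargetDomainName": "CONTOSO",
     "TargetUserName": "administrator", "LogonType": 3, "IpAddress": "198.51.100.7"},
    {"id": 4624, "time": datetime(2010, 5, 3, 8, 10, 0), "TargetLogonId": "0x5f0",
     "TargetDomainName": "WIN7-PC", "TargetUserName": "localadmin", "LogonType": 2,
     "IpAddress": "-"},
    {"id": 4634, "time": datetime(2010, 5, 3, 9, 30, 12), "TargetLogonId": "0x3e7a1",
     "LogonType": 3},
    {"id": 4634, "time": datetime(2010, 5, 3, 9, 31, 0), "TargetLogonId": "0xdead",
     "LogonType": 3},  # logoff whose logon falls outside the exported window
]


@dataclass
class Session:
    logon_id: str
    account: str
    logon_type: int
    source_ip: str
    logon_time: datetime
    logoff_time: datetime | None = None

    @property
    def is_remote(self) -> bool:
        """Console logons report '-' or a loopback address as the source."""
        return self.source_ip not in ("-", "127.0.0.1", "::1")

    @property
    def duration(self) -> timedelta | None:
        return None if self.logoff_time is None else self.logoff_time - self.logon_time


def correlate(events: list[dict]) -> tuple[list[Session], list[dict]]:
    """Pair 4624 with 4634 by TargetLogonId; return (sessions, failed logons)."""
    sessions: dict[str, Session] = {}
    failures: list[dict] = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] == 4624:
            sessions[ev["TargetLogonId"]] = Session(
                logon_id=ev["TargetLogonId"],
                account=f"{ev['TargetDomainName']}\\{ev['TargetUserName']}",
                logon_type=ev["LogonType"], source_ip=ev["IpAddress"],
                logon_time=ev["time"])
        elif ev["id"] == 4634:
            s = sessions.get(ev["TargetLogonId"])  # unmatched logoffs are ignored
            if s is not None and s.logoff_time is None:
                s.logoff_time = ev["time"]
        elif ev["id"] == 4625:
            failures.append(ev)
    return list(sessions.values()), failures


def remote_sessions(events: list[dict]) -> list[dict]:
    """One row per session that arrived over the network, in logon order."""
    sessions, _ = correlate(events)
    return [{"account": s.account,
             "type": LOGON_TYPES.get(s.logon_type, str(s.logon_type)),
             "from": s.source_ip,
             "minutes": None if s.duration is None else int(s.duration.total_seconds() // 60)}
            for s in sessions if s.is_remote]


if __name__ == "__main__":
    for row in remote_sessions(SAMPLE_EVENTS):
        print(row)
    _, failed = correlate(SAMPLE_EVENTS)
    print(f"{len(failed)} failed logon(s), e.g. from {failed[0]['IpAddress']}")
```

To use it on a real computer, export the Security log (for example with wevtutil) and map each record's EventID, TimeCreated and EventData fields onto the dictionaries the script expects; a session with no logoff is either still open or lost to log rollover, which is itself worth noticing.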
Exam Tip
Remember what protocol is required for VPN Reconnect.