Remote Access Servers

Glenn Weadock MDAA, MCAAA, MCT, MCSE, MCSA, MCITP, A+ [email protected] www.i-sw.com

Remote Access
- Routing
- Web Application Proxy
- VPN + DirectAccess

Remote Desktop Services
- RD Session Host
- RD Virtualization Host
- RD Web Access
- RD Connection Broker
- RD Gateway
- RD Licensing

Topics in This Module
- The Remote Access role
- Virtual Private Networks
- The Remote Desktop Services role
- Remote administration tools

The Remote Access Role
Role services in Remote Access:
- Routing
- Web Application Proxy
- VPN and DirectAccess

Router
A router is a device that moves packets of data between networks. It operates at layer 3 of the OSI model. Routers can also manage network traffic, e.g. by blocking broadcast messages.

Routers Can Take Many Forms

- Dedicated or multipurpose
  - Firewall
  - VPN
- Hardware-based or software-based
- Dynamic or static

Routers Can Have Different Purposes

- Connect two private networks (e.g. site-to-site VPN)
- Connect a private network to the Internet (e.g. NAT)
- Connect between ISPs
- Provide remote access (VPN, DirectAccess)

Why Use Windows as a Router?

- Cheap: you don’t have to buy anything extra
- Familiar consoles: you already know how MMC consoles work
- Coexistence: you can install other co-resident roles

If you’re interested in learning more about routing in Windows Server, check out my course:

Implementing Windows Server 2016 Connectivity and Remote Access

Virtual Private Networks
Types of Windows Server VPNs:
- Site-to-site
- Point-to-site
  - Traditional VPNs
  - DirectAccess
  - Always On

Virtual Private Network (VPN)
A network connection created within another network (“virtual”) using encryption for security (“private”). A “remote access VPN” securely joins a remote computer to a corporate network via a public network.

Three Elements of a VPN

- Tunneling/encapsulation
  - Repackage data in a different format
  - Outer wrapping has routing info
  - Works around firewall/port issues
- Authentication
  - Verify one or more parties
- Encryption
  - For safe passage over unsafe networks

Tunneling (a.k.a. Encapsulation)
[Diagram: the data is encrypted, then placed inside a new “wrapper” packet that carries the routing information needed to navigate the intervening network]

Tunneling Protocols in Windows Server
- PPTP: Point-to-Point Tunneling Protocol
- L2TP/IPsec: Layer 2 Tunneling Protocol
- SSTP: Secure Socket Tunneling Protocol
- IKEv2: Internet Key Exchange version 2

Client Authentication

- VPN server, with Network Policy Server installed
- RADIUS server, for centralizing authentication & accounting

IP Addressing

- Automatic: use the internal DHCP server to assign IPs to remote clients
- Specific pool: create a designated pool of IPs (a.b.c.d)

DirectAccess: Like a VPN but Better

- No need for user to create connection
- Windows knows if it’s local or not
- Always on (when Internet available)
- Bidirectional by default: client gets updates, GPOs
- More detailed access controls

DirectAccess Components

[Diagram: Windows 10 client connected to the Internet -> Public Internet -> DirectAccess Server (S2012R2+) -> Corporate Network]

New and Improved: “Always On” VPNs

- Successor to DirectAccess
  - No IPv6 requirement
  - Implement via MDM (e.g. Intune)
- Requirements:
  - Windows 10 only
  - Certification Authority
  - NPS (RADIUS) server
  - Remote Access server
  - AD user accounts

The Remote Desktop Services Role
Remote Desktop Services:
- Used to be called “Terminal Services”
- Has its own special wizard in Server Manager
- Role services perform:
  - Hosting
  - Communications
  - Licensing

Remote Desktop Communications
[Diagram: a Remote Desktop Client on a Windows 10 PC exchanges I/O with an RDS Virtualization Host, an RDS Session Host, a Remotely Administered Server, and another Windows 10 PC]

Virtualization vs. Session Hosts

- Session host
  - Shared desktops and/or applications
  - Applications must be multiuser-friendly
  - Install applications on the session host
- Virtualization host
  - Users connect to a Hyper-V VM
  - Applications need not be multiuser
  - Install applications on the VMs
  - Requires more disk space

Why VDI?

- Administrative configuration control
- Lighter demands on client hardware
- Easier client reconfiguration
- Run Windows on non-Windows systems
- No need to modify personal machines

Multiple Ways to Connect

- Directly via RDC on the internal network
- By browser & Remote Desktop Web Access on the internal network
- By browser, Remote Desktop Gateway, & Remote Desktop Web Access on an external network
- By “RemoteApp and Desktop Connections” client-side

Remote Desktop Security

- Disabled by default
- Encryption foils eavesdropping
- Only local admins have access
  - Domain admins are local admins by default
- Firewall control (TCP 3389)
- Gateway control

You need to purchase licenses for Remote Desktop users. (The licensing server is one of the role services.) These are called TSCALs (for Terminal Services Client Access Licenses).

RemoteApp

Imagine Remote Desktop without the desktop! Users don’t necessarily even know that their app is running remotely.

Remote Administration Tools
Remote administration tools include:
- Console remoting
- PowerShell remoting
- Remote Assistance
To be clear: these are not server roles!

But they can help you manage server roles, and assist role users remotely.

Many Consoles Have Native Remoting

Right-click the topmost node, “Connect to Another Computer”
Examples:
- Computer Management
- Hyper-V Manager
- Services
- Task Scheduler
- Most of the RSAT tools

Notable exceptions:
- Disk Management
- Task Manager
BUT… when building a new console, you may be able to edit the focus via MMC.EXE (e.g. devmgr, diskmgmt).

Potential Issues with Console Remoting

- Remote system may need certain services
  - WinRM
  - .NET Framework
  - Remote Registry
  - etc.
- Firewall may need configuration to pass traffic
- User may need to belong to special groups
  - Event Log Readers, e.g.

Three Ways to Run PowerShell Remotely

1: Native support in the PowerShell cmdlet
- Usually a “Computer” or “ComputerName” parameter
2: Embed the cmdlet in “Invoke-Command”
- …which always has a “ComputerName” parameter
3: Create a Remote Session
- Useful if you want to run multiple cmdlets

Method 1: Native Cmdlet Support

- Not all cmdlets have this, but some do
- Easiest way to go; no configuration or session required
- Examples:
  - Get-EventLog
  - Invoke-GPUpdate
  - Get-Process
  - Get-Service
  - Restart-Computer
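The script below is an added example and not part of the course. It runs the checklist from “Potential Issues with Console Remoting” (services, firewall rules, group membership, plus the Remote Desktop rule group for TCP 3389 mentioned under “Remote Desktop Security”) against a remote server, and in doing so uses each of the three remoting methods the “Three Ways to Run PowerShell Remotely” slide lists. The server name GM-WS1 is taken from the deck’s own examples and is a placeholder; the display-group names are the built-in Windows Firewall rule groups; it is meant for an elevated Windows PowerShell 5.1 session (Get-Service -ComputerName was removed in PowerShell 7).

```powershell
# Added example, not from the course. Checks the "Potential Issues with Console
# Remoting" prerequisites on a remote server and exercises the three PowerShell
# remoting methods from the "Three Ways to Run PowerShell Remotely" slide.
# Assumptions: GM-WS1 is a placeholder server name; the display-group names are
# the built-in Windows Firewall rule groups; run elevated in Windows PowerShell
# 5.1 (Get-Service -ComputerName was removed in PowerShell 7).

function Test-RemoteManagementReadiness {
    param([Parameter(Mandatory)][string]$ComputerName)

    # Method 1: Get-Service has a native -ComputerName parameter, so service
    # state can be read without any WinRM session.
    $services = Get-Service -ComputerName $ComputerName -Name WinRM, RemoteRegistry -ErrorAction SilentlyContinue

    # Test-WSMan confirms the WinRM listener answers before Invoke-Command is used.
    $winrmReachable = $false
    try {
        [void](Test-WSMan -ComputerName $ComputerName -ErrorAction Stop)
        $winrmReachable = $true
    } catch { }

    $firewall = @()
    $eventLogReaders = @()
    if ($winrmReachable) {
        # Method 2: wrap each check in Invoke-Command so it runs on the remote box.
        # Rule groups that console remoting relies on, plus Remote Desktop (TCP 3389).
        $firewall = @(Invoke-Command -ComputerName $ComputerName -ScriptBlock {
            Get-NetFirewallRule -DisplayGroup 'Windows Remote Management',
                                              'Remote Event Log Management',
                                              'Remote Service Management',
                                              'Remote Desktop' |
                Select-Object DisplayGroup, DisplayName, Enabled, Direction, Profile
        })
        # "Event Log Readers" is the special group the slide names as its example.
        $eventLogReaders = @(Invoke-Command -ComputerName $ComputerName -ScriptBlock {
            Get-LocalGroupMember -Group 'Event Log Readers' | Select-Object Name, ObjectClass
        })
    }

    [pscustomobject]@{
        ComputerName    = $ComputerName
        WinRMService    = ($services | Where-Object Name -eq 'WinRM').Status
        RemoteRegistry  = ($services | Where-Object Name -eq 'RemoteRegistry').Status
        WinRMReachable  = $winrmReachable
        DisabledRules   = @($firewall | Where-Object Enabled -eq 'False').DisplayName
        EventLogReaders = $eventLogReaders.Name
    }
}

$Target = 'GM-WS1'   # placeholder server name
Test-RemoteManagementReadiness -ComputerName $Target | Format-List

# Method 3: a persistent session when several commands must run on the same
# host. Enter-PSSession is the interactive form the slides show; New-PSSession
# is the scriptable equivalent, and Remove-PSSession plays the role of Exit-PSSession.
$session = New-PSSession -ComputerName $Target
try {
    Invoke-Command -Session $session -ScriptBlock { Get-Service | Sort-Object Status }
    Invoke-Command -Session $session -ScriptBlock { Get-Service -Name W3SVC }
}
finally {
    Remove-PSSession -Session $session
}
```

Everything inside a -ScriptBlock executes on the remote machine, which is why the firewall and group checks are wrapped in Invoke-Command rather than given a -ComputerName of their own. The object the function returns lists the rule groups that are disabled and the members of Event Log Readers, so a blank entry points directly at the firewall or group-membership issue the slide warns about.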

Method 2: Invoke-Command

Put your desired cmdlet into the “Invoke-Command” envelope
Example:
- Invoke-Command -ComputerName GM-WS1 -ScriptBlock {Start-Service -Name eventlog}
- Invoke-Command -ComputerName GM-WS1 -FilePath c:\scripts\script.ps1
You can specify multiple computer names separated by commas if desired

Method 3: Remote Session

When you need to run multiple commands
Example:
- Enter-PSSession DC
- Get-Service | Sort-Object Status
- Get-Service W3SVC
- Exit-PSSession

Remote Assistance Scenario

Classic help desk interaction
- User needs support
- User and technician on phone
- Both on user’s computer simultaneously
Functionality
- View/control remote desktop
- Chat facility

Differences Between Remote Assistance & Remote Desktop

- Session does not kick the user off the system
- Mouse & keyboard may be controlled by both user & support tech
- Invoke with:
  - MSRA.EXE
  - Control Panel > System and Security > Launch Remote Assistance (or just search “invite”)

Solicited Remote Assistance

User sends invitation to support technician
- Save invitation to a file
- Use email to send an invitation
- Use Easy Connect (temp password)
Configure via Group Policy
- “Configure Solicited Remote Assistance”
  - Invitation method
  - Maximum ticket lifetime
  - Whether helpers can use remote control or just view
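As an added example that is not part of the course, the function below audits what a machine will actually accept under the “Configure Solicited Remote Assistance” policy above and its “Configure Offer Remote Assistance” counterpart (described under Unsolicited Remote Assistance below) by reading the registry values those policies set. The value names (fAllowToGetHelp, fAllowFullControl, MaxTicketExpiry, MaxTicketExpiryUnits, fAllowUnsolicited, fAllowUnsolicitedFullControl and the RAUnsolicit helper list) come from the Remote Assistance policy template; the mapping of MaxTicketExpiryUnits to minutes/hours/days is my reading of that template and should be verified in gpedit.msc on your build.

```powershell
# Added example, not from the course. Audits the registry values behind the
# "Configure Solicited Remote Assistance" and "Configure Offer Remote
# Assistance" Group Policy settings. Assumptions: value names as in the Remote
# Assistance ADMX; the 0/1/2 = minutes/hours/days unit mapping is assumed.
# Run elevated; wrap in Invoke-Command -ComputerName to audit a remote machine.

function Get-RemoteAssistancePolicy {
    $policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $defaultKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance'

    # A Group Policy value overrides the local System Properties setting.
    function Read-Setting([string]$Name) {
        foreach ($key in @($policyKey, $defaultKey)) {
            $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
            if ($null -ne $item) {
                $source = if ($key -eq $policyKey) { 'GroupPolicy' } else { 'Local' }
                return [pscustomobject]@{ Value = $item.$Name; Source = $source }
            }
        }
        [pscustomobject]@{ Value = $null; Source = 'NotSet' }
    }

    $solicited     = Read-Setting 'fAllowToGetHelp'              # solicited RA on/off
    $solicitedCtrl = Read-Setting 'fAllowFullControl'            # remote control vs. view only
    $ticket        = Read-Setting 'MaxTicketExpiry'              # maximum ticket lifetime
    $ticketUnits   = Read-Setting 'MaxTicketExpiryUnits'
    $offer         = Read-Setting 'fAllowUnsolicited'            # Offer RA on/off
    $offerCtrl     = Read-Setting 'fAllowUnsolicitedFullControl'

    # Helpers allowed to offer assistance are stored as value names under RAUnsolicit.
    $raKey   = Get-Item -Path "$policyKey\RAUnsolicit" -ErrorAction SilentlyContinue
    $helpers = if ($raKey) { @($raKey.Property) } else { @() }

    $unitNames = @{ 0 = 'minutes'; 1 = 'hours'; 2 = 'days' }   # assumed mapping, verify
    $lifetime = if ($null -ne $ticket.Value) {
        $unit = if ($null -ne $ticketUnits.Value) { $unitNames[[int]$ticketUnits.Value] } else { '(units not set)' }
        "$($ticket.Value) $unit"
    } else { 'default' }

    # Findings a defender would want to see at a glance.
    $findings = New-Object System.Collections.Generic.List[string]
    if ($offer.Value -eq 1 -and $helpers.Count -eq 0) {
        $findings.Add('Offer Remote Assistance is enabled but no helper list is defined')
    }
    if ($offer.Value -eq 1 -and $offerCtrl.Value -eq 1) {
        $findings.Add('Helpers offering assistance may take remote control, not just view')
    }
    if ($solicited.Value -eq 1 -and $ticket.Source -eq 'NotSet') {
        $findings.Add('Solicited Remote Assistance is enabled without a policy-set maximum ticket lifetime')
    }

    [pscustomobject]@{
        SolicitedEnabled     = ($solicited.Value -eq 1)
        SolicitedSource      = $solicited.Source
        SolicitedFullControl = ($solicitedCtrl.Value -eq 1)
        MaxTicketLifetime    = $lifetime
        OfferEnabled         = ($offer.Value -eq 1)
        OfferSource          = $offer.Source
        OfferFullControl     = ($offerCtrl.Value -eq 1)
        OfferHelpers         = $helpers
        Findings             = $findings.ToArray()
    }
}

Get-RemoteAssistancePolicy | Format-List
# Remote machine (WinRM required), e.g.:
# Invoke-Command -ComputerName GM-WS1 -ScriptBlock ${function:Get-RemoteAssistancePolicy}
```

The Source fields show whether a setting comes from Group Policy or from the local System Properties dialog, which matters when a machine behaves differently from what the GPO says. The Findings list flags the combinations that widen exposure: unsolicited offers with no helper group restriction, offers that grant remote control rather than view-only, and invitations with no maximum lifetime set by policy.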

“Easy Connect” often fails: “Can’t connect to the global peer-to-peer network.” The usual reason: the router doesn’t support PNRP (Peer Network Resolution Protocol).

Unsolicited Remote Assistance

Technician sends offer of assistance to user
Configure via Group Policy
- “Configure Offer Remote Assistance”
  - Who can be a “helper” (e.g. groups)
  - Whether helpers can use remote control or just view

Quick Assist

- App included with recent builds of Windows 10
- Requires support provider to have a account or Azure AD account
- Requires Internet connectivity
- Only works with Windows 10 systems
- Similar functionality to Remote Assistance

Good work! Up Next: Virtualization Servers