Remote Access Servers
Glenn Weadock MDAA, MCAAA, MCT, MCSE, MCSA, MCITP, A+
[email protected]
www.i-sw.com

Remote Access role services:
- Routing
- Web Application Proxy
- VPN + DirectAccess

Remote Desktop Services role services:
- RD Session Host
- RD Virtualization Host
- RD Web Access
- RD Connection Broker
- RD Gateway
- RD Licensing

Topics in This Module
- The Remote Access role
- Virtual Private Networks
- The Remote Desktop Services role
- Remote administration tools

The Remote Access Role
Role services in Remote Access:
- Routing
- Web Application Proxy
- VPN and DirectAccess
Router
A router is a device that moves packets of data between networks. It operates at layer 3 of the OSI model. Routers can also manage network traffic, e.g. by blocking broadcast messages.

Routers Can Take Many Forms
- Dedicated or multipurpose
  - Firewall
  - VPN
- Hardware-based or software-based
- Dynamic or static

Routers Can Have Different Purposes
- Connect two private networks
  - e.g. site-to-site VPN
- Connect a private network to the Internet
  - e.g. NAT
- Connect between ISPs
- Provide remote access (VPN, DirectAccess)

Why Use Windows Server as a Router?
- Cheap: you don't have to buy anything extra
- Familiar consoles: you already know how MMC consoles work
- Coexistence: you can install other co-resident roles

If you're interested in learning more about routing in Windows Server, check out my course: Implementing Windows Server 2016 Connectivity and Remote Access
Virtual Private Networks
Types of Windows Server VPNs:
- Site-to-site
- Point-to-site
  - Traditional VPNs
  - DirectAccess
  - Always On

Virtual Private Network (VPN)
A network connection created within another network ("virtual") using encryption for security ("private"). A "remote access VPN" securely joins a remote computer to a corporate network via a public network.

Three Elements of a VPN
- Tunneling/encapsulation
  - Repackage data in a different format
  - Outer wrapping has routing info
  - Works around firewall/port issues
- Authentication
  - Verify one or more parties
- Encryption
  - For safe passage over unsafe networks

Tunneling (a.k.a. Encapsulation)
[Diagram: the original data is encrypted, then placed inside a new "wrapper" with routing information to navigate the intervening network.]

Tunneling Protocols in Windows 10
- PPTP - Point-to-Point Tunneling Protocol
- L2TP/IPsec - Layer 2 Tunneling Protocol
- SSTP - Secure Socket Tunneling Protocol
- IKEv2 - Internet Key Exchange version 2

Client Authentication
- VPN server
  - With Network Policy Server installed
- RADIUS server
  - For centralizing authentication & accounting

IP Addressing
- Automatic
  - Use internal DHCP server to assign IPs to remote clients
- Specific pool (a.b.c.d)
  - Create designated pool of IPs

DirectAccess: Like a VPN but Better
- No need for user to create connection
- Windows knows if it's local or not
- Always on (when Internet available)
- Bidirectional by default
  - Client gets updates, GPOs
- More detailed access controls

DirectAccess Components
[Diagram: a Windows 10 client connected to the public Internet reaches the corporate network through a DirectAccess server (Server 2012 R2 or later).]

New and Improved: "Always On" VPNs
- Successor to DirectAccess
  - No IPv6 requirement
  - Implement via MDM (e.g. Intune)
- Requirements:
  - Windows 10 only
  - Certification Authority
  - NPS (RADIUS) server
  - Remote Access server
  - AD user accounts

The Remote Desktop Services Role
Remote Desktop Services:
- Used to be called "Terminal Services"
- Has its own special wizard in Server Manager
- Role services perform:
  - Hosting
  - Communications
  - Licensing
Remote Desktop Communications
[Diagram: Windows 10 PCs running the Remote Desktop client exchange I/O with an RDS Session Host, an RDS Virtualization Host, or a remotely administered server.]
Virtualization vs. Session Hosts
- Session host
  - Shared desktops and/or applications
  - Applications must be multiuser-friendly
  - Install applications on session host
- Virtualization host
  - Users connect to a Hyper-V VM
  - Applications need not be multiuser
  - Install applications on VMs
  - Requires more disk space

Why VDI?
- Administrative configuration control
- Lighter demands on client hardware
- Easier client reconfiguration
- Run Windows on non-Windows systems
- No need to modify personal machines

Multiple Ways to Connect
- Directly via RDC on internal network
- By browser & Remote Desktop Web Access on internal network
- By browser, Remote Desktop Gateway, & Remote Desktop Web Access on external network
- By "RemoteApp and Desktop Connections" client-side control panel

Remote Desktop Security
- Disabled by default
- Encryption foils eavesdropping
- Only local admins have access
  - Domain admins are local admins by default
- Group Policy control
- Firewall control (TCP 3389)
- Gateway

You need to purchase licenses for Remote Desktop users. (The licensing server is one of the role services.) These are called TSCALs (for Terminal Services Client Access Licenses).

RemoteApp
Imagine Remote Desktop without the desktop! Users don't necessarily even know that their app is running remotely.

Remote Administration Tools
Remote administration tools include:
- Console remoting
- PowerShell remoting
- Remote Assistance
To be clear: these are not server roles! But they can help you manage server roles, and assist role users remotely.

Many Consoles Have Native Remoting
Right-click the topmost node, then "Connect to Another Computer". Examples:
- Event Viewer
- Computer Management
- Hyper-V Manager
- Performance Monitor
- Services
- Task Scheduler
- Most of the RSAT tools
Notable exceptions:
- Device Manager
- Disk Management
- Task Manager
- Resource Monitor
BUT... when building a new console, you may be able to set the focus to another computer via MMC.EXE (e.g. devmgr, diskmgmt).

Potential Issues with Console Remoting
- Remote system may need certain services
  - WinRM
  - .NET Framework
  - Remote Registry
  - etc.
- Firewall may need configuration to pass traffic
- User may need to belong to special groups
  - Event Log Readers, e.g.
Three Ways to Run PowerShell Remotely
1: Native support in the PowerShell cmdlet
- Usually a "Computer" or "ComputerName" parameter
2: Embed the cmdlet in "Invoke-Command"
- ...which always has a "ComputerName" parameter
3: Create a remote session
- Useful if you want to run multiple cmdlets

Method 1: Native Cmdlet Support
- Not all cmdlets have this, but some do
- Easiest way to go; no configuration or session required
- Examples:
  - Get-EventLog
  - Invoke-GPUpdate
  - Get-Process
  - Get-Service
  - Restart-Computer

Method 2: Invoke-Command
- Put your desired cmdlet into the "Invoke-Command" envelope
- Examples:
  - Invoke-Command -ComputerName GM-WS1 -ScriptBlock {Start-Service -Name eventlog}
  - Invoke-Command -ComputerName GM-WS1 -FilePath c:\scripts\script.ps1
- You can specify multiple computer names separated by commas if desired

Method 3: Remote Session
- When you need to run multiple commands
- Example:
  - Enter-PSSession DC
  - Get-Service | Sort-Object Status
  - Get-Service W3SVC -
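As an added example (not code from the course), the script below applies all three remoting methods to the checks listed on the "Remote Desktop Security" slide: whether Remote Desktop is enabled, whether Network Level Authentication is required, whether the TCP 3389 firewall rule group is on, and who is in the Remote Desktop Users group. It assumes Windows PowerShell 5.1 (Get-Service lost its -ComputerName parameter in PowerShell 7), WinRM enabled on the targets, and the server names shown (GM-WS1 is from the slide; GM-WS2 is made up).

```powershell
# Added example, not from the course. Runs the Remote Desktop Security checks
# against remote servers with each of the three remoting methods.
# Assumptions: Windows PowerShell 5.1, WinRM enabled on the targets, and the
# server names below (GM-WS1 is from the slide; GM-WS2 is made up).
$servers = 'GM-WS1', 'GM-WS2'

# Method 1: the cmdlet's own -ComputerName parameter (RPC, no WinRM session).
# Shows whether the Remote Desktop service (TermService) is running at all.
Get-Service -Name TermService -ComputerName $servers |
    Select-Object MachineName, Name, Status

# Method 2: wrap an arbitrary script block in Invoke-Command and fan it out.
$rdpCheck = {
    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $ts     = Get-ItemProperty -Path $tsKey
    $rdpTcp = Get-ItemProperty -Path "$tsKey\WinStations\RDP-Tcp"
    # The "Remote Desktop" rule group is the TCP 3389 firewall control from the slide
    $fwRule = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
              Where-Object { $_.Enabled -eq 'True' }
    $users  = Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        RdpEnabled   = ($ts.fDenyTSConnections -eq 0)       # 1 means "disabled" (the default)
        NlaRequired  = ($rdpTcp.UserAuthentication -eq 1)   # Network Level Authentication on
        FirewallOpen = [bool]$fwRule
        RdpUsers     = ($users.Name -join '; ')             # access beyond local admins
    }
}
Invoke-Command -ComputerName $servers -ScriptBlock $rdpCheck |
    Format-Table Computer, RdpEnabled, NlaRequired, FirewallOpen, RdpUsers -AutoSize

# Method 3: a persistent session when several commands go to the same host.
# The slide uses Enter-PSSession interactively; New-PSSession is the scripted form.
$session = New-PSSession -ComputerName $servers[0]
Invoke-Command -Session $session -ScriptBlock { Get-Service | Sort-Object Status }
Invoke-Command -Session $session -ScriptBlock $rdpCheck
Remove-PSSession -Session $session
```

A server that reports RdpEnabled as true without NlaRequired, or with unexpected names in RdpUsers, is the one to follow up on through the Group Policy controls the slide mentions.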
Remote Assistance
- Classic help desk interaction
  - User needs support
  - User and technician on phone
  - Both on user's computer simultaneously
- Functionality
  - View/control remote desktop
  - Chat facility

Differences Between Remote Assistance & Remote Desktop
- Session does not kick user off system
- Mouse & keyboard may be controlled by both user & support tech
- Invoke with:
  - MSRA.EXE
  - Control Panel > System and Security > Launch Remote Assistance (or just search "invite")

Solicited Remote Assistance
- User sends invitation to support technician
  - Save invitation to a file
  - Use email to send an invitation
  - Use Easy Connect (temp password)
- Configure via Group Policy
  - "Configure Solicited Remote Assistance"
  - Invitation method
  - Maximum ticket lifetime
  - Whether helpers can use remote control or just view
- "Easy Connect" often fails: "Can't connect to the global peer-to-peer network." Usual reason: the router doesn't support PNRP (Peer Network Resolution Protocol).

Unsolicited Remote Assistance
- Technician sends offer of assistance to user
- Configure via Group Policy
  - "Configure Offer Remote Assistance"
  - Who can be a "helper" (e.g. groups)
  - Whether helpers can use remote control or just view

Quick Assist
- App included with recent builds of Windows 10
- Requires support provider to have a Microsoft account or Azure AD account
- Requires Internet connectivity
- Only works with Windows 10 systems
- Similar functionality to Remote Assistance

Good work! Up Next: Virtualization Servers