20411D D Enayat Meer

Similar documents
Module 3 Remote Desktop Gateway Estimated Time: 90 minutes

INF204x Module 1, Lab 3 - Configure Windows 10 VPN

Module 1 Web Application Proxy (WAP) Estimated Time: 120 minutes

Publication date: December 17, 2012, updated Feb. 10, Product version: Windows Server 2003, Windows Server 2008, Windows Server 2012

Module 4 Network Controller Estimated Time: 90 minutes

Module 9. Configuring IPsec. Contents:

Lab: Configuring and Troubleshooting DNS

Windows Server 2012 Immersion Experience Enabling Secure Remote Users with RemoteApp, DirectAccess, and Dynamic Access Control

This course comes with a virtual lab environment where you can practice what you learn.

Step-by-step installation guide for monitoring untrusted servers using Operations Manager

S/MIME on Good for Enterprise MS Online Certificate Status Protocol. Installation and Configuration Notes. Updated: November 10, 2011

PEAP under Unified Wireless Networks with ACS 5.1 and Windows 2003 Server

INF204x Module 1 Lab 1: Configuring and Troubleshooting Networking Part 1

INF204x Module 1 Lab 2: Configuring and Troubleshooting Networking Part 2

Using the Terminal Services Gateway Lesson 10

Course CLD221x: Enabling Office 365 Clients

Test Lab Guide: Windows Server 2012 Base Configuration

Installation and Configuration Guide

Privileged Access Agent on a Remote Desktop Services Gateway

Student Lab Manual MS100.1x: Office 365 Management

App Orchestration 2.6

Troubleshooting smart card logon authentication on active directory

Lab - System Utilities in Windows

VMware AirWatch Certificate Authentication for EAS with ADCS

Implementing Messaging Security for Exchange Server Clients

Setting up Certificate Authentication for SonicWall SRA / SMA 100 Series

LAB 5 IMPLEMENTING WINDOWS IN AN ENTERPRISE ENVIRONMENT

Supporting Networked Computers

Implementing Cross-Domain Kerberos Constrained Delegation Authentication An AirWatch How-To Guide

This PDF Document was generated for free by the Aloaha PDF Suite If you want to learn how to make your own PDF Documents visit:

VMware AirWatch Certificate Authentication for EAS with NDES-MSCEP. For VMware AirWatch

Lab - Remote Desktop in Windows 8

ms-help://ms.technet.2004apr.1033/ad/tnoffline/prodtechnol/ad/windows2000/howto/mapcerts.htm

Exam Questions Demo Microsoft. Exam Questions

VMware AirWatch Certificate Authentication for EAS with NDES-MSCEP

INF204x Module 2 Lab 2: Using Encrypting File System (EFS) on Windows 10 Clients

DNSSEC Deployment Guide

Workshop on Windows Server 2012

Configuring Windows 7 VPN (Agile) Client for authentication to McAfee Firewall Enterprise v8. David LePage - Enterprise Solutions Architect, Firewalls

Integration Guide. SafeNet Authentication Manager. SAM using RADIUS Protocol with Microsoft DirectAccess

PEAP under Cisco Unified Wireless Networks with ACS 4.0 and Windows 2003

Installation and Configuration Guide

Configure the IM and Presence Service to Integrate with the Microsoft Exchange Server

Configure DHCP for Failover Step-by-Step.

Enabling Microsoft Outlook Calendar Notifications for Meetings Scheduled from the Cisco Unified MeetingPlace End-User Web Interface

Expert Reference Series of White Papers. DirectAccess: The New VPN

Copyright and Trademarks

MCSE Server Infrastructure. This Training Program prepares and enables learners to Pass Microsoft MCSE: Server Infrastructure exams

etoken Integration Guide etoken and ISA Server 2006

SCCM Plug-in User Guide. Version 3.0

BROWSER-BASED SUPPORT CONSOLE USER S GUIDE. 31 January 2017

BitLocker: How to enable Network Unlock

Enabling Secure Sockets Layer for a Microsoft SQL Server JDBC Connection

Installation Guide. . All right reserved. For more information about Specops Deploy and other Specops products, visit

Lab - Remote Desktop in Windows 7 and Vista

Implementing Security in Windows 2003 Network (70-299)

PRAGATHI TECHNOLOGIES BTM Marathahalli Ph:

SEVENMENTOR TRAINING PVT.LTD

Workspace ONE UEM Certificate Authentication for EAS with ADCS. VMware Workspace ONE UEM 1902

RPC Over HTTP Install Windows Server 2003 Configure your Exchange 2003 front-end server as an RPC Proxy server

Workspace ONE UEM Integration with RSA PKI. VMware Workspace ONE UEM 1810

Load Balancing Microsoft 2012 DirectAccess. Deployment Guide v Copyright Loadbalancer.org, Inc

70-742: Identity in Windows Server Course Overview

VMware AirWatch Integration with SecureAuth PKI Guide

Implementing Cross- Domain Kerberos Constrained Delegation Authentication. VMware Workspace ONE UEM 1810

List of Virtual Machines Used in This Lab

Course CLD209.1x Microsoft Exchange Server 2016 Hybrid Topologies

The information in this document is based on these software and hardware versions:

BlackBerry Enterprise Server for Microsoft Office 365. Version: 1.0. Administration Guide

INF214x Basic Networking Practical Exercises

How to Set Up External CA VPN Certificates

VMware AirWatch Integration with RSA PKI Guide

MCSA Windows Server 2012

AirWatch Mobile Device Management

Practical Network Defense Labs

Workspace ONE UEM Certificate Authority Integration with JCCH. VMware Workspace ONE UEM 1810

LAB MANUAL. Craig Zacker.

Exam Questions

Using SSL to Secure Client/Server Connections

Course Outline 20742B

Integrating AirWatch and VMware Identity Manager

Monitoring Windows Systems with WMI

How to Configure IPSec Tunneling in Windows 2000

Course Content of MCSA ( Microsoft Certified Solutions Associate )

VMware AirWatch Certificate Authentication for Cisco IPSec VPN

MCSA Guide to Networking with Windows Server 2016, Exam

Lab Guide. Barracuda NextGen Firewall F-Series Microsoft Azure - NGF0501

Workspace ONE UEM Certificate Authentication for Cisco IPSec VPN. VMware Workspace ONE UEM 1810

AutomaTech Application Note July 2015

edp 8.2 Info Sheet - Integrating the ediscovery Platform 8.2 & Enterprise Vault

Microsoft Certified Solutions Associate (MCSA)

Identity with Windows Server 2016 (742)

MOC 20411B: Administering Windows Server Course Overview

5.5.3 Lab: Managing Administrative Settings and Snap-ins in Windows XP

MCSA Windows Server 2012

Technical Overview: Always On VPN

This course comes with a virtual lab environment where you can practice what you learn.

Configuring EAP for Wireless Network Connectivity By Victor Zapata

A+ Guide to Software: Managing, Maintaining, and Troubleshooting, 5e. Chapter 8 Networking Essentials

Identity with Windows Server 2016

Transcription:

Lab A Module 8: Implementing Direct Access by Using the Getting Started Wizard Scenario: Recommended lab time is 240 Minutes {a complete class session is dedicated for this lab} Many users at A. Datum Corporation work from outside the organization. This includes mobile users as well as people who work from home. These users currently connect to the internal network by using a third-party VPN solution. The security department is concerned about the security of the external connections and wants to ensure that the connections are as secure as possible. The support team wants to minimize the number of support calls related to remote access, and would like to have more options for managing remote computers. Information Technology (IT) management at A. Datum is considering deploying DirectAccess as the remote access solution for the organization. As an initial proof-of-concept deployment, management has requested that you configure a simple DirectAccess environment that can be used with client computers running Windows 8. Exercise 1: Verifying Readiness for a DirectAccess Deployment Task 1: Document the network configuration Verify the IP Address on LON-DC1 1. Switch to LON-DC1. 2. Right-click the Start button, and then click Control Panel. 3. Under the Network and Internet section, click View network status and tasks. 4. In the Network and Sharing Center window, from the menu on the left, click Change adapter settings. 5. In the Network Connections window, right-click the Ethernet icon, and then click Properties. 6. In the Ethernet Properties dialog box, select Internet Protocol Version 4 (TCP/IPv4), and then click Properties. 7. Document the current IP address, subnet mask, default gateway, and Domain Name System (DNS) configuration. 8. Click Cancel twice, and then click Close to close the Network Connections window. Verify Network Configuration on LON-RTR 1. Switch to LON-RTR. 2. On the Start screen, click on Server Manager. 3. In the Server Manager window, on the upper right side, click on Tools, and then click Routing and Remote Access. 4. In the Routing and Remote Access console, in the left pane, right-click LON-RTR (local), and then click Disable Routing and Remote Access. 5. Click Yes in the Routing and Remote Access dialog box. This step is necessary to disable the Routing and Remote Access that was preconfigured for this lab. 6. Right-click the Start button, and then click Control Panel. 7. Under the Network and Internet section, click View network status and tasks. 8. In the Network and Sharing Center window, click Change adapter settings. 9. In the Network Connections window, verify that there are three network adapters: Ethernet, Ethernet 2, and Internet. 10. In the Network Connections window, right-click Ethernet adapter, and then click Disable. 11. In the Network Connections window, right-click Ethernet adapter and then click Enable. 12. Repeat steps 10 and 11 for Internet network connection. 13. Verify that Ethernet adapter is connected to the domain network Adatum.com. 14. Right-click the Ethernet adapter, and then click Properties. 15. In the Ethernet Properties dialog box, select Internet Protocol Version 4 (TCP/IPv4), and then click Properties. 16. Verify that the IP address corresponds with the subnet used in domain network (the IP address should be 172.16.0.1), and then click Cancel twice. 17. Right-click the Internet adapter, and then click Properties. 18. In the Internet Properties dialog box, select Internet Protocol Version 4 (TCP/IPv4), and then click Properties. ------------------- EnayatMeer02@yahoo.com 1

19. Verify that the IP address corresponds with the subnet used to simulate Internet connectivity. The IP address should be 131.107.0.10. 20. Click Cancel twice, and then close the Network Connections window. Note: If you notice that the Internet network adapter is connected to Adatum.com, disable Routing and Remote Access service (RRAS). This is because, for DirectAccess, you will need at least one adapter to be on the external network. Verify Network Configuration on LON-CL1 1. Switch to LON-CL1. 2. Right-click the Start button, and then click Control Panel. 3. In the Control Panel window, click Network and Internet, click View Network Status and Tasks, and then click Change adapter settings. 4. Verify that the Ethernet adapter is connected to the domain network Adatum.com. 5. Right-click the Ethernet adapter, and then click Properties. 6. In the Ethernet Properties dialog box, select Internet Protocol Version 4 (TCP/IPv4), and then click Properties. 7. Document the current IP address, subnet mask, default gateway, and DNS configuration. 8. Click Cancel twice, and then click Close. Verify Network Configuration on LON-SVR1 1. Switch to LON-SVR1. 2. Right-click the Start button, and then click Control Panel. 3. Under the Network and Internet section, click View network status and tasks. 4. In the Network and Sharing Center window, from the menu on the left, click Change adapter settings. 5. Verify that the Ethernet adapter is connected to the domain network Adatum.com. 6. Right-click the Ethernet adapter, and then click Properties. 7. In Ethernet Properties, select Internet Protocol Version 4 (TCP/IPv4), and then click Properties. 8. Document the current IP address, subnet mask, default gateway, and DNS configuration. 9. Click Cancel twice, and then click Close. Verify Network Configuration on INET1 1. Switch to INET1. 2. Right-click the Start button, and then click Control Panel. 3. Under the Network and Internet section, click View network status and tasks, and then click Change adapter settings. 4. In the Network Connections window, right-click the Ethernet adapter, and in then click Properties. 5. In the Ethernet Properties dialog box, select Internet Protocol Version 4 (TCP/IPv4), and then click Properties. 6. Document the current IP address, subnet mask, and DNS configuration. 7. Click Cancel twice, and then close all open windows. Note: The INET1 server role in this module is to simulate the Internet DNS server. Task 2: Verify the server readiness for DirectAccess 1. On LON-DC1, from the taskbar, click the Server Manager console. 2. In the Server Manager console, in the upper-right corner, click Tools, and then click Active Directory Users and Computers. 3. In the Active Directory Users and Computers console tree, right-click Adatum.com, click New, and then click Organizational Unit. 4. In the New Object Organizational Unit dialog box, in the Name box, type DA_Clients OU, and then click OK. 5. In the Active Directory Users and Computers console tree, expand Adatum.com, right-click DA_Clients OU, click New, and then click Group. 6. In the New Object - Group dialog box, in the Group name box, type DA_Clients. 7. Under Group scope, ensure that Global is selected, under Group type, ensure that Security is selected, and then click OK. 8. In the details pane, right-click DA_Clients, and then click Properties. ------------------- EnayatMeer02@yahoo.com 2

9. In the DA_Clients Properties dialog box, click the Members tab, and then click Add. 10. In the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box, click Object Types, select the Computers check box, and then click OK. 11. In the Enter the object names to select (examples) box, type LON-CL1, and then click OK. 12. Verify that LON-CL1 is displayed under Members, and then click OK. 13. Close the Active Directory Users and Computers console. Exercise 2: Configuring DirectAccess Task 1: Configure DirectAccess by using the Getting Started Wizard 1. Switch to LON-RTR. 2. In Server Manager, click Tools, and then select Remote Access Management. 3. In the Remote Access Management console, under Configuration, click DirectAccess and VPN. 4. Click Run the Getting Started Wizard. 5. On the Configure Remote Access page, click Deploy DirectAccess only. 6. Verify that Edge is selected, and in Type the public name or IPv4 address used by clients to connect to the Remote Access server box, type 131.107.0.10, and then click Next. 7. In the Configure Remote Access page, click the here link. Note: Ensure that you click the here link to display an additional window for configuring GPO settings and Active Directory security groups, which will contain the computers that will be affected by the DirectAccess settings. 8. On the Remote Access Review page, verify that two GPOs are created, DirectAccess Server Settings and DirectAccess Client settings. 9. Next to Remote Clients, click the Change. 10. Select Domain Computers (Adatum\Domain Computers), and then click Remove. 11. Click Add, type DA_Clients, and then click OK. 12. Clear the Enable DirectAccess for mobile computers only check box, and then click Next. 13. On the DirectAccess Client Setup page, click Finish. 14. On the Remote Access Review page, click OK. 15. On the Configure Remote Access page, click Finish to finish the DirectAccess wizard. 16. In the Applying Getting Started Wizard Settings dialog box, click Close. Exercise 3: Validating the DirectAccess Deployment Task 1: Verify the GPO deployment 1. Switch to LON-CL1. 2. When you configured the DirectAccess server, the wizard created two Group Policies and linked them to the domain. To apply them, restart LON-CL1, sign in as Adatum\Administrator by using the password Pa$$w0rd and, on LON-CL1, on the Start screen, type cmd and then press Enter to open the Command Prompt. 3. At the command prompt, type the following command, and then press Enter: gpupdate /force 4. At the command prompt, type the following command, and then press Enter: gpresult /R 5. Under the Computer Settings section, verify that the DirectAccess Client Settings GPO is applied. 6. At the command prompt, type the following command, and then press Enter: netsh name show effectivepolicy 7. Verify that following message is displayed: DNS Effective Name Resolution Policy Table Settings Note: DirectAccess settings are inactive when this computer is inside a corporate network. 8. To move the client from the intranet to the public network, on LON-CL1, to open Control Panel, at the command prompt, type control, and then press Enter. 9. In Control Panel, click Network and Sharing Center. 10. In the Network and Sharing Center window, click Change adapter settings. 11. Right-click Ethernet, and then click Disable. 12. Right-click Ethernet 2, and then click Enable. ------------------- EnayatMeer02@yahoo.com 3

13. Right-click Ethernet 2, and then click Properties. 14. In the Ethernet 2 Properties dialog box, double-click Internet Protocol Version 4 (TCP/IPv4). 15. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, ensure that the following is displayed, and then click OK: o IP address: 131.107.0.20 o Subnet mask: 255.255.0.0 o Preferred DNS server: 131.107.0.100 16. In the Ethernet 2 Properties dialog box, click Close. 17. Close all open windows. Task 2: Test DirectAccess connectivity Verify Connectivity to the Internal Network Resources 1. Switch to LON-CL1. 2. On the taskbar, click the Internet Explorer icon. 3. In the Address bar, type http://lon-svr1.adatum.com, and then press Enter. The default Internet Information Services (IIS) 8.0 web page for LON-SVR1 appears. Note: If the default Internet Information Services (IIS) 8.0 web page for LON-SVR1 doesn t appear, restart LON-CL1. After LON-CL1 restarts, sign in as Adatum\Administrator and repeat steps 2 and 3 again. 4. Leave the Windows Internet Explorer window open. 5. On the Start screen, type \\LON-SVR1\Files, and then press Enter. Note that you are able to access the folder content. 6. Close all open windows. 7. Click the Start button, on the Start screen type cmd, and then press Enter. 8. At the command prompt, type ipconfig, and then press Enter. Notice the IP address for Tunnel adapter iphttpsinterface starts with 2002. This is an IP-HTTPS address. Verify Connectivity to the DirectAccess Server 1. At the command prompt, type the following, and then press Enter. Netsh name show effectivepolicy 2. Verify that DNS Effective Name Resolution Policy Table Settings presents two entries for adatum.com and Directaccess-NLS.Adatum.com. 3. At the command prompt, type the following command, and then press Enter: Powershell 4. At the Windows PowerShell command prompt, type the following command, and then press Enter: Get-DAClientExperienceConfiguration Notice the DirectAccess client settings. Verify Client Connectivity on DirectAccess Server 1. Switch to LON-RTR. 2. Switch to the Remote Access Management console. 3. In the Console pane, click Remote Client Status. Notice that the client is connected via IPHttps. In the Connection Details pane, in the bottom-right of the screen, note the use of Kerberos for the Machine and the User. 4. Close all open windows. Note: After completing the lab, do not revert the virtual machines. Note: This section Part B is time consuming: ------------------- EnayatMeer02@yahoo.com 4

Lab B Module 08: Deploying an Advanced DirectAccess Solution Scenario The proof-of-concept deployment of DirectAccess was a success, so IT management has decided to enable DirectAccess for all mobile clients, including computers running Windows 7. IT management also wants to ensure that the DirectAccess deployment is scalable and provides redundancy. You need to modify the proof-of-concept deployment to meet the new requirements. Exercise 1: Preparing the Environment for DirectAccess Task 1: Configure the AD DS and DNS requirements Edit the Security Group for DirectAccess Client Computers 1. Switch to LON-DC1. 2. In the Server Manager console, in the upper-right corner, click Tools, and then click Active Directory Users and Computers. 3. In the Active Directory Users and Computers console tree, click DA_Clients OU, and then in the details pane double-click DA_Clients group. 4. In the DA_Clients Properties dialog box, click the Members tab, and then click Add. 5. In the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box, click Object Types, select the Computers check box, and then click OK. 6. In the Enter the object names to select (examples) box, type LON-CL3, click Check Names, and then press OK. 7. Verify that LON-CL3 and LON-CL1 are displayed below the Members list, and then click OK. 8. Close the Active Directory Users and Computers console. Create Required DNS Records 1. In the Server Manager console, click Tools, and then click DNS. 2. In the console tree of DNS Manager, expand LON-DC1\Forward Lookup Zones\Adatum.com. 3. Right-click Adatum.com, and then click New Host (A or AAAA). 4. In the Name box, type nls. In the IP address box, type 172.16.0.21. Click Add Host, and then click OK. Note: The NLS record will be used by the client to determine the network location. 5. In the New Host dialog box, in the Name box, type CRL. In the IP address box, type 172.16.0.1, and then click Add Host. 6. In the DNS dialog box, which confirms that the record was created, click OK. 7. In the New Host dialog box, click Done. 8. Close the DNS Manager console. Note: The CRL record will be used by the internal clients to check the revocation status on the certificates that are used in DirectAccess. Remove ISATAP from the DNS Global Query Block 1. On the Start screen, type cmd.exe, and then press Enter to launch the Command Prompt window. 2. In the Command Prompt window, type the following command, and then press Enter: dnscmd /config /globalqueryblocklist wpad 3. Ensure that the Command completed successfully message displays. 4. Close the Command Prompt window. Configure the DNS Suffix on LON-RTR 1. Switch to LON-RTR. 2. On the Start screen, type Control Panel, and then press Enter. 3. In Control Panel, click View network status and tasks. 4. In the Network and Sharing Center window, click Change adapter settings. 5. In the Network Connection window, right-click Internet, and then click Properties. 6. In the Internet Properties dialog box, double-click Internet Protocol Version 4 (TCP/IPv4). 7. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, click Advanced. 8. On the DNS tab, in the DNS suffix for this connection box, type Adatum.com, and then click OK. 9. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, click OK. 10. In the Internet Properties dialog box, click Close. 11. Close the Network Connections window. ------------------- EnayatMeer02@yahoo.com 5

Note: The Internet client needs this suffix when resolving names for internal resources. Task 2: Configure CRL distribution Configure Certificate Requirements Note: The following steps will be performed to prepare the CA with proper extensions for the CRL distribution point, which will be included in the future certificates that will be used by the CA. 1. On LON-DC1, in Server Manager, on the Tools menu, click Certification Authority. 2. In the details pane, right-click AdatumCA, and then click Properties. 3. In the AdatumCA Properties dialog box, click the Extensions tab. 4. On the Extensions tab, click Add. In the Location box, type http://crl.adatum.com/crld/ 5. Under Variable, click <CAName>, and then click Insert. 6. Under Variable, click <CRLNameSuffix>, and then click Insert. 7. Under Variable, click <DeltaCRLAllowed>, and then click Insert. 8. In the Location box, type.crl at the end of the Location string, and then click OK. 9. Select Include in CRLs, Clients use this to find Delta CRL locations, and Include in the CDP extension of issued certificates checkboxes, and then click Apply. 10. Click No in the dialog box that displays prompting you to restart Active Directory Certificate Services (AD CS). 11. Click Add. 12. In the Location box, type \\LON-RTR\crldist$\ 13. Under Variable, click <CaName>, and then click Insert. 14. Under Variable, click <CRLNameSuffix>, and then click Insert. 15. Under Variable, click <DeltaCRLAllowed>, and then click Insert. 16. In the Location box, type.crl at the end of the string, and then click OK. 17. Select Publish CRLs to this location and select Publish Delta CRLs to this location, and then click OK. 18. Click Yes to restart AD CS. Export Root Certificate Note: In following steps you will export the root certificate because it will be required in Labs C and D for configuring virtual private network (VPN) and Web Application Proxy. 1. In Certification Authority, right-click AdatumCA, and then select Properties. 2. On the General tab, click View Certificate. 3. In the Certificate window, click the Details tab, and then click Copy to File. 4. In the Certificate Export Wizard, click Next. 5. Select DER encoded binary x.509 (.CER), and then click Next. 6. In the File Name box, type c:\root.cer, and then click Next. 7. Click Finish to close the Certificate Export Wizard. 8. Click OK three times and then close the Certification Authority console. Task 3: Configure client certificate distribution Configure Computer Certificate Autoenrollment 1. On LON-DC1, switch to Server Manager, click Tools on the upper-right side of the window, and then click Group Policy Management. 2. In the console tree, expand Forest: Adatum.com, expand Domains, and then expand Adatum.com. 3. In the console tree, right-click Default Domain Policy, and then click Edit. 4. In the Group Policy Management Editor, navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies. 5. In the details pane, right-click Automatic Certificate Request Settings, point to New, and then click Automatic Certificate Request. 6. In the Automatic Certificate Request Setup Wizard, click Next. 7. On the Certificate Template page, click Computer, click Next, and then click Finish. 8. Close the Group Policy Management Editor and close the Group Policy Management console. Task 4: Configure the network location server and DirectAccess server certificates Request a Certificate for LON-SVR1 1. On LON-SVR1, on the Start screen, type cmd, and then press Enter to open a command prompt. 2. At the command prompt, type the following command, and then press Enter: ------------------- EnayatMeer02@yahoo.com 6

gpupdate /force 3. At the command prompt, type the following command, and then press Enter: mmc 4. Click File, and click Add/Remove Snap-in. 5. In the Available snap-ins list, click Certificates, and then click Add. 6. In the Certificates snap-in dialog box, select Computer account, and then click Next. 7. Select Local computer, click Finish, and then click OK. 8. In the console tree of the Certificates snap-in, navigate to Certificates (Local Computer)\Personal\Certificates. 9. Right-click Certificates, point to All Tasks, and then click Request New Certificate. 10. Click Next twice. 11. On the Request Certificates page, click Adatum Web Certificate, and then click More information is required to enroll for this certificate. 12. On the Subject tab in the Certificate Properties dialog box, under Subject name, under Type, select Common name. 13. In the Value box, type nls.adatum.com, and then click Add. 14. Click OK, click Enroll, and then click Finish. 15. In the details pane of the Certificates snap-in, verify that a new certificate with the name nls.adatum.com is enrolled with Intended Purposes of Server Authentication. 16. Close the console window. When you are prompted to save settings, click No. Change the HTTPS Bindings Note: In following steps you will configure the https bindings for the host name nls.adatatum.com that will be used by the clients to determine their network location. 1. In Server Manager, click Tools, and then click Internet Information Services (IIS) Manager. 2. In the Internet Information Services (IIS) Manager message box, expand LON-SVR1 (ADATUM\Administrator), and then if the Internet Information Service Manager message box appears, click No to close the message box. 3. In the console tree of Internet Information Services (IIS) Manager, navigate to LON-SVR1/Sites, and then click Default Web site. 4. In the Actions pane, click Bindings, and then click Add. 5. In the Add Site Bindings dialog box, click https, in the Host name box type nls.adatum.com, in the SSL Certificate list, click the certificate with the name nls.adatum.com, click OK, and then click Close. 6. Close the Internet Information Services (IIS) Manager console. Configure DirectAccess Server with the Appropriate Certificate 1. Switch to LON-RTR. 2. On the Start screen, type cmd, and then press Enter. 3. At the command prompt, type the following command, and then press Enter: gpupdate /force 4. At the command prompt, type mmc, open a Microsoft Management Console, and then press Enter. 5. In the Microsoft Management Console, click File, and then click Add/Remove Snap-in. 6. In the Available snap-ins list, click Certificates, and then click Add. 7. In the Certificates snap-in dialog box, select Computer account, and then click Next. 8. Select Local computer, click Finish, and then click OK. 9. In the console tree of the Certificates snap-in, navigate to Certificates (Local Computer)\Personal\Certificates. 10. Right-click Certificates, point to All Tasks, and then click Request New Certificate. 11. Click Next twice. 12. On the Request Certificates page, click Adatum Web Certificate, and then click More information is required to enroll for this certificate. 13. On the Subject tab of the Certificate Properties dialog box, under Subject name, under Type, select Common name. 14. In the Value box, type 131.107.0.10, and then click Add. 15. Click OK, click Enroll, and then click Finish. ------------------- EnayatMeer02@yahoo.com 7

16. In the details pane of the Certificates snap-in, verify that a new certificate with the name 131.107.0.10 is issued with Intended Purposes of Server Authentication. 17. Right-click the certificate, and click Properties. 18. In the Friendly Name box, type IP-HTTPS Certificate, and then click OK. 19. Close the console window. If you are prompted to save settings, click No. Note: Instead of issuing a certificate with the IP address in the subject name, in a real-world environment, you can use the FQDN of the Internet facing server that will be reachable by the external client. Create a CRL Distribution Point on LON-RTR 1. Switch to Server Manager. 2. Click Tools, and then click Internet Information Services (IIS) Manager. 3. In the Internet Information Services (IIS) Manager console, in the left pane, click LON-RTR (Adatum\Administrator). 4. If the Internet Information Service Manager message box appears, click No to close the message box. 5. In the console tree, browse to LON-RTR\Sites\Default Web Site, right-click Default Web Site, and then click Add Virtual Directory. 6. In the Add Virtual Directory dialog box, in the Alias box, type CRLD. Next to Physical path, click the ellipsis ( ) button. 7. In the Browse for Folder dialog box, click Local Disk (C:), and then click Make New Folder. 8. Type CRLDist, and then press Enter. 9. In the Browse for Folder dialog box, click OK. 10. In the Add Virtual Directory dialog box, click OK. 11. In the middle pane of the console, double-click Directory Browsing, and then in the Actions pane, click Enable. 12. In the left pane, click the CRLD folder. 13. In the middle pane of the console, under the Management section, double-click the Configuration Editor icon. 14. Click the down-arrow of the Section drop-down list, and then navigate to system.webserver\security\requestfiltering. 15. In the middle pane of the console, double-click the allowdoubleescaping entry to change the value from False to True. 16. In the Actions pane, click Apply. 17. Close Internet Information Services (IIS) Manager. Note: You need to modify the value of allowdoubleescaping to allow clients to access CRL deltas that will have a plus sign (+) appended to the filename. Share and Secure the CRL Distribution Point 1. On the taskbar, click File Explorer. 2. Double-click Local Disk (C:). 3. In the details pane of File Explorer, right-click the CRLDist folder, and then click Properties. 4. In the CRLDist Properties dialog box, click the Sharing tab, and then click Advanced Sharing. 5. In the Advanced Sharing dialog box, select Share this folder. 6. In the Share name box, type a dollar sign ($) at the end so that the share name is CRLDist$. 7. In the Advanced Sharing dialog box, click Permissions. 8. In the Permissions for CRLDist$ dialog box, click Add. 9. In the Select Users, Computers, Service Accounts, or Groups dialog box, click Object Types. 10. In the Object Types dialog box, select Computers, and then click OK. 11. In the Select Users, Computers, Service Accounts, or Groups dialog box, in the Enter the object names to select box, type LON-DC1, and then click Check Names. Click OK. 12. In the Permissions for CRLDist$ dialog box, in the Group or user names list, select LON-DC1 (ADATUM\LON-DC1$). In the Permissions for LON-DC1 area, under Full control, select Allow. Click OK. 13. In the Advanced Sharing dialog box, click OK. 14. In the CRLDist Properties dialog box, click the Security tab. 15. On the Security tab, click Edit. 16. In the Permissions for CRLDist dialog box, click Add. 17. In the Select Users, Computers, Service Accounts, or Groups dialog box, click Object Types. ------------------- EnayatMeer02@yahoo.com 8

18. In the Object Types dialog box, select Computers. Click OK. 19. In the Select Users, Computers, Service Accounts, or Groups dialog box, in the Enter the object names to select box, type LON-DC1, click Check Names, and then click OK. 20. In the Permissions for CRLDist dialog box, in the Group or user names list, select LON-DC1 (ADATUM\LON-DC1$). In the Permissions for LON-DC1 area, under Full control, select Allow, and then click OK. 21. In the CRLDist Properties dialog box, click Close. 22. Close the File Explorer window. Publish the CRL to LON-RTR This step makes the CRL available on the edge server for Internet-based DirectAccess clients. 1. Switch to LON-DC1. 2. In Server Manager, click Tools, and then click Certification Authority. 3. In the console tree, expand AdatumCA, right-click Revoked Certificates, point to All Tasks, and then click Publish. 4. In the Publish CRL dialog box, click New CRL, and then click OK. 5. On the taskbar, click File Explorer, type \\LON-RTR\CRLDist$ and then press Enter. 6. In the File Explorer window, notice the AdatumCA files. 7. Close the File Explorer window. Exercise 2: Implementing the Advanced DirectAccess Infrastructure Task 1: Modify the DirectAccess deployment Configure the Remote Access Role 1. On LON-RTR, in Server Manager, on the Tools menu, click Remote Access Management. 2. In the Remote Access Management console, click DirectAccess and VPN. 3. To select which clients will use DirectAccess, in the central pane, under step 1, click Edit. 4. On the Deployment Scenario page, click Next. 5. On the Select Groups page, verify that DA_Clients (ADATUM\DA_Clients) group is listed, and then click Next. 6. On the Network Connectivity Assistant page, under the Resource column, delete the existing record by rightclicking on the arrow and selecting Delete. 7. Double-click the empty row under the Resource column. 8. In the Configure Corporate Resources for NCA page, verify that HTTP is selected, and then type https://nls.adatum.com. Click Validate, and then click Add. 9. In the Network Connectivity Assistant page, click Finish to close configuration for step 1. 10. On Step 2, click Edit. 11. On the Network Topology page, verify that Edge is selected, and then type 131.107.0.10. 12. Click Next. 13. On the Network Adapters page, clear selection for Use a self-signed certificate created automatically by DirectAccess, and then click Browse. 14. On Select Certificate dialog box, notice that there are two certificates named 131.107.0.10, one that is selfsigned and the second one that is issued by Adatum.com. Ensure that you choose the certificate 131.107.0.10 that is issued by AdatumCA and is used as a certificate to authenticate IP-HTTPS connections, click OK, and then click Next. 15. On the Authentication page, select Use computer certificates, click Browse, select AdatumCA, and then click OK. 16. Select Enable Windows 7 client computers to connect via DirectAccess, and then click Finish. Note: You need to enable certificate authentication with certificates issued from a trusted CA to support Windows 7 clients. 17. In the Remote Access Setup pane, under Step 3, click Edit. 18. On the Network Location Server page, select The network location server is deployed on a remote web server (recommended); in the Type in the URL of the network location server box, type https://nls.adatum.com, and then click Validate. 19. Ensure that the URL is validated, and then click Next. ------------------- EnayatMeer02@yahoo.com 9

20. On the DNS page, double-click an empty row below nls.adatum.com. 21. In the DNS suffix box, type crl.adatum.com, click Apply to add the entry in the Name Resolution Policy Table (NRPT) table, and then click Next. 22. In the DNS Suffix Search List page, click Next. 23. On the Management page, click Finish to close configuration for Step 3. 24. Under step 4, click Edit. 25. On the DirectAccess Application Server Setup page, click Finish. 26. In the central pane, click Finish to apply the changes. 27. In the Remote Access Review window, click Apply. 28. In the Applying Remote Access Setup Wizard Settings dialog box, click Close. Task 2: Verify the server and GPO configuration 1. On the Start screen, type cmd, and then press Enter. 2. At the command prompt, type the following commands, and then press Enter: gpupdate /force Ipconfig 3. Verify that LON-RTR has an IPv6 address for Tunnel adapter IP-HTTPS Interface starting with 2002. Exercise 3: Validating the DirectAccess Deployment Task 1: Verify Windows 8 client connectivity Verify DirectAccess Group Policy Configuration Settings for Windows 8 Clients 1. To move the client from the public network back to the intranet, on LON-CL1, to open Control Panel, at the command prompt, type control, and then press Enter. 2. In Control Panel, click Network and Sharing Center. 3. In the Network and Sharing Center window, click Change adapter settings. 4. Right-click Ethernet 2, and then click Disable. 5. Right-click Ethernet, and then click Enable. 6. At the command prompt, type the following command and then press Enter: gpupdate /force Note: If an error message appears, restart LON-CL1, and perform step 2 again. 7. If you are still not able to connect, perform following steps: On LON-CL1, on the Start screen, type cmd, and then press Enter. In the Command Prompt window, type regedit, press Enter, and then in the User Account Control dialog box, click Yes. In the Registry Editor window, in the navigation pane, navigate to HKLM\Software\Policies\Microsoft\Windows NT\DNSClient\DNSPolicyConfig, and notice the three entries starting with DA. In the Registry Editor window, in the navigation pane, right-click each of the entries starting with DA, click Delete, and then in the Confirm Key Delete dialog box, click Yes. Close the Registry Editor window. Note: These registry settings you just deleted are from the previous labs and they might cause problems for verifying Windows 8 client connectivity. This is why you are deleting them. Restart LON-CL1 and perform steps from 2 through 4 to verify connectivity to the default IIS 8.0 web page on LON-SVR1. 8. At the command prompt, type the following command, and then press Enter: gpresult /R 9. Verify that DirectAccess Client Settings GPO is displayed in the list of the Applied Group Policy Objects for the Computer Settings. 10. If the policy is not being applied, run the gpupdate /force command again. If the policy is still not being applied, restart the computer. After the computer restarts, sign in as Adatum\Administrator and run the Gpresult /R command again. Verify Client Computer Certificate Distribution ------------------- EnayatMeer02@yahoo.com 10

1. On LON-CL1, in the command prompt, type mmc.exe, and then press Enter. 2. Click File, and then click Add/Remove Snap-in. 3. In the Available snap-ins list, click Certificates, and then click Add. 4. In the Certificates snap-in dialog box, select Computer account, and then click Next. 5. Select Local computer, click Finish, and then click OK. 6. In the console tree of the Certificates snap-in, navigate to Certificates (Local Computer) \Personal\Certificates. 7. In the details pane, verify that a certificate with the name LON-CL1.adatum.com is present with Intended Purposes of Client Authentication and Server Authentication. If there is no certificate issued, restart LON-CL1. After LON-CL1 restarts, sign in as Adatum\Administrator and at the command prompt run the gpupdate /force command again. 8. Close the console window. When you are prompted to save settings, click No. Verify IP Address Configuration 1. On LON-CL1, on the Start screen, click the Desktop tile. 2. On the taskbar, click the Internet Explorer icon. 3. In the Address bar, type http://lon-svr1.adatum.com/, and then press Enter. If a notification appears to indicate whether to enable private network access, click Turn on. The default IIS 8.0 web page for LON-SVR1 displays. 4. In the Address bar, type https://nls.adatum.com/, and then press Enter. The default IIS 8.0 web page for LON- SVR1 displays. 5. Leave the Internet Explorer window open. 6. On the Start screen, type \\Lon-SVR1\Files, and then press Enter. A folder window with the contents of the Files folder displays. 7. Close all open windows. Move the Client Computer to the Internet Virtual Network 1. To move the client from the intranet to the public network, on LON-CL1, to open Control Panel, at the command prompt, type control, and then press Enter. 2. In Control Panel, click Network and Sharing Center. 3. In the Network and Sharing Center window, click Change adapter settings. 4. Right-click Ethernet, and then click Disable. 5. Right-click Ethernet 2, and then click Enable. 6. Close the Network Connections window. Verify Connectivity to the DirectAccess Server 1. On LON-CL1, at the command prompt, type the following command, and then press Enter: ipconfig 2. Notice the IP address for Tunnel adapter is iphttpsinterface which starts with 2002. This is an IP-HTTPS address. 3. If you notice that there is no IP address for iphttpsinterface, type the following commands, restart the computer, and then repeat steps 1 and 2: Netsh interface teredo set state disabled Netsh interface 6to4 set state disabled Note: In this lab setup, IP-HTTPS connectivity on the firewall is enabled and other connectivity methods from the client, such as the Teredo or 6to4 tunneling protocol, are disabled. If you are planning to use the Teredo or 6to4 tunneling protocol in the production environment, you do not have to disable them. 4. At the command prompt, type the following command, and then press Enter: Netsh name show effectivepolicy Verify that DNS Effective Name Resolution Policy Table Settings is present in the three entries for adatum.com, crl.adatum.com, and nls.adatum.com. 5. At the command prompt, type the following command, and then press Enter: powershell ------------------- EnayatMeer02@yahoo.com 11

6. At the Windows PowerShell command prompt, type the following command, and then press Enter: Get-DAClientExperienceConfiguration Notice the DirectAccess client settings. Verify Connectivity to the Internal Network Resources 1. On the taskbar, click the Internet Explorer icon. 2. In the Address bar, type http://lon-svr1.adatum.com, and then press Enter. The default IIS 8.0 web page for LON-SVR1 displays. 3. Leave the Internet Explorer window open. 4. On the taskbar, click File Explorer, type \\LON-SVR1\Files, and then press Enter. A folder window with the contents of the Files folder appears. 5. Switch to the Command Prompt window. 6. At the command prompt, type the following command and then press Enter: ping lon-dc1.adatum.com 7. Verify that you are receiving replies from lon-dc1.adatum.com. 8. At the command prompt, type the following command, and then press Enter: gpupdate /force 9. Close all open windows. 10. Switch to LON-RTR. 11. On the taskbar, click the Remote Access Management icon. 12. In the Console pane, click Remote Client Status. Notice that LON-CL1 is connected via IP-HTTPS. In the Connection Details pane, in the bottom-right of the screen, note the use of Machine Certificate, and User Kerberos. Note: When establishing the infrastructure tunnel, NTLMv2 authentication is used to authenticate the computer account that connects to the DirectAccess server. When establishing the intranet tunnel, Kerberos authentication is used for authenticating the user. 13. Close all open windows. Task 2: Verify Windows 7 client connectivity Verify DirectAccess Group Policy Configuration Settings for Windows 7 Clients 1. Switch to LON-CL3. 2. Restart LON-CL3, and then sign in as Adatum\Administrator with the password Pa$$w0rd. This is to ensure that the LON-CL3 computer connects to the domain as a member of the DA_Clients security group. 3. If a dialog box displays with information that Windows needs to be restarted for the second time, restart LON- CL3 again, and then sign in as Adatum\Administrator with the password Pa$$w0rd. 4. Click the Start button, type cmd, and then press Enter to open the Command Prompt window. 5. At the command prompt, type the following command, and then press Enter: gpupdate /force 6. At the command prompt, type the following command, and then press Enter: gpresult /R 7. Verify that the DirectAccess Client Settings GPO is displayed in the list of the Applied Group Policy Objects for the Computer Settings. 8. If the policy is not being applied, run the gpupdate /force command again. If the policy is still not being applied, restart the computer. After the computer restarts, sign in as Adatum\Administrator and run the Gpresult /R command again. Verify Client Computer Certificate Distribution 1. On LON-CL3, click the Start button, type mmc.exe, and then press Enter. 2. Click File, and then click Add/Remove Snap-in. 3. In the Available snap-ins list, click Certificates, and then click Add. 4. In the Certificates snap-in dialog box, select Computer account, and then click Next. 5. Select Local computer, click Finish, and then click OK. In the console tree of the Certificates snap-in, navigate to Certificates (Local Computer)\Personal\Certificates. ------------------- EnayatMeer02@yahoo.com 12

6. In the details pane, verify that a certificate with the name LON-CL3.adatum.com is present with Intended Purposes of Client Authentication and Server Authentication. 7. Close the console window. When you are prompted to save settings, click No. Verify IP Address Configuration 1. On LON-CL3, on the taskbar, click the Internet Explorer icon. 2. In the Address bar, type http://lon-svr1.adatum.com/, and then press Enter. If a notification appears to indicate whether to enable private network access, click Turn on. The default IIS 8.0 web page for LON-SVR1 appears. In the Address bar, type https://nls.adatum.com/, and then press Enter. The default IIS 8.0 web page for LON-SVR1 appears. 3. Leave the Internet Explorer window open. 4. On the taskbar, click File Explorer, type \\LON-SVR1\Files, and then press Enter. A folder window with the contents of the Files folder appears. 5. Close all open windows. Move the Client Computer to the Internet Virtual Network 1. To move the client from the intranet to the public network, on LON-CL3, to open Control Panel, at the command prompt, type control, and then press Enter. 2. In Control Panel, click Network and Sharing Center. 3. In the Network and Sharing Center window, click Change adapter settings. 4. Right-click Internal, and then click Disable. 5. Right-click Internet, and then click Enable. 6. Close the Network Connections window. Verify Connectivity to the DirectAccess Server 1. On LON-CL3, click Start, type cmd, and then press Enter to open the command prompt. 2. At the command prompt, type the following command, and then press Enter: ipconfig 3. Notice the IP address for Tunnel adapter iphttpsinterface, which starts with 2002. This is an IP-HTTPS address. Note: If you notice that there is no IP address for iphttpsinterface, type the following commands, and then repeat step 2: Netsh interface teredo set state disabled Netsh interface 6to4 set state disabled Verify the IP address for Tunnel adapter iphttpsinterface, which starts with 2002. This is an IP-HTTPS address. 4. At the command prompt, type the following command, and then press Enter: Netsh name show effectivepolicy Verify that DNS Effective Name Resolution Policy Table Settings is present in the three entries for adatum.com, crl.adatum.com, and nls.adatum.com. Verify Connectivity to the Internal Network Resources 1. On the taskbar, click the Internet Explorer icon. 2. In the Address bar, type http://lon-svr1.adatum.com, and then press Enter. The default IIS 8.0 web page for LON-SVR1 displays. 3. Leave the Internet Explorer window open. 4. On the taskbar, click File Explorer, type \\LON-SVR1\Files, and then press Enter. A folder window with the contents of the Files folder appears. 5. Switch to the Command Prompt window. 6. At the command prompt, type the following command, and then press Enter: ping lon-dc1.adatum.com 7. Verify that you are receiving replies from lon-dc1.adatum.com, and notice that the IPv6 address of LON-DC1 is resolved. This is because DirectAccess configures a GPO with firewall settings that allow IPv6 Internet Control Message Protocol (ICMP) echo replies and not IPv4 ICMP echo replies. 8. At the command prompt, type the following command, and then press Enter: gpupdate /force 9. Close all open windows. 10. Switch to LON-RTR. 11. On the taskbar, click the Remote Access Management icon. ------------------- EnayatMeer02@yahoo.com 13

12. In the Console pane, click Remote Client Status, and then, from the Tasks pane, click Refresh. In the central pane, notice that LON-CL3 is connected via IP-HTTPS. If there is still information in the central pane that LON-CL3 is connected with 6to4, from the Task pane click Refresh once again. 6to4 information should disappear because 6to4 was disabled in step 4 of the previous section in this task. 13. Close all open windows. Task 3: Monitor client connectivity 1. Switch to LON-RTR. 2. Open the Remote Access Management console, and then in the left pane, click Dashboard. 3. Review the information in the central pane under DirectAccess and VPN Client Status. 4. In the left pane, click Remote Client Status, and then in the central pane, review the information under the Connected Clients list. 5. In the left pane, click Reporting, and then in the central pane, click Configure Accounting. 6. In the Configure Accounting window, under Select Accounting Method, click Use inbox accounting, click Apply, and then click Close. 7. In the central pane, under Remote Access Reporting, review the options for monitoring historical data. Note: After completing the lab, do not revert the virtual machines. This is a lab Section C: Lab C Module 08: Implementing VPN Scenario The DirectAccess deployment is working very well, but a number of computers at A. Datum cannot connect by using DirectAccess. For example, some home users are using computers that are not members of the A.Datum.com domain. Other users are running operating system versions that do not support DirectAccess. To enable remote access for these computers, you must deploy a VPN solution. Exercise 1: Implementing VPN Task 1: Review the default VPN configuration 1. Switch to LON-RTR. 2. In the Remote Access Management Console, click DirectAccess and VPN, and from the Actions pane, under the VPN section, select Enable VPN. 3. In the Enable VPN dialog box, click OK. 4. Click Close to finish the wizard. 5. In Server Manager, on the Tools menu, click Routing and Remote Access. 6. Expand LON-RTR, right-click ports, click Properties, and then verify that 128 ports exist for SSTP, IKEv2, PPTP, and L2TP. 7. Double-click WAN Miniport (SSTP). In the Maximum ports box, type 5, and then click OK. In the Routing and Remote Access message box, click Yes. 8. Repeat step 7 for IKEv2, PPTP, and L2TP. 9. To close the Ports Properties dialog box, click OK. 10. Right-click LON-RTR (local), click Properties, and in the General tab, verify that IPv4 Remote access server is selected. 11. Click Security, and then verify that Certificate 131.107.0.10 is selected for SSL Certificate Binding. 12. Click Authentication Methods, and then verify that EAP is selected as the authentication protocol and then click OK. ------------------- EnayatMeer02@yahoo.com 14

13. Click the IPv4 tab, and then verify that the VPN server is configured to assign IPv4 addressing by using Dynamic Host Configuration Protocol (DHCP). 14. To close the LON-RTR (local) Properties dialog box, click OK. Task 2: Verify certificate requirements for IKEv2 and SSTP 1. Switch to LON-RTR. 2. On the Start screen, type mmc, and then press Enter. 3. On the File menu, select Add/Remove Snap-in. 4. Select Certificates, click Add, select Computer account, and then click Next. 5. Verify that Local computer is selected, and then click Finish. 6. To close the Add or Remove Snap-in, click OK. 7. Expand Certificates (Local Computer), expand Personal, and then click Certificates. 8. Notice that certificate 131.107.0.10 has been issued by AdatumCA with Intended Purpose for Server Authentication (this is required for Secure Socket Tunneling Protocol (SSTP) and Internet Key Exchange version 2 (IKEv2) VPN connectivity). 9. Close the console without saving the changes. Task 3: Configure the remote access server 1. On LON-RTR, in Server Manager, on the Tools menu, click Network Policy Server. 2. In the Network Policy Server console, in the navigation pane, expand Policies, and then click Network Policies. 3. In the details pane, right-click the policy at the top of the list, and then click Disable. 4. In the details pane, right-click the policy at the bottom of the list, and then click Disable. 5. In the navigation pane, right-click Network Policies, and then click New. 6. In the New Network Policy wizard, in the Policy name box, type VPN Policy. 7. In the Type of network access server list, click Remote Access Server(VPN-Dial up), and then click Next. 8. On the Specify Conditions page, click Add. 9. In the Select condition dialog box, click Windows Groups, and then click Add. 10. In the Windows Groups dialog box, click Add Groups. 11. In the Select Group dialog box, in the Enter the object name to select (examples) box, type IT, and then click OK. 12. Click OK again, click Next, on the Specify Access Permission page, click Access granted, and then click Next. 13. On the Configure Authentication Methods page, clear the Microsoft Encrypted Authentication (MS- CHAP) check box. 14. To add EAP Types, click Add. 15. On the Add EAP Types page, select Microsoft Secured password (EAP-MSCHAP v2), and then click OK. 16. To add EAP Types, click Add. 17. On the Add EAP Types page, select Microsoft: Smart Card or other certificate, and then click OK. 18. Click Next. 19. On the Configure Constraints page, click Next. 20. On the Configure Settings page, click Next. 21. On the Completing New Network Policy page, click Finish. Exercise 2: Validating the VPN Deployment Task 1: Remove the client computer from the domain 1. Switch to LON-CL1. 2. On the Start screen, type control, and then press Enter to open Control Panel. 3. In Control Panel, click System. 4. In the System window, under Computer name, domain and workgroup settings, click Change settings. 5. In the System Properties dialog box, click Change. 6. In the Computer Name/Domain Changes dialog box, select Workgroup, type WORKGROUP, click OK, and then in the Computer Name/Domain Changes dialog box click OK. 7. If a Windows Security dialog box appears, for username type Administrator, for password type Pa$$w0rd, and then click OK. ------------------- EnayatMeer02@yahoo.com 15

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback