
WS-011 Windows Server 2019 Administration


© Copyright Microsoft Corporation. All rights reserved.


Module 10: Remote access and web services in Windows Server
Module overview

 Lessons:
o Lesson 1: Overview of RAS in Windows Server
o Lesson 2: Implementing VPNs
o Lesson 3: Implementing NPS
o Lesson 4: Implementing Always On VPN
o Lesson 5: Implementing Web Server in Windows Server
Lesson 1: Overview of RAS in Windows Server
Lesson 1 overview

 Topics:
o Remote access features in Windows Server
o Overview of remote application access
o Manage remote access in Windows Server
o When to deploy a public key infrastructure for remote access
o What is Web Application Proxy?
o Authentication options for Web Application Proxy
o Publish applications with Web Application Proxy
o Discussion: Remote access options usage scenarios
Remote Access features in Windows Server

DirectAccess:
 Provides always-on connectivity to office resources over public networks
 Requires Windows 10 Enterprise or Education editions
VPN:
 Provides connection-based connectivity to office resources over public networks
Routing:
 Routes IP packets between two networks
 Can perform network address translation (NAT) and DHCP Relay
Web Application Proxy:
 Secures access to web-based applications
 Works as a reverse proxy with multiple preauthentication options
Overview of remote application access

Remote access to data files works well when using DirectAccess and VPN
Remote access to desktop apps:
 Performance suffers with high latency
 Works best with Remote Desktop Services
Remote access to web-based apps:
 Web-based apps work well over slow connections with higher latency
 Web Application Proxy is a simple solution for users
 DirectAccess and VPN also work well
Manage remote access in Windows Server

Remote Access Management console:


 Used to perform configuration of DirectAccess, VPN, and Web Application Proxy
Routing and Remote Access console:
 Used to configure VPN and routing
Windows PowerShell commands:
 Used to manage all aspects of the Remote Access role
When to deploy a public key infrastructure for remote access

Digital certificates are used for encryption and authentication


Certificates can be:
 Self-signed
 Obtained from a CA

Comparison of CA types:
 Private CA
o Advantages: control over certificate management; no cost per certificate; customized templates; automatic enrollment
o Disadvantages: not trusted by external clients; requires greater administration
 Public CA
o Advantages: trusted by external clients; requires minimal administration
o Disadvantages: higher cost; cost is per certificate; slower certificate procurement
What is Web Application Proxy?

Web Application Proxy:


 Provides reverse web proxy functionality
 Requires AD FS
 Is located in a perimeter network

[Diagram: client devices on the Internet pass through a firewall to Web Application Proxy in the perimeter network, which passes through a second firewall to AD FS and the web-based applications on the corporate network]
Authentication options for Web Application Proxy

You can configure a published application to use:


 AD FS preauthentication
 Pass-through preauthentication
Benefits of AD FS preauthentication include:
 Workplace join
 SSO
 Multifactor authentication
 Multifactor access control
Publish applications with Web Application Proxy

Initial configuration of Web Application Proxy requires:


 AD FS name
 Credentials of a local administrator account for AD FS
 AD FS Proxy certificate (includes AD FS name)
Information required when publishing a web-based app:
 Type of preauthentication
 Application name
 External URL
 A certificate that includes the external URL name
 URL of the backend server
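As an added example (not code from the course or from Microsoft), the initial configuration and one application publish from the two lists above, done with the WebApplicationProxy cmdlets. Assumed placeholder names: AD FS farm sts.contoso.com, external URL wac.contoso.com, backend server adm1.contoso.com, and an AD FS relying party named "Windows Admin Center"; both certificates are assumed to already be in the computer's Personal store.

```powershell
# Added example (not part of the course deck): install Web Application Proxy on a
# perimeter-network server and publish one app behind AD FS preauthentication.
# Placeholders (not from the deck): sts.contoso.com, wac.contoso.com, adm1.contoso.com.

# 1. Role service: Web Application Proxy is part of the Remote Access role.
Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools

# 2. The AD FS proxy certificate must carry the AD FS name. Select it by subject
#    rather than pasting a thumbprint, and stop if it is missing.
$adfsCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=sts.contoso.com*' -and $_.HasPrivateKey } |
    Select-Object -First 1
if (-not $adfsCert) { throw 'No certificate for sts.contoso.com in Cert:\LocalMachine\My' }

# 3. Initial configuration: the three items from the slide (AD FS name, local
#    administrator credentials on the AD FS server, AD FS proxy certificate).
$cred = Get-Credential -Message 'Local administrator on the AD FS server'
Install-WebApplicationProxy -FederationServiceName 'sts.contoso.com' `
    -CertificateThumbprint $adfsCert.Thumbprint `
    -FederationServiceTrustCredential $cred

# 4. Publish the app with AD FS preauthentication. The external certificate must
#    include the external URL name; the backend URL is the internal server.
$extCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=wac.contoso.com*' -and $_.HasPrivateKey } |
    Select-Object -First 1
if (-not $extCert) { throw 'No certificate for wac.contoso.com in Cert:\LocalMachine\My' }

Add-WebApplicationProxyApplication -Name 'Windows Admin Center' `
    -ExternalPreauthentication ADFS `
    -ADFSRelyingPartyName 'Windows Admin Center' `
    -ExternalUrl 'https://wac.contoso.com/' `
    -ExternalCertificateThumbprint $extCert.Thumbprint `
    -BackendServerUrl 'https://adm1.contoso.com/'

# 5. Verify: the app should show ADFS, not PassThrough, as its preauthentication.
Get-WebApplicationProxyApplication |
    Format-Table Name, ExternalPreauthentication, ExternalUrl, BackendServerUrl
```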
Discussion: Remote access options usage scenarios

Remote access technologies provide various solutions that allow secure access to an organization’s
infrastructure from different locations. While organizations usually own and protect local area networks
(LANs) entirely by themselves, remote connections to servers, shares, and apps must often travel across
unprotected and unmanaged networking infrastructure, such as the Internet. Any method of using public
networks for the transit of organizational data must include a way to protect the integrity and confidentiality
of that data.
 Do you allow users to connect to your network resources remotely? If so, how?
 What are your business requirements for using remote access?
Lesson 1: Test your knowledge

Refer to the Student Guide for lesson-review questions


Lesson 2: Implementing VPNs
Lesson 2 overview

 Topics:
o VPN scenarios
o Site-to-site VPN
o Options for VPN tunneling protocols
o VPN authentication options
o What is VPN Reconnect?
o Configure a VPN by using the Getting Started Wizard
o Demonstration: Configure VPN
VPN scenarios
A VPN provides a point-to-point connection between a private network’s components by using a public
network, such as the Internet.
Site-to-site VPN

• Connects two portions of a private network


• The calling router (the VPN client) authenticates itself to the answering router (the VPN server)
• Requires that you create a demand-dial interface
• You can create three types of site-to-site VPNs
o PPTP

o L2TP

o IKEv2

• Can be persistent or on-demand


• You can control traffic by using either IP demand-dial filters or dial-out filters
Options for VPN tunneling protocols
Windows Server supports four VPN tunneling protocols.
Tunneling protocol, firewall access, and description:
 PPTP
o Firewall access: TCP port 1723
o Provides data confidentiality, but not data integrity or data authentication
 L2TP/IPsec
o Firewall access: UDP port 500, UDP port 1701, UDP port 4500, and IP protocol ID 50
o Uses either certificates or preshared keys for authentication; certificate authentication is recommended
 SSTP
o Firewall access: TCP port 443
o Uses SSL to provide data confidentiality, data integrity, and data authentication
 IKEv2
o Firewall access: UDP port 500
o Supports the latest IPsec encryption algorithms to provide data confidentiality, data integrity, and data authentication
VPN authentication options
Protocol, description, and security level:
 PAP
o Uses plaintext passwords. Typically used if the remote access client and remote access server cannot negotiate a more secure form of validation.
o Security level: the least secure authentication protocol. Does not protect against replay attacks, remote client impersonation, or remote server impersonation.
 CHAP
o A challenge-response authentication protocol that uses the industry-standard MD5 hashing scheme.
o Security level: an improvement over PAP in that the password is not sent over the PPP link. Requires a plaintext version of the password to validate the challenge response. Does not protect against remote server impersonation.
 MS-CHAPv2
o An upgrade of MS-CHAP. Provides two-way authentication, also known as mutual authentication. The remote access client receives verification that the remote access server it is dialing in to has access to the user’s password.
o Security level: provides stronger security than CHAP.
 EAP
o Allows for arbitrary authentication of a remote access connection through the use of authentication schemes, known as EAP types.
o Security level: offers the strongest security by providing the most flexibility in authentication variations.
What is VPN Reconnect?

VPN Reconnect:
 Provides seamless and consistent VPN connectivity
 Uses the IKEv2 technology
 Automatically re-establishes VPN connections when connectivity is available
 Maintains the connection if users move between different networks
 Provides transparent connection status to users
 Maintains connectivity across network outages
Configure a VPN by using the Getting Started Wizard (1 of 2)

 Configure VPN by using the Getting Started Wizard in the Remote Access Management console
 Requirements for VPN server configuration include:
o Two network interfaces (public and private)
• Using only one network interface is supported as well
o IP address allocation (static pool or DHCP)
o Authentication provider (NPS/RADIUS or the VPN server)
o DHCP relay agent considerations
o Membership in the local Administrators group or equivalent
Configure a VPN by using the Getting Started Wizard (2 of 2)

To configure your VPN solution, you might need to:


 Configure static packet filters
 Configure services and ports
 Adjust logging levels for routing protocols
 Configure the number of available VPN ports
 Create a Connection Manager profile for users
 Add AD CS
 Increase remote access security
 Increase VPN security
 Implement VPN Reconnect
Demonstration: Configure VPN
 Install Routing and Remote Access Server (VPN) using PowerShell
 Configure and enable VPN configuration
 Review the default VPN configuration
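The three demonstration steps as an added example (not the course's demo script): install RRAS as a VPN server, tighten the defaults the Getting Started Wizard leaves in place, and review the result. Placeholders not taken from the deck: the static pool 10.0.10.100 to 10.0.10.199 and a server certificate with subject vpn.contoso.com already in Cert:\LocalMachine\My; it is also assumed that the PPTP and L2TP miniports are controlled through the -GrePorts and -L2tpPorts parameters of Set-VpnServerConfiguration.

```powershell
# Added example (not from the course): deploy RRAS as a VPN server with PowerShell and
# leave only the tunnel types and user-authentication methods the module recommends.
# Placeholders (not from the deck): 10.0.10.100-10.0.10.199 pool, vpn.contoso.com certificate.

# 1. Remote Access role with the VPN and routing role services plus the RSAT cmdlets.
Install-WindowsFeature RemoteAccess, DirectAccess-VPN, Routing, RSAT-RemoteAccess-PowerShell

# 2. VPN-only deployment (same outcome as the wizard's "Deploy VPN only" choice).
Install-RemoteAccess -VpnType Vpn

# 3. Hand out client addresses from a static pool instead of relaying to DHCP.
Set-VpnIPAddressAssignment -IPAssignmentMethod StaticPool -IPAddressRange '10.0.10.100', '10.0.10.199'

# 4. Bind the SSTP listener (TCP 443) to the server certificate clients will validate.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=vpn.contoso.com*' -and $_.HasPrivateKey } |
    Select-Object -First 1
if (-not $cert) { throw 'No certificate for vpn.contoso.com in Cert:\LocalMachine\My' }
Set-RemoteAccess -SslCertificate $cert

# 5. Accept only EAP for user authentication; PAP, CHAP and MS-CHAP v2 drop out of
#    the negotiation entirely instead of being left as a fallback.
Set-VpnAuthProtocol -UserAuthProtocolAccepted EAP -PassThru

# 6. Take PPTP (GRE miniports) and L2TP out of service by giving them zero ports,
#    so IKEv2 and SSTP are the only tunnel types the server offers (assumption: these
#    parameters map to the WAN Miniport port counts shown in the RRAS console).
Set-VpnServerConfiguration -GrePorts 0 -L2tpPorts 0 -Ikev2Ports 128 -SstpPorts 128 -PassThru

# 7. Review the configuration (demo step 3) and restart the service to apply it.
Get-VpnServerConfiguration | Select-Object Ikev2Ports, L2tpPorts, SstpPorts, GrePorts, IdleDisconnectSeconds
Get-VpnAuthProtocol | Select-Object UserAuthProtocolAccepted, TunnelAuthProtocolsAdvertised
Restart-Service RemoteAccess
```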
Lesson 2: Test your knowledge

Refer to the Student Guide for lesson-review questions


Lesson 3: Implementing NPS
Lesson 3 overview

 Topics:
o Overview of NPS
o Plan NPS deployment
o Overview of connection request processing
o Configure policies on NPS
o Implement RADIUS with NPS
o Demonstration: Manage NPS
Overview of NPS

 NPS is the Microsoft implementation of a RADIUS server


 NPS provides the following functions:
o RADIUS server
o RADIUS proxy
o RADIUS accounting
Plan NPS deployment (1 of 2)

 Once NPS is installed, you will have support for central authentication and authorization for RADIUS
clients. You must decide which policies to create and whether you want to use RADIUS accounting.
 The following tools can be used to manage NPS:
o NPS management console

o Netsh NPS commands

o Windows PowerShell
Plan NPS deployment (2 of 2)

 Authentication methods for an NPS server identified here from most to least secure:
o EAP
• Most secure and recommended
• Requires certificates for users, clients’ computers, and NPS server
o MS-CHAP v2
o MS-CHAP
o Challenge Handshake Authentication Protocol (CHAP)

o Shiva Password Authentication Protocol (SPAP)

o Password Authentication Protocol (PAP)

 PAP, SPAP, CHAP, or MS-CHAP should not be used in a production environment, as they are considered
highly insecure
Overview of connection request processing

Configuration and description:
 Local vs. RADIUS authentication
o Local authentication takes place against the local security account database or Active Directory Domain Services.
o RADIUS authentication forwards the connection request to a RADIUS server for authentication.
 RADIUS server groups
o Used where one or more RADIUS servers are capable of handling connection requests. The connection requests are load-balanced on specified criteria.
 Default ports for accounting and authentication by using RADIUS
o The ports required for requests being forwarded to a RADIUS server are UDP 1812/1645 for authentication and UDP 1813/1646 for accounting.
Configure policies on NPS (1 of 2)

NPS supports Connection Request Policies and Network Policies.


 Connection Request Policies:
o Connection Request Policies are sets of conditions and settings that designate which RADIUS
servers perform the authentication and authorization of connection requests that NPS receives
from RADIUS clients

 Network Policies:
o Allow you to designate which users are authorized to connect to your network and the
circumstances under which they can or cannot connect.
o A Network Policy contains a set of conditions, constraints, and settings.
Configure policies on NPS (2 of 2)
Implement RADIUS with NPS (1 of 2)

RADIUS is an industry-standard authentication protocol that supports the exchange of authentication


information between elements of a remote-access solution. It is typically used to centralize your
organization’s remote-authentication needs.
 RADIUS clients are usually:
o VPN servers

o Wireless access points

o Remote Desktop (RD) Gateway servers

 Client computers that use VPN servers are not RADIUS clients. Only devices that support the RADIUS
protocol are RADIUS clients.
Implement RADIUS with NPS (2 of 2)

 A RADIUS proxy receives connection attempts from RADIUS clients, and then forwards them to the
appropriate RADIUS server or another RADIUS proxy for further routing

 A RADIUS proxy is required for:


o Offering outsourced dial-up, VPN, or wireless network-access services by service providers
o Providing authentication and authorization for user accounts that are not Active Directory members
o Performing authentication and authorization by using a database that is not a Windows account database
o Load-balancing connection requests among multiple RADIUS servers
o Providing RADIUS for outsourced service providers and limiting traffic types through the firewall
Demonstration: Manage NPS
 Configure the Remote Access policies
 Create a VPN profile on a Windows client
 Connect to the VPN using a Windows client
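An added example (not the course's demo) tying the RADIUS slides together: NPS registered as the RADIUS server, the VPN server registered as its only RADIUS client (the users' computers are not clients), the default UDP 1812/1645 and 1813/1646 ports opened only to that client, and the VPN server pointed at NPS for authentication and accounting. Placeholders not from the deck: NPS host nps1.contoso.com and VPN server VPN1 at 10.0.0.20.

```powershell
# Added example (not course code): NPS as the RADIUS server for an RRAS VPN server.
# Placeholders (not from the deck): NPS host nps1.contoso.com, VPN server VPN1 at 10.0.0.20.

# ----- On the NPS server -----
Install-WindowsFeature NPAS -IncludeManagementTools

# Register NPS in Active Directory so it can read the dial-in properties of user accounts
# (one of the Netsh NPS commands the slide lists; requires Domain Admins rights).
netsh nps add registeredserver

# Strong random shared secret for the RADIUS client; transfer it to the VPN server out of band.
$rng    = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes  = New-Object byte[] 32
$rng.GetBytes($bytes)
$secret = [Convert]::ToBase64String($bytes)

# Only devices that speak RADIUS are clients: the VPN server, not the VPN users' computers.
New-NpsRadiusClient -Name 'VPN1' -Address '10.0.0.20' -SharedSecret $secret
Get-NpsRadiusClient | Where-Object Name -eq 'VPN1' | Format-List Name, Address

# Accept RADIUS authentication (1812/1645) and accounting (1813/1646) only from that client.
New-NetFirewallRule -DisplayName 'RADIUS from VPN1' -Direction Inbound -Protocol UDP `
    -LocalPort 1812, 1813, 1645, 1646 -RemoteAddress '10.0.0.20' -Action Allow

# ----- On the VPN server (RemoteAccess module) -----
# Forward authentication and accounting to NPS instead of validating locally;
# $secret here is the same value that was registered on NPS above.
Add-RemoteAccessRadius -ServerName 'nps1.contoso.com' -SharedSecret $secret -Purpose Authentication
Add-RemoteAccessRadius -ServerName 'nps1.contoso.com' -SharedSecret $secret -Purpose Accounting
Get-RemoteAccessRadius | Format-Table ServerName, Purpose, Port
```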
Lesson 3: Test your knowledge

Refer to the Student Guide for lesson-review questions


Lesson 4: Implementing Always On VPN
Lesson 4 overview

 Topics:
o What is Always On VPN?
o Prerequisites for Always On VPN deployment
o Always On VPN features and functionalities
o Why choose Always On VPN over Windows VPN?
o Deploy Always On VPN
What is Always On VPN?

Always On VPN:
 Enables remote users running Windows 10 to securely access corporate resources
 Was designed to be the successor of DirectAccess
 Connects securely to the VPN server without any user intervention
o Client detects whether it needs to trigger the VPN connection or not
Prerequisites for Always On VPN deployment

To deploy and configure Always On VPN, your organization must support the following infrastructure
components:
o Always On VPN Gateway (VPN Server)

o Always On VPN Clients

o Network Policy Server (NPS)

o An Active Directory domain
o Group Policy
o Firewall configuration
o Public key infrastructure (PKI)
o Domain Name System (DNS) server
Always On VPN features and functionalities

Always On VPN offers many features and enhancements when compared to traditional VPN solutions such
as:
o Automatic triggering

• Application triggering and name triggering


o Tunnel mode

• User Tunnel
• Device Tunnel
o Security
• Supports the latest RSA algorithms and EAP
o Supports all Windows 10 editions
• Both domain-joined and workgroup
o Works equally well with both IPv4 and IPv6
Why choose Always On VPN over Windows VPN?

Feature comparison (Always On VPN, traditional VPN, DirectAccess):
 Domain join required
o Always On VPN: not required for user tunnel, but required for device tunnel
o Traditional VPN: not required
o DirectAccess: required for all clients
 Client
o Always On VPN: built-in and third-party
o Traditional VPN: built-in and third-party
o DirectAccess: only built-in
 Manual or auto connect
o Always On VPN: always automatic
o Traditional VPN: manual
o DirectAccess: always automatic
 Firewall requirements
o Always On VPN: depends on the protocols used, but normal VPN ports are typically blocked from hotels etc.
o Traditional VPN: depends on the protocols used, but normal VPN ports are typically blocked from hotels etc.
o DirectAccess: only port 443 with IP-HTTPS
 Manual disconnect
o Always On VPN: yes
o Traditional VPN: yes
o DirectAccess: no
 OS support
o Always On VPN: only Windows 10
o Traditional VPN: support for every OS and device
o DirectAccess: only Windows 10 and 7
Deploy Always On VPN

In order to properly implement and support Always On VPN in your environment, it is best to understand
how to plan, configure, and scope your Always On VPN implementation.
Follow these steps:
1. Always On VPN deployment planning
2. Always On VPN server infrastructure configuration
3. Remote Access Server configuration for Always On VPN
4. NPS Server installation and Configuration
5. Firewall and DNS configuration
6. Windows 10 Client configuration for Always On VPN
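The client side of step 6, as an added example (not the course's MakeProfile.ps1 or VPN_Profile.ps1): a device-tunnel ProfileXML written to the VPNv2 CSP through the WMI-to-CSP bridge, using IKEv2 with machine-certificate authentication so no EAP configuration blob is needed. Placeholders not from the deck: VPN server vpn.contoso.com, internal prefix 10.0.0.0/8 and trusted-network suffix corp.contoso.com; the script is assumed to run as SYSTEM on a domain-joined Windows 10 Enterprise client that already holds a computer certificate.

```powershell
# Added example (not part of the course). Deploys an Always On VPN device tunnel by writing
# ProfileXML to the VPNv2 CSP via the WMI-to-CSP bridge (namespace root\cimv2\mdm\dmmap).
# Placeholders (not from the deck): vpn.contoso.com, 10.0.0.0/8, corp.contoso.com.
# Run as SYSTEM on the client: device tunnels are machine-scoped, not per user.

$ProfileName        = 'Contoso Device Tunnel'
$ProfileNameEscaped = $ProfileName -replace ' ', '%20'

# Device tunnel: IKEv2, machine certificate, split tunnel with explicit routes only
# (no class-based default route), Always On, and DNS registration of the tunnel address.
$ProfileXML = @'
<VPNProfile>
  <NativeProfile>
    <Servers>vpn.contoso.com</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <MachineMethod>Certificate</MachineMethod>
    </Authentication>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
  </NativeProfile>
  <Route>
    <Address>10.0.0.0</Address>
    <PrefixSize>8</PrefixSize>
  </Route>
  <AlwaysOn>true</AlwaysOn>
  <DeviceTunnel>true</DeviceTunnel>
  <RegisterDNS>true</RegisterDNS>
  <TrustedNetworkDetection>corp.contoso.com</TrustedNetworkDetection>
</VPNProfile>
'@

# The CSP stores ProfileXML as an escaped string property.
$ProfileXML = $ProfileXML -replace '<', '&lt;' -replace '>', '&gt;' -replace '"', '&quot;'

$nodeCSPURI    = './Vendor/MSFT/VPNv2'
$namespaceName = 'root\cimv2\mdm\dmmap'
$className     = 'MDM_VPNv2_01'
$session       = New-CimSession

# Remove a stale copy of the profile first so re-running the script is idempotent.
$existing = Get-CimInstance -Namespace $namespaceName -ClassName $className -ErrorAction SilentlyContinue |
    Where-Object { $_.InstanceID -eq $ProfileNameEscaped }
if ($existing) { $session.DeleteInstance($namespaceName, $existing) }

# Build the CSP instance: two key properties plus the escaped profile body.
$newInstance = New-Object Microsoft.Management.Infrastructure.CimInstance $className, $namespaceName
foreach ($p in @(
        @{ Name = 'ParentID';   Value = $nodeCSPURI;         Flag = 'Key' },
        @{ Name = 'InstanceID'; Value = $ProfileNameEscaped; Flag = 'Key' },
        @{ Name = 'ProfileXML'; Value = $ProfileXML;         Flag = 'Property' })) {
    $prop = [Microsoft.Management.Infrastructure.CimProperty]::Create($p.Name, $p.Value, 'String', $p.Flag)
    $newInstance.CimInstanceProperties.Add($prop)
}
$session.CreateInstance($namespaceName, $newInstance) | Out-Null

# Verify: the tunnel should now be listed as an IKEv2 connection in the machine scope.
Get-VpnConnection -AllUserConnection | Where-Object Name -eq $ProfileName |
    Select-Object Name, TunnelType, ConnectionStatus
```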
Lesson 4: Test your knowledge

Refer to the Student Guide for lesson-review questions


Lesson 5: Implementing Web Server in Windows Server
Lesson 5 overview

 Topics:
o IIS in Windows Server
o What's new in IIS 10.0?
o Overview of IIS architecture
o Overview of the Web Server server role
o Install and configure Web Server
o Demonstration: Create and configure a new site in IIS
IIS in Windows Server

 IIS is an HTTP web server


o HTTP is an application-level protocol that runs over TCP
o A kernel-mode http.sys driver accepts incoming requests and passes them to user-mode worker
processes
 Supports HTTPS when combined with a digital certificate
o All websites should be protected using HTTPS
 Hosts both static and dynamic content
o Static: usually web pages

o Dynamic: content created by running code or web applications.

 Web requests and responses are essentially stateless


What's new in IIS 10.0?

IIS 10.0 is the version of the Web Server included in Windows Server 2016 and later.
 In IIS 10.0, the following new functionality was introduced:
o IIS on Nano Server

o IIS in Containers

o Wildcard Host Headers

o Managing IIS
o HTTP/2
o IIS Thread Pool Ideal CPU Optimization for NUMA hardware
Overview of IIS architecture (1 of 2)

IIS 7 and later use a request-processing architecture that includes:


 The Windows Process Activation Service (WAS)
 A customizable web server engine. Add or remove modules depending on what functionality is needed.
 Integrated request-processing pipelines from IIS and ASP.NET

IIS consists of various components that each perform functions for the web server and application, such as
reading configuration files and listening for requests made to IIS.
These components are either services or protocol listeners and include the following:
o Protocol listeners

• HTTP.sys
o Services

• World Wide Web Publishing Service (WWW service)


• Windows Process Activation Service (WAS)
Overview of IIS architecture (2 of 2)

Application pools have the following features:


 Provide memory and CPU isolation between different websites
 Are serviced by one or more worker processes
 Each worker process is assigned its own area of memory by the operating system
 Can be configured to support different behaviors
 Websites can be assigned to different application pools

Worker processes:
 An application pool can be configured to use multiple worker processes
 Additional overhead is required for each worker process
 Worker process recycling terminates the process and returns all memory to the operating system
Overview of the Web Server server role

IIS is installed as an optional server role named Web Server (IIS) on Windows Server
 Numerous optional role services provide additional functionality
o Static content

o Dynamic content

o Logging

 Web Platform Installer (Web PI) can download and install additional free components
 Many of the IIS components installed by Server Manager or by Windows PowerShell are called modules
o A module is a binary component that is installed on the server
o It can provide functionality to all websites on the server
o A module can consist of native dynamic link library (DLL) files, or .NET assemblies
o A module must be enabled to access its functionality
Install and configure Web Server (1 of 2)

IIS is available in Windows Server 2019 and in Windows 10.


 IIS 10 has specific hardware and software requirements:
o 2 GHz minimum processor speed

o 2 GB minimum RAM

o 10 GB minimum disk space

o Plus additional resources as needed for the server workload


Install and configure Web Server (2 of 2)

 Web clients require the IP address of a web server to send requests


 For public websites, the IP address needs to be a registered, public IP address
 Firewalls are configured to allow incoming traffic
o Port 80 for HTTP
o Port 443 for HTTPS
 For public/private access, a DNS record is configured for the web server’s host computer
o Create a record in DNS
 IIS can be managed using the following tools:
o IIS Manager, part of RSAT

o Windows PowerShell

o Using the Microsoft IIS Web Manager extension for Windows Admin Center (currently in
preview)
Demonstration: Create and configure a new site in IIS
 Install the Web Server role using PowerShell.
 Verify the installation of the web server role
 Configure a website in IIS and verify it
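The demonstration steps as an added example (not the course's demo script), using the IISAdministration cmdlets the References list points to: install the Web Server role, register a friendly DNS name, and create a site that answers on HTTPS only in its own application pool. Placeholders not from the deck: host name intranet.contoso.com at 10.0.0.30, DNS zone contoso.com on SEA-DC1, and a certificate for intranet.contoso.com already issued by the enterprise CA into Cert:\LocalMachine\My.

```powershell
# Added example (not course code): install IIS and publish an intranet site that answers on
# HTTPS only, using the IISAdministration module. Placeholders (not from the deck):
# intranet.contoso.com at 10.0.0.30, zone contoso.com on SEA-DC1, certificate already present.

# 1. Web Server role with the management tools (IIS Manager and the IISAdministration cmdlets).
Install-WindowsFeature Web-Server -IncludeManagementTools
Import-Module IISAdministration

# 2. Friendly DNS name: an A record in the internal zone (DnsServer module, run against SEA-DC1).
Add-DnsServerResourceRecordA -ZoneName 'contoso.com' -Name 'intranet' -IPv4Address '10.0.0.30' -ComputerName 'SEA-DC1'

# 3. Choose the server certificate by subject; refuse to continue without one.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=intranet.contoso.com*' -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'No certificate for intranet.contoso.com in Cert:\LocalMachine\My' }

# 4. Content directory with a placeholder page.
$root = 'C:\inetpub\intranet'
New-Item -ItemType Directory -Path $root -Force | Out-Null
Set-Content -Path (Join-Path $root 'index.html') -Value '<h1>Contoso intranet</h1>'

# 5. Dedicated application pool: this site's worker process is isolated from other sites.
$manager = Get-IISServerManager
if (-not $manager.ApplicationPools['IntranetPool']) {
    $manager.ApplicationPools.Add('IntranetPool') | Out-Null
    $manager.CommitChanges()
}

# 6. Site with a single HTTPS binding (SNI, so the certificate is selected by host name).
#    No port-80 binding is created, so unencrypted requests are not answered at all.
New-IISSite -Name 'Intranet' -PhysicalPath $root `
    -BindingInformation '*:443:intranet.contoso.com' -Protocol https `
    -CertificateThumbPrint $cert.Thumbprint -CertStoreLocation 'Cert:\LocalMachine\My' -SslFlag Sni

# 7. Move the site's root application into the dedicated pool.
$manager = Get-IISServerManager
$manager.Sites['Intranet'].Applications['/'].ApplicationPoolName = 'IntranetPool'
$manager.CommitChanges()

# 8. Host firewall: open only 443 for this workload.
New-NetFirewallRule -DisplayName 'Intranet HTTPS' -Direction Inbound -Protocol TCP -LocalPort 443 -Action Allow

# 9. Verify the binding and that the site answers over TLS under the friendly name.
Get-IISSite -Name 'Intranet' | Select-Object Name, State, @{n='Bindings'; e={ $_.Bindings.BindingInformation }}
(Invoke-WebRequest -Uri 'https://intranet.contoso.com/' -UseBasicParsing).StatusCode
```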
Lesson 5: Test your knowledge

Refer to the Student Guide for lesson-review questions


Instructor-led labs: Deploying network workloads
 Implementing Web Application Proxy
 Implementing VPN in Windows Server
 Deploying and configuring web server
Lab: Deploying network workloads

 Exercise 1: Implementing Web Application Proxy


 Exercise 2: Implementing VPN in Windows Server
 Exercise 3: Deploying and configuring web server

Sign-in information for the exercise(s):


 Virtual machines:
o WS-011T00A-SEA-DC1

o WS-011T00A-SEA-ADM1
o WS-011T00A-SEA-SVR1

o WS-011T00A-SEA-SVR3

o WS-011T00A-SEA-CL1

 Username: Contoso\Administrator
 Password: Pa55w.rd
Lab scenario

The employees in the IT department at Contoso need to be able to access server systems outside of
business hours in order to correct issues that arise during weekends or holidays. Some of the employees are
using computers that are not members of the contoso.com domain. Other users are running non-Windows
operating systems on their computers. To enable remote access for these users, you will provide remote
access to Windows Admin Center and secure it with Web Application Proxy and deploy a secure VPN
solution using the SSTP VPN protocol.
You are a web server administrator for Contoso and your company is preparing to deploy a new intranet
web application on an internal web server. You need to verify the server configuration and install IIS. The
website must be accessible using a friendly DNS name and all web connections to and from the server must
be encrypted.
Lab-review questions

 Why did you disable the PPTP authentication protocol when you configured the ports of the VPN
Server?
Lab-review answers

 Why did you disable the PPTP authentication protocol when you configured the ports of the VPN
Server?
o The PPTP protocol is considered highly insecure and should not be used at all.
Module-review questions (1 of 2)

1. What are the requirements for the Windows 10 client using a Device Tunnel with Always On VPN? Choose all that apply.
a. Windows 10 Enterprise edition
b. Domain membership
c. Group Policy
d. Windows 10 Professional edition
e. A computer authentication certificate
2. Why should you use only the IKEv2 (Internet Key Exchange version 2) or SSTP (Secure Socket Tunneling
Protocol) VPN protocols with Always On VPN?
Module-review questions (2 of 2)

3. What is the name of the script you can use to create the two configuration files for the Always On VPN
client profile?
a. VPN_Profile.ps1
b. MakeProfile.ps1
c. AlwaysOnVPNProfile.ps1
d. VPN_Profile.xml files
4. Does Always On VPN require IPv6 as was the case with DirectAccess?
Module-review answers

1. What are the requirements for the Windows 10 client using a Device Tunnel with Always On VPN? 
a. Windows 10 Enterprise edition
b. Domain membership
e. A computer authentication certificate
2. Why should you use only the IKEv2 (Internet Key Exchange version 2) or SSTP (Secure Socket Tunneling
Protocol) VPN protocols with Always On VPN?
 Because they are modern VPN protocols and considered secure. IKEv2 is designed for mobility and
considered the most secure but could be blocked in firewalls. SSTP is also considered quite secure and
is usually not blocked in firewalls because it uses port 443.
3. What is the name of the script you can use to create the two configuration files for the Always On VPN
client profile?
b. MakeProfile.ps1
4. Does Always On VPN require IPv6 as was the case with DirectAccess?
 Always On VPN works equally well with both IPv4 and IPv6, but is not dependent on IPv6 like
DirectAccess.
References

For more information, refer to the following links:


 RemoteAccess
 Publishing Applications with SharePoint, Exchange and RDG
 Netsh Commands for Network Policy Server in Windows Server 2008
 Network Policy Server (NPS) Cmdlets in Windows PowerShell
 Interpret NPS Database Format Log Files
 Remote Access Always On VPN
 Always On VPN features and functionalities
 Configure Windows 10 client Always On VPN connections
 IISAdministration PowerShell Cmdlets
Thank you.

