Microsoft Azure AZ-800 — Section 16: Implementing on-premises and hybrid network connectivity
120. Visualizing Microsoft RAS
Now, one of the features that we have had in the Microsoft world for well over 20-some-odd years, going back into the 1990s, is a feature called RAS, which stands for Remote Access Services.
Now, in the year 2000, Microsoft changed the name to Routing and Remote Access Services, or RRAS. Almost everybody continues to call it RAS for the most part, but some people do call it RRAS. Ultimately, though, RRAS is a server that you can set up in your environment to support remote access. Originally it was dial-up, but in the year 2000 they really started pushing the concept of VPNs, and ever since then, VPN has really been the big thing that it does. When Windows 7 came out, they introduced a concept known as DirectAccess, which was sort of going to replace the idea of a VPN, though really with another VPN scenario. Eventually they've kind of gotten away from DirectAccess and gone back to just using standard VPNs with a protocol known as IKEv2, Internet Key Exchange version 2, which has a lot of really cool VPN-related features.
So ultimately, with RRAS, it's basically a server that you can set up as opposed to getting a VPN concentrator. Now, most people will tell you that if you want to connect Azure with your on-premises network, you're going to want to get an actual VPN gateway device and put that here.
OK. And you can connect your VPN gateway to Azure.
Now, you could also have what's called ExpressRoute, which is a dedicated connection into your environment. But all of that to the side, if you don't want to pay for an actual hardware device and you want to use a server to allow telecommuters like this guy right here to get into your internal network, you can do that with RRAS.
So what you can do is set up a server. Ideally, you'd want to set that up in your DMZ.
OK? And you're going to install the Remote Access role on that server. From there, you can configure VPNs.
OK. RRAS servers can be a router, they can be a VPN server, they can support NAT, which is network address translation, and you can put the DirectAccess feature on there, although like I said, they're kind of getting away from that. RRAS supports a number of protocols that make all this work. They have an older protocol called PPTP, the Point-to-Point Tunneling Protocol, that again everybody's kind of gotten away from, because although it does provide encryption, it doesn't provide any integrity for your data, which makes it a vulnerable protocol to use. That protocol came out in the 90s; it was created by Cisco and Microsoft working together. Then in the year 2000 they came up with L2TP, the Layer 2 Tunneling Protocol, which uses IPsec, which gives you good encryption and integrity. It's a little bit sluggish, a little bit slow compared to what we have now, but it's still a very good protocol that you can use, and it's supported on Windows 2000 and higher. We also have SSTP, the Secure Socket Tunneling Protocol, which came out in the year 2008 when Windows Vista came out.
SSTP uses SSL, or it can use TLS, for encryption. It's probably the fastest of the protocols, but the one Microsoft is really shining on now is IKEv2. That's the one that came out in the year 2010 when Windows 7 came out.
So IKEv2 has a bunch of really great features that we don't get with the other protocols. Number one, we get a feature called VPN Reconnect, and VPN Reconnect makes it so that if you lose your connection just briefly, it'll just re-establish that connection. The other thing we get is what's called Always On VPN, which is cool. Always On VPN makes it so that a laptop that's using the VPN can always be connected to the VPN, and it can detect whether it's on the network or outside of it. Because if it's on the network, you normally don't want it to go through the VPN to connect to servers that are right there on the network with it. But if it's outside the network, you'd want it to know: I'm outside the network, I need to connect to the VPN.
So that's what Always On VPN is. IKEv2 uses IPsec just like L2TP does, but it's faster than L2TP, usually, on average.
So this is the protocol that, when you're dealing with VPN, Microsoft kind of shines on. All right.
So ultimately, that is the concept of a RRAS server, and we'll now jump in and take a look at some of this.
121. Implement & manage the Remote Access role & virtual private network (VPN) support
Now, to set up Remote Access on a Windows server, the first thing we're going to do is go to Server Manager. We're going to go to Manage, Add Roles and Features, and we're going to go to the roles page here. And from there, we'll click on Remote Access.
So once we click on that, we'll click Next, and we'll just click Next through features. We don't have any additional features we need to add, and then it's going to ask us about role services.
So, if you want to set up DirectAccess and/or VPN, then you're going to select this top option.
OK, if you want your Windows server to also be a router, then you're going to select this option here. And if you want to set up what's called Web Application Proxy, you'd select that there.
OK, Web Application Proxy being a server that acts as a reverse proxy for web services inside your network.
So these are the three role services that we have available.
OK. And so from there, I'm going to turn off Web Application Proxy for right now because I don't need that, and I'm going to click Next. From there, I'm just going to click Next; I don't have any additional services that I need, so I'm going to go ahead and click Install, and I'll pause the video while this is being installed.
OK, the installation is complete, so I'm just going to hit Close, and you'll notice I have a little warning notification up here telling me that I need to run the Getting Started Wizard.
So the thing about working with RRAS in the newer servers is that there are a couple of tools. If you click Tools here, you'll notice that I have the Routing and Remote Access tool right here. That's the original tool that Microsoft released in the year 2000, and then further down the road they also released what's called Remote Access Management.
Now, if you go into Remote Access Management, this is where the Getting Started Wizard is that Microsoft has created to help you with setting up your server.
So before that Getting Started Wizard came out, you would just go into Routing and Remote Access and you would have to go step by step and pick and choose what you want. It wasn't as wizard-driven as it is now. But essentially what they're trying to get you to do here is click on DirectAccess and VPN and run the Getting Started Wizard, which of course, if you go up here, just kicks off the same thing.
OK, so we open that up and it kicks off the Getting Started Wizard. Once the Getting Started Wizard is up and running, it asks you a couple of questions. First, it's asking: do you want to deploy DirectAccess and VPN? So again, DirectAccess was a feature that originally came out with Windows 7, and it was a concept in which we could allow our devices to connect in using a tunnel over IP version 6.
Now, this didn't really catch on very thoroughly, and I think the reason is that a lot of people didn't implement IP version 6 like Microsoft thought they would.
So you're going to find DirectAccess is kind of becoming deprecated. Microsoft isn't really modifying it anymore; they aren't really pushing it anymore.
Now, what they mostly want to focus on is doing VPN, but they want you to do IKEv2.
So I'm actually going to select down here where it says Deploy VPN only. And once I do that, you'll see that it pops up the Routing and Remote Access tool. Again, you can get into this tool by going to the Tools menu in Server Manager and clicking on Routing and Remote Access.
So you can get into it that way as well.
So once you get into it, you're going to notice right out of the gate that the server is currently not configured and enabled.
So, if you right-click the server right here, you can click Configure and Enable Routing and Remote Access, click Next on the wizard, and then from there you can select what this server's job is going to be.
So, if I wanted to support dial-up and VPN, and God forbid you've still got dial-up going on, but you never know, then you'd choose that option. If you want to set up NAT, because you can actually set up network address translation on here, you'd choose that. If you want VPN and NAT, you'd choose VPN and NAT. If you want to set up a site-to-site VPN, which connects two offices together, you could choose this option right here.
OK, and that basically would allow you to use your internet connection to connect one office to another office using a site-to-site VPN.
OK. And then finally, you can do a custom configuration, which I like because custom configuration just lets me pick and choose whatever I want.
So I'm going to do that. I'm going to click Next, and I like to live life dangerously, so I'm just going to select everything. All right.
So this just enables all the features, and you can configure them.
So don't worry about choosing all of these. The only thing is it's going to use a little bit more processing power and a little bit more memory to add all of these, but the great thing about it is you can play around with everything if you want.
So at that point, I'm going to click Next and then Finish, and it's going to process through. It's going to say, hey, can we start the service? We'll say yes, go ahead and start the Remote Access service. At that point, we'll officially have our server set up. From there, you'll notice the little green arrow pointing up now, letting me know that it is up and running. You have all these little objects here; these objects are sometimes referred to as nodes. Kind of a weird term for it, but that is what Microsoft calls them if you read their documentation. You have the Network Interfaces node right here, and this shows you the different interfaces that my machine has. Of course, my machine only has one physical interface, and that's the Ethernet adapter. You have a loopback, which represents the loopback adapter in TCP/IP, and you have what's called Internal, which is an internal adapter, a software driver that Microsoft uses. But this is the actual adapter that I've got in my machine. From there, if you want to configure VPNs, here's where you're going to do that. You go to Ports, and you can see that right out of the gate Microsoft has some ports already configured, including SSTP. There's PPPoE, which is used if you're hooking something like a DSL connection into your RRAS server, then L2TP, and then here's IKEv2. And then there's even GRE, which is a routing protocol.
OK? It's called Generic Routing Encapsulation. It's used if you are going to let your RRAS server be a router.
OK, if you want to configure how many incoming connections you'll support, you can right-click Ports and go to Properties. Right here I can configure how many ports I'm going to accept. Currently, I'm accepting two of each.
So I could go in here, and here's SSTP, and I could up the number of ports that I want just by messing with this little up-and-down arrow. If you want to disable the port altogether, you just uncheck this box.
So, for example, if I did not want to support PPTP because it's so insecure, I can click Configure and just disable it. You can also disable it for demand-dial routing, which gets into site-to-site VPN, where you're connecting two offices together.
OK. From there, click OK, and at that point it's disabled; we would not be supporting PPTP anymore.
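The same server-side steps, from installing the role through enabling VPN-only RRAS and turning off PPTP, as an added PowerShell example. This is not code from the course; it uses the RemoteAccess and ServerManager cmdlets that ship with Windows Server. The address pool is constructed for the example, and the exact parameter names of Set-VpnServerConfiguration are an assumption worth checking with Get-Help on your server build.

```powershell
# Added example (not from the course): the Add Roles and Features wizard, the
# Getting Started Wizard's "Deploy VPN only" choice, and the Ports node, done
# from an elevated PowerShell session on the server that will host RRAS.

# 1. Install the Remote Access role with the "DirectAccess and VPN (RAS)"
#    role service and the management tools. Add 'Routing' if the server will
#    also route or NAT; 'Web-Application-Proxy' is the reverse-proxy option.
Install-WindowsFeature -Name RemoteAccess, DirectAccess-VPN -IncludeManagementTools

# 2. Enable RRAS for remote-access VPN only (the "Deploy VPN only" choice).
#    -IPAddressRange is a static pool handed to clients; the two addresses are
#    the start and end of the pool and are constructed for this example.
#    Omit the parameter to let DHCP hand out client addresses instead.
Install-RemoteAccess -VpnType Vpn -IPAddressRange 10.99.0.10, 10.99.0.100 -PassThru

# 3. Ports node: raise the IKEv2 and SSTP port counts from the default handful.
#    (Assumed parameter names; verify with Get-Help Set-VpnServerConfiguration.)
Set-VpnServerConfiguration -Ikev2Ports 128 -SstpPorts 128 -PassThru

# 4. Ports node, "Remote access connections (inbound only)" and
#    "Demand-dial routing connections" unchecked for PPTP: the same two
#    checkboxes the wizard shows, driven through the legacy netsh ras context.
netsh ras set wanports device="WAN Miniport (PPTP)" rasinbound=disabled ddinbound=disabled ddoutbound=disabled

# 5. Authentication: stop offering PAP and CHAP (clear-text and reversible
#    passwords); keep EAP (certificates or EAP-MSCHAPv2) and MS-CHAPv2 for the
#    username/password clients this section sets up.
Set-VpnAuthProtocol -UserAuthProtocolAccepted Eap, MSChapv2 -PassThru

# 6. Verify: role status (the green arrow), the per-protocol port table, and
#    the WAN miniport settings that back the Ports node.
Get-RemoteAccess | Select-Object VpnStatus, VpnS2SStatus, DAStatus
Get-VpnServerConfiguration
netsh ras show wanports
```

IKEv2 and SSTP both authenticate the server with a certificate, so before clients can connect the RRAS server still needs a server certificate whose subject matches the public name the clients will use; the wizard does not hand you that and neither does this script.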
OK, now again, the one Microsoft really shines on is IKEv2.
So ultimately, if you want to know which one Microsoft really pushes these days, it's this one. When they implemented IKEv2, they kind of stopped pushing DirectAccess so much and started pushing IKEv2 as the VPN protocol of choice.
So when your clients connect in, you have Remote Access Clients, and they'll show up right here.
OK? You also have Remote Access Logging and Policies here, where you can launch something called NPS, which I'm not getting into in this video. But there's that, and that's where your logging will be as well.
OK, so I'm not thoroughly getting into NPS, but NPS is where it's going to do what's known as accounting and logging and all that fun stuff.
OK? Of course, that's also tied to Event Viewer.
So you got logging going on there, too.
So from there you also have IPv4 and IPv6, if I'm trying to configure some of the settings there. You'll see here under IPv4 you can see the network adapters; under IPv6, same thing, whatever network adapters you want to support this on.
Now, if your RRAS server is going to act as a router, and again, let me say this is not a very common thing that people use in the real world. Me as a consultant, I can tell you I've not seen this done very often, and I think I might have implemented it at an office maybe one time in 20-some-odd years of doing this. But anyway, you can deal with that here. You can implement what are known as static routes, you can set up a routing table, and you can support the IGMP protocol. The other thing you can do is enable what's called DHCP Relay. DHCP Relay allows DHCP service to be relayed through a router. Normally, a router might block what are called DHCP broadcasts. Usually, in the real world, the way we get around that is we enable a feature on a router that allows DHCP packets to go through the router to get to a DHCP server; in fact, on Cisco you have the ip helper-address command that does this, and the ip forward-protocol udp command. There are various ways you can get around it. Ultimately, though, another alternative is that you can set up a RRAS server on your network that'll relay DHCP messages. And if your Windows server is going to be a DHCP server, then this is definitely something you want to consider if you're going to use RRAS. If your RRAS server is going to support routing, you've got DHCP, and you need to allow traffic to pass through your router to get to the DHCP server, the relay is going to do that. This is also where you can configure NAT if you did want your server to support NAT.
OK. That would be the location where you'd configure that. Of course, you can do the same thing with IPv6 as far as static routes and all that, although Microsoft is not really pushing IPv6 at the moment, in a lot of cases because a lot of companies aren't even interested in moving to IPv6 yet. The only companies that have really done that are the really big companies such as Facebook and Amazon and ISPs. But a lot of companies haven't even considered moving to IPv6; everybody's still kind of focused on IPv4. But ultimately, you'll find that configuring a RRAS server isn't really all that difficult. It's just a matter of figuring out what services you want and then walking through and configuring those. For example, if I wanted to do NAT, I would have to add the interfaces that I'm going to use. I'd have to have a couple of interfaces, maybe an internal interface and an external interface.
OK, and I would specify one as a private interface and one as a public interface, and I would enable NAT from there.
So ultimately you can even have an address pool that NAT is going to hand out, or you could let DHCP handle it. You can even specify what ports you're going to allow NAT to support.
So a lot of it's just a matter of right-clicking and selecting the interfaces that are going to support the feature. And as far as VPNs, it couldn't be any easier to set up the VPNs. It's just a matter of going up here and configuring how many ports you want to support, and then the client side would ultimately connect in. From a client standpoint, a client would click Start, Settings, go over here to Network & Internet, click VPN, and click Add a VPN connection. At that point, you'd give it a name; I'll just say Exam Lab Practice VPN is maybe my name. And here's the key: the VPN server needs to be accessible from the internet.
So, if you put in an IP address, you'd have to have a public address for it, or some kind of name that I might have associated with it through DNS, like vpn.examlabpractice.com. Then you'd choose the protocol; I'm going to do IKEv2. Put in whether you're going to support smart card, one-time password, or username and password, which is the default, put in the username and password, and click Save. Once you've done that, you'd be able to connect, and that would be the client side of this. All right, you know, for testing this out.
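The client side just described, as an added PowerShell example that is not part of the course. It creates the same IKEv2, username/password connection the Settings page does, using the VpnClient cmdlets built into Windows 10 and 11; the connection name and server name are placeholders, and the IPsec proposal it pins is this example's own choice rather than anything the course specifies.

```powershell
# Added example (not from the course): Settings > Network & Internet > VPN >
# "Add a VPN connection", done from PowerShell on the client.
$name   = 'Exam Lab Practice VPN'        # placeholder connection name
$server = 'vpn.examlabpractice.com'      # placeholder: must resolve to the RRAS
                                         # server's public address, and must match
                                         # the subject of the server's certificate

# The Settings page's choices: IKEv2 tunnel, "User name and password"
# (EAP-MSCHAPv2 on IKEv2), encryption required, credential remembered.
# -Force replaces an existing connection of the same name.
Add-VpnConnection -Name $name `
                  -ServerAddress $server `
                  -TunnelType Ikev2 `
                  -AuthenticationMethod MSChapv2 `
                  -EncryptionLevel Required `
                  -RememberCredential `
                  -Force

# Pin the IKE/IPsec proposal instead of accepting the client's defaults, so the
# client never negotiates DES/3DES or MD5 with a server that still offers them.
Set-VpnConnectionIPsecConfiguration -ConnectionName $name `
    -AuthenticationTransformConstants GCMAES256 `
    -CipherTransformConstants GCMAES256 `
    -EncryptionMethod AES256 `
    -IntegrityCheckMethod SHA256 `
    -DHGroup Group14 `
    -PfsGroup PFS2048 `
    -Force

# Show what was created, then dial it. rasdial prompts for the username and
# password when no saved credential exists yet.
Get-VpnConnection -Name $name |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel
rasdial $name
```

The custom IPsec policy only takes effect if the RRAS server is configured to accept the same proposal; if the server rejects it, the connection fails with an IKE policy error rather than silently falling back, which is the behaviour you want from a pinned policy.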
So if you've got this set up in an office or something where you can test it out, I encourage you to go ahead and configure it and give it a shot; it's actually really easy to set up. Let me warn you, though, that a lot of people will try to set up a VPN with PPTP because they've heard it supports all the operating systems. Again, PPTP is not a secure operating system.
OK, I'm sorry, not a secure protocol for VPN. It encrypts your data, but it doesn't provide integrity. The other problem is, because PPTP is not considered secure, a lot of ISPs will not route PPTP traffic, so be advised that you may not be able to do that. I learned this the hard way one time, setting this up for an office that wanted PPTP; it turned out their ISP would not allow it. I think they were with Comcast Xfinity or something. But some ISPs don't allow it.
So just consider that if you ever get put in a situation where you've got to implement PPTP, it may not be supported when you try to implement this. All right.
But ultimately, I think you're going to find working with a RRAS server is actually pretty easy as far as configuration goes. It's just a matter of going through the different nodes, right-clicking and specifying the things you want, and making sure your firewalls aren't blocking anything in particular. You can look up the ports for each individual VPN protocol, but other than that, it's actually pretty easy to set up.
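Looking up the ports for each VPN protocol, and making sure the firewall passes only those, as an added PowerShell example that is not part of the course. It creates inbound Windows Firewall rules on the RRAS server for IKEv2, L2TP/IPsec and SSTP, deliberately leaves PPTP out to match the earlier step that disabled it, and then lists what is open. The rule names are constructed for the example.

```powershell
# Added example (not from the course): inbound firewall rules on the RRAS server
# for the VPN protocols this section covered, plus a review of what is exposed.
#
# What each protocol needs reachable on the server:
#   IKEv2       UDP 500 (IKE) and UDP 4500 (IKE and ESP through NAT-T)
#   L2TP/IPsec  the same UDP 500/4500, plus UDP 1701 (L2TP) and ESP (IP protocol 50)
#   SSTP        TCP 443 (TLS)
#   PPTP        TCP 1723 plus GRE (IP protocol 47): intentionally not opened here
$rules = @(
    @{ Name = 'RRAS IKEv2 and L2TP IKE/NAT-T'; Protocol = 'UDP'; Port = @('500', '4500') },
    @{ Name = 'RRAS L2TP';                    Protocol = 'UDP'; Port = @('1701') },
    @{ Name = 'RRAS SSTP';                    Protocol = 'TCP'; Port = @('443') }
)
foreach ($r in $rules) {
    # Idempotent: drop any earlier copy of the rule, then recreate it.
    Remove-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue
    New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Action Allow `
        -Profile Any -Protocol $r.Protocol -LocalPort $r.Port | Out-Null
}
# ESP is an IP protocol, not a port, so it is allowed by protocol number.
Remove-NetFirewallRule -DisplayName 'RRAS L2TP/IPsec ESP' -ErrorAction SilentlyContinue
New-NetFirewallRule -DisplayName 'RRAS L2TP/IPsec ESP' -Direction Inbound -Action Allow `
    -Profile Any -Protocol 50 | Out-Null

# Review: one line per rule with its protocol and ports.
Get-NetFirewallRule -DisplayName 'RRAS*' | ForEach-Object {
    $pf = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule      = $_.DisplayName
        Enabled   = $_.Enabled
        Protocol  = $pf.Protocol
        LocalPort = ($pf.LocalPort -join ',')
    }
} | Format-Table -AutoSize

# Confirm nothing is still listening for PPTP (TCP 1723); an empty result is good.
Get-NetTCPConnection -LocalPort 1723 -State Listen -ErrorAction SilentlyContinue
```

Installing the role also enables Windows' predefined "Routing and Remote Access" rule group, which includes a PPTP-In and a GRE-In rule; if PPTP has been disabled on the Ports node, disabling those two predefined rules as well keeps the firewall consistent with what RRAS actually offers.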