Training Guide Administering Windows Server 2012 R2 (2014)

---

DirectAccess clients

DirectAccess clients have the following requirements:

The computer either must already be a member of an Active Directory domain or be configured for offline domain join. The computer must be a member of the domain prior to actually using DirectAccess to connect to internal network resources.

The computer must be running one of the following operating systems:

Windows 8.1 Enterprise edition (x86 and x64)

Windows 8 Enterprise edition (x86 and x64)

Windows 7 Enterprise and Ultimate editions

DirectAccess clients are configured through GPOs. The configuration GPO is automatically created through the DirectAccess setup process. This GPO is filtered so that it applies only to the security group that you’ve designated as hosting the DirectAccess clients. These GPOs are shown in Figure 8-33.

FIGURE 8-33 DirectAccess GPOs

Although you can use all editions of Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 as DirectAccess clients, this configuration is not recommended because these operating systems are rarely used as desktop operating systems (except for a few IT professionals). A server at a branch office site should use a statically configured WAN link instead of a DirectAccess connection to connect back to resources in the head office.

Configure DirectAccess

After you understand the infrastructure requirements, configuring DirectAccess is straight-forward. To configure DirectAccess, perform the following steps:

1. Create a security group in Active Directory. Add the computer accounts of all computers that will be DirectAccess clients. This security group can have any name, but a name such as DirectAccess_Clients makes it easy to remember why you created it. Figure 8-34 shows the selection of the custom created DirectAccess_Clients group when running the Remote Access Setup Wizard.

FIGURE 8-34 Creating a security group for DirectAccess clients

2. Ensure that you configure DNS with the following information:

The externally resolvable DNS zone needs to have a record mapping the FQDN of the external interface of the DirectAccess server to the public IPv4 address of the DirectAccess server.

If you use a certificate issued by your organization’s CA, ensure that a DNS record exists for the CRL location.

The internal DNS zone needs a record mapping the name of the NLS to an IP address.

Remove ISATAP from the global query block list on all DNS servers in the organization.

3. If you use your organization’s CA, you have to configure an appropriate certificate template as well as deploy a CRL distribution point in a location that can be accessed by clients on the Internet. This certificate template can be a duplicate of the Web Server Certificate Template, as shown in Figure 8-35. You can use this certificate for both the SSL certificate for the NLS and the IP-HTTPS certificate for the DirectAccess server. If you don’t use your organization’s CA to issue certificates, you can use certificates from a public CA for the NLS and the DirectAccess server.

FIGURE 8-35 Certificate and Web Server Certificate templates

4. Configure firewall rules for all hosts on the trusted network that should be accessible to DirectAccess clients so they enable inbound and outbound ICMPv6 echo requests. You can configure these rules in a GPO that applies to hosts that should be accessible to DirectAccess clients. The rules should have the following properties:

Rule Type: Custom

Protocol Type: ICMPv6

Specific ICMP Types: Echo Request (see Figure 8-36).

FIGURE 8-36 IPv6 ICMP echo request

5. Install the Remote Access role on the computer that will function as the DirectAccess server.

6. Open the Remote Access console. As Figure 8-37 shows, you can choose between running the Getting Started Wizard and the Remote Access Setup Wizard. The Getting Started Wizard enables administrators to quickly deploy DirectAccess by requiring a minimal amount of information. The Remote Access Setup Wizard requires a detailed response, but enables administrators to customize their deployment. The rest of this procedure deals with the Remote Access Setup Wizard.

FIGURE 8-37 Choosing a wizard option

7. The Configure Remote Access page of the Configure Remote Access Wizard enables you to choose among deploying DirectAccess And VPN, DirectAccess Only, or VPN Only.

8. When you select Deploy DirectAccess Only, you are provided with the Remote Access Setup diagram shown in Figure 8-38. This diagram involves a series of steps that enable you to configure the DirectAccess server, clients, and infrastructure. There are four steps:

Step 1: Remote Clients

Step 2: Remote Access Server

Step 3: Infrastructure Servers

Step 4: Application Servers

FIGURE 8-38 Remote Access Setup

Step 1: Remote Clients

The Step 1: Remote Clients section of Remote Access Setup enables you configure which computers will function as DirectAccess clients. When you click the Configure button in the Step 1 area, a three-page wizard appears that enables you to configure the following settings:

1. Choose Deploy Full DirectAccess For Client Access And Remote Management or Deploy DirectAccess For Remote Management Only, as shown in Figure 8-39. If you choose the first option, the people using DirectAccess clients can access internal network resources when they have an active Internet connection. If you choose the second option, you can perform management tasks on the computer when it’s connected on the Internet, but the user can’t access internal resources.

FIGURE 8-39 Select client access and remote management, or remote management only

2. Select which security groups that contain computer accounts will be enabled for DirectAccess, as shown in Figure 8-40. On this page, you can choose Enable DirectAccess For Mobile Computers Only and Use Force Tunneling. When you enable force tunneling, computers designated as DirectAccess clients connect through the remote access server when they connect to both the Internet and the internal trusted network.

FIGURE 8-40 Selecting which security groups that contain computer accounts are enabled for DirectAccess

3. On the Network Connectivity Assistant (NCA) page shown in Figure 8-41, you can configure connectivity information for clients, such as providing the DirectAccess connection name, the email address of the helpdesk, and whether DirectAccess clients use local name resolution.

FIGURE 8-41 NCA configuration

Step 2: Remote Access Server

The Step 2: Remote Access Server section of the Remote Access Setup diagram has a three-page wizard that enables you to do the following:

1. Configure the network topology and specify the public name or IPv4 address that clients use to connect to DirectAccess. The topology options are Edge, Behind Edge (Two Network Adapters), and Behind Edge (Single Network Adapter). These topologies were described earlier in the chapter in the DirectAccess topology section.

2. On the Network Adapters page, verify the network adapter configuration. You can also choose the certificate used to authenticate IP-HTTPS connections. It should be a typical SSL certificate that uses an FQDN that clients use for connections. You can also choose to have a self-signed certificate used, although this is not recommended except on test deployments.

3. On the authentication page, choose whether you want to use Active Directory or Two-Factor Authentication. You can also configure authentication to use computer certificates. When you do this, you must specify the CA from which the computer certificates must be issued. As Figure 8-42 shows, you can also determine whether you will allow computers running the Windows 7 operating system to connect and whether you will enforce NAP policies on clients that have made DirectAccess connections.

FIGURE 8-42 Configuring remote access authentication

Step 3: Infrastructure Servers

After you have configured the remote access clients and the remote access server, the next step is to configure infrastructure servers. The Infrastructure Server Setup Wizard takes you through the following steps:

1. On the first page, specify the location of the NLS by using the URL of the server. If specifying a separate server, remember to use https rather than http in the address. You also have the option of configuring the DirectAccess server as the remote access server and using a self-signed certificate, as shown in Figure 8-43. Self-signed certificates are more appropriate for tests rather than production deployments.

FIGURE 8-43 NLS address configuration

2. The DNS page enables you to specify the DNS suffixes that should be used with the name resolution and the address of the internal DNS server. On this page, shown in Figure 8-44, you can also configure how clients should use the DNS server of their local Internet connection. These are the options:

Use the DNS server of the local connection if the name isn’t resolvable using the DNS server on the trusted network.

Use the DNS server of the local connection if the name isn’t resolvable using the DNS server on the trusted network, or if the DNS server on the trusted network cannot be contacted.

Use the DNS server of the local connection if any DNS error occurs.

FIGURE 8-44 DirectAccess DNS configuration

3. The DNS Suffix Search List enables you to configure any DNS suffixes that should be used by the client for any unqualified names. The default settings add the domain name suffix.

4. The Management Servers page, shown in Figure 8-45, enables you to configure the servers used for DirectAccess client management. You can also configure NAP remediation servers if you are using NAP with DirectAccess.

FIGURE 8-45 DirectAccess Management Server configuration

Step 4: Application Servers

Step 4 of the Remote Access Management Console setup enables you to configure the addresses of application servers that require end-to-end authentication when interacting with DirectAccess clients. Unlike the other steps, this step involves configuring only one dialog box, in which you specify the security group that contains the computer accounts for which you want to require end-to-end authentication and encryption. This dialog box is shown in Figure 8-46. You can also use this dialog box to limit DirectAccess clients so they can connect only to servers in the listed groups and can’t connect to other servers on the trusted network. You use this option in environments with stringent security requirements.

FIGURE 8-46 Configuring authentication between DirectAccess clients and servers

Lesson summary

DirectAccess clients send traffic to the NLS server to determine whether they are located on the trusted network or on the Internet.

You need to install an SSL/web server certificate from a trusted CA on the NLS server and the DirectAccess server.

You must remove ISATAP from the DNS global query block list on all DNS servers in order to use DirectAccess.

A DirectAccess Edge deployment requires two network adapters. One adapter is connected to the Internet. The other adapter is connected to an internal trusted network.

A DirectAccess server can be deployed behind an edge device, such as a firewall, with one or two network adapters.

The DirectAccess server must be a member of an Active Directory domain.

If deployed behind a NAT device, DirectAccess can use only IP over HTTPS.

DirectAccess can be deployed with a single public IPv4 address.

To support two-factor authentication or one-time password, the DirectAccess server requires two consecutive public IPv4 addresses.

Only computers running Windows 8.1 Enterprise Edition, Windows 8 Enterprise edition and Windows 7 Enterprise and Ultimate editions can be configured to use DirectAccess.

DirectAccess clients must be members of an Active Directory domain. It is possible to configure remote domain join with DirectAccess.

Lesson review

Answer the following questions to test your knowledge of the information in this lesson. You can find the answers to these questions and explanations of why each answer choice is correct or incorrect in the “Answers” section at the end of this chapter.

1. Which of the following client operating systems can function as a DirectAccess client? (Choose all that apply.)

A. Windows RT

B. Windows 8 Enterprise edition

C. Windows 7 Ultimate edition

D. Windows Vista Ultimate edition

2. You want to use two-factor authentication with DirectAccess clients. Which of the following conditions must be met to implement this configuration?

A. The DirectAccess server’s Internet interface must be assigned a single public IPv4 address.

B. The DirectAccess server’s Internet interface must be assigned two consecutive public IPv4 addresses.

C. The DirectAccess server must be configured to use RADIUS authentication.

D. ISATAP must be added to the DNS global query block list on all DNS servers.

3. On which of the following servers must you deploy a web server/SSL certificate when deploying DirectAccess? (Choose all that apply.)

A. Active Directory domain controller

B. DNS server

C. DirectAccess server

D. NSL server

4. Which server does a client attempt to contact to determine whether it is on an internal trusted network before initiating a DirectAccess connection?

A. DirectAccess server

B. DNS server

C. NLS server

D. DHCP server

5. In which of the following situations can a DirectAccess client use only IP over HTTPS?

A. The DirectAccess server has a network interface connected directly to the Internet.

B. The DirectAccess server has a network interface with a public IP address and is located on a perimeter network.

C. The DirectAccess server is behind a NAT device.

D. The DirectAccess server’s public interface is assigned two nonconsecutive public IPv4 addresses.

Practice exercises

The goal of this section is to provide you with hands-on practice with the following:

Configure a RADIUS server

Configure a RADIUS server group

Configure a RADIUS client

Set up RADIUS accounting

Deploy a VPN server

To perform the exercises in this section, you need access to an evaluation version of Windows Server 2012 R2. You should also have access to virtual machines SYD-DC, MEL-DC, CBR-DC, and ADL-DC, the setup instructions for which are described in the Introduction. You should ensure that you have a checkpoint of these virtual machines that you can revert to at the end of the practice exercises. You should revert the virtual machines to this initial state prior to beginning these exercises.

Exercise 1: Configure a RADIUS server

In this exercise, you configure SYD-DC as a RADIUS server. To complete this exercise, perform the following steps:

1. Start SYD-DC.

2. Start MEL-DC and sign on as Administrator.

3. Open the Windows PowerShell prompt and type the following commands.

Add-Computer -DomainName contoso.com

4. In the Windows PowerShell Credentials dialog box type don_funk@contoso.com and Pa$$w0rd, and click OK.

5. Type the following command in the Windows PowerShell prompt to restart the computer.

Restart-Computer

6. Sign on to SYD-DC as Contoso\don_funk.

7. In the Server Manager console, click Manage, and click Add Roles And Features.

8. On the Before You Begin page of the Add Roles And Features Wizard, click Next.

9. On the Select Installation Type page, click Role-Based Or Feature-Based Installation, and click Next.

10. On the Select Destination Server page, click SYD-DC.contoso.com, and click Next.

11. On the Server Roles page, click Network Policy And Access Services.

12. In the Add Roles And Features Wizard dialog box, click Add Features. Click Next.

13. On the Select Features page, click Next.

14. On the Network Policy And Access Services page, click Next.

15. On the Select Role Services page, verify that Network Policy Server is selected, as shown in Figure 8-47, and click Next.

FIGURE 8-47 Verifying NPS role service

16. On the Confirmation page, click Install, and then click Close.

Exercise 2: Configure a remote RADIUS server group

In this exercise, you configure a RADIUS server group. To complete this exercise, perform the following steps:

1. In the Server Manager console on SYD-DC, click Tools, and then click Network Policy Server.

2. In the NPS console, expand RADIUS Clients And Servers and click Remote RADIUS Server Groups, as shown in Figure 8-48.

FIGURE 8-48 Remote RADIUS Server Groups node

3. On the Action menu, click New.

4. In the New Remote RADIUS Server Group dialog box, type the name CONTOSO REMOTE GROUP, as shown in Figure 8-49.

FIGURE 8-49 Contoso remote RADIUS server group

5. In the New Remote RADIUS Server Group dialog box, click Add.

6. In the Add RADIUS Server dialog box, type SYD-RADIUS-1.contoso.com, as shown in Figure 8-50, and click OK. Do not click Verify.

FIGURE 8-50 New remote RADIUS server

7. Click OK to close the New Remote RADIUS Server Group dialog box.

Exercise 3: Configure a RADIUS client

In this exercise, you configure a RADIUS client. To complete this exercise, perform the following steps:

1. On SYD-DC, in the NPS console, click RADIUS Clients under RADIUS Clients And Servers.

2. On the Action menu, click New.

3. In the New RADIUS client dialog box, configure the following information and click OK (see Figure 8-51).

Friendly Name: MEL-DC

Address: MEL-DC.contoso.com

Shared Secret: Pa$$w0rd

Confirm Shared Secret: Pa$$w0rd

FIGURE 8-51 New RADIUS client

Exercise 4: Set up RADIUS accounting

In this exercise, you configure RADIUS accounting. To complete this exercise, perform the following steps:

1. In the NPS console on SYD-DC, click Accounting, and then click Configure Accounting.

2. On the Introduction page of the Accounting Configuration Wizard, click Next.

3. On the Select Accounting Options page, click Log To A Text File On The Local Computer, as shown in Figure 8-52, and click Next.

FIGURE 8-52 Accounting options

4. On the Configure Local File Logging page, ensure that Accounting Requests, Authentication Requests, Periodic Accounting Status, and Periodic Authentication Status are selected. Also ensure that logs are written to the C:\Windows\System32\LogFiles folder.

5. Remove the option If Logging Fails, Discard Connection Requests, as shown in Figure 8-53, and click Next.

FIGURE 8-53 Local file logging options

6. On the Summary page, click Next, and then click Close.

Exercise 5: Install a VPN server

In this exercise, you configure MEL-DC as a VPN server. To complete this exercise, perform the following steps:

1. Sign on to MEL-DC as Contoso\don_funk.

2. On the Manage menu of the Server Manager console, click Add Roles And Features.

3. On the Before You Begin page, click Next.

4. On the Select Installation Type page, click Role-Based Or Feature-Based Installation, and click Next.

5. On the Select Destination Server page, click MEL-DC.contoso.com, and click Next.

6. On the Select Server Roles page, click Remote Access.

7. On the Select Features page, click Next.

8. On the Remote Access page, click Next.

9. On the Select Role Services page, ensure that DirectAccess And VPN (RAS) is selected, as shown in Figure 8-54, click Add Features, and click Next.

FIGURE 8-54 Local file logging options

10. On the Web Server Role (IIS) page, click Next.

11. On the Select Role Services page, click Next.

12. On the Confirmation page, click Install, and then click Close.

Exercise 6: Configure a VPN server

In this exercise, you configure MEL-DC as a VPN server. To complete this exercise, perform the following steps:

1. On the Tools menu of the Server Manager console on MEL-DC, click Routing And Remote Access.

2. In the Routing And Remote Access console, click MEL-DC.

3. On the Action menu, click Configure and Enable Routing And Remote Access.

4. On the Welcome To The Routing And Remote Access Server Setup Wizard page of the Routing And Remote Access Server Setup Wizard, click Next.

5. On the Configuration page, click Custom Configuration, and click Next.

6. On the Custom Configuration page, click VPN Access, as shown in Figure 8-55, and click Next.

FIGURE 8-55 Choosing VPN Access

7. Click Finish to complete the setup wizard.

8. In the Routing And Remote Access dialog box, click Start Service.

Exercise 7: Prepare for Web Application Proxy

In this exercise, you configure the necessary certificate services infrastructure so that you can deploy ADL-DC as a Web Application Proxy server. To complete this exercise, perform the following steps:

1. While signed on to SYD-DC as contoso\don_funk, right-click the Windows PowerShell icon on the taskbar, right-click Windows PowerShell, and click Run As Administrator.

2. In the Windows PowerShell window, type the following command and press Enter.

Install-WindowsFeature ADCS-Cert-Authority,ADFS-Federation -IncludeManagementTools

3. In the Windows PowerShell window, type the following command and press Enter.

Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)

4. Close the Windows PowerShell window.

5. On the Server Manager console, click the Refresh icon, and then click the Notification icon.

6. Click Configure Active Directory Certificate Services On The Destination Server.

7. On the Credentials page of the AD CS Configuration Wizard, continue to click Next, accepting the default settings until you reach the Confirmation page.

8. On the Confirmation page, click Configure, and then click Close.

9. On the Server Manager console, click Tools, and then click Certification Authority.

10. In the Certification Authority console, expand Contoso-SYD-DC-CA, and click Certificate Templates.

11. On the Action menu, click Manage.

12. In the Certificate Templates Console, click on the Web Server certificate template.

13. On the Action menu, click Duplicate Template.

14. On the General tab of the Properties Of New Template dialog box, set the name to Web Server 2.

15. On the Request Handling tab of the Properties Of New Template dialog box, select Allow Private Key To Be Exported, as shown in Figure 8-56.

FIGURE 8-56 Allow private key export

16. On the Security tab of the Properties Of New Template dialog box, click Authenticated Users and assign the Read(Allow), Write(Allow), and Enroll(Allow) permissions as shown in Figure 8-57. Click OK to close the Properties Of New Template dialog box.

FIGURE 8-57 Configure template permissions

17. Close the Certificate Templates console.

18. In the Certification Authority console, click the Certificate Templates node. On the Action menu click New, and click Certificate Template To Issue.

19. On the Enable Certificate Templates dialog box, click Web Server 2, as shown in Figure 8-58, and click OK.

FIGURE 8-58 Select certificate template

20. Right-click the Start button, and click Run.

21. In the Run dialog box, type mmc.exe. On the User Account Control dialog box, click Yes.

22. On the File menu of the Console1 dialog box, click Add/Remove Snap-In.

23. In the Add Or Remove Snap-Ins dialog box, click Certificates, and click Add.

24. On the Certificates Snap-In dialog box, click Computer account, click Next, and then click Finish. Click OK to close the Add Or Remove Snap-Ins dialog box.

25. In the Console1 dialog box, expand Certificates, expand Personal, and click Certificates.

26. From the Action menu, click All Tasks, and click Request New Certificate.

27. On the Before You Begin page of the Certificate Enrollment dialog box, click Next twice.

28. On the Request Certificates page, shown in Figure 8-59, click More Information Is Required To Enroll For This Certificate.

FIGURE 8-59 Configure more information

29. On the Certificate Properties dialog box, click Full DN, and click Common Name.

30. In the value box, type syd-dc.contoso.com and click Add, as shown in Figure 8-60, and then click OK.

FIGURE 8-60 Specify common name

31. Click Web Server 2, click Enroll, and click Finish.

32. In console 1, click on the Syd-dc.contoso.com certificate.

33. On the Action menu, click All Tasks, and click Export.

34. On the Welcome To The Certificate Export Wizard, click Next.

35. On the Export Private Key page, click Yes, Export The Private Key, as shown in Figure 8-61, and click Next twice.

FIGURE 8-61 Allow private key export

36. On the Security page of the Certificate Export Wizard, set the password as Pa$$w0rd and click Next.

37. On the File To Export dialog box, type c:\SYD-DC-CERT, click Next, click Finish, and click OK.

Exercise 8: Configure AD FS to support Web Application Proxy

In this exercise, you configure AD FS on SYD-DC, as this role is needed to support the deployment of ADL-DC as a Web Application Proxy server. To complete this exercise, perform the following steps:

1. On the Server Manager console, click the Notification icon, and then click Configure The Federation Service On This Server.

2. On the Welcome page of the Active Directory Federation Services Configuration Wizard, click Next twice.

3. On the Specify Service Properties page, click the drop down menu next to SSL Certificate and click Syd-dc.contoso.com. Set the Federation Service Display Name to Syd-dc.contoso.com, as shown in Figure 8-62, and click Next.

FIGURE 8-62 Allow private key export

4. On the Specify Service Account name page, click Create A Group Managed Service Account, and set the name to CONTOSO\ADFSGMSA as shown in Figure 8-63, and click Next.

FIGURE 8-63 Specify the group managed service account

5. On the Specify Database page, click Create A Database On This Server Using Windows Internal Database, and click Next twice.

6. On the Pre-requisite Checks page, click Configure.

7. Ignore the warnings on the results page and click Close.

Exercise 9: Deploy Web Application Proxy with pass-through preauthentication

In this exercise, you deploy ADL-DC as a Web Application Proxy server and configure the publication of an application using pass-through preauthentication. To complete this exercise, perform the following steps:

1. Start and sign in to ADL-DC as Administrator with the password Pa$$w0rd.

2. Right-click the Start button, and click Run.

3. In the Run dialog box, type \\SYD-DC\C$\SYD-DC-CERT.pfx and click OK.

4. On the Welcome To The Certificate Import Wizard, click Local Machine, as shown in Figure 8-64, and click Next.

FIGURE 8-64 Import certificate

5. On the File To Import page, click Next.

6. On the Private Key Protection page, type the password Pa$$w0rd and click Next.

7. On the Certificate Store page, select Automatically Select The Certificate Store Based On The Type Of Certificate, click Next, click Finish, and click OK.

8. On the Manage menu of the Server Manager console, click Add Roles And Features.

9. On the Before You Begin page of the Add Roles And Features Wizard, click Next three times.

10. On the Select Server Roles page, click Remote Access, and click Next three times.

11. On the Select Role Services page, click Web Application Proxy, as shown in Figure 8-65, and then click Add Features. Click Next, click Install, and click Close.

FIGURE 8-65 Import certificate

12. Click the Notification icon on the Server Manager console and click Open The Web Application Proxy Wizard.

13. On the Welcome page of the Web Application Proxy Configuration Wizard, click Next.

14. On the Federation Server page, type the federation service as syd-dc.contoso.com, the user name as contoso\don_funk and the password as Pa$$w0rd as shown in Figure 8-66, and click Next.

FIGURE 8-66 Federation Service name

15. On the AD FS Proxy Certificate page, click the down arrow, click SYD-DC.contoso.com, and click Next.

16. On the Confirmation page, click Configure, and then click Close.

17. In the Tasks pane of the Remote Access Management Console, click Publish.

18. On the Welcome page of the Publish New Application Wizard, click Next.

19. On the Preauthentication page, click Pass-Through as shown in Figure 8-67, and click Next.

FIGURE 8-67 pass-through authentication

20. On the Publishing Settings page, configure the following information as shown in Figure 8-68 and click Next, click Publish, and click Close.

Name: syd-dc.contoso.com

External URL: https://syd-dc.contoso.com

External Certificate: syd-dc.contoso.com

Backend Server URL: https://syd-dc.contoso.com

FIGURE 8-68 Publishing settings

Suggested practice exercises

The following additional practice exercises are designed to give you more opportunities to practice what you’ve learned and to help you successfully master the lessons presented in this chapter.

Exercise 1 Deploy the NPS role on ADL-DC. Configure ADL-DC as a RADIUS client of MEL-DC.

Exercise 2 Configure ADL-DC as a NAT router.

Exercise 3 Configure CBR-DC as a DirectAccess server.

Answers

This section contains the answers to the lesson review questions in this chapter.

Lesson 1

1. Correct answer: B

A. Incorrect. A RADIUS server performs authentication and authorization operations on RADIUS traffic forwarded to it by a RADIUS client. A RADIUS proxy is a RADIUS client of a RADIUS server.

B. Correct. A RADIUS proxy forwards authentication and authorization traffic to RADIUS server groups based on the properties of the traffic.

C. Incorrect. RADIUS clients forward authentication and authorization traffic to RADIUS servers or proxies.

D. Incorrect. RADIUS accounting records authentication and authorization request data.

2. Correct answer: B

A. Incorrect. RADIUS accounting records authentication and authorization request data.

B. Correct. A RADIUS server performs authentication and authorization operations on RADIUS traffic forwarded to it by a RADIUS client. A RADIUS proxy is a RADIUS client of a RADIUS server.

C. Incorrect. A RADIUS proxy forwards authentication and authorization traffic to RADIUS server groups based on the properties of the traffic.

D. Incorrect. RADIUS clients forward authentication and authorization traffic to RADIUS servers or proxies.

3. Correct answer: A

A. Correct. RADIUS clients forward authentication and authorization traffic to RADIUS servers or proxies.

B. Incorrect. RADIUS accounting records authentication and authorization request data.

C. Incorrect. A RADIUS server performs authentication and authorization operations on RADIUS traffic forwarded to it by a RADIUS client. A RADIUS proxy is a RADIUS client of a RADIUS server.

D. Incorrect. A RADIUS proxy forwards authentication and authorization traffic to RADIUS server groups based on the properties of the traffic.

4. Correct answer: C

A. Incorrect. A RADIUS proxy forwards authentication and authorization traffic to RADIUS server groups based on the properties of the traffic.

B. Incorrect. RADIUS clients forward authentication and authorization traffic to RADIUS servers or proxies.

C. Correct. RADIUS accounting records authentication and authorization request data.

D. Incorrect. A RADIUS server performs authentication and authorization operations on RADIUS traffic forwarded to it by a RADIUS client. A RADIUS proxy is a RADIUS client of a RADIUS server.

5. Correct answers: A, C, and D

A. Correct. You specify a friendly name when configuring a RADIUS client on a RADIUS server.

B. Incorrect. You don’t specify an authentication protocol when configuring a RADIUS client on a RADIUS server.

C. Correct. You specify an IP address or FQDN when configuring a RADIUS client on a RADIUS server.

D. Correct. You specify a shared secret when configuring a RADIUS client on a RADIUS server.

Lesson 2

1. Correct answers: C and D

A. Incorrect. The SSTP protocol VPN protocol can be used by computers running the Windows Vista, Windows 7, Windows 8, and Windows 8.1 client operating systems.

B. Incorrect. The IKEv2 protocol can be used by computers running the Windows 7, Windows 8, and Windows 8.1 client operating systems.

C. Correct. The L2TP/IPsec protocol can be used by computers running the Windows XP, Windows Vista, Windows 7, Windows 8, and Windows 8.1 client operating systems.

D. Correct. The L2TP/IPsec protocol can be used by computers running the Windows XP, Windows Vista, Windows 7, Windows 8, and Windows 8.1 client operating systems.

2. Correct answer: C

A. Incorrect. The L2TP/IPsec protocol can be used by computers running the Windows XP, Windows Vista, Windows 7, Windows 8, and Windows 8.1 client operating systems.

B. Incorrect. The L2TP/IPsec protocol can be used by computers running the Windows XP, Windows Vista, Windows 7, Windows 8, and Windows 8.1 client operating systems.

C. Correct. The IKEv2 protocol can be used by computers running Windows 7 and Windows 8 client operating systems.

D. Incorrect. The SSTP protocol VPN protocol can be used by computers running the Windows Vista, Windows 7, and Windows 8, and Windows 8.1 client operating systems.

3. Correct answer: C

A. Incorrect. You can’t use IKEv2 through firewalls in hotels that allow both secure and insecure web traffic only.

B. Incorrect. You can’t use L2TP/IPSec through firewalls in hotels that allow both secure and insecure web traffic only.

C. Correct. SSTP uses port 443, making it possible to use this VPN protocol through firewalls in hotels that allow secure web traffic.

D. Incorrect. You can’t use PPTP through firewalls in hotels that allow both secure and insecure web traffic only.

4. Correct answer: B

A. Incorrect. SSTP doesn’t support VPN reconnect.

B. Correct. This VPN protocol supports VPN reconnect. VPN reconnect enables reestablishment of disrupted VPN connections for up to 8 hours after the disruption occurred without requiring manual user reauthentication.

C. Incorrect. PPTP doesn’t support VPN reconnect.

D. Incorrect. L2TP/IPsec doesn’t support VPN reconnect.

5. Correct answer: C

A. Incorrect. You configure VPN access to provide protected network access to clients on the Internet. You can’t use VPN access to enable protected network clients to share an Internet connection.

B. Incorrect. You configure dial-up access if you want to enable access to your organization’s internal network for clients that have modems. You can’t use dial-up access to allow protected network clients to share an Internet connection.

C. Correct. You can use NAT to enable a group of computers on a private network to share an Internet connection.

D. Incorrect. You choose LAN router if you need to make a group of computers on your organization’s network that has public IP addresses accessible to hosts on the Internet.

Lesson 3

1. Correct answers: B and C

A. Incorrect. Windows RT can’t be joined to a domain and can’t function as a DirectAccess client.

B. Correct. Windows 8 Enterprise edition can be configured as a DirectAccess client. This is the only edition of Windows 8 that can be used with DirectAccess.

C. Correct. Windows 7 Ultimate edition can be configured as a DirectAccess client. You can also configure computers running Windows 7 Enterprise edition as DirectAccess clients.

D. Incorrect. Windows Vista can’t be configured as a DirectAccess client.

2. Correct answer: D

A. Incorrect. The DirectAccess server’s Internet interface must be assigned two consecutive public IPv4 addresses.

B. Correct. The DirectAccess server’s Internet interface must be assigned two consecutive public IPv4 addresses.

C. Incorrect. DirectAccess does not use RADIUS authentication.

D. Correct. You must remove ISATAP from the DNS global query block list on all DNS servers to use DirectAccess.

3. Correct answer: D

A. Incorrect. You don’t need to deploy a web server/SSL certificate on a domain controller when deploying DirectAccess.

B. Incorrect. You don’t need to deploy a web server/SSL certificate on a DNS server when deploying DirectAccess.

C. Incorrect. You must deploy a web server/SSL certificate on the NLS server when deploying DirectAccess.

D. Correct. You must deploy a web server/SSL certificate on the NLS server when deploying DirectAccess.

4. Correct answer: C

A. Incorrect. DirectAccess clients attempt to contact the NLS server to determine their network location before attempting to initiate a DirectAccess connection.

B. Incorrect. DirectAccess clients attempt to contact the NLS server to determine their network location before attempting to initiate a DirectAccess connection.

C. Correct. DirectAccess clients attempt to contact the NLS server to determine their network location before attempting to initiate a DirectAccess connection.

D. Incorrect. DirectAccess clients attempt to contact the NLS server to determine their network location before attempting to initiate a DirectAccess connection.

5. Correct answer: C

A. Incorrect. IP over HTTPS is the option only when a DirectAccess server is deployed behind a NAT device.

B. Incorrect. IP over HTTPS is the option only when a DirectAccess server is deployed behind a NAT device.

C. Correct. IP over HTTPS is the option only when a DirectAccess server is deployed behind a NAT device.

D. Incorrect. IP over HTTPS is the option only when a DirectAccess server is deployed behind a NAT device.