For Geeks @nd the not so Geeky

Windows 7 Remote Access and VPN Protocols

Enable Remote Access Windows 7

Remote access solutions, or desktop remote access, usually incorporate the Routing and Remote Access Service (RRAS) to configure connections such as secure Virtual Private Network (VPN) connections over the Internet, or even dial-up or ISDN connections, to link computers together so that a user can access files, folders, applications and printers much as if connected to the corporate network.

Remote Desktop Software

Do not confuse remote access with remote control. Remote control creates a session on the remote computer through the use of Remote Desktop or Remote Assistance in Windows 7. The Remote Desktop client is started from the command line with mstsc.exe. Just do a Google search for “Windows 7 remote desktop setup” if you are not sure how to configure remote desktop access or enable Remote Desktop in Windows 7.

There are also third-party applications such as Citrix or pcAnywhere that rely on remote desktop client software to make the remote computer’s desktop appear on your screen, which is useful if you want to provide remote access assistance or remote access support.

VPN Remote Access Connection Protocols

A VPN connection protocol provides some or all of the following security services:

  • Data Integrity – protects against tampering with the data by a third party
  • Data Confidentiality – encrypts the data so it cannot be read by third parties
  • Replay Protection – each packet is accepted only once, so an attacker cannot capture, alter and resend data
  • Data Origin Authentication – sender and receiver can be sure of the origin of the transmitted data

Standard Remote Access Protocols

  • Point to Point Protocol (PPP) – the oldest dial-up protocol; supports TCP/IP and IPX/SPX and allows for compression and encryption. Serial Line Internet Protocol (SLIP) is no longer supported in Windows 7
  • Point to Point Tunneling Protocol (PPTP) – used to transmit private data over a public network through VPN tunneling, with built-in security for encryption and authentication. Provides data confidentiality but not data integrity
  • Layer 2 Tunneling Protocol (L2TP) – more secure than PPTP as it creates a secure VPN connection when used in combination with IPSec. Uses digital certificates or a pre-shared key. Client and server must support IPSec NAT Traversal (NAT-T)
  • Secure Socket Tunneling Protocol (SSTP) – uses enhanced key negotiation, encryption and integrity checking by encapsulating PPP traffic over SSL using the HTTPS protocol, thereby allowing network traffic across firewalls and proxy servers
  • Internet Key Exchange version 2 (IKEv2) – new to Windows 7. Supports strong authentication and encryption methods by using an IPSec tunnel over UDP port 500
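Windows 7 keeps its VPN connections in the per-user phonebook file rasphone.pbk, and the tunneling protocol each connection is allowed to use is stored there as a VpnStrategy number. The following PowerShell script is an added example, not code from the original article: it parses that file and reports the protocol of every VPN entry, flagging PPTP because, as the list above notes, it offers confidentiality but no integrity protection. It assumes the default phonebook path under %APPDATA% and the standard VpnStrategy mapping (1/2 PPTP, 3/4 L2TP, 5/6 SSTP, 7/8 IKEv2, where the even value means "try this protocol first, then fall back"); the two-entry sample it falls back on when no phonebook exists is constructed.

```powershell
# Added example: inventory the VPN entries in a Windows 7 user's phonebook and
# report which tunneling protocol each one uses. Runs on PowerShell 2.0.
# Assumption: default per-user phonebook path and the standard VpnStrategy values.

$pbkPath = Join-Path $env:APPDATA 'Microsoft\Network\Connections\Pbk\rasphone.pbk'

$strategyNames = @{
    1 = 'PPTP only';  2 = 'PPTP first'
    3 = 'L2TP only';  4 = 'L2TP first'
    5 = 'SSTP only';  6 = 'SSTP first'
    7 = 'IKEv2 only'; 8 = 'IKEv2 first'
}

# Parse the INI-style phonebook: "[Entry name]" sections with key=value lines.
function Get-VpnPhonebookEntries {
    param([string[]]$Lines)
    $entries = @()
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\[(.+)\]$') {
            if ($current) { $entries += $current }
            $current = New-Object PSObject -Property @{ Name = $Matches[1]; VpnStrategy = $null }
        }
        elseif ($current -and $line -match '^VpnStrategy=(\d+)$') {
            $current.VpnStrategy = [int]$Matches[1]
        }
    }
    if ($current) { $entries += $current }
    return $entries
}

if (Test-Path $pbkPath) {
    $lines = Get-Content $pbkPath
} else {
    # Constructed sample so the script still runs where no phonebook exists yet.
    $lines = @('[Corp VPN]', 'VpnStrategy=2', '', '[Lab IKEv2]', 'VpnStrategy=7')
}

foreach ($e in Get-VpnPhonebookEntries -Lines $lines) {
    if ($e.VpnStrategy -eq $null) { continue }   # entries without a VpnStrategy line
    $name = $strategyNames[$e.VpnStrategy]
    if (-not $name) { $name = "unknown VpnStrategy $($e.VpnStrategy)" }
    $note = ''
    if ($e.VpnStrategy -le 2) { $note = '  <- PPTP: confidentiality only, no integrity protection' }
    "{0,-20} {1}{2}" -f $e.Name, $name, $note
}
```

Run it as the user whose connections you want to review; connections created for all users live in the same file name under %ProgramData%\Microsoft\Network\Connections\Pbk instead, so point $pbkPath there to audit those.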

Remote Access Authentication Protocols

EAP-MS-CHAPv2 is the strongest password-based authentication protocol, and it is the only password-based authentication protocol that can be used with IKEv2.

On a client computer you can configure remote access settings through Group Policy or the Local Security Policy console (secpol.msc). Keep in mind that the default values for account lockout and invalid password attempts are well known to experienced attackers and should therefore be changed. This is also where you configure the IPSec settings you use in combination with a VPN.
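The lockout settings mentioned above can be read and changed from the command line as well as in secpol.msc. The script below is an added example, not from the original article: it parses the output of the built-in net accounts command, warns when lockout is disabled (the Windows default, so unlimited password guesses are allowed against a VPN or Remote Desktop logon), and optionally applies a tighter policy. The threshold, duration and window values are illustrative choices, and the script must run from an elevated prompt.

```powershell
# Added example: check and optionally tighten the local account lockout policy
# using only "net accounts". Set $Apply to $true to make the change.
$Apply = $false

# Pull the three lockout values out of the "net accounts" report.
function Get-LockoutPolicy {
    $out = net accounts 2>&1
    $policy = @{}
    foreach ($line in $out) {
        if ($line -match '^Lockout threshold:\s+(.+)$') {
            $policy.Threshold = $Matches[1].Trim()
        }
        elseif ($line -match '^Lockout duration \(minutes\):\s+(.+)$') {
            $policy.Duration = $Matches[1].Trim()
        }
        elseif ($line -match '^Lockout observation window \(minutes\):\s+(.+)$') {
            $policy.Window = $Matches[1].Trim()
        }
    }
    return $policy
}

$before = Get-LockoutPolicy
"Current lockout threshold: $($before.Threshold)"

if ($before.Threshold -eq 'Never') {
    Write-Warning 'Lockout is disabled: unlimited password attempts are allowed on this machine.'
}

if ($Apply) {
    # Lock an account after 5 bad passwords within 30 minutes, for 30 minutes.
    # The duration must be at least as long as the observation window.
    net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30

    $after = Get-LockoutPolicy
    "New lockout threshold: $($after.Threshold) (duration $($after.Duration) min, window $($after.Window) min)"
}
```

On a domain-joined machine the domain's Default Domain Policy overrides whatever you set locally, so make the change in Group Policy there and use this script only to verify the effective values.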

Windows Vista and Windows 7 computers use 128-bit encryption by default, whereas Windows 2000 Server and Windows Server 2003 use either 40- or 56-bit encryption. This mismatch usually results in error 741, meaning the encryption levels don’t match. Encryption levels can be changed on the Security tab of the VPN connection’s properties dialog box.

VPN Reconnect in Windows 7

A standard VPN client needs to authenticate again every time the connection with the server is lost. IKEv2 in Windows 7, however, enables a VPN client to automatically re-establish a VPN connection within 8 hours of the connection being lost.

Advanced Audit Policy in Windows 7

Windows 7 Professional, Ultimate and Enterprise Group Policy provides a much more granular and comprehensive set of audit policies than previous Windows versions.
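The granular subcategories are managed from the command line with auditpol.exe, and the ones that matter for remote access are the logon, lockout, IPsec negotiation and NPS subcategories. The following PowerShell script is an added example rather than code from the article: it reads the current setting of each of those subcategories through auditpol's CSV output and, when $Apply is set, enables success and failure auditing for them so that VPN and DirectAccess logons, lockouts and IPsec failures land in the Security log. The subcategory names are the built-in English ones; run it from an elevated prompt.

```powershell
# Added example: review and enable the advanced audit subcategories that record
# remote-access activity, using auditpol.exe (Windows 7 and later).
$Apply = $false

$subcategories = @(
    'Logon', 'Logoff', 'Account Lockout', 'Other Logon/Logoff Events',
    'IPsec Main Mode', 'IPsec Quick Mode', 'IPsec Extended Mode',
    'Network Policy Server'
)

# "auditpol /get ... /r" prints a CSV table; the "Inclusion Setting" column holds
# values such as "Success and Failure" or "No Auditing".
function Get-AuditSetting {
    param([string]$Subcategory)
    $rows = auditpol /get /subcategory:"$Subcategory" /r |
        Where-Object { $_ -match ',' } |
        ConvertFrom-Csv
    $row = $rows | Select-Object -First 1
    return $row.'Inclusion Setting'
}

foreach ($sub in $subcategories) {
    $setting = Get-AuditSetting -Subcategory $sub
    "{0,-28} {1}" -f $sub, $setting

    if ($Apply -and $setting -ne 'Success and Failure') {
        auditpol /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
        "{0,-28} -> {1}" -f $sub, (Get-AuditSetting -Subcategory $sub)
    }
}
```

If the machine receives an advanced audit policy from Group Policy, the GPO wins over changes made here at the next refresh, so treat the $Apply branch as a way to test locally before pushing the same subcategories through a GPO.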

Network Access Protection (NAP)

NAP requires that clients provide a health certificate proving that the authenticating client is up to date with regards to the latest security patches. NAP is available starting from Windows 7 Professional and up. It verifies whether:

  • Software updates are installed and configured
  • Windows Firewall and Automatic Updates are enabled
  • The antivirus software is enabled and up to date

Through the use of multiple System Health Validators (SHVs) available in Windows 7 and Windows Server 2008 you can apply different policies to be met according to whether the client is connecting through VPN or via the LAN.

A health validation server can redirect non-compliant clients to a remediation network where they can receive Windows updates through WSUS and antivirus updates, after which they will be able to connect to the network.

NAP Enforcement Options

  • No Enforcement – used for monitoring only
  • IPSec – compliant clients receive an X.509 health certificate while others are rejected
  • 802.1X – unhealthy wired or wireless clients are placed on a restricted VLAN
  • Terminal Services Gateway – clients have to be compliant to access terminal service applications
  • VPN – routes unhealthy clients to remediation servers based on IP filters
  • DirectAccess – only allows healthy clients to create an IPSec tunnel
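Each enforcement option above corresponds to an enforcement client on the Windows 7 machine, and a client only participates in NAP when the NAP Agent service is running and the matching enforcement client is enabled. The script below is an added example, not part of the article: it checks the service, lists the enforcement clients with the built-in netsh nap client context, enables one of them by ID and shows the resulting state. The ID used, 79619, is the standard one for the IPsec relying-party enforcement client; confirm the IDs for your deployment in the output of netsh nap client show config before relying on them. Run it from an elevated prompt.

```powershell
# Added example: bring a Windows 7 NAP client into a working state with
# sc.exe, the service cmdlets and "netsh nap client".
$serviceName   = 'napagent'   # Network Access Protection Agent
$enforcementId = 79619        # IPsec relying-party enforcement client (verify with "show config")

# 1. The NAP Agent must run, and should start automatically, for any enforcement to work.
$svc = Get-Service -Name $serviceName
"NAP Agent service: $($svc.Status)"
if ($svc.Status -ne 'Running') {
    sc.exe config $serviceName start= auto | Out-Null
    Start-Service -Name $serviceName
    "NAP Agent service started"
}

# 2. List every enforcement client and whether it is enabled.
netsh nap client show config

# 3. Enable the enforcement client for the method being deployed.
#    Settings delivered by Group Policy take precedence; see "show grouppolicy".
netsh nap client set enforcement ID = $enforcementId ADMIN = "ENABLE"

# 4. Show the agent's view: active enforcement clients, SHAs and health state.
netsh nap client show state
netsh nap client show grouppolicy
```

The show state output is the first thing to read when a healthy machine is still being sent to the remediation network: it tells you whether the enforcement client was actually initialized and what the System Health Agents reported.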

Remote Desktop Gateway (RD Gateway)

RD Gateway is available in Windows 7 and Windows Server 2008 R2 and uses the Remote Desktop Protocol (RDP) in combination with HTTPS to allow a secure and encrypted connection to corporate servers via TCP port 443, much like a remote access terminal server.

An RD Gateway server on the corporate network can allow access to any published applications on the internal network to which the user has been granted access. The advantages of employing an RD Gateway are:

  1. No need to establish a VPN connection
  2. Connections across firewalls and proxy servers are facilitated
  3. Applications running on the local client can be shared with applications running on the remote network using your ISP connection

RemoteApp programs are programs which can be accessed remotely through the RD Gateway and appear on the user’s desktop and start menu as if they were installed and running locally.
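From the client side, going through an RD Gateway is a matter of a few extra properties in the .rdp file that mstsc.exe reads. The script below is an added example, not code from the article: it writes such a file, pointing at an internal host behind a gateway on port 443, and launches the Remote Desktop client with it. Both host names are placeholders; the property names and values are the standard RDP file settings.

```powershell
# Added example: create an .rdp file that tunnels RDP through an RD Gateway
# over HTTPS/443, then open it with mstsc.exe.
$gateway = 'rdgw.example.com'        # placeholder: public FQDN on the gateway's certificate
$target  = 'app01.corp.example.com'  # placeholder: internal RDP host behind the gateway
$rdpFile = Join-Path $env:TEMP 'via-gateway.rdp'

$settings = @(
    "full address:s:$target",
    "gatewayhostname:s:$gateway",
    'gatewayusagemethod:i:1',          # 1 = always connect through the gateway
    'gatewayprofileusagemethod:i:1',   # 1 = use the explicit gateway settings in this file
    'gatewaycredentialssource:i:0',    # 0 = password (NTLM) for the gateway; 1 = smart card
    'authentication level:i:2',        # 2 = warn if the RDP host's certificate cannot be verified
    'prompt for credentials:i:1'       # never embed credentials in the file
)

# RDP files are plain text; ASCII keeps mstsc.exe from misreading a BOM.
Set-Content -Path $rdpFile -Value $settings -Encoding ASCII
Get-Content $rdpFile

mstsc.exe $rdpFile
```

Because the gateway name is checked against the certificate presented on port 443, $gateway must match the FQDN on that certificate exactly, which is why the DirectAccess and RD Gateway requirements later in this post both insist on a certificate that carries the external name.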

DirectAccess – Access Computer Remotely

DirectAccess does not require user intervention or logon to allow remote access, as it uses certificates for authentication. As soon as the client connects to a network, a properly configured computer will automatically connect to the corporate network remote access services using IPv6 and an IPSec VPN connection. DirectAccess can be integrated with NAP to increase security. Only domain-joined computers running Windows 7 Ultimate or Enterprise support DirectAccess.

A properly configured Windows 7 client will in most cases connect to the corporate network prior to the Windows logon. A specially configured intranet site is configured on the DirectAccess server allowing the client immediate connection as soon as it is identified on a network.

Should the client be unable to contact the intranet site, it tries to establish an IPv6 connection directly across the Internet. If a native IPv6 connection is not available, the client tries to connect using an IPv6 over IPv4 tunnel, trying the 6to4 (direct IPv4 connection) and Teredo (NAT connection) tunneling technologies in that order.

If the above is not possible due to a firewall or proxy server a connection is attempted over HTTPS using TCP port 443.
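The connection order just described (intranet detection, native IPv6, 6to4, Teredo, then HTTPS on TCP 443, which Windows calls IP-HTTPS) can be followed step by step on a Windows 7 client with built-in netsh commands. The script below is an added example, not from the article: it runs the relevant status commands in that order so you can see which transition technology the client ended up on and whether the IPsec tunnel came up. It assumes only that the commands are run on the Windows 7 client, ideally from an elevated prompt so the IPsec monitor output is complete.

```powershell
# Added example: walk through a DirectAccess client's connection path with netsh.
function Show-Step {
    param([string]$Title, [scriptblock]$Command)
    "== $Title =="
    & $Command
    ''
}

# Intranet detection: shows the machine location (inside/outside) and DirectAccess status.
Show-Step 'DNS client state (network location / DirectAccess settings)' { netsh dnsclient show state }

# The Name Resolution Policy Table sends corporate names to the internal DNS over the tunnel.
Show-Step 'Name Resolution Policy Table in effect' { netsh namespace show effectivepolicy }

# Native IPv6 first ...
Show-Step 'IPv6 addresses on all interfaces' { netsh interface ipv6 show addresses }

# ... then the IPv6-over-IPv4 transition technologies, in the order the client tries them.
Show-Step '6to4 (used with a public IPv4 address)' { netsh interface 6to4 show state }
Show-Step 'Teredo (used behind NAT)' { netsh interface teredo show state }
Show-Step 'IP-HTTPS (last resort, TCP 443 through firewalls and proxies)' { netsh interface httpstunnel show interfaces }

# Finally, whether IPsec main-mode security associations to the DirectAccess server exist.
Show-Step 'IPsec main mode security associations' { netsh advfirewall monitor show mmsa }
```

A client sitting on IP-HTTPS when 6to4 or Teredo should have worked usually points at an outbound firewall blocking protocol 41 or UDP 3544, and an empty main-mode SA list with a transition interface up points at a certificate or IPsec policy problem rather than a transport one.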

DirectAccess – Remote Access Servers Requirements

  • Windows Server 2008 R2 that is a member of an AD DS domain with a CA and DNS configured
  • 2 network adapters, of which the one connected to the Internet is configured with 2 IPv4 addresses
  • Internal resources must support IPv6, as well as ISATAP and NAT-PT for clients that only support IPv4
  • Digital certificates in place that include the fully qualified domain name (FQDN) assigned to the external NIC
