VNUHCM UNIVERSITY OF SCIENCE

FACULTY OF ELECTRONICS TELECOMMUNICATIONS

DEPARTMENT OF TELECOMMUNICATIONS NETWORKS

COURSE
Network Technology

Understanding Organization
Chapter 1 Networks and Remote Access
REMOTE ACCESS SERVICES
05
Editor: Nguyen Viet Ha, Ph.D.

Lecturer: Nguyen Minh Tri, Ph.D. Email: [email protected] 2

Understanding Organization Networks Understanding Organization Networks

Demilitarized Zone (DMZ)
Separates LAN from untrusted networks
Fig. A Fig. A (internet).
sample sample Also known as perimeter networks or
network network screened subnetworks.
structure structure

3 4
 Understanding Organization Networks Understanding Organization Networks
Demilitarized Zone (DMZ) Demarc (demarcation point)
Separates LAN from untrusted networks A translation device or router with a
Fig. A (internet). Fig. A specialized network interface for the last
sample Also known as perimeter networks or sample mile technology that passes traffic directly
network screened subnetworks. network between the ISP and NAT router.
structure structure
Servers and resources in the DMZ are Common last mile technologies:
accessible from the internet (and/or LAN) o Digital subscriber line (DSL): uses a
(Ex: web, email, DNS, FTP and proxy telephone network.
servers.), but the rest of the internal LAN o Cable broadband: uses a television
remains unreachable. cable network.
Provides an additional layer of security o Gigabit Passive optical Network
to the LAN as it restricts a hacker's (GPON): uses fiber optic cable.
ability to directly access internal servers o Long-range Wi-Fi: uses radio wireless,
and data from the internet. often using wireless transmitters
5 positioned in a line of sight. 6

Understanding Organization Networks Understanding Organization Networks

NAT (Network Address Translation) Send
To access the Internet, public IP address is
Fig. A needed. 209.165.200.226
sample
network IPsrc: NAT is a process in which one or more local IP
DA SA
structure Public address is translated into one or more Global
209.165.201.1 209.165.200.226
IP address and vice versa in order to provide
Internet access to the local hosts.

NAT generally operates on a router or firewall.

IPsrc: DA SA
Private 209.165.201.1 192.168.10.10

7 8
 Understanding Organization Networks Understanding Organization Networks
Receive NAT (Network Address Translation)
To access the Internet, public IP address is
DA SA 209.165.200.226 Fig. A needed.
192.168.10.10 209.165.201.1 sample
network IPsrc: NAT is a process in which one or more local IP
structure Public address is translated into one or more Global
IP address and vice versa in order to provide
Internet access to the local hosts.

NAT generally operates on a router or firewall.

Also, it does the translation of port numbers

IPsrc:
i.e. masks the port number of the host with
DA SA
Private another port number, in the packet that will be
209.165.200.226 209.165.201.1 routed to the destination. (PAT Port Address
9 Translation or NAT Forwarding) 10

Understanding Organization Networks Understanding Organization Networks

209.165.200.226 209.165.200.226
SA DA
SA DA
192.168.10.10:1555 209.165.201.1:80 209.165.201.1:80 209.165.200.226:1555

SA DA SA DA

209.165.200.226:1555 209.165.201.1:80 209.165.201.1:80 192.168.10.10:1555

SA DA
SA DA
209.165.202.129:80 192.168.10.11:1331
209.165.200.226:1331 209.165.202.129:80

SA DA SA DA

192.168.10.11:1331 209.165.202.129:80 209.165.202.129:80 209.165.200.226:1331

(PAT) (PAT)

11 12
 Understanding Remote Access Understanding Remote Access
Members of the organization need to connect to resources hosted on Provide access to these resources using a
servers in the DMZ from outside the organization. remote access technology.
For example, when an executive or sales team member needs to At least one server in your DMZ must be
access work files on a file server in the organization when on a configured as a remote access server that
business trip. accepts requests from remote access
clients on the Internet.

13/69
/50 14

Understanding Remote Access Understanding Remote Access

Provide access to these resources using a Alternatively, organizations can connect
remote access technology. remote access servers directly to a demarc.
At least one server in your DMZ must be
(1a. NAT: configured as a remote access server that
1.2.3.4 accepts requests from remote access The remote access server must have two
172.16.0.50) clients on the Internet. network interfaces.
One is connected to the demarc.
Another is connected to the DMZ.
(1b)
(1) The remote access client first connect to
the remote access server in the DMZ, using The remote access server is exposed directly
encryption provided by the remote access
to the Internet.
(2) server.
Must have a firewall (and preferably
(2) The remote access server then
authenticates the user before allowing additional security software) enabled to
remote access. ensure that the security of the remote
15
access server is not compromised. 16
 Understanding Remote Access Understanding Remote Access
A NAT router often contains additional management and security Microsoft provides three main remote access technologies that can be
capabilities, such as traffic throttling, intrusion prevention, and malware used to obtain access to servers in a DMZ from across the Internet:
filtering. Often referred to as a Next Generation Firewall (NGFW).
Virtual private network (VPN)

DirectAccess

Remote Desktop Services

Each of these remote access technologies provides its own protocols, as

well as supports different authentication and encryption types.
Some NGFWs contain built-in remote access server functionality,
eliminating the need for a separate remote access server.
17/69
/50 18/69
/50

VPN Benefits

2 Virtual Private Network (VPN)

19 20/69
/50
 VPN Benefits VPN Benefits
Security: Security:
Confidentiality Confidentiality
o Guarantees that only authorized users can read the message. If o Encryption: Symmetric Encryption
the message is intercepted, it cannot be deciphered within a
reasonable amount of time.

21/69
/50 22/69
/50

VPN Benefits VPN Benefits

Security: Security:
Confidentiality Confidentiality
o Encryption: Symmetric Encryption o Encryption: Asymmetric Encryption

23/69
/50 24/69
/50
 VPN Benefits VPN Benefits
Security: Security:
Confidentiality Confidentiality
o Encryption: Asymmetric Encryption o Encryption: Asymmetric Encryption

DH uses very large numbers in its calculations.

EX: DH2: 1024-bit (~ decimal number of 309 digits).

Extremely slow for any sort of bulk encryption.

Asymmetric Encryption is normally used as Authentication

or Secure Key Exchange.
25 26

VPN Benefits VPN Benefits

Security: Security:
Confidentiality Data Integrity
o Encryption: Asymmetric Encryption o Guarantees that the message was not altered. Any changes to
data in transit will be detected.

DH Group 1: 768 bits

DH Group 2: 1024 bits
DH Group 5: 1536 bits
DH Group 14: 2048 bits
DH Group 15: 3072 bits
DH Group 16: 4096 bits

27 28/69
/50
 VPN Benefits VPN Benefits
Security: Security: PSK Authentication
Origin Authentication Origin Authentication (Pre-shared Secret Key)
o Guarantees that the message is not a forgery and does actually
come from whom it states.

Pre-shared Secret Key (PSK)

Uses an additional secret key
as input to the hash function.

29/69
/50 30/69
/50

VPN Benefits VPN Benefits

Security: Security: RSA Authentication
Origin Authentication Origin Authentication

RSA authentication uses digital certificates to authenticate.

Local device derives a hash and encrypts with private key.
The encrypted hash is attached to the message and is
forwarded to the remote end and acts like a signature.
At the remote end, the encrypted hash is decrypted using
the public key of the local end.
If the decrypted hash matches the recomputed hash, the
signature is genuine.
Each peer must authenticate its opposite peer before the
tunnel is considered secure.
31/69
/50 32
 VPN Types: Remote-Access VPNs VPN Types: Remote-Access VPNs
VPN is a remote access technology that provides encryption for data VPNs provide an encrypted channel (or
that is sent across the Internet between a remote access client and tunnel between systems on a network,
server. they are often referred to as VPN tunnels.

A network is created between the remote access client Each end of the VPN tunnel is
and server that is used in addition to the underlying physical represented by a virtual network interface
network. that is configured with an IP address.
o Also called an overlay network.

Data that is sent on the virtual

network is encrypted automatically
and can only be decrypted by the
remote access server or client.
33/69
/50 34

VPN Types: Remote-Access VPNs VPN Types: Remote-Access VPNs

The default gateway configured in the VPN By default, all the traffic will pass through
network interface on the remote access the remote access server.
client is automatically set to 0.0.0.0
To ensure that all packets generated
However, if remote access clients configure
client are encrypted and sent on the VPN
split tunneling, they will be able to:
to the remote access server.
Access the resources in their
DMZ across the VPN tunnel.
The remote access server then decrypts Use the default gateway on their physical
these packets and relays them to the DMZ network interface to access Internet
network to allow users to access resources in resources.
the organization.

35 36
 VPN Types: Site-to-Site VPNs VPN Types: Site-to-Site VPNs
VPNs can also be VPN between routers can also be used to encrypt server traffic that
used to encrypt passes across the Internet between different locations.
IP traffic that
For example:
passes across the
Internet between o Active Directory replication between domain controllers.
two routers at o Folder content that is synchronized between file servers using
different locations DFS replication.
in an
organization.

Internal hosts Most organizations use a hardware-based router or NGFW appliance to

have no provide VPNs between different locations in an organization.
knowledge that a However, you can instead configure a Windows Server system as a
VPN is being router that provides VPNs between locations.
used.
37/69
/50 38/69
/50

VPN Protocols VPN Protocols

Many different VPN technologies have been developed since the 1990s, IPsec
and each one uses a specific VPN protocol to tunnel traffic. o IETF (Internet Engineering Task Force) standard.

o IPsec protects and authenticates IP packets between source and

When you implement a remote access server using Windows Server, destination.
four different VPN protocols are supported:
Protect traffic from Layer 4 through Layer 7 (OSI model).
Point-to-Point Tunneling Protocol (PPTP)
o It was developed by a consortium of vendors including Microsoft o IPsec is not bound to any specific rules for secure
o Encrypts data using Microsoft Point-to-Point Encryption (MPPE). communications.
Supports encryption key length from 40 to 128 bits. This flexibility of the framework allows IPsec to easily integrate
Windows operating systems contain a registry key that new security technologies without updating the existing IPsec
prevent the use of MPPE keys less than 128 bits by default. standards.

39/69
/50 40
 VPN Protocols VPN Protocols
IPsec IPsec

Security Association (SA). 41 Security Association (SA). 42

VPN Protocols VPN Protocols

GRE over IPsec
o Generic Routing Encapsulation (GRE) is a non-secure site-to-site
VPN tunneling protocol.
Not support encryption.

o It can encapsulate various network layer protocols.

o Supports multicast and broadcast traffic

43 44/69
/50
 VPN Protocols VPN Protocols
GRE over IPsec Layer Two Tunneling Protocol (L2TP)
o A standard IPsec VPN (non-GRE) can only create secure tunnels o Developed by Microsoft and Cisco.
for unicast traffic.
Ex: Routing protocols will not exchange routing information o Relies on IP Security (IPSec) for the encryption of data packets.
over an IPsec VPN. Encryption keys length from 56 to 256 bits.
Encapsulate routing protocol traffic using a GRE packet,
and then encapsulate the GRE packet into an IPsec packet
o The remote access client and server authenticate to each other.
to forward it securely to the destination VPN gateway.
Configure the same preshared key (password) or install an
IPSec encryption certificate on both the remote access client
and server.

45 46/69
/50

VPN Protocols VPN Protocols

Internet Key Exchange version 2 (IKEv2) Secure Socket Tunneling Protocol (SSTP)
o An enhancement to IPSec that provides VPN tunneling with faster o Tunnels data through HTTPS packets on a network.
speeds compared to L2TP.
o It originally used Secure Sockets layer (SSL) encryption with
o It uses 256-bit encryption keys 128-bit keys.

o Requires that remote access clients and servers authenticate to o Modern SSTP implementations use 256-bit keys alongside
each other using an IPSec encryption certificate or preshared key. Transport layer Security (TLS) encryption.
Sometimes expressed as SSL/TLS.
Both terms are often used interchangeably.

o To use SSTP, the remote access server must contain an HTTPS

encryption certificate.
47/69
/50 48/69
/50
 VPN Protocols VPN Authentication
Secure Socket Tunneling Protocol (SSTP) Before a VPN tunnel can be established, the remote access client must
o TLS works at layer 4 (OSI) first authenticate to the remote access server using credentials.

49/69
/50 50

VPN Authentication VPN Authentication

Remote access server validate received credentials before providing Using RADIUS
remote access. You can optionally
configure a remote
access server to
In Active Directory domain
forward credentials it
Remote access server will forward the credentials to a domain receives from a remote
controller in the DMZ. access client to a
If match, and dial-in permission is granted, the domain controller will Remote Access dial-In
allow the remote access connection and return a Kerberos ticket for user Authentication
the user to the remote access server. Service (RADIUS)
The remote access server will then create the VPN tunnel, send the server instead of a
Kerberos ticket to the remote access client, and relay traffic from the domain controller.
VPN to the DMZ to allow for resource access.

51/69
/50 52/69
/50
 VPN Authentication
Using RADIUS
After a RADIUS server receives credentials from a remote access
server, it forwards them to a domain controller for validation.
After the domain controller validates the credentials and dial-in
permission, it returns the Kerberos ticket for the user to the RADIUS
server.
The RADIUS server then checks its remote access policies to
ensure that the user meets necessary requirements before allowing
3 DIRECTACCESS
the remote access connection and forwarding the Kerberos ticket to
the remote access server.
The remote access server will then create the VPN tunnel, send
the Kerberos ticket to the remote access client, and relay traffic from
the VPN to the DMZ to allow for resource access.

53/69
/50 54

DIRECTACCESS DIRECTACCESS
VPNs remote users must manually initiate a VPN connection each time To determine whether they are located on a network outside the
they wish to connect to the resources in their organization. organization, each remote access client that participates in DirectAccess
contains a Network Connectivity Assistant service.
For organizations that deploy laptop computers that are joined to an
Active Directory domain, secure remote access for these computers can Probes a location using HTTPS each time their network
be automated using DirectAccess. interface is activated on a network.
o If a DirectAccess client can connect to the Network Location
When laptop computers Server (NLS), it must be inside the corporate network.
connect to a network outside of
the organization, DirectAccess o If it cannot, it must be outside of the corporate network.
automatically initiates an IPSec
tunnel that functions like a VPN
to provide remote access to the
organization DMZ.
55/69
/50 56/69
/50
 DIRECTACCESS DIRECTACCESS
If the remote access client determines that it is on a network outside of DirectAccess remote access servers use HTTPS to authenticate users to
the organization: Active Directory.
It automatically creates an IPSec tunnel to the remote access After a user enters their Active Directory credentials, the credentials are
server after prompting the user to log into the Active Directory cached for use with future remote access connections.
domain, if necessary.

Because DirectAccess uses both HTTPS and IPSec, when configuring

firewall exceptions, port forwarding, or reverse proxy, you must specify
the port numbers for SSTP and L2TP/IKEv2 if the configuration tool for
the firewall, NAT router, or NGFW does not allow you to specify the
DirectAccess protocol by name.

57/69
/50 58/69
/50

DIRECTACCESS
Remote access clients use IPv6 when contacting a network location
server or authenticating to a remote access server using DirectAccess.
These IPv6 packets are automatically enclosed in IPv4 packets when
sent across an IPv4 network.

4 REMOTE DESKTOP

59/69
/50 60
 REMOTE DESKTOP REMOTE DESKTOP
Remote desktop uses a different method to achieve remote access After a remote access client obtains a graphical desktop session, they
compared to VPNs and DirectAccess. can run programs on the remote access server and access resources on
the DMZ network to which the remote access server is connected.
Remote access clients use a Remote desktop app to log into a remote In other words, Remote Desktop allows remote access clients to access
access server to obtain a graphical desktop session on the remote a graphical desktop running in the organization DMZ to provide access
access server itself (called to organization resources.
session-based desktop
deployment), or a graphical
desktop session from a Hyper-V
virtual machine running on the
remote access server (called
virtual machine-based
desktop deployment).

61/69
/50 62/69
/50

REMOTE DESKTOP REMOTE DESKTOP

The Remote Desktop app uses Remote desktop Protocol (RDP) to There are Remote Desktop apps available for Windows, macOS, Linux,
transfer desktop graphics, keystrokes, and mouse movements to and UNIX, Android, and iOS remote access clients.
from the remote access server. The Remote Desktop app available by default on Windows systems is
called Remote Desktop Connection.
Programs that are run in a Remote Desktop session are executed on the
remote access server and can access shared folders and printers on the
organization network as well as volumes and printers installed on the Instead of running a full graphical desktop, remote access clients can
underlying remote access client, if configured. use RemoteApp to access a single program (e.g., Microsoft Outlook)
running on a remote access server using Remote Desktop.
Thus, a remote access user could use File Explorer in their Remote This program can also be configured to appear as a shortcut on the
Desktop session to transfer files from the organization to their local Start menu. When remote access clients click this shortcut, the
computer for later use, or print a document in Microsoft Word on the program will execute on the remote access server and transfer the
remote access server to a printer that is installed on their local program window, keystrokes, and mouse movements to and from
computer. the remote access client.

63/69
/50 64/69
/50
Services available for the Remote Desktop services server role Services available for the Remote Desktop services server role

65/69
/50 66/69
/50

REMOTE DESKTOP REMOTE DESKTOP

If you deploy multiple Remote Desktop Session Host or Remote Desktop Many server administrators install the Remote Desktop Connection
Virtualization Host remote access servers in your DMZ, then you could Broker when there is only one remote access server that contains the
install a single server that contains the Remote Desktop Connection Remote Desktop Session Host or Remote Desktop Virtualization Host
Broker to distribute RDP requests across all of the remote access role service.
servers.
If additional servers are installed with the Remote Desktop Session Host
In this case, remote access clients will connect to the Remote Desktop or Remote Desktop Virtualization Host role service afterwards, they are
Connection Broker server. Furthermore, the server that hosts the automatically linked with the Remote Desktop Connection Broker, and
Remote Desktop Connection Broker can also host the Remote Desktop no additional firewall, port forwarding, or reverse proxy configuration is
Licensing, Remote Desktop Web Access, and Remote Desktop Gateway necessary.
role services to provide licensing, RemoteApp, and HTTPS encryption for
all remote access servers in the DMZ.

67/69
/50 68/69
/50
THANK YOU FOR YOUR ATTENTION

Nguyen Minh Tri, Ph.D.

Department of Telecommunications and Networks
Faculty of Electronics and Communications
University of Science, Vietnam National University, Ho Chi Minh City
Email: [email protected]