Geek School: Learning Windows 7 – Remote Access

In the last part of the series we looked at how you can manage and use your Windows computers from anywhere as long as you are on the same network. But what if you are not?

Be sure to check out the previous articles in this Geek School series on Windows 7:

And stay tuned for the rest of the series all this week.

Network Access Protection

Network Access Protection is Microsoft’s attempt to control access to network resources based on the health of the client trying to connect to them. For example, in the situation where you are a laptop user, there may be many months where you are on the road and do not connect your laptop to your corporate network. During this time there is no guarantee that your laptop does not get infected with a virus or malware, or that you even receive anti-virus definition updates.

In this situation, when you get back to the office and connect the machine to the network, NAP will automatically determine the machine's health against a policy you have set up on one of your NAP servers. If the device that connected to the network fails the health inspection, it automatically gets moved to a super-restricted section of your network called the remediation zone. While it is in the remediation zone, the remediation servers will automatically try to rectify the problem with your machine. Some examples could be:

  • If your firewall is disabled and your policy requires it to be enabled, the remediation servers would enable your firewall for you.
  • If your health policy states that you need to have the latest Windows updates and you don't, you could have a WSUS server in your remediation zone that will install the latest updates on your client.

Your machine will only get moved back to the corporate network if it is deemed healthy by your NAP servers. There are four different ways you can enforce NAP, each having its own advantages:

  • VPN – Using the VPN enforcement method is useful in a company where you have telecommuters working remotely from home, using their own computers. You can never be sure what malware someone might install on a PC that you have no control over. When you use this method, a client's health is checked every time they initiate a VPN connection.

  • DHCP – When you use the DHCP enforcement method, a client will not be given a valid network address by your DHCP server until it has been deemed healthy by your NAP infrastructure.

  • IPsec – IPsec is a method of encrypting network traffic using certificates. Although not very common, you can also use IPsec to enforce NAP.

  • 802.1x – 802.1x is also sometimes called port-based authentication and is a method of authenticating clients at the switch level. Using 802.1x to enforce a NAP policy is standard practice in today's world.
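As an added illustration of the health-check flow described above (example code, not Microsoft's NAP implementation), the following Python models a policy server comparing a client's Statement of Health with a health policy, placing an unhealthy client in the remediation zone together with the fixes the remediation servers would apply, and re-checking it afterwards. The SoH field names, the action strings and the 7-day definition-age threshold are assumptions made for the example.

```python
"""NAP-style health check and remediation decision. Added illustration, not
Microsoft's NAP code: the client's Statement of Health (SoH) is compared with
the health policy; an unhealthy client goes to the remediation zone with the
fixes the remediation servers would apply. Field names are assumed."""
from dataclasses import dataclass, replace

@dataclass
class HealthPolicy:
    require_firewall: bool = True
    require_antivirus: bool = True
    max_definition_age_days: int = 7      # constructed threshold
    require_current_updates: bool = True
    auto_remediate: bool = True           # let remediation servers fix it

@dataclass
class StatementOfHealth:
    firewall_enabled: bool
    antivirus_enabled: bool
    definition_age_days: int
    updates_current: bool

# remediation action -> SoH fields it corrects (e.g. WSUS installing updates)
FIXES = {
    "enable firewall": {"firewall_enabled": True},
    "enable antivirus": {"antivirus_enabled": True},
    "update definitions": {"definition_age_days": 0},
    "install updates from WSUS": {"updates_current": True},
}

def evaluate(soh, policy):
    """Return (zone, actions); zone is 'corporate' or 'remediation'."""
    actions = []
    if policy.require_firewall and not soh.firewall_enabled:
        actions.append("enable firewall")
    if policy.require_antivirus and not soh.antivirus_enabled:
        actions.append("enable antivirus")
    elif policy.require_antivirus and soh.definition_age_days > policy.max_definition_age_days:
        actions.append("update definitions")
    if policy.require_current_updates and not soh.updates_current:
        actions.append("install updates from WSUS")
    if not actions:
        return "corporate", []
    # one failed check is enough; without auto-remediation the client waits
    return "remediation", actions if policy.auto_remediate else []

def remediate(soh, actions):
    """Apply the remediation servers' fixes and return the corrected SoH."""
    for action in actions:
        soh = replace(soh, **FIXES[action])
    return soh
```

Only a client that passes every check in `evaluate` is returned to the corporate zone, which is the same rule the text gives for being moved back out of remediation.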

Dial-Up Connections

For some reason, in this day and age Microsoft still wants you to know about those primitive dial-up connections. Dial-up connections use the analog telephone network, also known as POTS (Plain Old Telephone Service), to deliver information from one computer to another. They do this using a modem, whose name is a combination of the words modulate and demodulate. The modem gets hooked up to your PC, normally using an RJ11 cable, and modulates the digital information stream from your PC into an analog signal that can be transferred across the telephone lines. When the signal reaches its destination it is demodulated by another modem and turned back into a digital signal that the computer can understand. In order to create a dial-up connection, right-click on the network status icon and open the Network and Sharing Center.

Then click on the Set up a new connection or network hyperlink.

Now choose to Set up a dial-up connection and click next.

From here you can fill in all the information required.

Note: If you get a question that requires you to set up a dial-up connection on the exam, they will provide the relevant details.

Virtual Private Networks

Virtual Private Networks are private tunnels you can establish over a public network, such as the internet, so that you can securely connect to another network.

For example, you might establish a VPN connection from a PC on your home network to your corporate network. That way it would appear as if the PC on your home network were really part of your corporate network. In fact, you can even connect to network shares and so on, as if you had taken your PC and physically plugged it into your work network with an Ethernet cable. The only difference is of course speed: instead of getting the Gigabit Ethernet speeds that you would if you were physically in the office, you will be limited by the speed of your broadband connection.

You are probably wondering how safe these "private tunnels" are, since they "tunnel" over the internet. Can everyone see your data? No, they can't, and that's because we encrypt the data sent over a VPN connection, hence the name virtual "private" network. The protocol used to encapsulate and encrypt the data sent over the network is left up to you, and Windows 7 supports the following:

Note: Unfortunately these definitions you will need to know by heart for the exam.

  • Point-to-Point Tunneling Protocol (PPTP) – The Point-to-Point Tunneling Protocol allows network traffic to be encapsulated into an IP header and sent across an IP network, such as the Internet.

    • Encapsulation: PPP frames are encapsulated in an IP datagram, using a modified version of GRE.

    • Encryption: PPP frames are encrypted using Microsoft Point-to-Point Encryption (MPPE). Encryption keys are generated during authentication, where the Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2) or Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) protocols are used.

  • Layer 2 Tunneling Protocol (L2TP) – L2TP is a secure tunneling protocol used for transporting PPP frames over the Internet Protocol; it is partially based on PPTP. Unlike PPTP, the Microsoft implementation of L2TP does not use MPPE to encrypt PPP frames. Instead, L2TP uses IPsec in Transport Mode for encryption services. The combination of L2TP and IPsec is known as L2TP/IPsec.

    • Encapsulation: PPP frames are first wrapped with an L2TP header and then a UDP header. The result is then encapsulated using IPsec.

    • Encryption: L2TP messages are encrypted with either AES or 3DES encryption using keys generated from the IKE negotiation process.

  • Secure Socket Tunneling Protocol (SSTP) – SSTP is a tunneling protocol that uses HTTPS. Since TCP port 443 is open on most corporate firewalls, this is a great choice for those countries that don't allow traditional VPN connections. It is also very secure since it uses SSL certificates for encryption.

    • Encapsulation: PPP frames are encapsulated in IP datagrams.

    • Encryption: SSTP messages are encrypted using SSL.

  • Internet Key Exchange (IKEv2) – IKEv2 is a tunneling protocol that uses the IPsec Tunnel Mode protocol over UDP port 500.

    • Encapsulation: IKEv2 encapsulates datagrams using IPsec ESP or AH headers.

    • Encryption: Messages are encrypted with either AES or 3DES encryption using keys generated from the IKEv2 negotiation process.

Server Requirements

Note: You can obviously have other operating systems set up to be VPN servers. However, these are the requirements to get a Windows VPN server running.

In order to allow people to create a VPN connection to your network, you need to have a server running Windows Server that has the following roles installed:

  • Routing and Remote Access (RRAS)
  • Network Policy Server (NPS)

You will also need to either set up DHCP or allocate a static IP pool that machines connecting over VPN can use.

Creating a VPN Connection

In order to connect to a VPN server, right click on the network status icon and open the Network and Sharing Center.

Then click on the Set up a new connection or network hyperlink.

Now choose to connect to a workplace and click next.

Then choose to use your existing broadband connection.

Now you will need to enter the IP or DNS Name of the VPN server on the network you want to connect to. Then click next.

Then enter your username and password and click connect.

Once you have connected, you will be able to see if you are connected to a VPN by clicking on the network status icon.

Homework

Note: Today’s homework is a little bit out of scope for the 70-680 exam but it will give you a solid understanding of what’s going on behind the scene when you connect to a VPN from Windows 7.



If you have any questions, you can tweet me @taybgibb, or just leave a comment.

Translated from: https://www.howtogeek.com/134943/geek-school-learning-windows-7-remote-access/