You Might Not Have Permission To Use This Network Resource




In this section I will look at configuring remote access. Nowadays, with more people working away from the office and even at home, remote access is an important topic to understand. In this video I will first look at the 3 stages that make up a remote connection. It is important to understand these steps to help you troubleshoot network problems. Next I will look at NAT. NAT is a technology that allows one public IP address to be used by many computers.




On smaller networks and at home you may, however, want to consider using Internet Connection Sharing. This is similar to NAT but requires a dedicated computer to access the internet. If you want to allow VPN access into your company, Microsoft offers Remote Access Service. Once I have looked at how Remote Access Service works and how to install it, I will have a closer look at the VPN protocols that make it work. Which operating systems you are using with the remote access server will determine which protocols you make available on it.

Next I will look at Network Policy Server. With remote access there are a lot of settings to configure; Network Policy Server helps you to configure these settings throughout your environment. Lastly I will look at RADIUS. RADIUS is a system that allows centralized control of remote access, in other words, who has access, and keeping records of who accesses what.

When looking at remote access, it is easier to look at it in 3 stages. The first is connection. The connection stage makes the physical connection between the 2 parties. At this stage encryption and protocols are decided. When troubleshooting connection problems, make sure that both sides of the connection support the same protocols and encryption. If they don’t, a connection will not be made. If a connection cannot be made, the next stage, authentication, cannot occur.

The authentication stage identifies who the connection is being made by. Typically the connection is identified by username and password or certificates. You could, however, use IP addresses as well, but this is seen as not being very secure.

The last stage of remote access is authorization. Authorization determines what they can access. This is done through IP filters, which either allow or block connections to certain IP addresses, and NTFS permissions, which block or allow access to files.

When troubleshooting remote access problems, try to keep these stages in mind. If you are not being prompted for a username and password, the problem is probably a connection problem. If you keep getting denied access, the problem may be with your certificate or username and password. If everything seems to be working and your connection is up and running but you can’t see or access anything, the problem is probably with authorization. Remember to keep these 3 stages in mind when troubleshooting network problems.

With IP version 4 addresses starting to run out, systems had to be devised to make better use of the available IP addresses. One of these systems is NAT. NAT stands for Network Address Translation. The concept behind NAT is that many computers communicate with a NAT device, and the NAT device communicates with the internet. As shown here, 4 computers are connected to the same NAT device and share the one public IP address. NAT is very scalable and could be used for 100’s or even 1000’s of computers. As you can see on the left hand side, each client computer has its own IP address, but the IP address is a private IP address.

NAT is usually found in most DSL modems and is the reason why you can connect multiple computers to the same DSL modem. NAT was designed to better utilize the remaining IP version 4 addresses. With the larger address space in IP version 6, NAT is not required for IP version 6, since IP addresses in IP version 6 are far from being scarce. If you want to use NAT with Windows you will require Windows Server. Client operating systems like Windows Vista and Windows 7 do not support NAT.

In the real world you probably won’t see Windows used for NAT, as NAT is usually done with hardware devices. NAT is primarily aimed at large businesses; if you have a small business or are a home user you may want to look at something like ICS.

ICS, or Internet Connection Sharing, is used when one computer shares its connection with other computers. For example, imagine this computer was connected to the internet but the DSL modem used is a USB modem and thus can only be connected to one computer at a time.


Later on you wanted to connect some more computers up to the internet. Since the DSL modem only has one USB connection, you can’t connect any more computers to the connection. With Internet Connection Sharing you could connect the other computers up via the main computer. The downside with Internet Connection Sharing is that the computer that is accessing the internet must always be on for the other computers to access the internet. One common use for Internet Connection Sharing is when you place a wireless device on your network, for example a laptop.

You can of course upgrade your DSL modem to one that supports wireless, but another solution is to install a network card in the computer running ICS. This will allow your laptop to connect to the internet using its wireless adapter without having to upgrade any of your existing networking gear. Let’s have a look at how to configure ICS.

ICS works off an existing network connection. To access an existing network connection, open the Control Panel and select the option View network status and tasks. From here you need to select Change adapter settings from the right hand side. This will show you all the currently installed network connections. The one that I am interested in is my ISP connection, which is a dial-up connection. ICS works on almost any type of connection. To configure it, select the properties of the connection and then select the Sharing tab.

On the Sharing tab select the option Allow other network users to connect through this computer’s internet connection. Next I need to select which adapter the other computers are connected to; in this case it will be Local Area Connection.

You will also notice the option Establish a dial-up connection whenever a computer on my network attempts to access the internet. This will essentially bring up the connection automatically when one of the computers on your network requests it.

ICS is now set up and will allow computers connected to Local Area Connection to access the internet. If I select the Settings button, this allows me to set up port forwarding. Port forwarding will forward a request for a particular service to a particular computer. If I were to select Remote Desktop and enter in workstation 10, all remote desktop connections that come through this internet connection will be directed to workstation 10. If you don’t set up any port forwarding, then all incoming services will remain on the computer with ICS enabled. Now that you have an understanding of ICS, let’s have a look at Remote Access Service, its bigger brother.

The Microsoft Remote Access Service provides two basic services for clients. The first is dial-up services. The client will access the RAS server through a modem. Generally the modem will be in a bank of modems rather than a standalone modem. The RAS server will provide access to the production network for the client connected to that modem.

RAS also provides VPN access. Over the years VPN access has become more common and nowadays it is rare for anyone to use modem access.


When VPN is used, the client creates a tunnel over the public internet to access the RAS server. This means the RAS server needs to have access to the internet. For this reason, the RAS server is normally a member server and placed on the DMZ or perimeter network. Doing this helps prevent the RAS server being compromised and, if it is, helps prevent the rest of the network being compromised as well.

To install the remote access server, launch Server Manager from the Start menu under Administrative Tools. From the left hand side select the option Add Roles and then select Add Roles from the right hand side. If you have watched the previous video on routing, you would remember me doing the same thing as I am going to do now, and that is select Network Policy and Access Services.

If I now move on to the components screen, I need to select the Routing and Remote Access component. You will notice that the routing component is also selected. This is not required for remote access so I will deselect it. I can now move on and start installing the role. Depending on the speed of your server, this role will generally take a few minutes to install. Once completed I can close Server Manager and then launch the Routing and Remote Access server tool from Administrative Tools under the Start menu. Routing and Remote Access in Windows Server 2008 has not changed that much from Windows Server 2003 and Windows Server 2000, so if you have some previous experience in remote access you should not have too many problems configuring it on Windows Server 2008.

In order to start using remote access, you need to configure it. To do this, right click on the remote access server, in this case RAS 1, and select the option Configure Routing and Remote Access. This will launch the Routing and Remote Access Server wizard.

In this particular case I want to set up this server to allow remote access so I will leave it on the default option at the top, Remote access dial up and VPN. On the next screen you get to decide if you want this server to support connections via VPN or via dial-up; in this case I will select both.

Most servers providing remote access will have more than one network card. One network card will generally be connected to the internet and the other will be connected to the production network. I will in this case select the second network card as it is the network card that my clients are connected to. Notice also the option "Enable security on the selected interface by setting up static packet filters".

This means the local firewall will be configured to deny anything other than VPN traffic. This is one good reason to use the wizard, to ensure that these rules are created. Be warned, however: ticking this tick box will deny all traffic through that network card that is not a remote connection. You will no longer be able to receive pings, contact domain controllers or retrieve web pages. If you have a second network card that will perform these duties, tick this tick box; if not, it is probably best not to tick this box.

On the next screen you can decide where the clients will get their IP addresses from. This can either be from a pool you enter or from the DHCP server. I have a DHCP server on the network; however, for this example I will enter a manual range.

For a client to operate on the network, it needs to be allocated an IP address from the production network. The RAS server makes the client think that it is directly connected to that network, and other devices on the network will think that it is directly connected.

When I set up a RAS server on a network I like to manually enter a range of IP addresses as this helps with troubleshooting. If you have a range of IP addresses that you know is just being used for VPN, when you see one of those IP addresses in a log file you know that it came from a remote connection.

When you enter the range of IP addresses, you only need to enter the start IP address and the number of IP addresses that you want to use. Windows will automatically work out the end IP address for you.

Once you have configured how you want your clients to obtain their IP addresses, you will need to decide if you want to use RADIUS or not. RADIUS is an authentication system. I will cover RADIUS in more detail later in this video. For the present just think of RADIUS as a system that authenticates users on the network. RADIUS is often used when you have multiple remote access servers and you want to authenticate them all using one system.
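The tip above about a dedicated VPN address range can be turned into a small log check. This is an added example, not code from the video: the pool start address 10.0.0.150, the log format and the log lines are constructed for illustration (only the count of 50 comes from the walkthrough).

```python
import ipaddress
import re

# Matches anything shaped like a dotted quad; validity is checked separately.
IPV4_TOKEN = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def pool_range(start, count):
    """Return (first, last) for a static pool entered as start address plus
    number of addresses, which is how the wizard asks for it."""
    if count < 1:
        raise ValueError("pool must contain at least one address")
    first = ipaddress.IPv4Address(start)
    last = first + (count - 1)  # raises if the range runs past 255.255.255.255
    return first, last


def in_pool(addr, pool):
    """True if addr is a valid IPv4 address inside the pool (inclusive)."""
    first, last = pool
    try:
        return first <= ipaddress.IPv4Address(addr) <= last
    except ipaddress.AddressValueError:
        return False  # looked like an address but is not one, e.g. 999.0.0.1


def remote_hits(lines, pool):
    """Return (line_number, address) for every pool address seen in the log,
    i.e. every entry that involved a remote access client."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for token in IPV4_TOKEN.findall(line):
            if in_pool(token, pool):
                hits.append((number, token))
    return hits


# Assumed pool: 50 addresses starting at 10.0.0.150 (start address is constructed).
VPN_POOL = pool_range("10.0.0.150", 50)

# Constructed log lines in a made-up format, not real Windows log output.
SAMPLE_LOG = [
    "2017-06-01 09:14:02 ALLOW TCP 10.0.0.151 -> 10.0.0.10:445",
    "2017-06-01 09:15:40 ALLOW TCP 10.0.0.23 -> 10.0.0.10:80",
    "2017-06-01 09:17:11 DENY TCP 10.0.0.199 -> 10.0.0.12:3389",
    "2017-06-01 09:18:00 DENY TCP 10.0.0.200 -> 10.0.0.12:3389",
    "2017-06-01 09:19:30 DENY TCP 999.0.0.1 -> 10.0.0.12:3389",
]

if __name__ == "__main__":
    first, last = VPN_POOL
    print(f"VPN pool: {first} - {last}")
    for number, addr in remote_hits(SAMPLE_LOG, VPN_POOL):
        print(f"line {number}: {addr} is a remote access client")
```
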


Once I press Finish, Routing and Remote Access will be installed. Remote Access Services does not take long to install. Once done, your RAS server is ready to go. You may, however, want to do some more configuration on the server depending on what type of clients will be connecting. Let’s have a look at the protocols RAS supports.

The first is PPTP. PPTP, or Point to Point Tunneling Protocol, was developed by Microsoft and thus is supported by most Microsoft operating systems. If you are using a non-Microsoft operating system you will need to use another protocol to connect to the VPN server.

PPTP is being made obsolete by newer protocols but may be your only choice if you have some older Windows operating systems that need to connect to your VPN server. The protocol only supports TCP/IP, which nowadays, with the popularity of the protocol, may not present a problem. The protocol requires TCP port 1723 to be open to operate effectively.

The next protocol is L2TP, or Layer Two Tunneling Protocol. This protocol is an open standard so you can use it to connect your non-Microsoft clients. L2TP also supports multiple protocols, not just TCP/IP. L2TP can use IPsec for encryption, assuming that you are using certificates in your organization. The downside with L2TP is that it is not supported on older operating systems.

L2TP uses TCP port 1701 and UDP port 500 for communication and also has IP version 6 support. L2TP is a better protocol in a lot of ways, but because of its lack of backward support it is not uncommon for VPN servers to have both PPTP and L2TP configured. With both installed the client can decide which one they want to use.

The disadvantage with both these protocols is that they require ports to be open on the firewall that may not normally be open. A lot of administrators don’t like opening additional ports on their firewalls, which brings us to the last protocol.

SSTP, or Secure Socket Tunneling Protocol, addresses some of the problems with firewalls by using SSL for encryption. SSL uses port 443 to transfer traffic. Because of this, SSTP has better firewall support, because port 443 may already be open as it is commonly used by web traffic to encrypt data.

The protocol also supports certificates for authentication if your organization has a certificate authority. The protocol is designed for client access and thus can’t be used for site to site access. The protocol is new to Windows Server 2008 and has limited support for older clients.

When SSTP first arrived you needed to have Windows Vista with Service Pack 1 or above. Since then Microsoft has added support to Windows XP with the release of Service Pack 3. SSTP is a good protocol to use and gives you a lot of features if your clients support it. Let’s have a look at how to configure and connect to the RAS server.

First of all I want to see what protocols are enabled on my RAS server. To do this, select Ports. Here you can see all the ports that are currently awaiting connections. You can see a port waiting for an SSTP connection and further down a port waiting for a PPTP connection. If a client was connected to this server, the status would change from inactive to connected. If I now right click on Ports and select Properties, you can see all the protocols I just talked about.

If I press Configure for SSTP, you can see here that by default it is enabled and accepting remote access connections. SSTP can only be used for incoming connections so you will notice that the options for outgoing are grayed out.

You will also notice that the maximum ports is set to 128 by default. This means that this server can accept 128 SSTP connections. Bear in mind that when I set up the IP address pool I only allocated 50 IP addresses. If you are planning on having a lot of incoming connections, make sure that your maximum ports is high enough to support them and also that you have a big enough pool of free IP addresses.

If I now select PPTP and again press Configure, you will notice that again I have the option to enable or disable incoming connections. I also have the option to enable or disable demand dial connections. Demand dial connections will create a connection as required. For example, if you had two branch offices connected by VPN, a demand dial connection will bring up the connection when the client attempts to use it.

The next protocol is L2TP; you can see the options are the same as the other protocols. If you want to disable any of these protocols just clear the relevant check box. The last of the RAS protocols is IKE. This is essentially IPsec, meaning if you want to make a native IPsec connection, RAS supports it. This may be a good option for you if you have non-Windows computers that want to connect to RAS.

To start using RAS you need to make a connection from a client computer. To do this, I will switch to my Windows 7 computer. I will use Windows 7 as a client for this demonstration as it is more than likely that a non Windows Server 2008 computer will be used to connect to RAS.

To create the new connection, open the Control Panel and then select "View network status and tasks". This will take you into the Network and Sharing Center. To start the new connection wizard, select the option Set up a new connection or network.

Depending on which version of Windows you are running, the wizard may be a little different and may be launched from a different location. In this case, the option I want is Connect to a workplace. This wizard can also be used to create a dial-up connection; in this case I want a VPN connection so I will select Use my Internet connection.

The next screen will ask if you want to set up an internet connection to connect to the VPN server. You would select this option if you needed to dial up to an ISP using a modem or you had to connect via a different connection. When configured correctly, whenever this VPN connection is activated the connection to the internet will first be opened before trying to connect to the RAS server.

On this screen I need to enter the IP address or server name of the RAS server; I can also give the connection a suitable name. At the bottom of the screen you will notice the option Allow other people to use this connection.

Ticking this option will allow other users on the computer to connect using this connection. If this connection connects back to your head office, for example, ticking this option allows you to set up the connection using the administrator and then any user that logs onto the computer will be able to use the connection.

On this screen you can enter the username and password for this connection. Just to prove a point, I am going to use the domain administrator’s username and password, which has access to everything on the network.


If you are creating a shared connection, it is often a good idea to tick the tick box Remember this password. If you don’t tick this tick box, a user will be prompted for a password each time the connection is run.

The connection does not take long to create. Once created I can select Connect or disconnect, go down to VPN work and press Connect to start the connection. You will notice that the connection will fail to connect.

Windows will come back saying there was an error verifying the username and password even though I used a domain administrator’s account. This is because no user by default has access to the RAS server. To fix this problem, I need to switch to my domain controller.

To enable access for the administrator, I need to make a change to the domain administrator’s account. To do this, I need to run Active Directory Users and Computers, found in Administrative Tools under the Start menu. All I need to do is locate the Administrator account under the Users OU. Select the properties of the Administrator account and then go to the Dial-in tab. On this tab you can see by default dial-in access is determined by the NPS network policy.

I don’t have NPS configured on this network as yet. NPS is a system designed to help you control access to your network. Why is it required? Well, if you look at the options above, if I want to enable access for the administrator I need to select the option Allow access. If you have a network with 1000's of users you need a system like NPS to simplify administration.


In a moment I will look at how we can use NPS to configure our network. If I now go back to my Windows 7 client and press the Redial button, you will notice that the computer now connects to the network. You will notice that under connections, work VPN has appeared. This computer is now connected to the work network, and to other computers it will appear as if it is on the network even though it is accessing the network through the RAS server.

To demonstrate this, I now open a command prompt from the Start menu and run the command ipconfig. You will notice that the computer now has an IP address of 10.0.0.151. This is one of the IP addresses that I allocated to the RAS server earlier using the configuration wizard.

Imagine on a large network with 100’s or even 1000’s of users having to manually go into Active Directory and configure them to be allowed access to the network via remote access. Back in the Windows NT days, this is what you had to do. Nowadays we can use NPS to do the hard work for us.

NPS, or Network Policy Server, allows you to create rules defining how users can connect to your network. If you have used Remote Access Services before, you may notice NPS is similar to Remote Access Policy. Network Policy Server replaces Remote Access Policy and improves on it. The main role of NPS is to provide authentication and authorization settings. On a large network it is essential to have something like Network Policy Server to deploy settings; otherwise trying to administer dial-in services using Active Directory and manually tick and untick boxes for individual users would be a nightmare.

Also, as you will see, there are a lot of things you can do with Network Policy Server that you can’t do by modifying the settings in Active Directory or using the Routing and Remote Access tool. Let’s have a look at how to use Network Policy Server.

I already have the Routing and Remote Access tool open from the previous demonstration. All I need to do is select Remote Access Logging and Policies, right click it and select Launch NPS. To see what policies have already been created, select the folder Network Policies. You can see here that by default two policies have already been created. These are created during the install and you can see they both have an access type of deny. The second policy checks the time and checks its rule list for a match. Its rule list is set for 24/7, so anything that makes it to this policy is going to be denied. This policy acts as a catch-all to ensure any connections that do not match a policy are denied.

To create a new policy, right click Network Policies and select New. For the policy name I will enter Company VPN and for the type of policy I will select Remote Access Server. You will notice that there are a lot of other types of policies available. This is one of the reasons for the name change from remote access policies, because the policies have expanded to include more than remote access.

On the Specify Conditions screen you need to enter some conditions this policy will check for. You can enter more than one set of conditions; for example, you could enter a user group and a date and time condition. As you can see, there are a lot of different conditions you can set. You can even set conditions based on the protocols being used. In this particular case I want to create a policy for domain users so I will select Windows Groups.

From here, it is a simple matter of looking up the Domain Users group in Active Directory and adding it. Once added, any user in the Domain Users group will be affected by this policy. On this screen you need to select whether this is an allow or deny policy. In this particular case I want to allow all domain users to be able to connect to my RAS server. Notice the tick box Access is determined by User Dial-in properties. If I tick this tick box and the conditions of the policy are met, Network Policy Server will then refer to Active Directory and either allow or deny based on the settings in Active Directory.

On this screen you can set the authentication types. At the top you have EAP types. This basically refers to devices like smart cards. At the bottom of the screen you have other authentication methods. Later in the course I will go into more detail about these authentication methods.

On this screen you can configure some constraints for your connections. First there is the idle timeout. If you set a value here, for example 15 minutes, and the user does not perform any activity for 15 minutes, they will be disconnected.


The session timeout, when set, will determine how long a session will be allowed to run before it is disconnected. The called station ID can be used to determine where the connection is being made from. If the connection is not being made from an authorized station it will be disconnected. Day and time restrictions allow the connection only to be made at certain times; connections running outside these times will be disconnected.

With VPNs and high speed networks, a lot of these settings are no longer used on most networks. When you had a network with limited modems, settings like these needed to be set up to allow fair access to these facilities. Without settings like these, modem banks would become jammed and end users would not be able to connect. With VPN, one server can handle a high number of connections so fair play issues hardly ever come up.

The last constraints setting is NAS port types. These settings relate to the type of media the connection comes over. If you want certain settings for wireless and different settings for wired networks you could set them here. For example, you could require a higher encryption standard for wireless than VPN traffic.

On the next screen you can configure even more settings. The first two options relate to RADIUS. If your clients are using RADIUS to connect to your server, you can send additional options to the client if you wish. If your vendor has special RADIUS attributes, you can use the next option, Vendor Specific.

The Multilink section refers to using multiple modems together to give you a higher speed. With high speed internet nowadays, this is hardly worth the effort of setting up, but it is on by default if you choose to use it.

In the IP filters section, you can set IP filters to block certain traffic. As you can see in the dialog, you can set IP addresses and select different protocols. This allows you to restrict incoming connections from certain addresses and also stop them connecting to certain locations.

On the encryption screen you can set what type of encryption standard will be allowed. It is important to note that No encryption is ticked by default. On your network you may want to clear this tick box.


Depending on how old the clients are that are connecting to your server, you may want to deselect lower encryption options. Remember that high encryption does also put more load on your server; in some cases you may want to deselect the higher options if you are having performance problems on your server.

The last section lets you have more control over how the IP address is allocated to the client. If you want to set static IP addresses or want to let the client choose their own IP address you will need to set it here.

That’s it: press Finish and your new policy has been created. Notice now the policy is the first in the list. This is important. Policies are evaluated in order until a match is made. If, for example, you had the deny policy first, all connections would be denied regardless of what you set in the other policies. When troubleshooting policy problems, make sure you look at any policies that are before the policy in question. If a match is made by one of them, Windows will not look at the policy in question.

The last thing that I want to look at is RADIUS. RADIUS stands for Remote Authentication Dial In User Service. RADIUS allows for the central management of authentication, authorization and accounting, also known as triple A. If you have a large organization and you want to centralize administration of your remote connections you should consider installing a RADIUS server or multiple RADIUS servers throughout your organization.

RADIUS over the years has expanded from the dial-up service that it was originally aimed at. I have seen RADIUS set up to use smart cards and secure tokens. When a client connects to a RAS server, the RAS server will connect to the RADIUS server and either allow or deny the user.

RADIUS is an open standard so you will find it is used with other products, not just Microsoft products. If you want to centralize your authentication, authorization and accounting, consider installing a RADIUS server.

When you start configuring your network for remote access, remember that a lot of protocols and devices are used when a remote connection is made. This means there are a lot of places where problems can occur. When troubleshooting, break the problem down into smaller parts. Can you ping the other side? If so, the connection is fine and the problem may be with authorization. Check the firewall rules the connection is passing through. Certain protocols require some non-standard ports to be open. If these ports are being blocked on the client, server or a firewall in between, then the connection will fail. Remote access can be a lot of effort to set up, but when it is running well it is worth the effort.
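The policy-ordering rule described earlier (policies are evaluated in order until a match is made, with a 24/7 deny policy as the catch-all) can be checked with a small model. This is an added example and a simplified model, not NPS's own code: the class names, the "Catch-all deny" policy name and the sample users are hypothetical, and only the group, time-of-day and dial-in conditions from the walkthrough are modelled.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Request:
    user: str
    groups: FrozenSet[str]
    hour: int                 # local hour of the connection attempt, 0-23
    dial_in: str = "policy"   # account's Dial-in tab: "allow", "deny" or "policy"


@dataclass(frozen=True)
class Policy:
    name: str
    grant: bool                        # access type: allow (True) or deny (False)
    group: Optional[str] = None        # Windows group condition; None matches anyone
    hours: Tuple[int, int] = (0, 24)   # [start, end) hour window; (0, 24) is 24/7
    use_dial_in: bool = False          # "access is determined by user dial-in properties"

    def matches(self, req: Request) -> bool:
        in_group = self.group is None or self.group in req.groups
        in_hours = self.hours[0] <= req.hour < self.hours[1]
        return in_group and in_hours

    def is_catch_all(self) -> bool:
        return self.group is None and self.hours == (0, 24)


def evaluate(policies: List[Policy], req: Request):
    """Return (granted, matching_policy_name). The first match decides."""
    for policy in policies:
        if not policy.matches(req):
            continue
        # When the policy defers to the account, an explicit setting wins.
        if policy.use_dial_in and req.dial_in in ("allow", "deny"):
            return req.dial_in == "allow", policy.name
        return policy.grant, policy.name
    return False, None  # nothing matched: no access


def shadowed(policies: List[Policy]) -> List[str]:
    """Names of policies that can never match because a catch-all precedes them."""
    for index, policy in enumerate(policies):
        if policy.is_catch_all():
            return [p.name for p in policies[index + 1:]]
    return []


# Constructed sample data mirroring the walkthrough.
COMPANY_VPN = Policy("Company VPN", grant=True, group="Domain Users")
CATCH_ALL = Policy("Catch-all deny", grant=False)
GOOD_ORDER = [COMPANY_VPN, CATCH_ALL]
BAD_ORDER = [CATCH_ALL, COMPANY_VPN]
ALICE = Request("alice", frozenset({"Domain Users"}), hour=10)

if __name__ == "__main__":
    print("good order:", evaluate(GOOD_ORDER, ALICE))
    print("bad order: ", evaluate(BAD_ORDER, ALICE))
    print("never evaluated in bad order:", shadowed(BAD_ORDER))
```
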



