Objectives:
At the end of the lab the student will be able to:
Configure NAP components.
Configure VPN access.
Configure the client to support NAP.
Safety:
Place briefcases and/or backpacks in the cabinet at the back of the lab classroom or in the lockers
assigned to the student.
Do not bring liquids or food into the lab classroom.
At the end of the lab session, shut down the computer and monitor properly and tidy the chairs
that were used.
Equipment and Materials:
Virtual machines:
DVD:
Windows Server 2012
Procedure:
Note: The following activities are carried out in this lab:
Configure NAP components
Configure VPN access
Configure the client to support NAP
Scenario
A. Datum is a manufacturing and engineering company with its head office in London, United
Kingdom. An IT office is located in London and supports the London office and the other
branches. A. Datum has deployed an infrastructure based on Windows Server 2012.
To help increase security and meet its requirements, A. Datum needs to extend its VPN solution
to include NAP. It needs a way to verify the health of remote computers and, if necessary,
automatically bring them into compliance when they connect remotely over the VPN connection.
You will meet this objective by using NPS to create a system health validator together with the
health, network and connection request policies, and by configuring NAP to verify and remediate
client health.
Lab Setup
1. Open VMware Workstation and create a snapshot of the virtual machines LON-DC1, LON-RTR and
LON-CL2.
Scenario
You will configure the NAP components, such as the certificate requirements, the health and
network policies and the connection request policies, as the first step in implementing
compliance and security.
11. Verify the status of certificate installation as Succeeded, and then click Finish.
15. In Server Manager, in the details pane, click Add Roles and Features. Click Next.
18. On the Select server roles page, select the Network Policy and Access Services check box.
20. On the Network Policy and Access Services page, click Next.
23. Verify that the installation was successful, and then click Close.
27. Expand Network Access Protection, expand System Health Validators, expand Windows
29. On the Windows 8/Windows 7/Windows Vista tab, clear all check boxes except the A firewall
is enabled for all network connections check box, and then click OK.
30. In the navigation pane, expand Policies.
32. In the Create New Health Policy dialog box, in the Policy name box, type Compliant.
33. In the Client SHV checks box, verify that Client passes all SHV checks is selected.
34. In the SHVs used in this health policy box, select the Windows Security Health Validator
check box.
35. Click OK.
37. In the Create New Health Policy dialog box, in the Policy Name box, type Noncompliant.
38. In the Client SHV checks box, select Client fails one or more SHV checks.
39. In the SHVs used in this health policy area, select the Windows Security Health Validator
check box.
40. Click OK.
Deliverable 1. Capture a screenshot showing the policies created under Health
Policies.
Deliverable 2.
11. On the Configure Settings page, click NAP Enforcement. Verify that Allow full network access is
14. On the Specify Network Policy Name And Connection Type page, in the Policy name box,
17. In the Health Policies dialog box, in the Health policies box, type Noncompliant, and then click
OK.
18. On the Specify Conditions page, click Next.
19. On the Specify Access Permission page, verify that Access granted is selected, and then click
Next.
20. On the Configure Authentication Methods page, clear all check boxes, select the Perform
machine health check only check box, and then click Next.
21. Click Next again.
22. On the Configure Settings page, click NAP Enforcement. Click Allow limited access.
25. In the IPv4 section, click Input Filters, and then click New.
28. In the Subnet mask box, type 255.255.255.255, and then click OK.
29. Click Permit only the packets listed below, and then click OK.
30. Under IPv4, click Output Filters, and then click New.
33. In the Subnet mask box, type 255.255.255.255, and then click OK.
34. Click Permit only the packets listed below, and then click OK.
Deliverable 3. Capture a screenshot showing the policies created under Network Policies.
11. In the Add EAP dialog box, under Authentication methods, click Microsoft: Protected EAP
14. Verify that Enforce Network Access Protection is selected, and then click OK.
Results: After this exercise, you should have installed and configured the required Network
Access Protection (NAP) components, created the health and network policies, and created the
connection request policies.
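The role installation and policy creation above are done in Server Manager and the NPS console. As an added example (not part of the lab handout), the following PowerShell, run on LON-RTR as a domain administrator, performs the role install from steps 15-23, takes a backup of the NPS configuration before any policy is edited, and checks that the Compliant and Noncompliant health policies exist. The backup path is an assumption; the cmdlet and netsh names are standard on Windows Server 2012.

```powershell
# Added example, not from the lab. Run on LON-RTR in an elevated PowerShell session.

# 1. Install Network Policy and Access Services with its management tools
#    (GUI equivalent: Add Roles and Features, Network Policy and Access Services).
Install-WindowsFeature -Name NPAS -IncludeManagementTools

# 2. Back up the NPS configuration before creating or changing policies.
#    The export contains RADIUS shared secrets in clear text, so keep the file
#    on an access-controlled path. Restore with Import-NpsConfiguration -Path.
$backup = "C:\NPS-backup-$(Get-Date -Format yyyyMMdd-HHmm).xml"   # assumed path
Export-NpsConfiguration -Path $backup
Write-Output "NPS configuration exported to $backup"

# 3. Verify that the two health policies created in the NPS console were saved.
#    'netsh nps show config' dumps the whole NPS configuration as text.
$config = netsh nps show config
foreach ($name in 'Compliant', 'Noncompliant') {
    if ($config -match "\b$name\b") {
        Write-Output "Health policy '$name' is present"
    } else {
        Write-Warning "Health policy '$name' not found; repeat the Create New Health Policy steps"
    }
}
```

Run the export again after finishing the exercise so that a known-good copy of the finished policies exists before the VPN server is reconfigured in the next exercise.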
Scenario
After configuring NAP, you must configure a VPN server and then allow the ICMP protocol through
the firewall for testing purposes.
4. In the Disable Routing and Remote Access dialog box, click Yes.
5. In the Routing and Remote Access console, right-click LON-RTR (local), and then click
Configure and Enable Routing and Remote Access.
6. Click Next, ensure that the Remote access (dial-up or VPN) option is selected, and then click
Next.
7. Select the VPN check box, and then click Next.
8. Click the network interface named Internet. Clear the Enable security on the selected interface
by setting up static packet filters check box, and then click Next.
9. On the Network Selection page, click Next.
10. On the IP Address Assignment page, select From a specified range of addresses, and then
click Next.
11. On the Address Range Assignment page, click New. Type 172.16.0.100 next to Start IP
address, and 172.16.0.110 next to End IP address, and then click OK. Verify that 11 IP
addresses were assigned for remote clients, and then click Next.
12. On the Managing Multiple Remote Access Servers page, verify that No, use Routing and
Remote Access to authenticate connection requests is selected, and then click Next.
13. Click Finish.
14. Click OK three times, and then wait for the Routing and Remote Access Service to start.
16. In the Network Policy Server, click Connection Request Policies, and, in the results pane,
verify that the Microsoft Routing and Remote Access Service Policy is Disabled.
Note: Press F5 to refresh. If the Microsoft Routing and Remote Access Service
Policy is enabled, right-click it, and then click Disable.
11. In the Name window, in the Name box, type ICMPv4 echo request, and then click Finish.
Deliverable 5. Capture a screenshot showing the rule created in Windows Firewall with
Advanced Security.
Results: After this exercise, you should have created a VPN server and configured inbound
communications.
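The ICMPv4 echo request rule in this exercise is created in the Windows Firewall with Advanced Security console with no address scope. As an added example (not from the lab), the following PowerShell, run on LON-RTR after the Routing and Remote Access wizard has completed, creates the same inbound rule but limits it to the remote access address pool 172.16.0.100-172.16.0.110 assigned in step 11, checks that the Routing and Remote Access service is running, and prints the rule's protocol and address filters so the result can be compared with the console. Scoping the rule to the pool is an assumption added here, not a lab step.

```powershell
# Added example, not from the lab. Run on LON-RTR in an elevated PowerShell session.

$poolStart = '172.16.0.100'   # address range from the RRAS wizard (step 11)
$poolEnd   = '172.16.0.110'
$ruleName  = 'ICMPv4 echo request'

# The wizard starts Routing and Remote Access; make sure it is actually up
# before clients try to connect.
$ras = Get-Service -Name RemoteAccess
if ($ras.Status -ne 'Running') {
    Start-Service -Name RemoteAccess
}
Write-Output "RemoteAccess service: $((Get-Service -Name RemoteAccess).Status)"

# Inbound ICMPv4 echo request (ICMP type 8). RemoteAddress accepts an IP range,
# so only VPN clients holding a pool address may ping the server. Drop the
# -RemoteAddress parameter to reproduce the unscoped rule from the lab exactly.
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol ICMPv4 `
        -IcmpType 8 -RemoteAddress "$poolStart-$poolEnd" -Action Allow -Profile Any
}

# Verify: the port filter shows Protocol and IcmpType, the address filter the scope.
Get-NetFirewallRule -DisplayName $ruleName |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, IcmpType
Get-NetFirewallRule -DisplayName $ruleName |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress
```

Step 8 of this exercise clears the "Enable security on the selected interface by setting up static packet filters" option on the Internet interface so that the lab can test freely; on a production VPN server that option should stay enabled, because it restricts the public interface to VPN traffic only.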
Scenario
You must enable a VPN client to connect to the Adatum network. You need to enable and configure
the NAP client requirements.
11. In Services, in the results pane, double-click Network Access Protection Agent.
12. In the Network Access Protection Agent Properties (Local Computer) dialog box, in the
14. Press the Windows key, and then press the R key to display the Run window.
15. In the Run window, type gpedit.msc, and then press Enter.
16. In the console tree, expand Local Computer Policy, expand Computer Configuration, expand
Administrative Templates, expand Windows Components, and then click Security Center.
17. Double-click Turn on Security Center (Domain PCs only), click Enabled, and then click OK.
11. Right-click the Adatum VPN connection, click Properties, and then click the Security tab.
13. In the Use Extensible Authentication Protocol (EAP) list, select Microsoft: Protected EAP
15. Clear the Enable Fast Reconnect check box, and then select the Enforce Network Access
17. In the Network Connections window, right-click the Adatum VPN connection, and then click
Connect/Disconnect.
18. In the Networks list on the right, click Adatum VPN, and then click Connect.
20. In the Password box, type Pa$$w0rd, and then click OK.
21. Right-click Start, click Run, type cmd.exe, and then press Enter.
22. At the command prompt, type ipconfig /all, and then press Enter. View the IP configuration.
The client now meets the requirement for virtual private network (VPN) full connectivity.
24. Switch to Network Connections.
26. In the Networks list on the right, click Adatum VPN, and then click Disconnect.
29. Expand Network Access Protection, expand System Health Validators, expand Windows
31. On the Windows 8/Windows 7/Windows Vista tab, select the Restrict access for clients that
do not have all available security updates installed check box, and then click OK.
34. In the Networks list on the right, click Adatum VPN, and then click Connect.
36. Type ipconfig /all, and then press Enter. View the IP configuration. System Quarantine State
should be Restricted.
37. Switch to Network Connections.
39. In the Networks list on the right, select Adatum VPN, and then click Disconnect.
Results: After this exercise, you should have created a new VPN connection on LON-CL2, and
have enabled and tested NAP on LON-CL2.
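The client-side preparation in this exercise (NAP Agent service, Security Center policy, VPN connection, reading System Quarantine State from ipconfig /all) is done through the Services, gpedit.msc and Network Connections consoles. As an added example (not from the lab), the following PowerShell, run on LON-CL2 in an elevated session after the Adatum VPN connection has been created, scripts those prerequisites and reads the NAP restriction state directly from the NAP client. The enforcement client ID 79623 is the EAP Quarantine Enforcement Client used by NAP over VPN on Windows 8; the registry value is the one the Security Center group policy setting writes; the user name passed to rasdial is an assumption, since the handout does not show it.

```powershell
# Added example, not from the lab. Run on LON-CL2 in an elevated PowerShell session.

# 1. The Network Access Protection Agent service (service name: napagent) must be
#    running and set to start automatically, otherwise the client never reports health.
Set-Service -Name napagent -StartupType Automatic
Start-Service -Name napagent
Write-Output "NAP Agent: $((Get-Service -Name napagent).Status)"

# 2. Enable the EAP Quarantine Enforcement Client (ID 79623), which carries the
#    statement of health inside PEAP on the VPN connection. 'netsh nap client show
#    config' lists every enforcement client with its ID and state if you want to verify.
netsh nap client set enforcement ID = 79623 ADMIN = "ENABLE"

# 3. Registry equivalent of the gpedit.msc step
#    "Turn on Security Center (Domain PCs only)" = Enabled. Without it the Windows
#    Security Health Validator cannot read firewall/update status on a domain member.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SecurityCenter'
New-Item -Path $key -Force | Out-Null
Set-ItemProperty -Path $key -Name SecurityCenterInDomain -Type DWord -Value 1

# 4. Connect using the existing Adatum VPN connection. rasdial prompts for the
#    password when it is omitted; do not hardcode Pa$$w0rd in a script.
rasdial 'Adatum VPN' 'Adatum\Administrator'   # user name is an assumption

# 5. Read the restriction state from the NAP client instead of ipconfig /all.
#    Expect "Not restricted" while only the firewall check is required, and
#    "Restricted" after the SHV is changed to require all security updates (step 31).
netsh nap client show state | Select-String -Pattern 'Restriction'

# 6. Drop the connection, as in step 26 / 39.
rasdial 'Adatum VPN' /disconnect
```

Run step 5 twice: once with the original SHV setting and once after step 31 changes it, and compare the two outputs with the ipconfig /all screenshots from steps 22 and 36.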
CHALLENGE
1. Revert the virtual machines to the snapshot created before starting the lab.
Conclusions:
State the conclusions you reached after the topics covered in practice in this
lab.