All posts in category Web Application Proxy

New Pluralsight Windows Server 2012 R2 DirectAccess, VPN, and WAP Video Training Course

Pluralsight IT Pro and Developer TrainingI’m very excited to announce that my latest video training course is now available on Pluralsight! Recently I had the opportunity record a “Play-by-Play” session entitled Secure Remote Access with Windows Server 2012 R2. In this course I cover all aspects of the Unified Remote Access role in Windows Server 2012 R2 including DirectAccess, client-based remote access VPN, site-to-site VPN, and the Web Application Proxy (WAP). This training course differs from some of the other DirectAccess video training content I’ve developed in the past. This course is much less formal, and takes a casual, conversational approach to delivering the content. Many scenarios are presented and discussed, and of course there is plenty of practical demonstration as well. I think you’ll really like this unique format.

Pluralsight IT Pro and Developer Training

Pluralsight video training is available as a monthly subscription. If you don’t already have a Pluralsight account, you can sign up immediately and get a 10-day free trial. In addition to viewing my new course, be sure to browse their amazing video training course catalog. The amount and quality of content they have is astounding. You’ll find my DirectAccess with Windows Server 2012 R2 course there, along with many others. I’m confident you’ll find the service a tremendous value. Get started now!

2 Comments
by Richard M. Hicks on October 12, 2015  •  Permalink
Posted in DirectAccess, Remote Access, Training, VPN, Web Application Proxy, Windows 10, Windows 8.1, Windows Server 2012 R2
Tagged , , , , , , , , ,

Posted by Richard M. Hicks on October 12, 2015

https://directaccess.richardhicks.com/2015/10/12/new-pluralsight-windows-server-2012-r2-directaccess-vpn-and-wap-video-training-course/

DirectAccess and the TLS Logjam Attack

Another critical flaw affecting Transport Layer Security (TLS) was discovered recently that could put some organizations at risk. The “Logjam” attack exploits a weakness in how the Diffie-Hellman key exchange is used. An attacker, acting as a man-in-the-middle, can potentially force a downgrade of the TLS connection, resulting in the use of weak cryptography. The Qualys SSL Labs SSL Server Test has been updated to identify this vulnerability. When testing a DirectAccess server you will receive the following warning message.

“This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B.”

DirectAccess and the Logjam Attack

DirectAccess leverages SSL and TLS as part of the IP-HTTPS IPv6 transition protocol, which is used to tunnel IPv6 packets over the IPv4 Internet. These IPv6 packets are encrypted using IPsec. If an attacker were to break the SSL/TLS connection they would gain nothing. Because of this, a dedicated DirectAccess server is unaffected by the Logjam attack. Mitigating it would provide no additional protection, so you can safely ignore the warning about weak DH key exchange parameters being supported.

However, if DirectAccess has been configured to use one-time password (OTP) authentication, the client-based VPN role has been enabled and configured, or the Web Application Proxy (WAP) role has been installed on the DirectAccess server, then the Logjam attack represents a serious risk and should be mitigated. Also, in some cases it may be desirable to make this change on a dedicated DirectAccess server just to prevent an audit finding and avoid having to explain why the DirectAccess workload would be unaffected by this attack.

To mitigate this vulnerability it will be necessary to remove support for cipher suites that use the Diffie-Hellman key exchange protocol on the DirectAccess server. This is accomplished by opening the Local Group Policy Editor (gpedit.msc) on the DirectAccess server and expanding Computer Configuration, Administrative Templates, and Network. Select SSL Configuration Settings and then double-click SSL Cipher Suite Order. Select Enabled and then replace the default list of cipher suites with the following list.

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_NULL_SHA256
TLS_RSA_WITH_NULL_SHA

DirectAccess and the Logjam Attack

Once complete, restart the DirectAccess server. The Qualys SSL Labs server test should no longer give a warning about the use of weak Diffie-Hellman keys. In addition, this reordering and optimization of cipher suites will also improve the protocol support and key exchange scores, as shown here.

DirectAccess and the Logjam Attack

As a reminder, and overall rating of “F” is expected when testing a dedicated DirectAccess server. By design, DirectAccess provides support for null cipher suites to improve scalability and performance for Windows 8.x and later DirectAccess clients. More details here.

1 Comment
by Richard M. Hicks on June 1, 2015  •  Permalink
Posted in DirectAccess, Encryption, IP-HTTPS, IPv6, IPv6 Transition, Remote Access, SSL and TLS, VPN, Web Application Proxy, Windows 10, Windows 8, Windows 8.1, Windows Server 2012, Windows Server 2012 R2
Tagged , , , , , , , , , ,

Posted by Richard M. Hicks on June 1, 2015

https://directaccess.richardhicks.com/2015/06/01/directaccess-and-the-tls-logjam-attack/

DirectAccess Load Balancing and Multisite Configuration Options Unavailable

Looking for more information about DirectAccess load balancing? See my post entitled DirectAccess Deployment Guide for Kemp LoadMaster Load Balancers.

DirectAccess in Windows Server 2012 R2 supports load balancing and multisite configuration options to provide both local and geographic redundancy, respectively. To configure either of these options, open the Remote Access Management console, expand Configuration in the navigation tree, highlight DirectAccess and VPN, and then select either Enable Multisite or Enable Load Balancing in the Tasks pane.

DirectAccess Load Balancing and Multisite Configuration Options Unavailable

Depending on your configuration you may encounter a scenario in which these features do not appear in the Remote Access Management console.

DirectAccess Load Balancing and Multisite Configuration Options Unavailable

This occurs when the Web Application Proxy (WAP) role is installed on the DirectAccess server. Although this is a supported configuration, enabling load balancing or multisite on a DirectAccess server with WAP installed requires additional configuration. Specifically, load balancing and/or multisite must be configured before installing the WAP role.

To restore support for load balancing and multisite configuration options, remove the WAP role using the GUI or with the Uninstall-WindowsFeature Web-Application-Proxy PowerShell command.

2 Comments
by Richard M. Hicks on March 9, 2015  •  Permalink
Posted in 6to4, DirectAccess, IP-HTTPS, IPv6, IPv6 Transition, Remote Access, Teredo, Web Application Proxy, Windows Server 2012 R2
Tagged , , , , , ,

Posted by Richard M. Hicks on March 9, 2015

https://directaccess.richardhicks.com/2015/03/09/directaccess-load-balancing-and-multisite-configuration-options-unavailable/

« Older Posts
Newer Posts »