Group:            Cycle:

Evaluation criteria                                                      | Excellent (4 pts) | Good (3 pts) | Needs improvement (2 pts) | Not acceptable (0 pts) | Score achieved
Correctly installs the Network Access Protection (NAP) components        |                   |              |                           |                        |
Correctly creates and configures health and network policies             |                   |              |                           |                        |
Correctly configures and establishes the client VPN connection           |                   |              |                           |                        |
Correctly writes up the main implementation steps and the conclusions    |                   |              |                           |                        |
Communicates effectively; works with order, cleanliness and punctuality  |                   |              |                           |                        |
Objectives:
By the end of the lab, the student will be able to:
Safety:
● Place briefcases and/or backpacks in the cabinet at the back of the laboratory room or in the lockers
assigned to the student.
● Do not bring liquids or food into the laboratory room.
● At the end of the lab session, shut down the computer and the monitor properly, and tidy up
the chairs used.
Equipment and Materials:
● One computer with:
● Windows 7 or later
● VMware Workstation 10+ or VMware Player 7+
● Connection to the laboratory network
● Virtual machines:
● DVD:
Procedure:
Note: In this lab the following activities will be carried out:
Scenario
A. Datum is a manufacturing and engineering company with its head office in London,
United Kingdom. An IT office is located in London and supports the London office and other
To help increase security and meet its requirements, A. Datum is asking for the VPN
solution to be extended to include NAP. It needs to establish a way for
them to connect remotely using the VPN connection. You will accomplish this by using NPS
to create system health validators and health and network policies, and by configuring NAP
to verify and remediate the health of the client.
Lab Setup
1. Open VMware Workstation and take a snapshot of the virtual machines LON-DC1, LON-RTR
and LON-CL2.
Scenario:
You should configure the NAP components, such as the certificate requirements, the health
and network policies and the connection request policies, as the first step in
implementing compliance and security.
*** Replace XYZ with the initials of your first name, paternal surname and maternal surname.
The LON-DC1 server manages digital certificates, so you will be asked to allow any
user who has signed in to request a digital certificate for their computer.
(Granting Enroll on the Computer template to Authenticated Users is a lab shortcut: in
production, scope Enroll and Autoenroll to Domain Computers, because any domain account
could otherwise obtain a machine certificate that is valid for client authentication.)
1. On LON-DC1, in Server Manager, click Tools, and then click Certification Authority.
2. In the certsrv management console, expand AdatumCA, right-click Certificate Templates,
and then select Manage on the context menu.
3. In the Certificate Templates Console details pane, right-click Computer, and then click
Properties.
4. Click the Security tab in the Computer Properties dialog box, and then select
Authenticated Users.
5. In the Permissions for Authenticated Users, select the Allow check box for the Enroll
permission, and then click OK.
6. Close the Certificate Templates Console.
7. In certsrv - [Certification Authority (Local)], right-click AdatumCA, point to All Tasks,
and then click Stop Service.
8. Right-click AdatumCA, point to All Tasks, and then click Start Service.
9. Close the certsrv management console.
7. In the console tree, expand Certificates, right-click Personal, point to All Tasks, and then
click Request New Certificate.
8. The Certificate Enrollment dialog box opens. Click Next.
9. On the Select Certificate Enrollment Policy page, click Active Directory Enrollment Policy,
and then click Next.
10. Select the Computer check box, and then click Enroll.
11. Verify the status of certificate installation as Succeeded, and then click Finish.
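The template permission change, CA restart and certificate request above, as a script. This is an added example and not part of the original lab: the first part runs on LON-DC1 as an enterprise administrator and needs the ActiveDirectory module; the second runs on LON-RTR and needs the PKI module (Windows Server 2012). The CA name AdatumCA, the template name Computer and the use of Authenticated Users are taken from the steps; the well-known GUID of the Certificate-Enrollment extended right is a fact of Active Directory, not something the page states.

```powershell
# Added example (not the lab's own text): script the GUI steps and verify the result.

# --- LON-DC1: grant Enroll on the "Computer" template, then restart the CA ----------
Import-Module ActiveDirectory

# Certificate templates are objects in the configuration partition, not in the CA.
$configNC     = (Get-ADRootDSE).configurationNamingContext
$templatePath = "AD:\CN=Computer,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# "Enroll" in the template's Security tab is the Certificate-Enrollment extended right.
$enrollRight = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$principal   = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-11'  # Authenticated Users

$acl = Get-Acl -Path $templatePath
$alreadyGranted = $acl.Access | Where-Object {
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $principal -and
    $_.ObjectType -eq $enrollRight -and
    $_.AccessControlType -eq 'Allow'
}
if (-not $alreadyGranted) {
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $principal,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $enrollRight)
    $acl.AddAccessRule($ace)
    Set-Acl -Path $templatePath -AclObject $acl
}

# Steps 7-8: the CA caches template ACLs, so restart Active Directory Certificate Services.
Restart-Service -Name CertSvc

# Check who holds Enroll on the template; this is what the Security tab shows.
(Get-Acl -Path $templatePath).Access |
    Where-Object { $_.ObjectType -eq $enrollRight } |
    Select-Object IdentityReference, AccessControlType

# --- LON-RTR: steps 7-11, request a Computer certificate via the AD enrollment policy --
$result = Get-Certificate -Template Computer -CertStoreLocation Cert:\LocalMachine\My
if ($result.Status -ne 'Issued') {
    throw "Enrollment did not complete: status is $($result.Status)"
}
$result.Certificate | Format-List Subject, Issuer, NotAfter, Thumbprint
```

If `Get-Certificate` reports `Pending` rather than `Issued`, the template is set to require CA manager approval or the CA did not pick up the new ACL; the restart of CertSvc is what clears the second case.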
28. Expand Network Access Protection, expand System Health Validators, expand Windows
Security Health Validator, and then click Settings.
29. In the right pane under Name, double-click Default Configuration.
30. On the Windows 8/Windows 7/Windows Vista tab, clear all check boxes except the A firewall
is enabled for all network connections check box, and then click OK.
Deliverable 3. Capture the screen that shows the result of the policies created under Health
Policies.
30. Under IPv4, click Output Filters, and then click New.
31. In the Add IP Filter dialog box, select Source network.
32. In the IP address box, type 172.16.0.10.
33. In the Subnet mask box, type 255.255.255.255, and then click OK.
34. Click Permit only the packets listed below, and then click OK.
35. On the Configure Settings page, click Next.
36. On the Completing New Network Policy page, click Finish.
Deliverable 4. Capture the screen that shows the policies created under Network Policies.
8. On the Specify Connection Request Forwarding page, verify that Authenticate requests
on this server is selected, and then click Next.
9. On the Specify Authentication Methods page, select the Override network policy
authentication settings check box.
10. In the EAP Types area, click Add.
11. In the Add EAP dialog box, under Authentication methods, click Microsoft: Protected
EAP (PEAP), and then click OK.
12. Under EAP Types, click Add. In the Add EAP dialog box, under Authentication methods,
click Microsoft: Secured password (EAP-MSCHAP v2), and then click OK.
13. Under EAP Types, click Microsoft: Protected EAP (PEAP), and then click Edit.
14. Verify that Enforce Network Access Protection is selected, and then click OK.
Results: After this exercise, you should have installed and configured the required Network
Access Protection (NAP) components, created the health and network policies, and created the
connection request policies.
2. Click Administrative Tools, and then double-click Routing and Remote Access. If prompted, at
the Enable DirectAccess Wizard dialog box, click Cancel, and then click OK.
3. In the Routing and Remote Access console, right-click LON-RTR (local), and then click Disable
Routing and Remote Access.
4. In the Disable Routing and Remote Access dialog box, click Yes.
5. In the Routing and Remote Access console, right-click LON-RTR (local), and then click
Configure and Enable Routing and Remote Access.
6. Click Next, ensure that the Remote access (dial-up or VPN) option is selected, and then
click Next.
7. Select the VPN check box, and then click Next.
8. Click the network interface named Internet. Clear the Enable security on the selected interface
by setting up static packet filters check box, and then click Next.
9. On the Network Selection page, click Next.
10. On the IP Address Assignment page, select From a specified range of addresses, and then
click Next.
11. On the Address Range Assignment page, click New. Type 172.16.0.100 next to Start IP
address, and 172.16.0.110 next to End IP address, and then click OK. Verify that 11 IP
addresses were assigned for remote clients, and then click Next.
12. On the Managing Multiple Remote Access Servers page, verify that No, use Routing and
Remote Access to authenticate connection requests is selected, and then click Next.
Deliverable 8. Capture the screen that shows the rule created in Windows Firewall with
Advanced Security.
Results: After this exercise, you should have created a VPN server and configured inbound
communications.
4. In the MMC labeled Console1, click File, and then click Add/Remove Snap-in.
5. In the Add or Remove Snap-ins window, click NAP Client Configuration, click Add, and then
click OK.
9. Close Console1.
10. Switch to the Command Prompt window, type Services.msc, and then press Enter.
11. In Services, in the results pane, double-click Network Access Protection Agent.
12. In the Network Access Protection Agent Properties (Local Computer) dialog box, in the
Startup type list, click Automatic.
14. Press the Windows key, and then press the R key to display the Run window.
15. In the Run window, type gpedit.msc, and then press Enter.
16. In the console tree, expand Local Computer Policy, expand Computer Configuration,
expand Administrative Templates, expand Windows Components, and then click Security
Center.
17. Double-click Turn on Security Center (Domain PCs only), click Enabled, and then click OK.
10. In the Network and Sharing Center window, click Change adapter settings.
11. Right-click the Adatum VPN XYZ connection, click Properties, and then click the Security tab.
12. Under Authentication, click Use Extensible Authentication Protocol (EAP).
13. In the Use Extensible Authentication Protocol (EAP) list, select Microsoft: Protected EAP
(PEAP) (encryption enabled), and then click Properties.
14. Clear the Verify the server's identity by validating the certificate check box. (This is a
lab shortcut: with server validation off, the client completes PEAP with any endpoint that
presents any certificate, so a rogue VPN server could harvest the inner MS-CHAP v2 exchange.
In production leave this option enabled and restrict the trusted root CAs.)
15. Clear the Enable Fast Reconnect check box, and then select the Enforce Network Access
Protection check box.
16. Click OK twice to accept the settings.
17. In the Network Connections window, right-click the Adatum VPN XYZ connection, and then
click Connect/Disconnect.
18. In the Networks list on the right, click Adatum VPN XYZ, and then click Connect.
19. In Network Authentication, in the User name box, type Adatum\Administrator.
20. In the Password box, type Pa$$w0rd, and then click OK.
21. Right-click Start, click Run, type cmd.exe, and then press Enter.
22. At the command prompt, type ipconfig /all, and then press Enter. View the IP configuration.
System Quarantine State should be Not Restricted.
Deliverable 11. Capture the screen that shows the result of ipconfig /all -> Windows IP
Configuration.
23. At the command prompt, type ping 172.16.0.10, and then press Enter. This should be successful.
The client now meets the requirement for virtual private network (VPN) full connectivity.
Deliverable 12. Capture the screen that shows the result of ping 172.16.0.10.
Results: After this exercise, you should have created a new VPN connection on LON-CL2, and
have enabled and tested NAP on LON-CL2.
State the conclusions you reached from the topics covered in practice in this
lab.