70-291: MCSE Guide to Managing a Microsoft Windows Server 2003 Network, Enhanced
Chapter 10: Remote Access
Objectives
• Describe the purpose and features of Windows Server 2003 remote access capabilities
• Enable and configure Routing and Remote Access Service as a dial-up server
• Enable and configure Routing and Remote Access Service as a VPN
• Configure a remote access server
• Allow remote clients access to network resources
• Create and configure remote access policies
• Troubleshoot remote access
Guide to MCSE 70-291, Enhanced
Remote Access Overview
• Allows mobile users access to network resources on the internal network, including files, printers, databases, and e-mail
• Windows Server 2003 has the ability to be a remote access server
Dial-up Remote Access
• Oldest type of remote access
• Allows two computers to connect and transfer information using modems and a phone line
• The V.90 standard allows uploads at 33.6 Kbps, while V.92 allows uploads at 48 Kbps
• Main advantage is availability
• Main drawback is speed
VPN Remote Access
• Uses a public network to transmit private information
• Encryption is used
• Public network most commonly used is the Internet
• VPN is limited to the speed of the network access method
• Advantage: high speed and reduced maintenance
• Drawback: security risk presented by allowing access to network resources from the Internet
Enabling and Configuring a Dial-up Server
• Windows Server 2003 uses Routing and Remote Access Service to act as a dial-up server
• A modem must be installed
• Windows Server 2003 attempts to find a modem through Plug and Play by default
• A modem can be manually configured
Activity 10-1: Installing a Modem
• Objective: Install a modem on your server
• Use the Phone and Modem Options utility under Control Panel
• You are only simulating the installation of a modem here
Enabling RRAS for Dial-up Connections
• Management of RRAS is done with the Routing and Remote Access snap-in
• A red arrow indicates that RRAS is not started
• The Routing and Remote Access Wizard is used to enable and configure RRAS for the first time
• A green arrow indicates RRAS is started
Activity 10-2: Enabling RRAS as a Dial-up Server
• Objective: Configure RRAS on your server to act as a remote access server
• Use the Routing and Remote Access utility
• Right-click your server and choose the configuration option
• Proceed as the wizard instructs
Dial-up Protocols
• LAN protocols supported by RRAS for dial-up networking are TCP/IP, IPX/SPX, and AppleTalk
• Remote access protocols supported by RRAS for dial-up networking are PPP and SLIP
• The same protocols required by LAN clients are also required by dial-up clients
• Remote access protocols are only for dial-up and not VPN connections
• PPP has a number of advantages over SLIP, including the ability to automatically configure IP information
Dial-up Protocols (continued)
• PPP has several options that can be enabled to enhance performance:
  • Multilink Connections
  • Dynamic Bandwidth
  • LCP Extensions
  • Software Compression
Activity 10-3: Creating a Dial-up Connection
• Objective: Configure your server with a dial-up connection
• Start the New Connection Wizard
• Configure a SLIP: Unix Connection
Enabling and Configuring a VPN Server
• Windows Server 2003 uses RRAS as a VPN server
• All connectivity is accomplished through a regular network card
• Enabling VPN is accomplished using the Routing and Remote Access Server Setup Wizard
• Enabling packet filters should only be chosen if the server has multiple network cards, with the filtered card connected to the Internet and the unfiltered cards carrying the VPN traffic
Activity 10-4: Enabling RRAS as a VPN Server
• Objective: Enable RRAS as a VPN server
• Ensure your IP address is x.0.0.1, where x is your student number, and the subnet mask is 255.0.0.0
• Choose Disable Routing and Remote Access
• Choose Configure and Enable Remote Access
• Select VPN in the resulting wizard and proceed as instructed
VPN Protocols
• PPTP and L2TP are supported for VPN connections by Windows Server 2003
• By default, 128 PPTP ports and 128 L2TP ports are provided
• You can increase the number of ports, or you can disable a protocol by setting the number of ports to zero
• PPTP is the most popular, widely supported, and can function through NAT
• L2TP cannot provide a VPN connection alone
Activity 10-5: Modifying the Default Number of VPN Ports
• Objective: Reduce the number of PPTP and L2TP ports to 10 each
• Use the Routing and Remote Access utility
• Set maximum ports for WAN Miniport (PPTP) to ten
• Set maximum ports for WAN Miniport (L2TP) to ten
Configuring Remote Access Servers
• Default configuration is generally sufficient for day-to-day operations
• Can specify whether or not the server is a remote access server
• Can control authentication and logging
• Can specify whether or not the server is a router for IP, and if it allows IP-based remote access connections
• Can enable broadcast name resolution
Authentication Methods
• Windows Server 2003 can use a number of different authentication methods:
  • No Authentication
  • Password Authentication Protocol (PAP)
  • Shiva Password Authentication Protocol (SPAP)
  • Challenge Handshake Authentication Protocol (CHAP)
  • Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)
  • Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2)
  • Extensible Authentication Protocol (EAP)
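The difference between the password-based methods in the list above is what crosses the link. As an added illustration (not part of the course material), the Python below models PAP, where the password itself is sent, against CHAP as defined in RFC 1994, where the client sends only MD5(Identifier || secret || Challenge) and the server keeps each challenge single-use. MS-CHAP and MS-CHAPv2 use a different (NT-hash based) response calculation, so this models plain CHAP only; the user name, secret, and packet layout are constructed for the example.

```python
# Added example: PAP versus CHAP (RFC 1994) as an authenticator would see them.
# Not code from the course; names, secrets and packet layout are constructed.
import hashlib
import hmac
import os

# Constructed credential store: user name -> shared secret (bytes)
SECRETS = {b"alice": b"s3cret-pass"}


def pap_packet(username: bytes, password: bytes) -> bytes:
    """Simplified PAP Authenticate-Request: the password travels as-is."""
    return b"PAP" + bytes([len(username)]) + username + bytes([len(password)]) + password


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: MD5 over Identifier || secret || Challenge Value."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side of CHAP: issues challenges and verifies responses."""

    def __init__(self, secrets: dict):
        self._secrets = secrets
        self._outstanding = {}  # identifier -> challenge, consumed on first use

    def new_challenge(self, identifier: int) -> bytes:
        challenge = os.urandom(16)
        self._outstanding[identifier] = challenge
        return challenge

    def verify(self, identifier: int, username: bytes, response: bytes) -> bool:
        # A response for an unknown or already-used identifier is a replay: reject.
        challenge = self._outstanding.pop(identifier, None)
        if challenge is None:
            return False
        secret = self._secrets.get(username)
        if secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


def password_visible_in_pap(username: bytes, password: bytes) -> bool:
    """True if a capture of the PAP request contains the password verbatim."""
    return password in pap_packet(username, password)


def password_visible_in_chap(identifier: int, username: bytes, secret: bytes) -> bool:
    """True if a capture of the CHAP response contains the secret verbatim."""
    auth = ChapAuthenticator(SECRETS)
    challenge = auth.new_challenge(identifier)
    return secret in chap_response(identifier, secret, challenge)


def chap_round_trip(username: bytes, secret: bytes, identifier: int = 1) -> tuple:
    """Run one CHAP exchange and a replay of it; returns (first_ok, replay_ok)."""
    auth = ChapAuthenticator(SECRETS)
    challenge = auth.new_challenge(identifier)
    response = chap_response(identifier, secret, challenge)
    first = auth.verify(identifier, username, response)
    replay = auth.verify(identifier, username, response)  # challenge already consumed
    return first, replay


if __name__ == "__main__":
    print("PAP exposes password:", password_visible_in_pap(b"alice", b"s3cret-pass"))
    print("CHAP exposes secret:", password_visible_in_chap(1, b"alice", b"s3cret-pass"))
    print("CHAP (first, replay):", chap_round_trip(b"alice", b"s3cret-pass"))
```

The one-use challenge table is the part that matters operationally: a captured CHAP response is useless against a fresh challenge, whereas a captured PAP request is the credential itself, which is why PAP and "No Authentication" should stay disabled on a server reachable from the Internet.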
IP Address Management
• When dial-up and VPN clients connect to Windows Server 2003, they are assigned an IP address
• Options for DNS and WINS servers are taken from the configuration of a specified interface on the remote access server
• Windows 2000 and newer clients can send a DHCPINFORM packet after a remote access connection has been established
Allowing Client Access
• When remote access is first configured on Windows Server 2003, none of the users are granted remote access permission
• Remote access permission is controlled by their user object
• If RRAS does not participate in Active Directory, the user object is stored in the local user account database
• If RRAS belongs to an Active Directory domain, the user object is stored in the Active Directory database located on the domain controller
Activity 10-6: Allowing a User Remote Access Permission
• Objective: Create a new user and allow it remote access permission
• Use the Computer Management tool
• Add a new user
• Allow the newly created user dial-in access
Creating a VPN Client Connection
• VPN clients are usually configured on client operating systems such as Windows XP
• Windows Server 2003 can be configured as a VPN client
• VPN connections are created using the New Connection Wizard
Activity 10-7: Creating a Client VPN Connection
• Objective: Create a client VPN connection and then test it
• Use the New Connection Wizard
• Select Virtual Private Network Connection
• Allow all users to use this connection
• Enter the proper user name and password as instructed
Configuring a VPN Client Connection
• Most configuration is done with the New Connection Wizard
• You can:
  • Configure the IP address of the VPN server to which you are connecting
  • Configure whether or not an initial connection is created
  • Configure dialing and redialing options
  • Specify if password and data encryption are required
  • Configure the network configuration for the VPN connection
  • Configure an Internet connection firewall and Internet connection sharing
Remote Access Policies
• Critical in controlling and allowing remote access
• How the policies are applied depends on whether the domain is in mixed or native mode
• Policies applied to a user may vary depending on the machine you are connecting to
• To use remote access, you must understand:
  • Remote access policy components
  • Remote access policy evaluation
  • Default remote access policies
Remote Access Policy Components
• Composed of conditions, remote access permissions, and a profile
• Conditions are criteria that must be met in order for a remote access policy to apply to a connection
• The remote access permission set in a remote access policy has only two options: Deny or Grant remote access permission
• The profile contains settings that are applied to a remote access connection if the conditions have been matched and permission has been allowed
Activity 10-8: Creating a Remote Access Policy
• Objective: Create a new remote access policy on your server
• Use the Computer Management utility
• Add a new group
• Start the New Remote Access Policy Wizard
• Follow the instructions of the wizard
Remote Access Policy Evaluation
• Evaluation of conditions follows the same process for mixed mode and native mode domains
• After a condition match has been found, the permissions of the user attempting the connection must be evaluated
• Even if remote access permission is granted, it does not guarantee that a remote connection will be successful, as some profile settings may interfere
Activity 10-9: Testing Remote Policy Evaluation
• Objective: Verify the process by which remote access permission is granted
• Partner A tasks:
  • Verify that the existing VPN is functional
  • Verify the policy application
• Partner B tasks:
  • Create a new low security policy and place it first in order
  • Verify remote access permission
  • Set the Ignore-User-Dialin-Properties attribute to true
  • Delete the LowSecurity remote access policy
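The three-step evaluation described above (first policy whose conditions match, then the user object's dial-in permission, then the profile) and the ordering experiment in Activity 10-9 are easier to reason about with a model in hand. The Python below is an added example, not the course's or Microsoft's code: it encodes the evaluation order as taught here, with the user's Allow/Deny setting overriding the policy's permission unless Ignore-User-Dialin-Properties is set. The policy names, the group name "VPN-Users", and the request attributes are constructed for the example; only the authentication-method profile setting is modelled.

```python
# Added example: a model of Windows Server 2003 remote access policy evaluation.
# Not the course's code; policy names, groups and request fields are constructed.
from dataclasses import dataclass, field

# The three dial-in settings on a user object (mixed mode offers only the first two)
ALLOW, DENY, CONTROL_BY_POLICY = "allow", "deny", "control-through-policy"


@dataclass
class Policy:
    name: str
    conditions: dict                 # attribute -> required value; all must match
    grant: bool                      # the policy's own Grant/Deny permission
    profile: dict = field(default_factory=dict)   # e.g. {"auth": {"MS-CHAPv2", "EAP"}}
    ignore_user_dialin: bool = False # Ignore-User-Dialin-Properties in the profile


def conditions_match(policy: Policy, request: dict) -> bool:
    """All conditions must hold; set-valued request attributes (groups) use membership."""
    for attr, wanted in policy.conditions.items():
        actual = request.get(attr)
        if isinstance(actual, (set, frozenset)):
            if wanted not in actual:
                return False
        elif actual != wanted:
            return False
    return True


def profile_allows(policy: Policy, request: dict) -> bool:
    """Profile constraints can still reject an otherwise permitted connection."""
    allowed_auth = policy.profile.get("auth")
    return allowed_auth is None or request.get("auth") in allowed_auth


def evaluate(policies: list, request: dict, user_dialin: str) -> tuple:
    """Return ("accept"|"reject", reason) for one connection attempt."""
    for policy in policies:
        if not conditions_match(policy, request):
            continue                       # step 1: first matching policy wins
        # step 2: user object permission overrides the policy unless ignored
        if policy.ignore_user_dialin or user_dialin == CONTROL_BY_POLICY:
            permitted = policy.grant
        else:
            permitted = user_dialin == ALLOW
        if not permitted:
            return "reject", f"permission denied by '{policy.name}'"
        # step 3: profile settings
        if not profile_allows(policy, request):
            return "reject", f"profile of '{policy.name}' rejects {request.get('auth')}"
        return "accept", policy.name
    return "reject", "no policy matched"   # no match at all means reject


# Constructed policies. DEFAULT_RRAS loosely mirrors the first default policy,
# which denies by default; VPN_USERS is a typical administrator-created policy.
VPN_USERS = Policy("VPN-Users", {"groups": "VPN-Users"}, grant=True,
                   profile={"auth": {"MS-CHAPv2", "EAP"}})
DEFAULT_RRAS = Policy("Connections to Microsoft Routing and Remote Access Server",
                      {"nas_type": "rras"}, grant=False)
# Activity 10-9's LowSecurity policy: no conditions, so it matches every request.
LOW_SECURITY = Policy("LowSecurity", {}, grant=True)

ALICE_PAP = {"nas_type": "rras", "groups": {"VPN-Users"}, "auth": "PAP"}
ALICE_MSCHAP = {**ALICE_PAP, "auth": "MS-CHAPv2"}
GUEST = {"nas_type": "rras", "groups": set(), "auth": "MS-CHAPv2"}


def activity_10_9() -> dict:
    """Reproduce the effect of putting LowSecurity first, then removing it."""
    strict_first = [VPN_USERS, DEFAULT_RRAS]
    low_first = [LOW_SECURITY, VPN_USERS, DEFAULT_RRAS]
    return {
        "pap_strict_order": evaluate(strict_first, ALICE_PAP, CONTROL_BY_POLICY),
        "pap_low_first": evaluate(low_first, ALICE_PAP, CONTROL_BY_POLICY),
        "user_denied": evaluate(strict_first, ALICE_MSCHAP, DENY),
        "user_denied_but_ignored": evaluate(
            [Policy("VPN-Users", {"groups": "VPN-Users"}, True, ignore_user_dialin=True)],
            ALICE_MSCHAP, DENY),
    }


if __name__ == "__main__":
    for case, outcome in activity_10_9().items():
        print(f"{case}: {outcome}")
```

The "pap_low_first" case is the point of the activity: a permissive policy with no conditions placed at the top of the list short-circuits every stricter policy below it, because evaluation stops at the first condition match. Policy order is therefore a security control in its own right, and a periodic review of the list (and of which policies set Ignore-User-Dialin-Properties) belongs with the other access checks.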
Default Remote Access Policies
• Default policies are created to make managing remote access easier
• They reduce the amount of configuration required to have a functional remote access server
• The first default policy listed is named Connections to Microsoft Routing and Remote Access Server
• The second default policy is named Connections to other access servers
Troubleshooting Remote Access
• Providing remote access is very complex
• Most problems are due to software configuration errors introduced by users and administrators
• Best troubleshooting tools include:
  • Log files
  • Error messages
  • Network Monitor
  • Ipconfig
• Hardware errors can also cause problems
Software Configuration Errors
• The following are common software configuration errors:
  • Incorrect phone numbers and IP addresses
  • Incorrect authentication settings
  • Incorrectly configured remote access policies
  • Name resolution is not configured
  • Clients receive incorrect IP options
• The fact that the remote access server leases 10 IP addresses from DHCP at startup is NOT an error
Hardware Errors
• The following are common hardware troubleshooting tips:
  • Ensure hardware is on the Microsoft hardware compatibility list
  • Use ping to determine if the address is reachable
  • See if you can dial in to a different remote access server
  • Ensure there is a link light on the network card
Logging
• Can be configured in many places
• Check the event log if RRAS is unable to start or is not performing as expected
• Can configure detailed connection logs
Activity 10-10: Modem Logging
• Objective: Enable modem logging
• Enable the Record a Log option under the modem properties
Troubleshooting Tools
• The ping utility is used to determine if a host is reachable
• The ipconfig utility is used to confirm that the correct IP settings are being delivered to the remote access client
• Network Monitor can be used to perform packet captures, which may provide further clues as to the cause of an error
Summary
• RRAS in Windows Server 2003 can be configured as a remote access server for dial-up and VPN
• RRAS supports several LAN protocols
• A VPN server is easier to maintain than a dial-up server
• VPN connections can use PPTP or L2TP/IPSec
• L2TP does not perform encryption; IPSec is used to perform encryption
Summary (continued)
• Many authentication methods are supported by RRAS
• Windows 2000 and newer remote access clients can receive IP configuration options from a DHCP server rather than from the interface of a remote access server
• In a mixed mode Active Directory domain, remote access permission is controlled using the properties of the user object in Active Directory
• Remote access policies are composed of conditions, remote access permissions, and a profile
Summary (continued)
• The most common problem with remote access connections is improper software configuration
• A variety of logs can be configured to help you troubleshoot remote access problems
• The most common troubleshooting tools for remote access are ipconfig, ping, and Network Monitor