740 likes | 943 Views
(Skill 5). Introducing Routing and Remote Access Service (RRAS). Routing and Remote Access Service (RRAS)
E N D
(Skill 5) Introducing Routing and Remote Access Service (RRAS) Routing and Remote Access Service (RRAS) • Can be configured on a Windows Server 2003 computer to create a remote access service (RAS) server that can manage hundreds of concurrent dial-up connections or to receive Virtual Private Network (VPN) connections on the internal network • Can also be configured to provide shared Internet access using Network Address Translation (NAT) or to create a secure connection between two servers on the Internet connecting two LANs
(Skill 5) Introducing Routing and Remote Access Service (RRAS) (2) • Remote access service (RAS) server • A computer running Windows Server 2003 and RRAS • Configured specifically to function using a modem or modem pool • Users can dial in from a remote computer that is also configured with a modem • A Virtual Private Network (VPN) server is a type of remote access server
(Skill 5) Introducing Routing and Remote Access Service (RRAS) (3) Connection methods used by clients • Dial-up • Establishes a non-permanent connection between a remote access server and remote access client using an analog phone line or ISDN • Remote access server answers the call, authenticates and authorizes the caller, and transfers data • VPN • Establishes a secure point-to-point connection across private networks or a public network such as the Internet • Creates a logical link called a tunnel between a remote user and a private network
(Skill 5) Introducing Routing and Remote Access Service (RRAS) (4) • To establish a dial-up connection, Windows Server 2003 uses either PPP or SLIP WAN protocols • Point-to-Point Protocol (PPP) • Allows remote clients to access network resources • Provides error-checking to detect possible problems prior to data transfer • Serial Line Internet Protocol (SLIP) • An older remote communications protocol used by UNIX computers • Does not provide security • Transfers data without checking for errors
(Skill 5) Introducing Routing and Remote Access Service (RRAS) (5) PPP supports many networking and authentication protocols • Password Authentication Protocol (PAP) • The least secure authentication protocol • Uses plain text passwords for authentication • Shiva Password Authentication Protocol (SPAP) • An authentication protocol used to connect to a Shiva server • More secure than PAP; less secure than CHAP or MS-CHAP • Challenge Handshake Authentication Protocol (CHAP) • Sends a challenge message to the client, the client applies an algorithm to the message to calculate a hash value (a fixed-length number), and sends the value to the server • The server also calculates a value and compares it to the client’s • If the values match, a connection is established
(Skill 5) Introducing Routing and Remote Access Service (RRAS) (6) • MS-CHAP • Microsoft’s version of CHAP • The challenge message is specifically designed for Windows operating systems and one-way encryption is used • MS-CHAP2 • Authenticates both the client and the server • A different encryption key is used to transmit and receive data • Extensible Authentication Protocol (EAP) • Used to customize your method of remote access authentication for PPP connections • Supports multiple authentication methods • IEEE 802.1X • New in Windows Server 2003 is support for IEEE 802.1X • Allows wireless and Ethernet LAN connections
(Skill 5) Figure 11-38 RAS
(Skill 5) Figure 11-39 Dial-up connections
(Skill 5) Figure 11-40 SLIP and PPP
(Skill 5) Introducing Routing and Remote Access Service (RRAS) (7) • Secure connections in VPNs are created using PPTP or L2TP • Point-to-Point Tunneling Protocol (PPTP) • An extension of PPP • Installed by default during the installation of RRAS • Layer 2 Tunneling Protocol (L2TP) with IPSec • Also an extension of PPP • Combines features from PPTP and Cisco’s Layer Two Forwarding (L2F) protocol • Bandwidth Allocation Protocol (BAP) • Often referred to as Multilink PPP, is used with PPP to augment the use of multilinked devices • Multilinked devices are several ISDN lines or modem links combined to obtain greater bandwidth • Bandwidth Allocation Control Protocol (BACP) is the control protocol for BAP
(Skill 5) Figure 11-41 Tunneling
(Skill 5) Figure 11-42 Configuring BAP and BACP
(Skill 6) Understanding Types of Remote Access Connections • Types of dial-up equipment used to establish a connection between a remote network and a remote access client • POTS (Plain Old Telephone System) • ISDN (Integrated Services Digital Network) • DSL (Digital Subscriber Line) • Cable modem lines • Frame relay • Leased telecommunication lines • Modems (asynchronous and synchronous)
(Skill 7) Configuring Remote Access Services • Routing and Remote Access Service (RRAS) • Installed automatically during the installation of Windows Server 2003 • By default, RRAS is not enabled • You enable and configure RRAS to set up • A remote access server • A VPN • Network Address Translation • A secure connection between two servers • A network router
(Skill 7) Figure 11-43 The Add Server dialog box
(Skill 7) Figure 11-44 The Configuration screen in the RRAS Setup Wizard
(Skill 7) Figure 11-45 The Remote Access screen
(Skill 7) If there is more than one network connection configured on the server, this screen will open so that you can select the correct network interface Figure 11-46 The Network Selection screen
(Skill 7) RADIUS servers are used to provide centralized authentication Figure 11-47 The RADIUS Server Selection screen
(Skill 7) Figure 11-48 The Managing Multiple Remote Access Servers screen
(Skill 7) Figure 11-49 The Routing and Remote Access console
(Skill 7) Enter the IP address for the DHCP server in the Server address text box and click Add Figure 11-50 The DHCP Relay Agent Properties dialog box
(Skill 7) Configuring Remote Access Services (2) • Use the RAS Properties dialog box to configure your RAS server • General tab is used to specify whether your computer will be configured as a router, a remote access server, or both • Security tab is used to choose one of two types of authentication providers to validate remote access clients • IP tab is used to specify settings for the IP protocol such as the method for distributing IP addresses to remote clients • PPP tab is used to configure PPP (Point-to-Point Protocol) to specify whether a remote client can establish multilink connections • Logging tab is used to manage and monitor an RRAS server by selecting the types of events you want to record for accounting and security purposes
(Skill 7) Figure 11-51 The General tab in the <RAS_servername> Properties dialog box
(Skill 7) Click to open the Authentication Methods dialog box to set the authentication protocols Figure 11-52 The Security tab
(Skill 8) Creating a Remote Access Policy Remote access policies • Are used, along with user properties in some cases, to control what connection attempts will be rejected or accepted by an RRAS server • You create them to determine which users can access the network and to prevent unauthorized access • A remote access policy consists of a set of rules and conditions that must be met by a connection before a user can gain access
(Skill 8) Creating a Remote Access Policy (2) Components of a remote access policy • Conditions are the criteria a user must meet in order to be granted access • Permissions are located on the Dial-in tab in the user account Properties dialog box • Allow access permission skips the remote access policy and applies the remote access profile • Deny access permission drops the caller • Control access through Remote Access Policy permission checks the permissions in the remote access policy; if they are set to Grant remote access permission, the profile is applied • Remote access profile is a list of settings offered to the client
(Skill 8) Creating a Remote Access Policy (3) Remote access profile settings • Allowed dial-in days and times • Connection limits • Allowed dial-in media and phone numbers • Authentication settings • Encryption settings
(Skill 8) Creating a Remote Access Policy (4) • Use the Edit Dial-in Profile dialog box to configure a remote access profile • Dial-in Constraints tab is used to specify the dial-in number and the type of media to be used for a connection • IP tab is used to set the IP properties for a connection • Multilink tab is used to configure the RRAS server to handle multilink calls and to specify the number of ports a single remote client can use at one time • Authentication tab is used to set the authentication protocols (PAP, SPAP, CHAP, MS-CHAP, MS-CHAP v2, EAP) • Encryption tab is used to specify the type of encryption for remote access clients (no encryption, basic, strong, or strongest) • Advanced tab is used to configure connection attributes (RADIUS, frame types, AppleTalk zones, special filters, etc.)
(Skill 8) Attributes that can be set as conditions for a remote access policy Figure 11-53 The Select Attribute dialog box
(Skill 8) Only available in Windows 2000 native mode or Windows 2003 mode domains. When this option is set, the permissions configured in the remote access policy are checked. If they are set to Grant, the profile is applied. If they are set to Deny, the caller is disconnected. Figure 11-54 The Dial-in tab in the Properties dialog box for a user
(Skill 8) Figure 11-55 The Dial-in Constraints tab on the Edit Dial-in Profile dialog box
(Skill 8) Click to open the Add IP Filter dialog box Figure 11-56 The Inbound Filters dialog box
(Skill 8) You can create an IP packet filter to control the allowed upper-layer protocols, and the remote IP addresses with which clients are allowed to communicate Figure 11-57 The Add IP Filter dialog box
(Skill 8) Select to set Bandwidth Allocation Protocol (BAP) settings; you can dynamically drop a link if bandwidth usage by remote clients drops below a certain threshold Figure 11-58 The Multilink tab
(Skill 8) The default remote access policy denies remote access Figure 11-59 The Routing and Remote Access console
(Skill 8) Figure 11-60 The Policy Configuration Method screen
(Skill 8) Figure 11-61 Setting Day and Time Restrictions
(Skill 8) Time during which the policy will permit users to connect to the remote access server Figure 11-62 The Time of day constraints dialog box
(Skill 8) Figure 11-63 The Policy Conditions screen Figure 11-64 The Permissions screen
(Skill 8) Click to open the Inbound Filters dialog box to deny or permit particular IP packets to be processed by the network Figure 11-65 The IP tab
(Skill 8) Allows clients to connect using 40-bit encryption key MPPE or IPSec encryption Allows clients to connect using 56-bit encryption key MPPE or IPSec encryption Allows clients to connect using 128-bit encryption key MPPE or IPSec encryption Allows clients to connect without using data encryption Figure 11-66 The Encryption tab
(Skill 8) Creating a Remote Access Policy (5) • If you have multiple remote access policies, the RRAS server evaluates them in the order in which they are listed in the Routing and Remote Access console; you can change the order • In RRAS, the properties of individual user accounts or the RRAS policy is used to set which users can access the RRAS server • Your domain must be in Windows 2000 native mode or Windows Server 2003 mode to use RRAS policies • The biggest advantage of RRAS policies is ease of administration
(Skill 8) Creating a Remote Access Policy (6) • In addition to setting remote access permissions on the Dial-in tab in the Properties dialog box for a user account, you can also set callback options • Callback options define how a computer responds when a user dials in • No callback • If you select this option, there will be no callback • Once the connection is established, the computer stays connected and allows access to resources • Set by Caller (Routing and Remote Access Service only) • If you select this option, the server disconnects as soon as a user dials in and calls back on the number that the user indicates • Useful when users need to call in from different locations • Always Callback to • If you select this option, the computer calls back a specified number • Enhances security as a user can establish a connection using only one number
(Skill 8) Select to allow the user to dial-in to the RRAS server Select to allow the remote client to connect on the first call-in attempt Select to set a callback number that must always be used Figure 11-67 Dial-in properties for a user account
(Skill 9) Creating a VPN Server Virtual private network (VPN) • A method of using the public telecommunication infrastructure to securely connect two or more subnets • Access is restricted to only certain clients who are authenticated by their user account, subnet, or IP address • A VPN encapsulates, authorizes, and routes data by creating tunnels • A tunnel is a secure, logical link that is established between a remote user and a private network • The Routing and Remote Access service can be used to configure a computer to be a VPN server which can accept both remote access and demand-dial VPN connections from remote access clients
(Skill 9) Figure 11-68 Creating a VPN
(Skill 9) Figure 11-69 Creating a VPN server
(Skill 9) Figure 11-70 Selecting the network interface that connects to the Internet
(Skill 9) Creating a VPN Server (2) • After configuring the properties for a VPN server, you can create remote access policies and a remote access profile just as you can for a RAS server • By default, if configured to support VPN connections, Windows Server 2003 automatically creates 128 PPTP and 128 L2TP ports for incoming VPN connections • You can change the number of ports if your VPN server needs to support more clients for either protocol • To configure VPN clients,you must enter the FQDN or IP address for the VPN server in the New Connection Wizard