Overview of Routing and Remote Access Service (RRAS)
• When RRAS was implemented in Microsoft Windows NT 4.0, it added support for a number of features.
• Microsoft Windows 2000 builds on RRAS in Windows NT 4.0 and adds a number of new features.
• RRAS is fully integrated with Windows 2000 Server.
• RRAS is extensible with application programming interfaces (APIs) that third-party developers can use to create custom networking solutions and that vendors can use to participate in internetworking.
• The combined features of Windows 2000 RRAS allow a Windows 2000 Server computer to function as a multiprotocol router, a demand-dial router, and a remote access server.

Combining Routing and Remote Access Service
• Routing services and remote access services have been combined because of Point-to-Point Protocol (PPP), the protocol suite that is commonly used to negotiate point-to-point connections.
• Demand-dial routing connections also use PPP to provide the same kinds of services as remote access connections.
• The PPP infrastructure of Windows 2000 Server supports several types of access.

Disabling Routing and Remote Access Service
• You can use the Routing and Remote Access snap-in to disable RRAS.
• You can refresh the RRAS configuration by first disabling the service and then enabling it.

IPX Support
• The Windows 2000 Server router is a fully functional IPX router.
• Routing and Remote Access Service includes a number of features to support IPX routing.

AppleTalk
• Windows 2000 RRAS can operate as an AppleTalk router by forwarding AppleTalk packets and supporting the use of the Routing Table Maintenance Protocol (RTMP).
• Most large AppleTalk networks are AppleTalk internets that are connected by routers.
• A Windows 2000–based server can provide routing and seed routing support.

Demand-Dial Routing
• Windows 2000 provides support for demand-dial routing.
• IP and IPX can be forwarded over demand-dial interfaces over persistent or on-demand wide area network (WAN) links.

Remote Access
• RRAS enables a computer to be a remote access server.
• RRAS accepts remote access connections from remote access clients that use traditional dial-up technologies.

VPN Server
• RRAS enables a computer to be a virtual private network (VPN) server.
• RRAS supports Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP) over IP Security (IPSec).

RADIUS Client-Server
• Internet Authentication Service (IAS) is the Microsoft implementation of a Remote Authentication Dial-In User Service (RADIUS) server.
• RADIUS is a client-server protocol that enables RADIUS clients to submit authentication and accounting requests.
• The RADIUS server has access to user account information and can check remote access authentication credentials.
• RADIUS supports remote access user authentication and authorization and allows accounting data to be maintained in a central location.

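To make the client-server exchange above concrete, here is an added example (not code from the slides or from IAS) of how a RADIUS client hides the User-Password attribute in an Access-Request using the shared secret and Request Authenticator, and how the server recovers it; the secret, user name and password are constructed values.

```python
"""Added example (not from the slides): RFC 2865 section 5.2 User-Password hiding
inside an Access-Request, and the server-side recovery. All values are constructed."""
import hashlib
import os
import struct

ACCESS_REQUEST, ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 1, 2   # RADIUS code / attribute types

def _md5_xor(secret: bytes, authenticator: bytes, data: bytes, hiding: bool) -> bytes:
    # b1 = MD5(S + RA), c1 = p1 XOR b1, b2 = MD5(S + c1), c2 = p2 XOR b2, ...
    # The chaining value is always the hidden block: the output when hiding,
    # the input block itself when revealing.
    out, prev = bytearray(), authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(block, keystream))
        out += c
        prev = c if hiding else block
    return bytes(out)

def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    # NUL-pad to a multiple of 16 octets (at least one block, at most 128 octets).
    assert 0 < len(password) <= 128
    padded = password.ljust((len(password) + 15) // 16 * 16, b"\x00")
    return _md5_xor(secret, authenticator, padded, hiding=True)

def reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    return _md5_xor(secret, authenticator, hidden, hiding=False).rstrip(b"\x00")

def attribute(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value   # Type, Length, Value

def build_access_request(secret: bytes, identifier: int, username: bytes,
                         password: bytes, authenticator: bytes = b"") -> bytes:
    # Request Authenticator: 16 unpredictable octets chosen by the client per request.
    authenticator = authenticator or os.urandom(16)
    attrs = attribute(ATTR_USER_NAME, username)
    attrs += attribute(ATTR_USER_PASSWORD, hide_password(secret, authenticator, password))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs

def server_recover_password(secret: bytes, packet: bytes) -> bytes:
    # The server holds the same shared secret, so only it can unhide the password;
    # a guessable secret therefore exposes every password carried over the wire.
    authenticator, pos = packet[4:20], 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if attr_type == ATTR_USER_PASSWORD:
            return reveal_password(secret, authenticator, packet[pos + 2:pos + length])
        pos += length
    raise ValueError("no User-Password attribute")
```
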
API Support for Third-Party Components
• RRAS has fully published API sets for unicast and multicast routing protocol and administration utility support.
• Developers can write additional routing protocols and interfaces directly into the RRAS architecture.

Overview of Remote Access
• Remote access clients are either connected only to the remote access server’s resources, or they are connected to the RAS server’s resources and beyond.
• A Windows 2000 remote access server provides two remote access connection methods.

Remote Access Client
• A number of remote access clients can connect to a Windows 2000 remote access server.
• Almost any third-party PPP remote access client can connect to a Windows 2000 remote access server.
• The Microsoft remote access client can dial into a Serial Line Internet Protocol (SLIP) server.

Remote Access Service Server
• The remote access server accepts dial-up connections.
• The remote access server forwards packets between remote access clients and the network to which the remote access server is attached.

Dial-Up Equipment and WAN Infrastructure
• Public Switched Telephone Network (PSTN)
• Digital links and V.90
• Integrated Services Digital Network (ISDN)
• X.25
• Asynchronous Transfer Mode (ATM) over Asymmetric Digital Subscriber Line (ADSL)

Remote Access Protocols
• Remote access protocols control the establishment of connections and the transmission of data over WAN links.
• Windows 2000 remote access supports three types of remote access protocols: PPP, SLIP, and AsyBEUI (asynchronous NetBEUI).

LAN Protocols
• LAN protocols are the protocols used by remote access clients to access resources on the network connected to the RAS server.
• Windows 2000 remote access supports TCP/IP, IPX, AppleTalk, and NetBEUI.

Secure User Authentication
• Secure user authentication is obtained through the encrypted exchange of user credentials.
• Secure authentication is possible through the use of PPP and one of the supported authentication protocols.

Mutual Authentication
• Mutual authentication is obtained by authenticating both ends of the connection through the encrypted exchange of user credentials.
• It is possible for a RAS server not to request authentication from the remote access client.

Data Encryption
• Data encryption encrypts the data sent between the remote access client and the RAS server.
• Data encryption on a remote access connection is based on a secret encryption key known to the RAS server and the remote access client.
• Data encryption is possible over dial-up remote access links when using PPP along with EAP-TLS or MS-CHAP.
• Microsoft Windows 2000, Windows NT 4.0, Windows 98, and Windows 95 remote access clients and remote access servers support Microsoft Point-to-Point Encryption (MPPE).

Callback
• The RAS server calls the remote access client back after the user credentials have been verified.
• Callback can be configured on the server to call the remote access client back at a number specified by the user of the remote access client.
• Callback can be configured to always call back the remote access client at a specific number.

Caller ID
• Caller ID can be used to verify that the incoming call is coming from a specified phone number.
• Caller ID requires that the caller’s telephone line, phone system, RAS server’s telephone line, and the Windows 2000 driver for the dial-up equipment all support caller ID.

Remote Access Account Lockout
• The remote access account lockout feature specifies how many times remote access authentication can fail against a valid user account before further access is denied.
• The feature does not distinguish malicious attempts from mistakes by legitimate users.
• An administrator must decide on two remote access account lockout variables.

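The following added example (a model written for this page, not Windows or RRAS code) simulates the lockout counter described above. The two variables the slide refers to are modelled here under the assumed names max_denials and reset_time, and the exact reset behaviour (success clears the counter; the counter expires reset_time seconds after the last counted failure) is an assumption of the model. The second scenario shows the failure mode the slide notes: bad attempts against a valid account lock out its real owner.

```python
"""Added example (not from the slides): a model of remote access account lockout.
Variable names and the precise reset rules are assumptions of this model."""
from dataclasses import dataclass, field

@dataclass
class AccountLockout:
    max_denials: int      # failed attempts tolerated before the account is locked (assumed name)
    reset_time: float     # seconds after the last counted failure before the count clears (assumed name)
    _failures: dict = field(default_factory=dict)   # account -> (failure count, time of last failure)

    def attempt(self, account: str, credentials_ok: bool, now: float) -> str:
        count, last = self._failures.get(account, (0, 0.0))
        if count and now - last >= self.reset_time:
            count = 0                              # quiet period elapsed: history cleared
        if count >= self.max_denials:
            return "locked"                        # denied even with the right password
        if credentials_ok:
            self._failures.pop(account, None)      # success clears the counter (assumption)
            return "accepted"
        self._failures[account] = (count + 1, now) # failures while locked are not counted
        return "denied"

def owner_typo_then_success() -> list:
    """Constructed scenario: two typos, success, two more typos, success (never reaches max)."""
    lock = AccountLockout(max_denials=3, reset_time=600)
    events = [("ann", False, 0), ("ann", False, 1), ("ann", True, 2),
              ("ann", False, 3), ("ann", False, 4), ("ann", True, 5)]
    return [lock.attempt(a, ok, t) for a, ok, t in events]

def guesses_lock_out_owner() -> list:
    """Constructed scenario: three wrong guesses by someone else, then the real user with the
    correct password at t=3 (locked out), and again at t=700 after reset_time has elapsed."""
    lock = AccountLockout(max_denials=3, reset_time=600)
    events = [("bob", False, 0), ("bob", False, 1), ("bob", False, 2),
              ("bob", True, 3), ("bob", True, 700)]
    return [lock.attempt(a, ok, t) for a, ok, t in events]
```

The second scenario is why the slide says an administrator must choose both values deliberately: a low max_denials with a long reset_time turns repeated wrong passwords into a denial of service against the legitimate account, so the choice should be paired with monitoring of failed-authentication events rather than relying on lockout alone.
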
Managing Users
• Set up a master account database in the Active Directory store or on a RADIUS server.
• A master account database allows the RAS server to send the authentication credentials to a central authenticating device.

Managing Addresses
• For PPP connections, IP, IPX, and AppleTalk addressing information must be allocated to remote access clients during the establishment of the connection.
• The RAS server must be configured to allocate IP addresses, IPX network and node addresses, or AppleTalk network and node addresses.

Overview of Access Management
• Remote access connections are accepted based on the dial-in properties of a user account and the remote access policies.
• Different remote access conditions can be applied to different remote access clients, or to the same remote access client, based on the parameters of the connection attempt.
• Multiple remote access policies can be used to meet various conditions.
• RRAS and IAS use remote access policies to determine whether to accept or reject connection attempts.

Accepting a Connection Attempt
When a user attempts a connection, the connection attempt is accepted or rejected according to a defined evaluation logic.

Managing Account Lockout
• Changing settings in the registry on the authenticating computer configures the account lockout feature.
• If the RAS server is configured for Windows authentication, modify the registry on the RAS server computer.
• If the RAS server is configured for RADIUS authentication and IAS is being used, modify the registry on the IAS server.

Managing Authentication
• Windows authentication
• RADIUS authentication
• Windows and RADIUS accounting

Overview of Virtual Private Networks (VPNs)
• VPNs allow remote users to connect securely to a remote corporate server by using the routing infrastructure provided by a public internetwork, such as the Internet.
• A VPN is a point-to-point connection between the user’s computer and a corporate server.
• A VPN allows a corporation to connect with its branch offices or with other companies over a public internetwork.
• The secure connection across the internetwork appears to the user as a virtual network interface.

Connecting Networks over the Internet
• Dedicated lines
• Dial-up lines

Connecting Computers over an Intranet
• VPNs allow a department’s LAN to be physically connected to the corporate internetwork but separated from it by a VPN server.
• The VPN server does not act as a router between the corporate internetwork and the department LAN.

Overview of Tunneling
• Tunneling is a method of using an internetwork infrastructure to transfer a payload.
• Instead of sending the frame as produced by the originating node, the frame is encapsulated with an additional header, which provides routing information.
• The process of encapsulation and transmission of packets is known as tunneling.
• The logical path through which the encapsulated packets travel the transit internetwork is called a tunnel.

Tunnel Maintenance and Data Transfer
• Tunnel maintenance protocol
• Tunnel data transfer protocol

Tunnel Types
• Voluntary tunnels
• Compulsory tunnels

PPTP vs. L2TP
• PPTP requires that the transit internetwork be an IP internetwork. L2TP requires only that the tunnel media provide packet-oriented point-to-point connectivity.
• When header compression is enabled, L2TP operates with 4 bytes of overhead, compared to 6 bytes for PPTP.
• L2TP provides tunnel authentication, while PPTP does not.
• PPTP uses PPP encryption and L2TP does not.

IPSec
• Overview of IPSec
• ESP tunnel mode vs. ESP transport mode
• IPSec ESP tunnel mode packet structure

IP-IP
• IP-IP is a simple OSI layer 3 tunneling technique.
• A virtual network is created by encapsulating an IP packet with an additional IP header.
• The primary use of IP-IP is for tunneling multicast traffic over sections of a network that do not support multicast routing.
• The IP payload includes everything above IP.

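As an added example (written for this page, not RRAS code), the encapsulation described in the Overview of Tunneling and IP-IP slides is carried out on a constructed multicast datagram: the whole inner IPv4 packet, header and everything above IP, becomes the payload of an outer IPv4 header whose protocol field is 4 (IP in IP), and the receiving end checks the outer header before stripping it. The tunnel endpoint and multicast addresses are constructed documentation values.

```python
"""Added example (not from the slides): IP-IP encapsulation of a constructed
multicast datagram and the checks a tunnel endpoint performs on decapsulation."""
import socket
import struct

IPPROTO_IPIP = 4   # outer header protocol number for IP-in-IP

def checksum(header: bytes) -> int:
    # One's-complement sum of 16-bit words; over a header that already carries
    # a correct checksum the result is 0.
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    # 20-byte header without options; checksum is computed with its own field zeroed.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def encapsulate(inner_packet: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    # The inner datagram is carried unchanged: its own header stays intact behind the outer one.
    return ipv4_header(tunnel_src, tunnel_dst, IPPROTO_IPIP, len(inner_packet)) + inner_packet

def decapsulate(outer_packet: bytes) -> bytes:
    # Tunnel endpoint: verify version, protocol and checksum, then strip the outer header.
    ver_ihl, proto = outer_packet[0], outer_packet[9]
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != IPPROTO_IPIP:
        raise ValueError("not an IPv4 IP-IP packet")
    if checksum(outer_packet[:ihl]) != 0:
        raise ValueError("bad outer header checksum")
    total_len = struct.unpack("!H", outer_packet[2:4])[0]
    return outer_packet[ihl:total_len]

def demo():
    # Constructed inner packet: UDP 10.1.1.5 -> 239.1.1.1 (a multicast group) carrying "hello".
    udp = struct.pack("!HHHH", 5000, 5000, 8 + 5, 0) + b"hello"
    inner = ipv4_header("10.1.1.5", "239.1.1.1", socket.IPPROTO_UDP, len(udp)) + udp
    # Tunnel endpoints use RFC 5737 documentation addresses (constructed).
    outer = encapsulate(inner, "192.0.2.1", "198.51.100.1")
    return outer, decapsulate(outer) == inner
```
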
Managing Users
• A master account database is usually set up on a domain controller or on a RADIUS server.
• The same user account is used for both dial-in remote access and VPN remote access.

Managing Addresses and Name Servers
• The VPN server must have IP addresses available in order to assign them to the VPN server’s virtual interface and to VPN clients.
• By default, the IP addresses assigned to VPN clients are obtained through DHCP.

Managing Access
Configure the properties on the Dial-In tab of the user account’s properties and modify the remote access policy as necessary.