
Windows Server 2003 RRAS Installation, Configuration, Management and Maintenance






Presentation Transcript


  1. Windows Server 2003 RRAS Installation, Configuration, Management and Maintenance. 林寶森 jeffl@ms11.hinet.net

  2. Routing and Remote Access • Routing • DHCP Relay Agent • IGMP Router and Proxy • NAT / Basic Firewall • Open Shortest Path First (OSPF) • RIP Version 2 for Internet Protocol • Remote Access • Dial-up • VPN

  3. How Dial-up Network Access Works. Dial-up networking is the process of a remote access client making a temporary dial-up connection to a physical port on a remote access server by using the service of a telecommunications provider. [Diagram: Dial-up Client, Remote Access Server, Domain Controller; 1 Dial-up client calls the RA server; 2 RA server answers the call; 3 RA server authenticates and authorizes the client; 4 RA server transfers data]

  4. Connecting to a Virtual Private Network. [Diagram: the VPN Client connects across the Internet through a Tunnel to the VPN Server, which has one network adapter connected to the Internet and one network adapter connected to the local network (Corporate Network)]

  5. How a VPN Connection Works. A VPN extends the capabilities of a private network to encompass links across shared or public networks, such as the Internet, in a manner that emulates a point-to-point link. [Diagram: VPN Client, Transit Network, VPN Server, Domain Controller; 1 VPN client calls the VPN server; 2 VPN server answers the call; 3 VPN server authenticates and authorizes the client; 4 VPN server transfers data]

  6. Examples of Remote Access Server Using VPN. [Diagram: Remote User to Corp Net and Branch Office to Branch Office, each through a Remote Access Server; Encryption Protocols for a VPN Connection]

  7. Selecting a Tunneling Protocol. [Diagram: Client, Remote Access Server, Secure Tunnel over Existing Network, Private Network, Remote Resource Server. PPTP frame: IP Header | GRE Header | PPP Header | Encrypted PPP Payload (IP Datagram, IPX Datagram). L2TP/IPSec frame: IP Header | IPSec ESP Header | UDP Header | L2TP Header | PPP Header | PPP Payload (IP Datagram, IPX Datagram) | IPSec ESP Trailer | IPSec Auth Trailer; the UDP header through the ESP trailer is encrypted by IPSec, and the ESP header through the Auth Trailer is signed]

  8. Configuring Inbound Connections. [Screenshot: Routing and Remote Access console, Server Status, SERVERX (local); context menu: Configure and Enable Routing and Remote Access, Start Routing and Remote Access, Stop Routing and Remote Access, Remove Service, Save Configuration…, Load Configuration…, View, Refresh, Properties, Help]

  9. Configuring a Remote Access Server. [Screenshot: Routing and Remote Access console, SERVERX (local) > Ports. Name / Device / Status: WAN Miniport (PPTP) (VPN3-0 to VPN3-4), VPN, Inactive (PPTP Ports); WAN Miniport (L2TP) (VPN2-0 to VPN2-4), VPN, Inactive (L2TP Ports); Direct Parallel (LPT1), PARALLEL, Inactive and Modem (COM 3), MODEM, Inactive (Cable and Modem Ports). Other nodes: Remote Access Clients, IP Routing, Remote Access Policies]

  10. Configuring a RRAS Port. [Screenshot: Ports Properties, Devices tab: "Routing and Remote Access (RRAS) uses the devices listed below." Device / Used By / Type / Number: WAN Miniport (PPTP), Ras, PPTP, 5; WAN Miniport (L2TP), Ras, L2TP, 5; Direct Parallel, None, Parallel, 1 (ports grouped by type). Configure Device - WAN Miniport (PPTP): "You can use this device for remote access requests or demand-dial connections." Remote access connections (inbound); Demand-dial routing connections (inbound/outbound) (function of port); Phone number for this device (if applicable); "You can set a maximum port limit for a device that supports multiple ports." Maximum ports: 5 (number of virtual ports)]

  11. Configuring Server Properties. [Screenshot: LONDON (local) Properties, IP tab (other tabs: General, Security, PPP, Event Logging): Enable IP routing; Allow IP-based remote access and demand-dial connections; IP address assignment: "This server can assign IP addresses by using:" Dynamic Host Configuration Protocol (DHCP) or Static address pool (From, To, Number, IP Address, Mask; Add…, Edit…, Remove); "Use the following adapter to obtain DHCP, DNS, and WINS addresses for dial-up clients." Adapter: Corpnet]

  12. Bandwidth Allocation Protocol. [Diagram: Multilink without BAP: clients A and B hold the links to the Remote Access Server, so Client C cannot connect. Multilink with BAP: links are released on demand, so Client C can connect; the connection switches on demand]

  13. What Is a Remote Access Policy? A remote access policy is a named rule that consists of the following elements: • Conditions. One or more attributes that are compared to the settings of the connection attempt • Remote access permission. If all conditions of a remote access policy are met, remote access permission is either granted or denied • Profile. A set of properties that are applied to a connection when it is authorized (either through the user account or policy permission settings)

  14. Following Policy Evaluation Logic. [Flowchart: Connection → Conditions: RRAS matches the conditions of the remote access policy to the conditions of the connection (No → Deny; Yes → continue) → Permissions: RRAS checks the user's dial-in permission in Active Directory (Deny → Deny; Allow → continue; Use Remote Access Policy → the policy's own Allow or Deny) → Profile Evaluation: RRAS matches the connection to the settings of the user account and the policy profile (No → Deny; Yes → Allow)]
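The evaluation order in the flowchart, modelled in Python as an added example that is not part of the slides: conditions first, then the account's dial-in permission, then the profile. Users, groups, policies and profile settings are constructed, and when a policy's conditions do not match, the next policy in the list is tried, with the attempt rejected if none matches.

```python
from dataclasses import dataclass, field
# Added example (not from the slides): the policy evaluation order in the
# flowchart. Users, groups, policies and profile settings are constructed.

@dataclass
class Connection:
    user: str
    groups: set
    nas_port_type: str    # "Virtual (VPN)" or "Async (Modem)"
    auth_type: str        # e.g. "MS-CHAPv2", "EAP-TLS"
    encrypted: bool

@dataclass
class Policy:
    conditions: dict      # every condition must match (AND)
    permission: str       # "grant"/"deny", applies when the account says "policy"
    profile: dict = field(default_factory=dict)

# Dial-in permission on each user account in Active Directory (constructed).
ACCOUNT_PERMISSION = {"alice": "policy", "bob": "deny", "carol": "allow"}

POLICIES = [  # constructed sample policies, tried in this order
    Policy({"nas_port_type": "Virtual (VPN)", "groups": {"Staff"}}, "grant",
           {"require_encryption": True, "auth_types": {"MS-CHAPv2", "EAP-TLS"}}),
    Policy({"nas_port_type": "Async (Modem)", "groups": {"Admins"}}, "grant"),
]

def conditions_match(policy, conn):
    for attr, wanted in policy.conditions.items():
        ok = bool(conn.groups & wanted) if attr == "groups" else getattr(conn, attr) == wanted
        if not ok:
            return False
    return True

def profile_allows(profile, conn):
    if profile.get("require_encryption") and not conn.encrypted:
        return False
    allowed = profile.get("auth_types")
    return allowed is None or conn.auth_type in allowed

def evaluate(conn, policies=POLICIES):
    for policy in policies:
        if not conditions_match(policy, conn):
            continue                                  # no match: try the next policy
        account = ACCOUNT_PERMISSION.get(conn.user, "policy")
        if account == "deny" or (account == "policy" and policy.permission != "grant"):
            return "deny"
        return "allow" if profile_allows(policy.profile, conn) else "deny"
    return "deny"                                     # no policy matched the attempt
```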

  15. User Account Dial-in Properties. [Screenshot: Dial-In Properties tab of a user account: Remote Access Permission, Verify Caller ID, Callback Options, Assign a Static IP Address, Apply Static Routes]

  16. Remote Access Policy Conditions. [Diagram: condition attributes: User Groups, Time of Day, Authentication Type, NAS-Port Type, Caller IDs, IP Addresses]

  17. What Is a Remote Access Policy Profile? [Diagram: profile settings applied to a Remote Access User: Dial-in Constraints, Multilink, IP Properties (IP Address Assignment, IP Filters), Authentication, Encryption, Advanced Settings]

  18. Authenticating Remote Access Clients

  19. Extensible Authentication Protocols • Allows the Client and Server to Negotiate the Authentication Method That They Will Use • Supports Authentication by Using • MD5-CHAP • Transport Layer Security • Additional third-party authentication methods • Ensures Support of Future Authentication Methods Through an API

  20. Remote Authentication Dial-In User Service. [Diagram: Client → RADIUS Client (forwards requests to the RADIUS server) → Internet → RADIUS Server (authenticates requests and stores accounting information)]

  21. What Is RADIUS? RADIUS is a widely deployed protocol, based on a client/server model, that enables centralized authentication, authorization, and accounting for network access • RADIUS is the standard for managing network access for VPN, dial-up, and wireless networks • Use RADIUS to manage network access centrally across many types of network access • RADIUS servers receive and process connection requests or accounting messages from RADIUS clients or proxies

  22. What Is IAS? IAS, a Windows Server 2003 component, is an industry-standard compliant RADIUS server. IAS performs centralized authentication, authorization, auditing, and accounting of connections for VPN, dial-up, and wireless connections. You can configure IAS to support: • Dial-up corporate access • Extranet access for business partners • Internet access • Outsourced corporate access through service providers

  23. IAS as an Authentication Server • Centralized remote access policies • Authentication provider [Diagram: a Remote Office RRAS server and an ISP RRAS server each reach the Central Office IAS server across the Internet (RADIUS client and server connections); IAS authenticates against a Windows Server 2003 Domain Controller]

  24. How Centralized Authentication Works. [Diagram: 1 The remote access client dials in to a local RADIUS client (the remote access server) to gain network connectivity; 2 The RADIUS client forwards requests to a RADIUS server; 3 The RADIUS server authenticates requests (using the Domain Controller) and stores accounting information; 4 The RADIUS server communicates to the RADIUS client to grant or deny access]

  25. Wireless Solution Considerations. [Diagram: Wireless Client (Station), Wireless Access Point, IAS Server, Domain Controller, DHCP Server; considerations: Ports, Authentication, Address and Name Server Allocation]

  26. Configuring an IAS Server. [Screenshot: Add RADIUS Client wizard, Client Information: "Specify information regarding the client." Client address (IP or DNS): 192.168.1.200 (use an IP address, if possible); Client-Vendor: Microsoft (select Microsoft if using Routing and Remote Access); Client must always send the signature attribute in the request; Shared secret; Confirm shared secret]

  27. Configuring a RRAS to Use RADIUS. [Screenshot: PHOENIX (local) Properties, Security tab: "The authentication provider validates credentials for remote access clients and demand-dial routers." Authentication provider: RADIUS Authentication (change to RADIUS Authentication), Configure…, Authentication Methods…; "The accounting provider maintains a log of connection requests and sessions." Accounting provider: Windows Accounting. Add RADIUS Server dialog: Server name: Radius Server (enter the server name); Secret: Change…; Time-out (seconds): 5; Initial score: 30; Port: 1812; Always use digital signatures]
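The shared-secret checks behind "Client must always send the signature attribute" (slide 26) and "Always use digital signatures" (slide 27), as an added example that is not part of the slides: the Message-Authenticator HMAC-MD5 of RFC 2869 that the RADIUS client (RRAS) puts in an Access-Request, and the Response Authenticator MD5 of RFC 2865 with which the client checks the server's reply. The secret, identifiers and attribute contents are constructed; a request without the attribute is rejected.

```python
import hashlib, hmac, os, struct
# Added example (not from the slides): the two shared-secret integrity checks of
# RADIUS. Secret, packet identifiers and attributes are constructed sample data.

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
MESSAGE_AUTHENTICATOR = 80          # RFC 2869 attribute type, 16-byte HMAC-MD5
UDP_PORT = 1812                     # authentication port shown on the slide

def attr(atype, value):
    return struct.pack("!BB", atype, 2 + len(value)) + value

def build_access_request(secret, ident, attributes, request_auth=None):
    """Access-Request whose Message-Authenticator covers the whole packet."""
    request_auth = request_auth or os.urandom(16)
    body = attributes + attr(MESSAGE_AUTHENTICATOR, bytes(16))   # value zeroed for HMAC
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    packet = header + request_auth + body
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac

def verify_message_authenticator(secret, packet):
    """Re-compute the HMAC with the attribute value zeroed; constant-time compare."""
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2:
            return False                                # malformed attribute length
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += alen
    return False                                        # attribute absent: reject

def build_response(secret, code, request_packet, attributes=b""):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    ident, request_auth = request_packet[1], request_packet[4:20]
    header = struct.pack("!BBH", code, ident, 20 + len(attributes))
    resp_auth = hashlib.md5(header + request_auth + attributes + secret).digest()
    return header + resp_auth + attributes

def verify_response(secret, request_packet, response):
    """RRAS-side check that the reply came from a server holding the same secret."""
    expected = hashlib.md5(response[:4] + request_packet[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```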

  28. Routing and Remote Access Logging

  29. What Are Routing Interfaces? A routing interface is an interface over which IP packets are forwarded. Two types of routing interfaces: • LAN • Demand-dial

  30. What is IP Routing? • The Process of Sending Packets Through Routers to Other Networks • A Routing Table Defines Paths to Other Networks [Diagram: a Router with interfaces 131.107.8.1, 131.107.16.1 and 131.107.24.1 joins networks 131.107.8.0, 131.107.16.0 and 131.107.24.0. Routing Table of host 131.107.16.3: 131.107.16.0 via 131.107.16.3; Default via 131.107.16.1. Routing Table of the Router: 131.107.8.0 via 131.107.8.1; 131.107.16.0 via 131.107.16.1; 131.107.24.0 via 131.107.24.1]

  31. Build Routing Tables. [Diagram, steps 1 to 3: Router A (interfaces 131.107.8.1 and 131.107.16.2) and Router B (interfaces 131.107.16.1 and 131.107.24.1) join networks 131.107.8.z, 131.107.16.z and 131.107.24.z; hosts use Default Gateway 131.107.8.1 or 131.107.24.1. Routing Table A: 131.107.8.0 via 131.107.8.1; 131.107.16.0 via 131.107.16.2; 131.107.24.0 via 131.107.16.1. Routing Table B: 131.107.8.0 via 131.107.16.2; 131.107.16.0 via 131.107.16.1; 131.107.24.0 via 131.107.24.1]

  32. What Are Routing Tables? A routing table is a series of entries called routes that contain information about the location of the network IDs in the internetwork. Three types of routing table entries: • Host route • Network route • Default route

  33. Dual ISP Solution. [Diagram: Router-1 and Router-2 each connect to an ISP. One host's routing table: 0.0.0.0 via Router-1, Metric 1; 0.0.0.0 via Router-2, Metric 2. The other host's routing table: 0.0.0.0 via Router-1, Metric 2; 0.0.0.0 via Router-2, Metric 1]

  34. Example of Routing Table. [Diagram: 10.7.0.0/16 via 10.7.1.253; 10.0.0.0/8 via 10.7.1.1; Default Gateway 10.7.1.254]
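Route selection over the entries of slides 33 and 34, as an added example that is not part of the slides: the most specific prefix wins, and between two default routes the lower metric wins, which is what makes the dual-ISP failover work. The second default route (Router-2 at 10.7.1.250) is a constructed address.

```python
import ipaddress
# Added example (not from the slides): route selection over tables like the ones on the
# slides, longest prefix first, then lowest metric. The second default route is constructed.

def parse_routes(lines):
    """Parse 'destination/prefix gateway metric' lines; 0.0.0.0/0 is the default route."""
    routes = []
    for line in lines:
        dest, gateway, metric = line.split()
        routes.append((ipaddress.ip_network(dest), ipaddress.ip_address(gateway), int(metric)))
    return routes

def select_route(routes, destination):
    """Return the (network, gateway, metric) entry chosen for destination, or None."""
    addr = ipaddress.ip_address(destination)
    candidates = [r for r in routes if addr in r[0]]
    if not candidates:
        return None
    # Most specific (longest prefix) wins; among equal prefixes the lowest metric wins.
    return min(candidates, key=lambda r: (-r[0].prefixlen, r[2]))

# Slide 34's entries plus a second default route with metric 2 (dual ISP, slide 33).
EXAMPLE_TABLE = parse_routes([
    "10.7.0.0/16 10.7.1.253 1",
    "10.0.0.0/8  10.7.1.1   1",
    "0.0.0.0/0   10.7.1.254 1",   # Router-1, the default gateway on the slide
    "0.0.0.0/0   10.7.1.250 2",   # Router-2 (constructed address), used on failover
])

def next_hop(destination, routes=EXAMPLE_TABLE):
    route = select_route(routes, destination)
    return str(route[1]) if route else None

def without_gateway(routes, gateway):
    """Simulate losing one router: drop every route that points at its address."""
    return [r for r in routes if str(r[1]) != gateway]
```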

  35. Configuring Static IP Routes. [Screenshot: Static Route dialog: Interface: LondonRouter; Destination: 192.168.1.0; Network mask: 255.255.255.0; Gateway: (blank); Metric: 1; Use this route to initiate demand-dial connections]

  36. Examining the Role of Demand-Dial Routing. [Diagram: Corporate Intranet, RRAS 1, PSTN, ISDN, or Internet, RRAS 2, Remote Network]

  37. Creating a Demand-Dial Interface. [Screenshot: Routing and Remote Access console, LONDON (local) > Routing Interfaces. LAN and Demand Dial Interfaces / Type / Status / Connection State: Loopback, Loopback, Enabled, Connected; Local Area Connection, Dedicated, Enabled, Connected; Internal, Internal, Enabled, Connected. Context menu: New Demand-dial Interface…, New IP Tunnel…, Refresh, Help. Other nodes: Remote Access Policies, Remote Access Logging, IP Routing (General, Static Routes, RIP)]

  38. Static vs. Dynamic IP Routing • Static Routing • Routers do not share routing information. • Routing tables are built manually. • Dynamic Routing • Routers share routing information automatically. • Routing tables are built dynamically. • Requires a routing protocol, such as RIP or OSPF.

  39. What Are Routing Protocols? A routing protocol is a set of messages that routers use to determine the appropriate path to forward data. RIP: • Designed for small to medium-size networks • Uses a routing table • Easier to configure and manage • Does not scale well. OSPF: • Designed for large to very large networks • Uses a link-state database • Complex to configure and manage • Operates efficiently in large networks

  40. Routing and Routed Protocols • Routing Protocols • RIP, OSPF, EGP, BGP, HELLO… • SAP (IPX/SPX), RTMP (AppleTalk) • Routed Protocols • TCP/IP, IPX/SPX, AppleTalk

  41. What Is Packet Filtering? • Packet filtering specifies what type of traffic is allowed into and out of a router • A packet filter is a TCP/IP configuration setting that is designed to allow or deny inbound or outbound packets [Diagram: Router with an Inbound Filter and an Outbound Filter] Use packet filtering to: • Prevent access by unauthorized users • Prevent access to resources • Improve performance by preventing unnecessary packets from traveling over a slow connection

  42. How Packet Filters Are Applied. How filters are applied: • AND is used within a filter • OR is used between filters [Diagram: a Packet from 192.168.0.48 reaches the Router; Inbound Exclusion Filter: source 192.168.0.32, protocol UDP, port Any; Action: Drop]
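Slide 42's rule set evaluated in Python, as an added example that is not part of the slides: every criterion inside one filter must hold (AND), any filter in the list may match (OR), and the list's mode decides whether a match means drop or accept. It goes beyond the slide by covering both modes an RRAS filter list can be set to (receive all except matches, or drop all except matches); the second filter and the sample packets are constructed.

```python
import ipaddress
from dataclasses import dataclass
# Added example (not from the slides): evaluation of an RRAS-style inbound filter list.
# AND within a filter, OR between filters; the list mode decides what a match means.

@dataclass
class Filter:
    src: str = "0.0.0.0/0"     # source network; /0 means any
    dst: str = "0.0.0.0/0"     # destination network
    proto: str = "any"         # "tcp", "udp", "icmp" or "any"
    dst_port: int = 0          # 0 means any port

    def matches(self, pkt):
        # Every criterion must hold (AND within a filter).
        return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", pkt["proto"])
                and self.dst_port in (0, pkt.get("dst_port", 0)))

def decide(filters, mode, pkt):
    """mode 'exclusion': receive all packets except those that match;
    mode 'inclusion': drop all packets except those that match."""
    matched = any(f.matches(pkt) for f in filters)     # OR between filters
    if mode == "exclusion":
        return "drop" if matched else "accept"
    return "accept" if matched else "drop"

# Slide 42's exclusion filter (UDP from 192.168.0.32, any port), plus a constructed
# second filter so that the OR between filters is visible.
EXCLUSION_FILTERS = [
    Filter(src="192.168.0.32/32", proto="udp"),
    Filter(proto="tcp", dst_port=23),                 # drop inbound telnet from anywhere
]

def log_decisions(packets, filters=EXCLUSION_FILTERS, mode="exclusion"):
    """One line per packet: 'src -> dst proto/port: decision', for a filter audit log."""
    return [f"{p['src']} -> {p['dst']} {p['proto']}/{p.get('dst_port', 0)}: "
            f"{decide(filters, mode, p)}" for p in packets]
```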

  43. Configuring Network Address Translation. [Screenshot: IP Routing context menu: New Interface…, New Routing Protocol…, Show TCP/IP Information…, Show Multicast Forwarding Table…, Show Multicast Statistics…, View, Refresh, Export List…, Properties, Help. Network Address Translation (NAT) Properties, Address Assignment tab (other tabs: General, Translation, Name Resolution): "The network address translator can automatically assign IP addresses to computers on the private network by using Dynamic Host Configuration Protocol (DHCP)." Automatically assign IP addresses by using DHCP; IP address: 192.168.0.0; Mask: 255.255.255.0; Exclude…]

  44. What Is a DHCP Relay Agent? A DHCP relay agent is a computer or router configured to listen for DHCP/BOOTP broadcasts from DHCP clients and then relay those messages to DHCP servers on different subnets. [Diagram: Clients on Subnet A broadcast; the DHCP Relay Agent forwards the request as a unicast through non-RFC 1542 compliant Routers to the DHCP Server on Subnet B]

  45. DHCP Relay Agent Hop Count. The hop count threshold is the number of routers that the packet can be transmitted through before being discarded. [Diagram: client → DHCP Relay Agent 1 → DHCP Relay Agent 2 → DHCP Server, with Hop Count = 2]

  46. DHCP Relay Agent Boot Threshold. The boot threshold is the length of time in seconds that the DHCP Relay Agent will wait for a local DHCP server to respond to client requests before forwarding the request. [Diagram: DHCP Relay Agent with a Local DHCP Server; Boot Threshold = 10 seconds before the request is forwarded to DHCP Server 2 and DHCP Server 3]
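The decisions of slides 44 to 46 applied to a BOOTP/DHCP header, as an added example that is not part of the slides: the relay drops a request that has already crossed the hop-count threshold, holds one whose client has waited less than the boot threshold, and otherwise increments the hops field, records its own address in giaddr if no earlier relay did, and forwards the request as a unicast. It assumes, as RFC 1542 relays do, that the client's elapsed time is read from the header's secs field; packet contents and addresses are constructed.

```python
import socket
import struct
# Added example (not from the slides): relay-agent handling of a DHCP/BOOTP request with
# a hop-count threshold and a boot threshold. Packets and addresses are constructed.

BOOTREQUEST = 1

def build_request(xid, secs, hops=0, giaddr="0.0.0.0", chaddr=b"\x00\x11\x22\x33\x44\x55"):
    """Minimal 236-byte BOOTP header for a client broadcast (options omitted)."""
    fixed = struct.pack("!BBBB", BOOTREQUEST, 1, 6, hops)       # op, htype=Ethernet, hlen, hops
    fixed += struct.pack("!IHH", xid, secs, 0x8000)             # xid, secs, flags (broadcast)
    for addr in ("0.0.0.0", "0.0.0.0", "0.0.0.0", giaddr):      # ciaddr, yiaddr, siaddr, giaddr
        fixed += socket.inet_aton(addr)
    return fixed + chaddr.ljust(16, b"\0") + bytes(64 + 128)    # chaddr, sname, file

def relay(packet, relay_addr, servers, hop_threshold=4, boot_threshold=0):
    """Return ('forward', patched_packet, servers) or ('drop', reason, None)."""
    op, hops = packet[0], packet[3]
    secs = struct.unpack("!H", packet[8:10])[0]
    if op != BOOTREQUEST:
        return "drop", "not a BOOTREQUEST", None
    if hops >= hop_threshold:                        # already crossed too many relays
        return "drop", f"hops {hops} >= threshold {hop_threshold}", None
    if secs < boot_threshold:                        # give a local DHCP server first chance
        return "drop", f"secs {secs} < boot threshold {boot_threshold}", None
    patched = bytearray(packet)
    patched[3] = hops + 1                            # count this relay
    if patched[24:28] == bytes(4):                   # giaddr unset: record the first relay
        patched[24:28] = socket.inet_aton(relay_addr)
    return "forward", bytes(patched), list(servers)  # unicast to each configured server

def giaddr(packet):
    """Relay address the DHCP server will reply to."""
    return socket.inet_ntoa(packet[24:28])
```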

  47. Including the IGMP Routing Protocol • IGMP Router Mode Interface • IGMP Proxy Mode Interface [Diagram: a Routing and Remote Access-based Router with an IGMP Proxy Mode Interface toward the Internet (Multicast MBone Server) and an IGMP Router Mode Interface toward the Private Network; IGMP Registrations come from the Private Network and Multicast Traffic arrives from the Internet]
