windows network administration chapter 10

Posted on 24-Jan-2015


Windows Network Administration

Chapter 10 Administering Routing and Remote Access

Introduction

• Routing and Remote Access Service (RRAS)
– Enables users to connect to the LAN from a remote computer

• Windows Dial-up Networking (DUN)
– Allows a modem dial-up connection to work like a LAN interface
– Allows servers to host one or more dial-up network users
– Infrastructure:
• Modem
• POTS / ISDN

Point-to-Point Protocol (PPP)

• Allows two devices to establish a network-layer (typically TCP/IP) connection over a serial link

• Three phases: link establishment (LCP), authentication (for example CHAP), and network-layer protocol configuration (IPCP for IP)

• Protocols:
– Link Control Protocol (LCP)
– Challenge Handshake Authentication Protocol (CHAP)
– Callback Control Protocol (CBCP)
– Compression Control Protocol (CCP)
– IP Control Protocol (IPCP)
– Internet Protocol (IP)

• Encapsulation
• Multilink extensions

Three Phases of PPP

Virtual Private Networking

• VPN: Private networking over a public Internet connection
• Encrypted tunnels
• Windows Server 2003 VPN support:
– Point-to-Point Tunneling Protocol (PPTP)
– Layer 2 Tunneling Protocol (L2TP)


How VPNs Work

• Connection process:
1. Client establishes an Internet connection
2. Client sends a VPN request to the server
• Request format varies (PPTP, L2TP)
3. Client authenticates to the server
• Authentication process varies (PPTP, L2TP)
4. Client and server negotiate the VPN session
• Encryption algorithm and strength
5. Client and server perform PPP negotiation

VPNs

• VPN packets
– Encrypted by the VPN software
– Encapsulated inside regular IP packets

• VPN encapsulation (PPTP):
1. Application data packet created
2. IP stack adds TCP and IP headers: IP datagram
3. PPP header added: PPP frame
4. VPN software (MPPE) encrypts the PPP frame
5. GRE header added: encapsulated PPTP packet
6. PPTP stack adds the outer IP header (IP protocol 47, GRE) and, on a dial-up link, the link-layer PPP header
7. Packet sent
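The encapsulation steps above, worked through in code. This is an added example and not part of the course material or of any Microsoft code: it builds a PPTP data packet (inner IP datagram, PPP header, MPPE-style encryption, enhanced GRE header per RFC 2637, outer IP header) and then decapsulates it the way a VPN server or a packet sniffer would. The inner datagram, addresses, call ID and session key are constructed for the demo; real MPPE derives and re-keys its RC4 session key from the MS-CHAP exchange, which is deliberately not modelled.

```python
import socket
import struct
from typing import Optional

IPPROTO_GRE = 47
GRE_PROTO_PPP = 0x880B      # GRE protocol type for PPP (RFC 2637)
PPP_PROTO_IP = 0x0021       # PPP protocol number for IPv4
PPP_PROTO_MPPE = 0x00FD     # PPP protocol number for MPPE-encrypted data (RFC 3078)
GRE_FLAG_K, GRE_FLAG_S, GRE_FLAG_A, GRE_VER1 = 0x2000, 0x1000, 0x0080, 0x0001
MPPE_ENCRYPTED = 0x4000     # MPPE header "encrypted" bit; low 12 bits are the coherency count


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4, the stream cipher MPPE uses (key derivation is not modelled here)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def ip_checksum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def pptp_encapsulate(inner_ip: bytes, src: str, dst: str, call_id: int,
                     seq: int, key: Optional[bytes]) -> bytes:
    """Steps 3 to 6 of the slide: PPP header, MPPE encryption, GRE header, outer IP header."""
    # Step 3: PPP frame; address/control fields omitted, as RFC 2637 allows.
    ppp = struct.pack("!H", PPP_PROTO_IP) + inner_ip
    if key is not None:
        # Step 4: MPPE replaces the frame with protocol 0x00FD, an MPPE header and the
        # ciphertext; the original PPP protocol number is encrypted with the datagram.
        ppp = struct.pack("!HH", PPP_PROTO_MPPE, MPPE_ENCRYPTED | (seq & 0x0FFF)) + rc4(key, ppp)
    # Step 5: enhanced GRE header (K and S set, version 1), payload length, call ID, sequence.
    gre = struct.pack("!HHHHL", GRE_FLAG_K | GRE_FLAG_S | GRE_VER1, GRE_PROTO_PPP,
                      len(ppp), call_id, seq) + ppp
    # Step 6: outer IP header with protocol 47. A dial-up link would add its own PPP framing.
    return ipv4_header(src, dst, IPPROTO_GRE, len(gre)) + gre


def pptp_decapsulate(wire: bytes, key: Optional[bytes]) -> dict:
    """Reverse the encapsulation, validating each layer as a VPN server or sniffer would."""
    if wire[0] >> 4 != 4 or wire[9] != IPPROTO_GRE:
        raise ValueError("not an IPv4 packet carrying GRE")
    gre = wire[(wire[0] & 0x0F) * 4:]
    flags, ptype, plen, call_id = struct.unpack("!HHHH", gre[:8])
    if (flags & 0x7) != GRE_VER1 or ptype != GRE_PROTO_PPP or not flags & GRE_FLAG_K:
        raise ValueError("not a PPTP enhanced-GRE packet")
    off, seq, ack = 8, None, None
    if flags & GRE_FLAG_S:
        seq = struct.unpack("!L", gre[off:off + 4])[0]
        off += 4
    if flags & GRE_FLAG_A:
        ack = struct.unpack("!L", gre[off:off + 4])[0]
        off += 4
    ppp = gre[off:off + plen]
    ppp_proto = struct.unpack("!H", ppp[:2])[0]
    encrypted = ppp_proto == PPP_PROTO_MPPE
    if encrypted:
        mppe_hdr = struct.unpack("!H", ppp[2:4])[0]
        if not mppe_hdr & MPPE_ENCRYPTED or key is None:
            raise ValueError("MPPE frame with encrypted bit clear, or no session key")
        ppp = rc4(key, ppp[4:])              # recovers original PPP protocol + datagram
        ppp_proto = struct.unpack("!H", ppp[:2])[0]
    return {"call_id": call_id, "seq": seq, "ack": ack, "encrypted": encrypted,
            "ppp_proto": ppp_proto, "payload": ppp[2:]}


# Constructed sample: inner datagram 10.0.0.5 -> 10.0.0.9, UDP, 8-byte payload.
INNER_IP = ipv4_header("10.0.0.5", "10.0.0.9", 17, 8) + b"\x00\x35\x00\x35\x00\x08\x00\x00"
SESSION_KEY = b"constructed-demo-key"   # placeholder, not a real MPPE-derived key

if __name__ == "__main__":
    wire = pptp_encapsulate(INNER_IP, "198.51.100.7", "203.0.113.2", 1, 42, SESSION_KEY)
    print("inner addresses hidden on the wire:", INNER_IP[12:20] not in wire)
    print(pptp_decapsulate(wire, SESSION_KEY))
```

Run with a key and the outer packet shows only the outer IP header, the GRE header and PPP protocol 0x00FD; run with `key=None` and the inner addresses and ports are readable in the clear, which is what a capture of an unencrypted tunnel looks like.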

VPN Encapsulation

PPTP and L2TP

• PPTP
– Encryption using Microsoft Point-to-Point Encryption (MPPE), an RC4 stream cipher keyed from the MS-CHAP credentials
– Authenticates to the server with a challenge/response process (MS-CHAP or MS-CHAPv2)
– Caveat: MS-CHAPv2 is considered broken and the MPPE keys derive from it, so PPTP should not be relied on for confidentiality; prefer L2TP/IPsec

• L2TP
– More general purpose than PPTP
– No native encryption or authentication
– Used with IPsec for security
• IKE (ISAKMP/Oakley) negotiates the IPsec security associations before the L2TP tunnel is established; the L2TP traffic (UDP port 1701) then travels inside IPsec ESP

Configuring Routing

• Windows Server 2003 RRAS
– Fully functional multiprotocol router
– To use it as an additional router:
• Activate and configure RRAS
– To use it as an IP router:
• Add demand-dial interfaces for demand dialing
• Give each routable interface an IP address
• Install and configure routing protocols on the interfaces
– RRAS Setup Wizard

RRAS Snap-in: Network Interfaces Node

Local Area Connection Properties

Setting Up Demand-Dial Interfaces

• Demand-Dial Interface Wizard
– Interface Name page
– Connection Type page
• Physical device or VPN connection
– Depending on the connection type:
• Select a Device page
• VPN Type page
– Network Address / Phone Number page
– Protocols and Security page
– Dial-In Credentials page
– Dial-Out Credentials page

Demand-Dial Interface Wizard


Configuring IP Routing Properties

Managing Static Routes

• Create static routes to populate the routing table

• Static routes:
– Combine a network address with a subnet mask to describe a set of destinations

• To create a static route:
– Static Route dialog box, or
– route add command (the -p switch makes the route persistent across reboots):

route [-p] add destination MASK netmask gateway METRIC metric IF interface
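How a static route entry behaves once it is in the table, as an added example (not from the course material): it parses `route add` command lines into destination, mask, gateway, metric and interface, rejects a destination whose host bits are set under its mask (Windows refuses such a route as well), and resolves a destination address the way the IP stack does, by longest matching prefix and then lowest metric. The routing table and addresses are constructed for the demo.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class StaticRoute:
    network: ipaddress.IPv4Network   # destination combined with its mask
    gateway: ipaddress.IPv4Address
    metric: int
    interface: int


def parse_route_add(cmd: str) -> StaticRoute:
    """Parse 'route [-p] add destination MASK netmask gateway [METRIC n] [IF n]'.
    Keywords are case-insensitive as on Windows; a missing MASK means a host route."""
    tok = cmd.split()
    if tok[0].lower() != "route":
        raise ValueError("not a route command")
    i = 1
    if tok[i] == "-p":                 # persistent route; does not change the parsed entry
        i += 1
    if tok[i].lower() != "add":
        raise ValueError("only 'route add' is handled here")
    dest, i = tok[i + 1], i + 2
    mask = "255.255.255.255"
    if tok[i].lower() == "mask":
        mask, i = tok[i + 1], i + 2
    gateway, i = ipaddress.IPv4Address(tok[i]), i + 1
    metric, iface = 1, 0
    while i < len(tok):
        kw, val = tok[i].lower(), int(tok[i + 1])
        if kw == "metric":
            metric = val
        elif kw == "if":
            iface = val
        else:
            raise ValueError(f"unexpected token {tok[i]!r}")
        i += 2
    # strict=True raises ValueError when the destination has host bits set under the mask.
    network = ipaddress.IPv4Network(f"{dest}/{mask}", strict=True)
    return StaticRoute(network, gateway, metric, iface)


def route_is_valid(cmd: str) -> bool:
    """True when the command parses and the destination is aligned to its mask."""
    try:
        parse_route_add(cmd)
        return True
    except (ValueError, IndexError):
        return False


def lookup(table: List[StaticRoute], destination: str) -> Optional[StaticRoute]:
    """Longest-prefix match; among equal prefixes the lowest metric wins.
    Returns None when nothing, not even a default route, matches."""
    addr = ipaddress.IPv4Address(destination)
    candidates = [r for r in table if addr in r.network]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.metric))


# Constructed routing table: a default route plus overlapping internal routes.
ROUTE_COMMANDS = [
    "route -p add 0.0.0.0 mask 0.0.0.0 203.0.113.1 metric 20 if 1",
    "route -p add 10.0.0.0 mask 255.0.0.0 192.168.0.254 metric 10 if 2",
    "route -p add 10.1.0.0 mask 255.255.0.0 192.168.0.253 metric 30 if 2",
    "route -p add 10.1.0.0 mask 255.255.0.0 192.168.0.252 metric 5 if 2",
]
ROUTING_TABLE = [parse_route_add(c) for c in ROUTE_COMMANDS]

if __name__ == "__main__":
    for dst in ("10.1.2.3", "10.5.0.1", "8.8.8.8"):
        r = lookup(ROUTING_TABLE, dst)
        print(f"{dst:>10} -> {r.network} via {r.gateway} metric {r.metric} if {r.interface}")
```

The two 10.1.0.0/16 entries show that the metric only breaks ties between routes of the same prefix length; the /16 with metric 30 still beats the /8 with metric 10 because the prefix is longer.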


Configuring Remote Access

• General configuration of RAS
• Server Properties dialog box
– General tab: Whether to allow remote connections
– Protocol-specific tabs: Which protocols to support and their settings
– Security tab: Authentication and accounting providers (Windows or RADIUS) and permitted authentication methods
– PPP tab: Which PPP options (multilink, LCP extensions, software compression) clients may use
– Logging tab: Level of log detail


Configuring VPN Access

• VPN server:
– Sits between the internal network and the Internet
– Should not be exposed without protection: place it in a perimeter network, or behind the Internet firewall, with packet filters that admit only VPN traffic to it
• PPTP: TCP port 1723 and IP protocol 47 (GRE)
• L2TP/IPsec: UDP ports 500 (IKE) and 4500 (NAT-T), and IP protocol 50 (ESP)


• Common configuration: Two NICs
– One connects to the Internet
– The other connects either to:
• The private network, OR
• An intermediate (perimeter) network connected to the private network

• Converting an RRAS server to handle VPN traffic


Configuring a VPN

• Adjust the number and kind of VPN ports
• Enable or disable PPTP or L2TP
• Ports Properties dialog box
– List of hardware ports
– Two WAN miniport devices (virtual ports):
• PPTP
• L2TP
– Configure Device dialog box


Remote Access Security

• To control who uses remote access services:
– Set the remote access permission on individual accounts (Dial-in tab)
– Create and manage remote access policies that apply to groups of users

Configuring User Access

• Profile:
– User account information
– Typically stored in Active Directory

• Two user management snap-ins:
– If the RRAS server is part of an Active Directory domain:
• Active Directory Users and Computers
– If the RRAS server is not part of an Active Directory domain:
• Local Users and Groups

• Dial-in tab of the user's Properties dialog box


Remote Access Policies

• Remote access policies
– Determine who can connect
– Each user has a single policy applied when connecting
– Three components:
• Conditions
• Permissions
• Profile
– Ordering and application of policies:
• The caller must match all conditions of a policy
• The first policy to match the caller is used; if the connection then fails that policy's permission or profile checks it is rejected, and later policies are not tried
• If no policy matches, the connection is rejected

Configuring Remote Access Policies

• RRAS snap-in
– Remote Access Policies folder
– New Remote Access Policy Wizard
• Policy Configuration Method page
• Policy Conditions page
– Select Attribute dialog box
• Permissions page


Using Remote Access Profiles

• Remote access profiles
– Settings that determine what happens during call setup and completion

• Each policy has an associated profile
– The profile determines settings for connections that meet the policy conditions

• Profile Properties dialog box
– Dial-In Constraints tab
– IP tab
– Multilink tab
– Authentication tab
– Encryption tab
– Advanced tab
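The policy evaluation order described in the Remote Access Policies and Remote Access Profiles sections, as an added example that is not part of the course material: conditions are matched in policy order, the first match wins, the account's Dial-in setting overrides the policy's permission unless it is set to control access through policy, and the matched policy's profile (here the Authentication and Encryption tabs) is enforced before the connection is accepted. The policies, group names and connection attempts are constructed for the demo, and the profile is reduced to the two constraints shown.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Dial-in tab setting on the user account; overrides the policy's Permissions page
# unless it is "Control access through Remote Access Policy".
ALLOW, DENY, BY_POLICY = "allow", "deny", "policy"


@dataclass
class RemoteAccessPolicy:
    name: str
    # Conditions page: attribute name -> predicate over the attempt's value; ALL must match.
    conditions: Dict[str, Callable[[object], bool]]
    grant: bool                                   # Permissions page: grant or deny
    profile: Dict[str, object] = field(default_factory=dict)   # Authentication/Encryption tabs


def evaluate(policies: List[RemoteAccessPolicy], user_dialin: str,
             attempt: Dict[str, object]) -> Tuple[bool, Optional[str], str]:
    """Return (accepted, matching policy name, reason) in the order RRAS applies the checks."""
    for policy in policies:
        if not all(attr in attempt and test(attempt[attr])
                   for attr, test in policy.conditions.items()):
            continue                 # caller must match every condition; otherwise try the next
        # First matching policy is used; later policies are never consulted, even on rejection.
        if user_dialin == DENY or (user_dialin == BY_POLICY and not policy.grant):
            return False, policy.name, "remote access permission denied"
        allowed_auth = policy.profile.get("auth_methods")
        if allowed_auth and attempt.get("auth") not in allowed_auth:
            return False, policy.name, "authentication method not permitted by profile"
        if attempt.get("encryption_bits", 0) < policy.profile.get("min_encryption_bits", 0):
            return False, policy.name, "encryption weaker than profile requires"
        return True, policy.name, "accepted"
    return False, None, "no policy matched; connection rejected"


# Constructed policies, in the order they appear in the Remote Access Policies folder.
POLICIES = [
    RemoteAccessPolicy(
        "Block contractors from VPN",
        {"Windows-Groups": lambda groups: "Contractors" in groups,
         "NAS-Port-Type": lambda port: port == "Virtual (VPN)"},
        grant=False),
    RemoteAccessPolicy(
        "VPN users",
        {"Windows-Groups": lambda groups: "VPN Users" in groups,
         "NAS-Port-Type": lambda port: port == "Virtual (VPN)"},
        grant=True,
        profile={"auth_methods": {"MS-CHAP-v2", "EAP-TLS"}, "min_encryption_bits": 128}),
    # Catch-all at the bottom, like the default policy the wizard leaves in place.
    RemoteAccessPolicy("Connections to other access servers",
                       {"Day-And-Time-Restrictions": lambda _: True}, grant=False),
]

# Constructed connection attempt: a VPN user authenticating with MS-CHAPv2 and 128-bit MPPE.
VPN_ATTEMPT = {"NAS-Port-Type": "Virtual (VPN)", "Windows-Groups": {"VPN Users"},
               "auth": "MS-CHAP-v2", "encryption_bits": 128, "Day-And-Time-Restrictions": "any"}

if __name__ == "__main__":
    print(evaluate(POLICIES, BY_POLICY, VPN_ATTEMPT))
    print(evaluate(POLICIES, BY_POLICY, dict(VPN_ATTEMPT, encryption_bits=40)))
    contractor = dict(VPN_ATTEMPT, **{"Windows-Groups": {"VPN Users", "Contractors"}})
    print(evaluate(POLICIES, BY_POLICY, contractor))
```

Two things to notice when running it: a contractor who is also in VPN Users is stopped by the first policy even though the second would have admitted them, because matching stops at the first policy whose conditions fit; and a 40-bit connection that matches "VPN users" is rejected outright rather than falling through to the catch-all, because the profile is enforced on the matched policy only.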
