Overview of Routing and Remote Access Service (RRAS). When RRAS was implemented in Microsoft Windows NT 4.0, it added support for a number of features. Microsoft Windows 2000 builds on RRAS in Windows NT 4.0 and adds a number of new features. RRAS is fully integrated with Windows 2000 Server. - PowerPoint PPT Presentation
Overview of Routing and Remote Access Service (RRAS)
• When RRAS was implemented in Microsoft Windows NT 4.0, it added support for a number of features.
• Microsoft Windows 2000 builds on RRAS in Windows NT 4.0 and adds a number of new features.
• RRAS is fully integrated with Windows 2000 Server.
• RRAS is extensible with application programming interfaces (APIs) that third-party developers can use to create custom networking solutions and that vendors can use to participate in internetworking.
• The combined features of Windows 2000 RRAS allow a Windows 2000 Server computer to function as a multiprotocol router, a demand-dial router, and a remote access server.
Combining Routing and Remote Access Service
• Routing services and remote access services have been combined because of Point-to-Point Protocol (PPP), which is the protocol suite that is commonly used to negotiate point-to-point connections.
• Demand-dial routing connections also use PPP to provide the same kinds of services as remote access connections.
• The PPP infrastructure of Windows 2000 Server supports several types of access.
Installation and Configuration
Disabling Routing and Remote Access Service
• You can use the Routing and Remote Access snap-in to disable RRAS.
• You can refresh the RRAS configuration by first disabling the service and then enabling it.
Authentication and Authorization
IPX Support
• The Windows 2000 Server router is a fully functional IPX router.
• Routing and Remote Access Service includes a number of features to support IPX routing.
AppleTalk
• Windows 2000 RRAS can operate as an AppleTalk router by forwarding AppleTalk packets and supporting the use of RTMP.
• Most large AppleTalk networks are AppleTalk internets that are connected by routers.
• A Windows 2000–based server can provide routing and seed routing support.
Demand-Dial Routing
• Windows 2000 provides support for demand-dial routing.
• IP and IPX can be forwarded over demand-dial interfaces over persistent or on-demand wide area network (WAN) links.
Remote Access
• RRAS enables a computer to be a remote access server.
• RRAS accepts remote access connections from remote access clients that use traditional dial-up technologies.
VPN Server
• RRAS enables a computer to be a virtual private network (VPN) server.
• RRAS supports Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP) over IP Security (IPSec).
RADIUS Client-Server
• Internet Authentication Service (IAS) is the Microsoft implementation of a Remote Authentication Dial-In User Service (RADIUS) server.
• RADIUS is a client-server protocol that enables RADIUS clients to submit authentication and accounting requests.
• The RADIUS server has access to user account information and can check remote access authentication credentials.
• RADIUS supports remote access user authentication and authorization and allows accounting data to be maintained in a central location.
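The client-server exchange described on this slide, as an added example that is not part of the original presentation or of any Microsoft code: the RAS server (acting as RADIUS client) sends an Access-Request whose User-Password is hidden with the shared secret as specified in RFC 2865, the RADIUS server checks the credentials against its account store and answers with an Access-Accept or Access-Reject signed by the Response Authenticator, and the client verifies that signature before trusting the reply. The shared secret, user store, NAS address and identifier value are constructed for the example.

```python
"""RFC 2865 Access-Request / Access-Accept exchange, both sides in one file (added example)."""
import hashlib
import hmac
import secrets
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
HEADER = struct.Struct("!BBH")   # Code, Identifier, Length; a 16-byte Authenticator follows


def _attr(attr_type: int, value: bytes) -> bytes:
    """One attribute TLV: Type, Length (header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(data: bytes) -> dict:
    """Decode attribute TLVs, refusing malformed lengths instead of reading past them."""
    attrs, pos = {}, 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        attrs[attr_type] = data[pos + 2:pos + length]
        pos += length
    return attrs


def _password_xor(data: bytes, secret: bytes, authenticator: bytes, hiding: bool) -> bytes:
    """RFC 2865 5.2: b1 = MD5(S+RA), c1 = p1 XOR b1, b_i = MD5(S + c_(i-1)); chain on ciphertext."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], keystream))
        out += block
        prev = block if hiding else data[i:i + 16]
    return out


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    padded = password + b"\x00" * (-len(password) % 16)
    return _password_xor(padded, secret, authenticator, hiding=True)


def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    if not hidden or len(hidden) % 16:
        raise ValueError("User-Password must be a non-empty multiple of 16 bytes")
    return _password_xor(hidden, secret, authenticator, hiding=False).rstrip(b"\x00")


def build_access_request(ident, username, password, nas_ip, secret, authenticator=None):
    """RADIUS client (the RAS server): Access-Request carrying a hidden User-Password."""
    authenticator = authenticator or secrets.token_bytes(16)   # must be unpredictable per request
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return HEADER.pack(ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def server_handle(packet: bytes, secret: bytes, user_db: dict) -> bytes:
    """RADIUS server (IAS role): check the credentials, answer with a signed Accept or Reject."""
    code, ident, length = HEADER.unpack_from(packet)
    if code != ACCESS_REQUEST or length < 20 or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    request_auth = packet[4:20]
    attrs = parse_attributes(packet[20:length])
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    hidden = attrs.get(ATTR_USER_PASSWORD, b"\x00" * 16)
    supplied = recover_password(hidden, secret, request_auth)
    stored = user_db.get(user)
    ok = stored is not None and hmac.compare_digest(supplied, stored)
    header = HEADER.pack(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret); no attributes here
    return header + hashlib.md5(header + request_auth + secret).digest()


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Client side: accept a reply only if it is bound to our request by the Response Authenticator."""
    if len(response) < 20:
        return False
    _code, ident, length = HEADER.unpack_from(response)
    if ident != request[1] or length != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def exchange(username, password, secret, user_db, authenticator=None):
    """Run both ends in-process; returns (reply code, reply authenticator verified)."""
    request = build_access_request(7, username, password, "192.0.2.10", secret, authenticator)
    response = server_handle(request, secret, user_db)
    return response[0], verify_response(response, request, secret)
```

Calling `exchange("alice", "correct horse battery staple", b"constructed-shared-secret", {"alice": b"correct horse battery staple"})` returns `(2, True)`: an Access-Accept whose Response Authenticator checks out. The verification step is the part worth keeping in mind operationally: a RADIUS client that skips it will accept any reply carrying the right Identifier, which is why the shared secret and the per-request Request Authenticator both matter.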
API Support for Third-Party Components
• RRAS has fully published API sets for unicast and multicast routing protocol and administration utility support.
• Developers can write additional routing protocols and interfaces directly into RRAS architecture.
Overview of Remote Access
• Remote access clients are either connected to only the remote access server’s resources, or they are connected to the RAS server’s resources and beyond.
• A Windows 2000 remote access server provides two remote access connection methods.
Dial-Up Remote Access Connections
Remote Access Client
• A number of remote access clients can connect to a Windows 2000 remote access server.
• Almost any third-party PPP remote access client can connect to a Windows 2000 remote access server.
• The Microsoft remote access client can dial into a Serial Line Interface Protocol (SLIP) server.
Remote Access Service Server
• The remote access server accepts dial-up connections.
• The remote access server forwards packets between remote access clients and the network to which the remote access server is attached.
Dial-Up Equipment and WAN Infrastructure
• Public Switched Telephone Network (PSTN)
• Digital links and V.90
• Integrated Services Digital Network (ISDN)
• X.25
• ATM over ADSL
Public Switched Telephone Network (PSTN)
Digital Links and V.90
Asynchronous Transfer Mode (ATM) over Asymmetric Digital Subscriber Line (ADSL)
Remote Access Protocols
• Remote access protocols control the establishment of connections and the transmission of data over WAN links.
• Windows 2000 remote access supports three types of remote access protocols: PPP, SLIP, and AsyBEUI.
LAN Protocols
• LAN protocols are the protocols used by remote access clients to access resources on the network connected to the RAS server.
• Windows 2000 remote access supports TCP/IP, IPX, AppleTalk, and NetBEUI.
Secure User Authentication
• Secure user authentication is obtained through the encrypted exchange of user credentials.
• Secure authentication is possible through the use of PPP and one of the supported authentication protocols.
Mutual Authentication
• Mutual authentication is obtained by authenticating both ends of the connection through the encrypted exchange of user credentials.
• It is possible for a RAS server not to request authentication from the remote access client.
Data Encryption
• Data encryption encrypts the data sent between the remote access client and the RAS server.
• Data encryption on a remote access connection is based on a secret encryption key known to the RAS server and remote access client.
• Data encryption is possible over dial-up remote access links when using PPP along with EAP-TLS or MS-CHAP.
• Microsoft Windows 2000, Windows NT 4.0, Windows 98, and Windows 95 remote access clients and remote access servers support Microsoft Point-to-Point Encryption (MPPE).
Callback
• The RAS server calls the remote access client after the user credentials have been verified.
• Callback can be configured on the server to call the remote access client back at a number specified by the user of the remote access client.
• Callback can be configured to always call back the remote access client at a specific number.
Caller ID
• Caller ID can be used to verify that the incoming call is coming from a specified phone number.
• Caller ID requires that the caller’s telephone line, phone system, RAS server’s telephone line, and the Windows 2000 driver for the dial-up equipment support caller ID.
Remote Access Account Lockout
• The remote access account lockout feature is used to specify how many times a remote access authentication can fail against a valid user account before access is denied.
• The feature does not distinguish malicious attempts from authentic users.
• An administrator must decide on two remote access account lockout variables.
Managing Users
• Set up a master account database in the Active Directory store or on a RADIUS server.
• A master account database allows the RAS server to send the authentication credentials to a central authenticating device.
Managing Addresses
• For PPP connections, IP, IPX, and AppleTalk addressing information must be allocated to remote access clients during the establishment of the connection.
• The RAS server must be configured to allocate IP addresses, IPX network and node addresses, or AppleTalk network and node addresses.
Overview of Access Management
• Remote access connections are accepted based on the dial-in properties of a user account and the remote access policies.
• Different remote access conditions can be applied to different remote access clients or to the same remote access client based on the parameters of the connection attempt.
• Multiple remote access policies can be used to meet various conditions.
• RRAS and IAS use remote access policies to determine whether to accept or reject connection attempts.
Access by User Account
Access by Policy
Accepting a Connection Attempt
When a user attempts a connection, the connection attempt is accepted or rejected based on a specific logic.
Managing Account Lockout
• Changing settings in the registry on the authenticating computer configures the account lockout feature.
• If the RAS server is configured for Windows authentication, modify the registry on the RAS server computer.
• If the RAS server is configured for RADIUS authentication and IAS is being used, modify the registry on the IAS server.
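The behaviour described under Remote Access Account Lockout and Managing Account Lockout, as an added simulation that is not part of the original presentation or of Windows itself. The two administrator-chosen variables are modelled here as a failure threshold and a reset window; those names, and measuring the window from the most recent failure, are assumptions made for this example rather than the registry values Windows 2000 reads. The scenario shows the point the slides make: because the counter cannot tell an attacker from the account's owner, a few bad guesses against a valid account lock out the real user until the window passes, while guesses against a nonexistent account are never counted.

```python
"""Simulation of the remote access account lockout counter (added example, not RRAS code)."""
import hmac
from dataclasses import dataclass


@dataclass
class _Counter:
    failures: int = 0
    last_failure: float = 0.0


class RemoteAccessLockout:
    """Tracks failed PPP authentications per valid account, the way the slides describe.

    `max_denials` (failures allowed before the account is refused) and `reset_seconds`
    (how long the counter is kept, measured from the last failure) are hypothetical names
    chosen for this example; they are not the Windows 2000 registry values.
    """

    def __init__(self, max_denials: int, reset_seconds: float, accounts: dict):
        self.max_denials = max_denials
        self.reset_seconds = reset_seconds
        self.accounts = {u: p.encode() for u, p in accounts.items()}  # constructed user store
        self.counters: dict = {}
        self.events: list = []   # lockout events: what a defender would want in the event log

    def attempt(self, user: str, password: str, now: float) -> str:
        """Return 'accept', 'reject' or 'locked' for one connection attempt at time `now`."""
        if user not in self.accounts:
            return "reject"                 # unknown account: never counted, never locked
        c = self.counters.setdefault(user, _Counter())
        if c.failures and now - c.last_failure >= self.reset_seconds:
            c.failures = 0                  # reset window elapsed: counter expires
        if c.failures >= self.max_denials:
            return "locked"                 # refused even if these credentials are right
        if hmac.compare_digest(password.encode(), self.accounts[user]):
            c.failures = 0                  # a successful authentication clears the counter
            return "accept"
        c.failures += 1
        c.last_failure = now
        if c.failures == self.max_denials:
            self.events.append("lockout user=%s t=%d" % (user, now))
        return "reject"


def run_scenario():
    """Three bad guesses against a valid account lock out its real owner until the window passes."""
    svc = RemoteAccessLockout(max_denials=3, reset_seconds=600, accounts={"alice": "s3cret"})
    decisions = [svc.attempt("alice", "guess%d" % t, now=t) for t in range(3)]   # wrong passwords
    decisions.append(svc.attempt("alice", "s3cret", now=10))        # real user, correct password
    decisions.append(svc.attempt("alice", "s3cret", now=10 + 600))  # after the reset window
    decisions.append(svc.attempt("nobody", "x", now=20))            # nonexistent account
    return decisions, svc.events


if __name__ == "__main__":
    for line in run_scenario():
        print(line)
```

The `events` list is the piece to watch in practice: a burst of lockout events against many valid accounts is the signature of the denial-of-service the slide warns about, and it argues for a short reset window and for alerting on the event rather than only on failed logons.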
Managing Authentication
• Windows authentication
• RADIUS authentication
• Windows and RADIUS accounting
Overview of Virtual Private Networks (VPNs)
• VPNs allow remote users to connect securely to a remote corporate server by using the routing infrastructure provided by a public internetwork, such as the Internet.
• VPN is a point-to-point connection between the user’s computer and a corporate server.
• VPN allows a corporation to connect with its branch offices or with other companies over a public internetwork.
• The secure connection across the internetwork appears to the user as a virtual network interface.
Connecting Networks over the Internet
• Dedicated lines
• Dial-up lines
Connecting Computers over an Intranet
• VPNs allow a department’s LAN to be physically connected to the corporate internetwork but separated by a VPN server.
• The VPN server is not acting as a router between the corporate internetwork and the department LAN.
Overview of Tunneling
• Tunneling is a method of using an internetwork infrastructure to transfer a payload.
• Instead of sending the frame as produced by the originating node, the frame is encapsulated with an additional header, which provides routing information.
• The process of encapsulation and transmission of packets is known as tunneling.
• The logical path through which the encapsulated packets travel the transit internetwork is called a tunnel.
Tunnel Maintenance and Data Transfer
• Tunnel maintenance protocol
• Tunnel data transfer protocol
Tunnel Types
• Voluntary tunnels
• Compulsory tunnels
PPTP
L2TP
PPTP vs. L2TP
• PPTP requires that the transit internetwork be an IP internetwork. L2TP requires only that the tunnel media provide packet-oriented point-to-point connectivity.
• When header compression is enabled, L2TP operates with 4 bytes of overhead, compared to 6 bytes for PPTP.
• L2TP provides tunnel authentication, while PPTP does not.
• PPTP uses PPP encryption and L2TP does not.
IPSec
• Overview of IPSec
• ESP tunnel mode vs. ESP transport mode
• IPSec ESP tunnel mode packet structure
IP-IP
• IP-IP is a simple OSI layer 3 tunneling technique.
• A virtual network is created by encapsulating an IP packet with an additional IP header.
• The primary use of IP-IP is for tunneling multicast traffic over sections of a network that do not support multicast routing.
• The IP payload includes everything above IP.
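The encapsulation described under Overview of Tunneling and on this IP-IP slide, as an added example that is not part of the original presentation: the original datagram (its IP header plus everything above IP) becomes the payload of a new IPv4 header whose protocol field is 4, and the tunnel endpoint strips that header again after validating it. The addresses, ports and payload are constructed for the example; the multicast destination illustrates the primary use the slide names. The decapsulation side also checks that the outer source is the expected tunnel peer, which a real endpoint should do rather than accepting encapsulated traffic from anywhere.

```python
"""IP-IP (protocol 4) encapsulation and decapsulation built from raw bytes (added example)."""
import ipaddress
import struct

IPPROTO_IPIP = 4      # IANA protocol number for IP-in-IP (RFC 2003)
IPPROTO_UDP = 17
IPV4_HDR = struct.Struct("!BBHHHBBHII")   # 20-byte header without options

# Constructed sample endpoints and payload; not taken from the original slides.
TUNNEL_SRC, TUNNEL_DST = "192.0.2.1", "198.51.100.7"
INNER_SRC, INNER_DST = "10.1.1.5", "239.1.1.1"
SAMPLE_PAYLOAD = b"constructed multicast payload"


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words; returns 0 for a header that verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Build a minimal IPv4 header (version 4, IHL 5) with a valid header checksum."""
    fields = [0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
              int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))]
    fields[7] = checksum(IPV4_HDR.pack(*fields))
    return IPV4_HDR.pack(*fields)


def parse_ipv4(packet: bytes) -> dict:
    """Validate and decode one IPv4 datagram; rejects short, non-v4 or corrupted headers."""
    if len(packet) < 20:
        raise ValueError("packet shorter than an IPv4 header")
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum, src, dst = IPV4_HDR.unpack_from(packet)
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or total_len > len(packet):
        raise ValueError("malformed IPv4 header")
    if checksum(packet[:ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "ttl": ttl, "payload": packet[ihl:total_len]}


def encapsulate(inner_packet: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """IP-IP: the whole inner datagram (header plus everything above IP) is the outer payload."""
    return ipv4_header(tunnel_src, tunnel_dst, IPPROTO_IPIP, len(inner_packet)) + inner_packet


def decapsulate(packet: bytes, expected_peer: str = None) -> bytes:
    """Tunnel endpoint: strip the outer header after checking protocol and, optionally, the peer."""
    outer = parse_ipv4(packet)
    if outer["proto"] != IPPROTO_IPIP:
        raise ValueError("outer protocol is not IP-IP")
    if expected_peer is not None and outer["src"] != expected_peer:
        raise ValueError("tunnel packet from unexpected endpoint %s" % outer["src"])
    return outer["payload"]


def build_example_tunnel_packet() -> bytes:
    """A constructed UDP multicast datagram, wrapped for transit across a non-multicast segment."""
    udp = struct.pack("!HHHH", 5000, 5000, 8 + len(SAMPLE_PAYLOAD), 0) + SAMPLE_PAYLOAD
    inner = ipv4_header(INNER_SRC, INNER_DST, IPPROTO_UDP, len(udp)) + udp
    return encapsulate(inner, TUNNEL_SRC, TUNNEL_DST)


if __name__ == "__main__":
    pkt = build_example_tunnel_packet()
    outer = parse_ipv4(pkt)
    print("outer:", outer["src"], "->", outer["dst"], "proto", outer["proto"])
    inner = parse_ipv4(decapsulate(pkt, expected_peer=TUNNEL_SRC))
    print("inner:", inner["src"], "->", inner["dst"], "proto", inner["proto"])
```

On the wire the only thing that distinguishes this from ordinary traffic between the two tunnel endpoints is the protocol number 4 in the outer header, which is also what a firewall or packet-capture filter keys on when it needs to see or block tunnelled traffic.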
Managing Users
• A master account database is usually set up on a domain controller or on a RADIUS server.
• The same user account is used for both dial-in remote access and VPN remote access.
Managing Addresses and Name Servers
• The VPN server must have IP addresses available in order to assign them to the VPN server’s virtual interface and to VPN clients.
• By default, the IP addresses assigned to VPN clients are obtained through DHCP.
Managing Access
Configure the properties on the Dial-In tab of the user's properties and modify remote access policy as necessary.
Managing Authentication
• The VPN server can be configured to use either Windows or RADIUS authentication.
• If Windows is selected, the user credentials are authenticated by using Windows authentication and remote access policy.
• If RADIUS is selected, user credentials and parameters are sent as a series of RADIUS request messages to the RADIUS server.
Troubleshooting
• Connection attempt is rejected when it should be accepted.
• Connection attempt is accepted when it should be rejected.
• Unable to reach locations beyond the VPN server.
• Unable to establish a tunnel.
Routing and Remote Access Snap-In
Net Shell Command-Line Utility
• The Net Shell utility includes a number of options.
• Commands can be abbreviated to the shortest unambiguous string.
• Commands can be either global or context specific.
• Global commands can be issued in any context and are used for general netsh functions.
• Netsh has two command modes.
• You can run a script either by using the -f option or by typing the exec global command while in the Net Shell command window.
• To create a script of the current configuration, type the global dump command.
• The Net Shell command includes context-specific commands.
Authentication and Accounting Logging
• RRAS supports the logging of authentication and accounting information for PPP-based connection attempts when Windows authentication or accounting is enabled.
• The authentication and accounting information is stored in a configurable log file or files.
• You can configure the type of activity to log and log file settings.
Event Logging
• The Windows 2000 Router performs extensive error logging in the system event log.
• Four levels of logging are available.
• Take specific steps if an OSPF router is unable to establish an adjacency on an interface.
• The level of event logging can be set from various places with the Routing and Remote Access snap-in.
• Logging consumes system resources and should be used sparingly.