Date posted: 30-Dec-2015
Objectives
• Configure Windows Server 2003 as a router
• Create and configure demand-dial connections for routing
• Configure Network Address Translation (NAT) for Internet connectivity
• Install Internet Connection Sharing (ICS)
• Configure Internet Connection Firewall (ICF)
Router Installation and Configuration
• Windows Server 2003
  – Can be used as a router
  – Can perform routing for TCP/IP and AppleTalk
  – Does not support IPX/SPX for routing
• Implementing Windows Server 2003 as a router
  – Main benefit is cost
  – Server must be connected to at least two networks
Router Installation and Configuration (Continued)
• Internet Security and Acceleration Server (ISA)
  – Provides proxy services
• Routing and Remote Access snap-in
  – Used to add routing
Routing Tables
• Routers
  – Make decisions about how to move packets from one network to another in the fastest way possible
• Routing table
  – List of networks that are known to the router
  – Each entry contains
    • IP address of the network
    • Subnet mask of the network
    • Gateway used to reach the network
    • Router interface used to reach the gateway
    • Metric that measures how far away the network is
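The slide lists the five fields of a routing-table entry but not how a router uses them when a packet arrives. The following is an added example, not code from the slides or from Windows RRAS: it builds a small constructed table with exactly those five fields and shows the selection rule a router applies, the most specific (longest) matching prefix wins, and among equal prefixes the lowest metric wins. Sample networks, gateways and interface names are constructed.

```python
"""Longest-prefix routing-table lookup (added example, not from the slides).
Each Route carries the five fields the slide names: network, subnet mask,
gateway, interface and metric. Sample entries below are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    network: str    # IP address of the network, e.g. "192.168.1.0"
    mask: str       # subnet mask of the network, e.g. "255.255.255.0"
    gateway: str    # gateway used to reach the network ("0.0.0.0" = directly connected)
    interface: str  # router interface used to reach the gateway
    metric: int     # how "far away" the network is; lower is preferred

    def prefix(self) -> ipaddress.IPv4Network:
        # ipaddress accepts a dotted-decimal mask; strict=False tolerates
        # a host address in the network field (as ROUTE PRINT output can show)
        return ipaddress.IPv4Network(f"{self.network}/{self.mask}", strict=False)


# Constructed sample table: two directly connected networks, one remote /16
# reachable through two gateways with different metrics, a more specific /24
# inside that /16, and a default route.
ROUTING_TABLE = [
    Route("192.168.1.0", "255.255.255.0", "0.0.0.0", "LAN", 1),
    Route("10.0.0.0", "255.255.255.0", "0.0.0.0", "WAN", 1),
    Route("172.16.0.0", "255.255.0.0", "10.0.0.2", "WAN", 5),
    Route("172.16.0.0", "255.255.0.0", "10.0.0.3", "WAN", 2),
    Route("172.16.5.0", "255.255.255.0", "10.0.0.4", "WAN", 10),
    Route("0.0.0.0", "0.0.0.0", "10.0.0.1", "WAN", 1),
]


def lookup(dest: str, table=ROUTING_TABLE) -> Optional[Route]:
    """Choose the route for `dest` the way a router does: every entry whose
    network contains the destination is a candidate; the longest prefix wins,
    and ties are broken by the lowest metric. Returns None when nothing
    matches (only possible when there is no default route)."""
    addr = ipaddress.IPv4Address(dest)
    candidates = [r for r in table if addr in r.prefix()]
    if not candidates:
        return None  # unreachable: the router would discard the packet
    return min(candidates, key=lambda r: (-r.prefix().prefixlen, r.metric))


if __name__ == "__main__":
    for dest in ("192.168.1.77", "172.16.5.9", "172.16.7.1", "8.8.8.8"):
        r = lookup(dest)
        print(f"{dest:>14} -> via {r.gateway} on {r.interface} (metric {r.metric})")
```

Note that 172.16.5.9 is sent to 10.0.0.4 even though that route has the worst metric in the table: prefix length is compared before metric, so the /24 beats both /16 entries. The metric only decides between the two /16 routes, which is why 172.16.7.1 goes to 10.0.0.3.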
Routing Tables (Continued)
• ROUTE PRINT command
  – Used to view the routing table
• Static routing
  – Entries that are added manually
  – Used when security is required
  – Addition of a new network means the routing table of each server must be changed
  – Introduces the possibility of error each time a change is made
Routing Tables (Continued)
• Dynamic routing
  – Entries that are added automatically based on a routing protocol
  – Routers talk to each other to build their routing tables
Routing Protocols
• Responsible for
  – Calculating the best path from one network to another
  – Advertising routes for dynamic routing
• Routing Information Protocol (RIP)
  – No configuration necessary under most circumstances
  – Hops
    • Number of routers through which the data must pass
  – Distance-vector routing
    • Path with the least number of hops
Routing Protocols (Continued)
  – Does not differentiate between different link speeds
  – Each RIP router sends a broadcast packet every 30 seconds
• Open Shortest Path First (OSPF)
  – Determines the best path from one network to another based on cost
  – Not normally implemented on Windows routers
  – Each interface on a router is assigned a cost
Routing Protocols (Continued)
  – Routing table
    • Builds a picture of the entire network
  – When communicating with other routers
    • Only sends changes in its routing table
    • Changes sent only when they occur, not every 30 seconds
Configuring RIP
• RIP properties
  – Can configure the type of events to be logged
  – Can configure the IP addresses from which the router accepts updates
  – General tab
    • Periodic update mode removes entries from the routing table if the router that advertised them is disabled or unreachable
    • Auto-static update mode adds RIP-learned routes to the routing table as static entries
Configuring RIP (Continued)
• RIP routers
  – Advertise routes learnt from other routers, then increment the number of hops by 1
• RIP properties
  – Security tab
    • Allows you to configure which incoming and outgoing routes are accepted on this interface
  – Neighbors tab
    • Used only if broadcasts and multicasts are limited on the network
Configuring RIP (Continued)
  – Advanced tab
    • Can adjust how often routing table announcements are sent
    • Can adjust how long entries in the routing table last before they expire
    • Can adjust how long after they expire before they are removed from the routing table
• Split-horizon processing and poison-reverse processing
  – Used to prevent routing loops in the case of a router failure
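The RIP slides state the rules (learned routes are re-advertised with the hop count incremented by 1; split horizon and poison reverse prevent loops after a router failure) without showing the loop they prevent. The following is an added example, not code from the slides and not the RRAS RIP implementation: a two-router simulation in which router A loses its connected network, and the hop count A ends up believing is compared with and without split horizon. Router and network names are constructed; the 16-hop "unreachable" value is RIP's.

```python
"""Minimal RIP-style distance-vector router (added example, not RRAS code).
Shows the hop-count increment on receipt, the 16-hop 'unreachable' value,
and how split horizon and poison reverse change what a router advertises
back to the neighbour it learned a route from."""

INFINITY = 16  # RIP treats a hop count of 16 as unreachable


class RipRouter:
    def __init__(self, name, connected):
        self.name = name
        # routing table: network -> (hops, next_hop); connected networks are 1 hop
        # away and have no next hop
        self.table = {net: (1, None) for net in connected}

    def receive_update(self, neighbor, routes):
        """Process a neighbour's announcement. Each advertised hop count is
        incremented by 1 (the advertising router is one more hop away) before
        it is compared with what this router already knows."""
        for net, hops in routes.items():
            new_hops = min(hops + 1, INFINITY)
            current = self.table.get(net)
            if current is None:
                if new_hops < INFINITY:
                    self.table[net] = (new_hops, neighbor)
            elif current[1] == neighbor:
                # Always believe the neighbour we currently route through, even
                # when its news is worse: this is how a poisoned route propagates.
                self.table[net] = (new_hops, neighbor)
            elif new_hops < current[0]:
                self.table[net] = (new_hops, neighbor)

    def advertise(self, to_neighbor, split_horizon=True, poison_reverse=False):
        """Build the announcement sent to `to_neighbor`."""
        out = {}
        for net, (hops, next_hop) in self.table.items():
            if next_hop == to_neighbor:
                if poison_reverse:
                    out[net] = INFINITY   # say explicitly: do not route this via me
                elif split_horizon:
                    continue              # say nothing about routes learned from them
                else:
                    out[net] = hops       # naive RIP: echo the route straight back
            else:
                out[net] = hops
        return out


def hops_after_failure(split_horizon):
    """Router A is connected to network X and to the A-B link; B learns X from A.
    A then loses X. Returns the hop count A believes for X after it receives
    B's next announcement: with split horizon B stays silent about X, so A
    correctly sees it as unreachable (16); without split horizon B echoes X
    back and A installs it at 3 hops via B, which is a routing loop."""
    a = RipRouter("A", ["X", "AB"])
    b = RipRouter("B", ["AB"])
    b.receive_update("A", a.advertise("B"))          # B now has X at 2 hops via A
    del a.table["X"]                                 # A's link to X fails
    a.receive_update("B", b.advertise("A", split_horizon=split_horizon))
    return a.table.get("X", (INFINITY, None))[0]


def poison_reverse_announcement():
    """What B tells A with poison reverse on: the route learned from A is
    advertised back with hop count 16 instead of being omitted."""
    a = RipRouter("A", ["X", "AB"])
    b = RipRouter("B", ["AB"])
    b.receive_update("A", a.advertise("B"))
    return b.advertise("A", poison_reverse=True)


if __name__ == "__main__":
    print("A's view of X after failure, split horizon on :", hops_after_failure(True))
    print("A's view of X after failure, split horizon off:", hops_after_failure(False))
    print("B's poison-reverse announcement to A:", poison_reverse_announcement())
```

The simulation only covers the single exchange that creates the loop; real RIP would then count the bogus route up by one hop per update interval until it reaches 16, which is the slow convergence that split horizon and poison reverse are there to avoid.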
Demand-Dial Connections
• Used to establish a connection between two routers when there is data to be sent
• Demand-dial connections
  – Used to minimize the amount of phone time used on dial-up connections between routers
  – Can be used to initiate VPN connections between Windows routers
  – Can be created for Point-to-Point Protocol over Ethernet (PPPoE) connections
• PPPoE
  – Used by many high-speed Internet providers to control access to their network
  – Authentication requires a username and password
Creating Demand-dial Connections
• For a demand-dial connection to function properly
  – Server must be enabled to perform demand-dial routing
  – Port must be configured to allow demand-dial routing
  – Demand-dial interface must be created
• Demand-dial Interface Wizard
  – Creates demand-dial connections
Demand-dial Interface Properties
• Can be used to configure
  – Security settings
  – Idle timeout
• Options tab
  – If the “Persistent connection” option is chosen, servers are connected whenever RRAS is functional
  – If the “Demand dial” option is chosen, you can set an idle timeout
• Security tab
  – Provides the standard security options available on a VPN connection
Dial-out Hours
• Controls when a demand-dial connection can be active
• Typical configuration of dial-out hours
  – Allows a connection every few hours
  – Data is moved from one network to another in batches every few hours
• If users are expected to access resources using the demand-dial connection at all times
  – Dial-out hours should be left at the default of 24 hours per day, seven days per week
Demand-dial Filters
• Used to reduce the amount of time a demand-dial connection is active
• Control which types of network traffic trigger a demand-dial connection
• Configuration is similar to a firewall rule
• Can initiate a demand-dial connection
  – For specific traffic
  – For all traffic except that specified by a rule
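The two slides above describe two independent controls on a demand-dial interface: dial-out hours (when the link may come up) and demand-dial filters (which traffic brings it up, in either "only this traffic" or "all traffic except" mode). The following is an added example, not code from the slides and not RRAS code, that combines both decisions into one `should_dial` check. The filter fields (protocol and destination port), the two mode names, and the sample packets and schedules are constructed for illustration.

```python
"""Demand-dial trigger decision (added example, not RRAS code): a packet
brings the link up only if the current time falls inside the dial-out hours
AND the demand-dial filters say this kind of traffic may trigger a call."""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Packet:
    protocol: str   # "tcp", "udp" or "icmp" (constructed field set)
    dst_ip: str
    dst_port: int   # 0 for protocols without ports


@dataclass(frozen=True)
class Filter:
    protocol: str   # protocol to match, or "*" for any
    dst_port: int   # destination port to match, or 0 for any

    def matches(self, p: Packet) -> bool:
        return (self.protocol in ("*", p.protocol)
                and self.dst_port in (0, p.dst_port))


class DemandDialInterface:
    def __init__(self, dial_out_hours, filters, mode):
        # dial_out_hours: weekday (0 = Monday) -> set of hours (0-23) when the
        # link may be active. The default on the slide is 24 hours, 7 days.
        self.dial_out_hours = dial_out_hours
        self.filters = list(filters)
        # "only":       dial only for traffic that matches a filter
        # "all_except": dial for all traffic except that matched by a filter
        if mode not in ("only", "all_except"):
            raise ValueError(f"unknown filter mode: {mode}")
        self.mode = mode

    def within_dial_out_hours(self, when: datetime) -> bool:
        return when.hour in self.dial_out_hours.get(when.weekday(), set())

    def traffic_triggers_dial(self, p: Packet) -> bool:
        matched = any(f.matches(p) for f in self.filters)
        return matched if self.mode == "only" else not matched

    def should_dial(self, p: Packet, when: datetime) -> bool:
        """Both controls must agree before the connection is initiated."""
        return self.within_dial_out_hours(when) and self.traffic_triggers_dial(p)


# Constructed schedules: the slide's default (always), and a Mon-Fri 08:00-17:59 window.
ALWAYS = {d: set(range(24)) for d in range(7)}
BUSINESS_HOURS = {d: set(range(8, 18)) for d in range(5)}


if __name__ == "__main__":
    # Only SMTP traffic may bring the link up, and only during business hours.
    mail_link = DemandDialInterface(BUSINESS_HOURS, [Filter("tcp", 25)], "only")
    smtp = Packet("tcp", "203.0.113.5", 25)
    print("SMTP on Tuesday 10:00 :", mail_link.should_dial(smtp, datetime(2003, 6, 3, 10, 0)))
    print("SMTP on Saturday 10:00:", mail_link.should_dial(smtp, datetime(2003, 6, 7, 10, 0)))
    print("DNS  on Tuesday 10:00 :", mail_link.should_dial(Packet("udp", "203.0.113.5", 53),
                                                          datetime(2003, 6, 3, 10, 0)))
```

The "all_except" mode is the one to use when a handful of chatty protocols (the example below uses ICMP) keep an expensive link up for no good reason: everything else still dials, but pings alone do not.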
Network Address Translation (NAT)
• Uses a single Internet IP address to provide Internet access to all client computers
• Included with Windows Server 2003
• Address ranges reserved for internal use
  – 10.0.0.0 through 10.255.255.255
  – 172.16.0.0 through 172.31.255.255
  – 192.168.0.0 through 192.168.255.255
Network Address Translation (Continued)
• Proxy server
  – If implemented, clients must be configured to use the proxy server
  – Provides caching to speed up Internet connectivity
• Most implementations are FTP aware and translate FTP packets properly
How NAT Works
• Modifies the IP headers of packets that are forwarded through a router
• Builds a table to keep track of translations
• Table lists
  – Original source IP address
  – Original source port number
  – New source port number
• New source IP address
  – Always the external interface on the router
  – Does not need to be included in the table
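To make the translation table concrete, the following is an added example, not code from the slides and not the RRAS NAT implementation. Each row holds exactly the three values the slide lists (original source IP, original source port, new source port); the new source IP is a single attribute of the table because it is always the router's external interface. Outbound packets create or refresh a row, inbound replies are matched on the new source port and rewritten back, and rows are dropped after a lifetime that stands in for the mapping timeout on the Translation tab of the later "Configuring NAT" slide; the 60-second value, the external address 203.0.113.1, and the internal hosts are constructed. A helper also checks the three reserved internal ranges from the NAT slide.

```python
"""Port-based NAT translation table (added example, not RRAS code)."""
import ipaddress
from dataclasses import dataclass

# The three internal ranges listed on the NAT slide.
PRIVATE_RANGES = [ipaddress.IPv4Network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private_address(ip: str) -> bool:
    """True for an address in 10/8, 172.16/12 or 192.168/16."""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in net for net in PRIVATE_RANGES)


@dataclass
class Mapping:
    orig_ip: str      # original source IP address
    orig_port: int    # original source port number
    new_port: int     # new source port number on the external interface
    last_used: float  # seconds; refreshed by every translated packet


class NatTable:
    def __init__(self, external_ip, mapping_lifetime=60.0, first_port=1024):
        self.external_ip = external_ip          # new source IP for every outbound packet
        self.mapping_lifetime = mapping_lifetime  # assumed timeout (Translation tab setting)
        self.next_port = first_port
        self.outbound = {}   # (orig_ip, orig_port) -> Mapping
        self.inbound = {}    # new_port -> Mapping

    def expire(self, now):
        """Drop rows that have been idle longer than the mapping lifetime."""
        for key, m in list(self.outbound.items()):
            if now - m.last_used > self.mapping_lifetime:
                del self.outbound[key]
                del self.inbound[m.new_port]

    def translate_outbound(self, src_ip, src_port, now):
        """Rewrite the source of a packet leaving through the public interface.
        Returns (new_src_ip, new_src_port). Two internal hosts using the same
        source port get different new ports, which is what keeps replies apart."""
        self.expire(now)
        m = self.outbound.get((src_ip, src_port))
        if m is None:
            while self.next_port in self.inbound:   # skip ports still in use
                self.next_port += 1
            m = Mapping(src_ip, src_port, self.next_port, now)
            self.next_port += 1
            self.outbound[(src_ip, src_port)] = m
            self.inbound[m.new_port] = m
        m.last_used = now
        return self.external_ip, m.new_port

    def translate_inbound(self, dst_port, now):
        """Map a reply arriving at the public interface back to the internal
        host. Returns (orig_ip, orig_port), or None when no row matches: an
        unsolicited inbound packet has nowhere to go and is dropped."""
        self.expire(now)
        m = self.inbound.get(dst_port)
        if m is None:
            return None
        m.last_used = now
        return m.orig_ip, m.orig_port


if __name__ == "__main__":
    nat = NatTable("203.0.113.1")
    print(nat.translate_outbound("192.168.0.10", 5000, 0.0))   # ('203.0.113.1', 1024)
    print(nat.translate_outbound("192.168.0.11", 5000, 1.0))   # ('203.0.113.1', 1025)
    print(nat.translate_inbound(1025, 2.0))                    # ('192.168.0.11', 5000)
    print(nat.translate_inbound(4000, 2.0))                    # None: unsolicited
```

The `translate_inbound` miss is the reason the later "Services and Ports" slide exists: a server behind NAT is unreachable from the Internet until an administrator adds a static row that the table would otherwise never create on its own.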
Installing NAT
• NAT protocol
  – Automatically installed when RRAS is configured to be a router
• NAT Interface properties
  – For proper NAT functionality
    • One interface must be configured as a public interface
    • At least one interface must be configured as a private interface
  – Basic firewall
    • Allows you to configure static packet filters
Installing NAT (Continued)
  – Services and Ports tab
    • Allows you to host services behind NAT but still allow access from the Internet
  – ICMP tab
    • Dictates the types of ICMP packets the interface responds to
  – Address Pool tab
    • Defines a range of IP addresses that are handed out to client computers
Configuring NAT
• NAT/Basic Firewall – Properties
  – General tab
    • Controls the level of logging that is performed
  – Translation tab
    • Configures how long mappings are kept in the NAT table
  – Address Assignment tab
    • Can configure NAT to act as a DHCP server
  – Name Resolution tab
    • Configures the NAT router to act as a DNS proxy
    • Settings on this tab need not be enabled if internal DNS servers exist
Internet Connection Sharing (ICS)
• Provides an automated way for a small office to connect to the Internet using Windows Server 2003 as a router
• Automatically performs NAT
• Configures network connections
• Because NAT is used, the server must have at least two network cards
• Configuration used by ICS cannot be changed
Internet Connection Sharing (Continued)
• The following changes are made
  – Internal network connection is configured with
    • IP address 192.168.0.1
    • Subnet mask 255.255.255.0
  – Autodial enabled for dial-up/VPN/PPPoE connections
  – Static route for default gateway enabled when a dial-up/VPN/PPPoE connection is activated
  – The ICS service is started
  – DHCP allocator is configured to distribute IP addresses from 192.168.0.2 to 192.168.0.254
  – The DNS proxy is enabled
Internet Connection Sharing (Continued)
• ICS server can only have one internal IP address
• Network bridging
  – Allows interfaces to share a single IP address
• Bridge
  – Controls network traffic based on MAC addresses
  – Allows computers on two different physical network segments to be on the same IP network
• When network bridging is enabled
  – Choose multiple network cards in a server to act as a single IP network
Internet Connection Firewall
• A stateful packet filter that can be used to protect any server running Windows Server 2003
• Stateful firewall
  – Requires only one rule for outbound traffic
  – Keeps track of TCP connections that are created by internal clients
  – Automatically allows response packets to return
Internet Connection Firewall (Continued)
• Enabling ICF
  – ICF is configured per connection
  – If ICF is enabled on a server that is not a router
    • Only that server is protected
  – If ICF is enabled on a router
    • All computers on the internal network are protected
Configuring ICF
• When ICF is enabled
  – All packets addressed to the server are dropped
• Configuring services
  – Allows requests from the network to access services on the server running ICF
  – Services defined are the firewall rules for ICF
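The ICF slides describe stateful filtering in three sentences: one rule for outbound traffic, a record of TCP connections opened by internal clients so their replies are let back in, and everything else inbound dropped unless a configured service permits it. The following is an added example that models that behaviour; it is not code from the slides and not Microsoft's ICF. The packet fields, the `(protocol, port)` form of the service list, and the sample packets are constructed. As on the slide, only TCP connections are tracked, so a UDP reply is dropped unless a service covers its port.

```python
"""Stateful packet filter modelled on the ICF behaviour described on the
slides (added example, not Microsoft's code)."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Packet:
    direction: str  # "out" (leaving the protected host/network) or "in"
    protocol: str   # "tcp" or "udp" (constructed field set)
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StatefulFirewall:
    def __init__(self, services):
        # services: the configured ICF services, as (protocol, port) pairs that
        # are allowed inbound even without a matching outbound connection.
        self.services = set(services)
        # state table: 5-tuples of TCP connections opened from the inside
        self.connections = set()

    def filter(self, p: Packet) -> str:
        """Return "allow" or "drop" for one packet."""
        if p.direction == "out":
            # The single outbound rule: allow everything, and remember TCP
            # connections so that their replies can be recognised.
            if p.protocol == "tcp":
                self.connections.add(
                    (p.protocol, p.src_ip, p.src_port, p.dst_ip, p.dst_port))
            return "allow"
        # Inbound: mirror the tuple and ask whether we opened this connection.
        reverse = (p.protocol, p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        if reverse in self.connections:
            return "allow"          # response packet to an internal client
        if (p.protocol, p.dst_port) in self.services:
            return "allow"          # explicitly published service
        return "drop"               # default for everything addressed to us

    def run(self, packets: List[Packet]) -> List[str]:
        """Filter a sequence of packets in order; state carries across them."""
        return [self.filter(p) for p in packets]


# Constructed traffic: an internal client browses to an HTTPS server and gets
# a reply, then an outsider probes the client's ephemeral port, connects to the
# published web server, and sends an unsolicited UDP datagram.
SAMPLE_TRAFFIC = [
    Packet("out", "tcp", "192.168.0.5", 40000, "203.0.113.9", 443),
    Packet("in",  "tcp", "203.0.113.9", 443, "192.168.0.5", 40000),
    Packet("in",  "tcp", "198.51.100.7", 5555, "192.168.0.5", 40000),
    Packet("in",  "tcp", "198.51.100.7", 5555, "192.168.0.5", 80),
    Packet("in",  "udp", "198.51.100.7", 53, "192.168.0.5", 40001),
]


def sample_decisions():
    """Decisions for SAMPLE_TRAFFIC with only a web server (tcp/80) published."""
    return StatefulFirewall({("tcp", 80)}).run(SAMPLE_TRAFFIC)


if __name__ == "__main__":
    for p, verdict in zip(SAMPLE_TRAFFIC, sample_decisions()):
        print(f"{p.direction:>3} {p.protocol} {p.src_ip}:{p.src_port} -> "
              f"{p.dst_ip}:{p.dst_port}  {verdict}")
```

The third packet is the one a stateless filter gets wrong: it is addressed to a port the client really is using, but it did not come from the peer the client talked to, so the reversed tuple is not in the state table and it is dropped. Every entry in `services` widens that default deny, which is why the slide calls the defined services the firewall rules for ICF.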
Summary
• Windows Server 2003
  – Can be configured as a low-cost router for TCP/IP and AppleTalk
• Static routing
  – Requires administrators to configure routing tables
• Dynamic routing
  – Allows routers to communicate
  – Automatically builds routing tables
• RIP
  – A distance-vector routing algorithm that calculates paths based on hops
Summary (Continued)
• OSPF
  – A link-state routing algorithm that calculates paths based on a configurable metric called cost
• Demand-dial connections
  – Activated when required
  – Require static routes
  – Can be configured with dial-out hours to limit the times they are active
• NAT
  – Many computers can access the Internet using a single IP address
  – Modifies the IP headers of packets that are routed through the NAT router