Routing and Remote Access Service (RRAS)

Date post: 21-Jan-2016
Upload: gita
Page 1: Routing and Remote Access Service (RRAS)

11.1 © 2004 Pearson Education, Inc.

Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment

Lesson 11: Introducing WINS, DNS, and RRAS

Routing and Remote Access Service (RRAS)
- Can be configured on a Windows Server 2003 computer to create a remote access service (RAS) server that can manage hundreds of concurrent dial-up connections or to receive Virtual Private Network (VPN) connections on the internal network
- Can also be configured to provide shared Internet access using Network Address Translation (NAT) or to create a secure connection between two servers on the Internet connecting two LANs

(Skill 5)

Introducing Routing and Remote Access Service (RRAS)

Page 2: Routing and Remote Access Service (RRAS)

Remote access service (RAS) server
- A computer running Windows Server 2003 and RRAS
- Configured specifically to function using a modem or modem pool
- Users can dial in from a remote computer that is also configured with a modem

A Virtual Private Network (VPN) server is a type of remote access server

Introducing Routing and Remote Access Service (RRAS) (2)

(Skill 5)

Page 3: Routing and Remote Access Service (RRAS)

Connection methods used by clients
- Dial-up
  - Establishes a non-permanent connection between a remote access server and remote access client using an analog phone line or ISDN
  - Remote access server answers the call, authenticates and authorizes the caller, and transfers data
- VPN
  - Establishes a secure point-to-point connection across private networks or a public network such as the Internet
  - Creates a logical link called a tunnel between a remote user and a private network

Introducing Routing and Remote Access Service (RRAS) (3)

(Skill 5)

Page 4: Routing and Remote Access Service (RRAS)

To establish a dial-up connection, Windows Server 2003 uses either PPP or SLIP WAN protocols
- Point-to-Point Protocol (PPP)
  - Allows remote clients to access network resources
  - Provides error-checking to detect possible problems prior to data transfer
- Serial Line Internet Protocol (SLIP)
  - An older remote communications protocol used by UNIX computers
  - Does not provide security
  - Transfers data without checking for errors

Introducing Routing and Remote Access Service (RRAS) (4)

(Skill 5)

Page 5: Routing and Remote Access Service (RRAS)

PPP supports many networking and authentication protocols
- Password Authentication Protocol (PAP)
  - The least secure authentication protocol
  - Uses plain text passwords for authentication
- Shiva Password Authentication Protocol (SPAP)
  - An authentication protocol used to connect to a Shiva server
  - More secure than PAP; less secure than CHAP or MS-CHAP
- Challenge Handshake Authentication Protocol (CHAP)
  - Sends a challenge message to the client, the client applies an algorithm to the message to calculate a hash value (a fixed-length number), and sends the value to the server
  - The server also calculates a value and compares it to the client's
  - If the values match, a connection is established

Introducing Routing and Remote Access Service (RRAS) (5)

(Skill 5)
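
The CHAP exchange described on this slide, as an added Python example that is not part of the original presentation. It follows the MD5 form of CHAP defined in RFC 1994; the class name, user name and secret are constructed for illustration.

```python
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """CHAP with MD5 (RFC 1994): hash of identifier octet + shared secret + challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side: issues single-use challenges and checks responses (hypothetical class)."""

    def __init__(self, secrets):
        self._secrets = secrets      # user name -> shared secret, known to both ends
        self._pending = {}           # identifier -> outstanding challenge
        self._next_id = 0

    def challenge(self):
        identifier = self._next_id
        self._next_id = (self._next_id + 1) % 256
        value = os.urandom(16)       # unpredictable, so an old response cannot be reused
        self._pending[identifier] = value
        return identifier, value

    def verify(self, name, identifier, response):
        value = self._pending.pop(identifier, None)   # each challenge is answered once
        secret = self._secrets.get(name)
        if value is None or secret is None:
            return False
        # The server calculates its own value and compares it to the client's.
        expected = chap_response(identifier, secret, value)
        return hmac.compare_digest(expected, response)


def demo():
    """Run one valid login and three failing attempts; return the outcomes."""
    secret = b"constructed-shared-secret"             # constructed sample value
    server = ChapAuthenticator({"alice": secret})

    ident, chal = server.challenge()
    resp = chap_response(ident, secret, chal)         # client side
    wire = bytes([ident]) + chal + resp               # everything an observer sees
    results = {
        "secret_on_wire": secret in wire,             # PAP would put the password here
        "valid_login": server.verify("alice", ident, resp),
        "replay_same_id": server.verify("alice", ident, resp),
    }
    ident2, _ = server.challenge()
    results["replay_new_challenge"] = server.verify("alice", ident2, resp)
    ident3, chal3 = server.challenge()
    bad = chap_response(ident3, b"wrong-secret", chal3)
    results["wrong_secret"] = server.verify("alice", ident3, bad)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

CHAP keeps the password off the wire, but the server has to hold each secret in a recoverable form, so the account store needs the same protection as the passwords themselves.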

Page 6: Routing and Remote Access Service (RRAS)

- MS-CHAP
  - Microsoft's version of CHAP
  - The challenge message is specifically designed for Windows operating systems and one-way encryption is used
- MS-CHAP2
  - Authenticates both the client and the server
  - A different encryption key is used to transmit and receive data
- Extensible Authentication Protocol (EAP)
  - Used to customize your method of remote access authentication for PPP connections
  - Supports multiple authentication methods
- IEEE 802.1X
  - New in Windows Server 2003 is support for IEEE 802.1X
  - Allows wireless and Ethernet LAN connections

Introducing Routing and Remote Access Service (RRAS) (6)

(Skill 5)

Page 7: Routing and Remote Access Service (RRAS)

Figure 11-38 RAS

(Skill 5)

Page 8: Routing and Remote Access Service (RRAS)

Figure 11-39 Dial-up connections

(Skill 5)

Page 9: Routing and Remote Access Service (RRAS)

Figure 11-40 SLIP and PPP

(Skill 5)

Page 10: Routing and Remote Access Service (RRAS)

Secure connections in VPNs are created using PPTP or L2TP
- Point-to-Point Tunneling Protocol (PPTP)
  - An extension of PPP
  - Installed by default during the installation of RRAS
- Layer 2 Tunneling Protocol (L2TP) with IPSec
  - Also an extension of PPP
  - Combines features from PPTP and Cisco's Layer Two Forwarding (L2F) protocol
- Bandwidth Allocation Protocol (BAP)
  - Often referred to as Multilink PPP; used with PPP to augment the use of multilinked devices
  - Multilinked devices are several ISDN lines or modem links combined to obtain greater bandwidth
  - Bandwidth Allocation Control Protocol (BACP) is the control protocol for BAP

Introducing Routing and Remote Access Service (RRAS) (7)

(Skill 5)

Page 11: Routing and Remote Access Service (RRAS)

Figure 11-41 Tunneling

(Skill 5)

Page 12: Routing and Remote Access Service (RRAS)

Figure 11-42 Configuring BAP and BACP

(Skill 5)

Page 13: Routing and Remote Access Service (RRAS)

Types of dial-up equipment used to establish a connection between a remote network and a remote access client
- POTS (Plain Old Telephone System)
- ISDN (Integrated Services Digital Network)
- DSL (Digital Subscriber Line)
- Cable modem lines
- Frame relay
- Leased telecommunication lines
- Modems (asynchronous and synchronous)

Understanding Types of Remote Access Connections

(Skill 6)

Page 14: Routing and Remote Access Service (RRAS)

Routing and Remote Access Service (RRAS)
- Installed automatically during the installation of Windows Server 2003
- By default, RRAS is not enabled

You enable and configure RRAS to set up
- A remote access server
- A VPN
- Network Address Translation
- A secure connection between two servers
- A network router

Configuring Remote Access Services

(Skill 7)

Page 15: Routing and Remote Access Service (RRAS)

Figure 11-43 The Add Server dialog box

(Skill 7)

Page 16: Routing and Remote Access Service (RRAS)

Figure 11-44 The Configuration screen in the RRAS Setup Wizard

(Skill 7)

Page 17: Routing and Remote Access Service (RRAS)

Figure 11-45 The Remote Access screen

(Skill 7)

Page 18: Routing and Remote Access Service (RRAS)

Figure 11-46 The Network Selection screen

(Skill 7)

If there is more than one network connection configured on the server, this screen will open so that you can select the correct network interface

Page 19: Routing and Remote Access Service (RRAS)

Figure 11-47 The RADIUS Server Selection screen

(Skill 7)

RADIUS servers are used to provide centralized authentication

Page 20: Routing and Remote Access Service (RRAS)

Figure 11-48 The Managing Multiple Remote Access Servers screen

(Skill 7)

Page 21: Routing and Remote Access Service (RRAS)

Figure 11-49 The Routing and Remote Access console

(Skill 7)

Page 22: Routing and Remote Access Service (RRAS)

(Skill 7)

Figure 11-50 The DHCP Relay Agent Properties dialog box

Enter the IP address for the DHCP server in the Server address text box and click Add

Page 23: Routing and Remote Access Service (RRAS)

Use the RAS Properties dialog box to configure your RAS server
- General tab is used to specify whether your computer will be configured as a router, a remote access server, or both
- Security tab is used to choose one of two types of authentication providers to validate remote access clients
- IP tab is used to specify settings for the IP protocol such as the method for distributing IP addresses to remote clients
- PPP tab is used to configure PPP (Point-to-Point Protocol) to specify whether a remote client can establish multilink connections
- Logging tab is used to manage and monitor an RRAS server by selecting the types of events you want to record for accounting and security purposes

Configuring Remote Access Services (2)

(Skill 7)

Page 24: Routing and Remote Access Service (RRAS)

Figure 11-51 The General tab in the <RAS_servername> Properties dialog box

(Skill 7)

Page 25: Routing and Remote Access Service (RRAS)

Figure 11-52 The Security tab

(Skill 7)

Click to open the Authentication Methods dialog box to set the authentication protocols

Page 26: Routing and Remote Access Service (RRAS)

Remote access policies
- Are used, along with user properties in some cases, to control what connection attempts will be rejected or accepted by an RRAS server
- You create them to determine which users can access the network and to prevent unauthorized access
- A remote access policy consists of a set of rules and conditions that must be met by a connection before a user can gain access

Creating a Remote Access Policy

(Skill 8)

Page 27: Routing and Remote Access Service (RRAS)

Components of a remote access policy
- Conditions are the criteria a user must meet in order to be granted access
- Permissions are located on the Dial-in tab in the user account Properties dialog box
  - Allow access permission skips the remote access policy and applies the remote access profile
  - Deny access permission drops the caller
  - Control access through Remote Access Policy permission checks the permissions in the remote access policy; if they are set to Grant remote access permission, the profile is applied
- Remote access profile is a list of settings offered to the client

Creating a Remote Access Policy (2)

(Skill 8)

Page 28: Routing and Remote Access Service (RRAS)

Remote access profile settings
- Allowed dial-in days and times
- Connection limits
- Allowed dial-in media and phone numbers
- Authentication settings
- Encryption settings

Creating a Remote Access Policy (3)

(Skill 8)

Page 29: Routing and Remote Access Service (RRAS)

Use the Edit Dial-in Profile dialog box to configure a remote access profile
- Dial-in Constraints tab is used to specify the dial-in number and the type of media to be used for a connection
- IP tab is used to set the IP properties for a connection
- Multilink tab is used to configure the RRAS server to handle multilink calls and to specify the number of ports a single remote client can use at one time
- Authentication tab is used to set the authentication protocols (PAP, SPAP, CHAP, MS-CHAP, MS-CHAP v2, EAP)
- Encryption tab is used to specify the type of encryption for remote access clients (no encryption, basic, strong, or strongest)
- Advanced tab is used to configure connection attributes (RADIUS, frame types, AppleTalk zones, special filters, etc.)

Creating a Remote Access Policy (4)

(Skill 8)

Page 30: Routing and Remote Access Service (RRAS)

Figure 11-53 The Select Attribute dialog box

(Skill 8)

Attributes that can be set as conditions for a remote access policy

Page 31: Routing and Remote Access Service (RRAS)

Figure 11-54 The Dial-in tab in the Properties dialog box for a user

(Skill 8)

Only available in Windows 2000 native mode or Windows 2003 mode domains. When this option is set, the permissions configured in the remote access policy are checked. If they are set to Grant, the profile is applied. If they are set to Deny, the caller is disconnected.

Page 32: Routing and Remote Access Service (RRAS)

Figure 11-55 The Dial-in Constraints tab on the Edit Dial-in Profile dialog box

(Skill 8)

Page 33: Routing and Remote Access Service (RRAS)

Figure 11-56 The Inbound Filters dialog box

(Skill 8)

Click to open the Add IP Filter dialog box

Page 34: Routing and Remote Access Service (RRAS)

Figure 11-57 The Add IP Filter dialog box

(Skill 8)

You can create an IP packet filter to control the allowed upper-layer protocols, and the remote IP addresses with which clients are allowed to communicate

Page 35: Routing and Remote Access Service (RRAS)

Figure 11-58 The Multilink tab

(Skill 8)

Select to set Bandwidth Allocation Protocol (BAP) settings; you can dynamically drop a link if bandwidth usage by remote clients drops below a certain threshold

Page 36: Routing and Remote Access Service (RRAS)

Figure 11-59 The Routing and Remote Access console

(Skill 8)

The default remote access policy denies remote access

Page 37: Routing and Remote Access Service (RRAS)

Figure 11-60 The Policy Configuration Method screen

(Skill 8)

Page 38: Routing and Remote Access Service (RRAS)

Figure 11-61 Setting Day and Time Restrictions

(Skill 8)

Page 39: Routing and Remote Access Service (RRAS)

Figure 11-62 The Time of day constraints dialog box

(Skill 8)

Time during which the policy will permit users to connect to the remote access server

Page 40: Routing and Remote Access Service (RRAS)

Figure 11-63 The Policy Conditions screen

Figure 11-64 The Permissions screen

(Skill 8)

Page 41: Routing and Remote Access Service (RRAS)

Figure 11-65 The IP tab

(Skill 8)

Click to open the Inbound Filters dialog box to deny or permit particular IP packets to be processed by the network

Page 42: Routing and Remote Access Service (RRAS)

Figure 11-66 The Encryption tab

(Skill 8)

Allows clients to connect using 40-bit encryption key MPPE or IPSec encryption

Allows clients to connect using 56-bit encryption key MPPE or IPSec encryption

Allows clients to connect using 128-bit encryption key MPPE or IPSec encryption

Allows clients to connect without using data encryption

Page 43: Routing and Remote Access Service (RRAS)

If you have multiple remote access policies, the RRAS server evaluates them in the order in which they are listed in the Routing and Remote Access console; you can change the order

In RRAS, the properties of individual user accounts or the RRAS policy is used to set which users can access the RRAS server

Your domain must be in Windows 2000 native mode or Windows Server 2003 mode to use RRAS policies

The biggest advantage of RRAS policies is ease of administration

Creating a Remote Access Policy (5)

(Skill 8)
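
The accept/reject logic that the Skill 8 slides describe (conditions, the user's Dial-in permission, the policy's Grant or Deny setting, the profile, and evaluation in listed order), as an added Python model that is not part of the original presentation and is not RRAS code. All names, attributes and sample values are constructed, and the rule that an attempt matching no policy is rejected is an assumption of this model.

```python
from dataclasses import dataclass
from datetime import datetime

# Dial-in tab settings on the user account (constant names are this example's own).
ALLOW, DENY, BY_POLICY = "allow", "deny", "control-through-policy"


@dataclass(frozen=True)
class Profile:
    hours: tuple = (0, 24)                               # allowed dial-in hours [start, end)
    auth: frozenset = frozenset({"MS-CHAP v2", "EAP"})   # allowed authentication protocols
    min_key_bits: int = 0                                # 0 = unencrypted connections allowed


@dataclass
class Policy:
    name: str
    conditions: dict          # attribute -> required value
    grant: bool               # True = Grant, False = Deny remote access permission
    profile: Profile = Profile()

    def matches(self, attempt):
        return all(attempt.get(k) == v for k, v in self.conditions.items())


def evaluate(policies, user_permission, attempt):
    """Return (accepted, reason) for one connection attempt."""
    # Policies are checked in listed order; the first whose conditions match is used.
    policy = next((p for p in policies if p.matches(attempt)), None)
    if policy is None:
        return (False, "no policy matched")              # assumption of this model
    if user_permission == DENY:
        return (False, "user account: deny access")
    if user_permission == BY_POLICY and not policy.grant:
        return (False, "policy '%s': deny" % policy.name)
    # Allow access on the account, or Grant in the policy: the profile is applied.
    prof = policy.profile
    start, end = prof.hours
    if not start <= attempt["time"].hour < end:
        return (False, "profile: outside allowed hours")
    if attempt["auth"] not in prof.auth:
        return (False, "profile: authentication method not allowed")
    if attempt["key_bits"] < prof.min_key_bits:
        return (False, "profile: encryption too weak")
    return (True, "accepted by '%s'" % policy.name)


# Constructed sample: one specific policy, then a catch-all that denies.
POLICIES = [
    Policy("VPN staff", {"group": "VPN-Users", "tunnel": "L2TP"}, grant=True,
           profile=Profile(hours=(7, 19), min_key_bits=128)),
    Policy("default", {}, grant=False),
]
SAMPLE_ATTEMPT = dict(group="VPN-Users", tunnel="L2TP", auth="MS-CHAP v2",
                      key_bits=128, time=datetime(2004, 3, 1, 9, 0))

if __name__ == "__main__":
    cases = [
        ("staff, by policy", POLICIES, BY_POLICY, SAMPLE_ATTEMPT),
        ("staff using PAP", POLICIES, BY_POLICY, dict(SAMPLE_ATTEMPT, auth="PAP")),
        ("other group, by policy", POLICIES, BY_POLICY, dict(SAMPLE_ATTEMPT, group="Sales")),
        ("other group, Allow access", POLICIES, ALLOW, dict(SAMPLE_ATTEMPT, group="Sales")),
        ("catch-all listed first", POLICIES[::-1], BY_POLICY, SAMPLE_ATTEMPT),
    ]
    for label, pols, perm, attempt in cases:
        print(label, "->", evaluate(pols, perm, attempt))
```

In this model a per-user Allow access setting bypasses a policy's Deny, and a catch-all policy listed first shadows every policy after it, so both the account settings and the policy order are worth reviewing together.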

Page 44: Routing and Remote Access Service (RRAS)

Creating a Remote Access Policy (6)

In addition to setting remote access permissions on the Dial-in tab in the Properties dialog box for a user account, you can also set callback options

Callback options define how a computer responds when a user dials in
- No callback
  - If you select this option, there will be no callback
  - Once the connection is established, the computer stays connected and allows access to resources
- Set by Caller (Routing and Remote Access Service only)
  - If you select this option, the server disconnects as soon as a user dials in and calls back on the number that the user indicates
  - Useful when users need to call in from different locations
- Always Callback to
  - If you select this option, the computer calls back a specified number
  - Enhances security as a user can establish a connection using only one number

(Skill 8)

Page 45: Routing and Remote Access Service (RRAS)

Figure 11-67 Dial-in properties for a user account

(Skill 8)

Select to allow the user to dial-in to the RRAS server

Select to allow the remote client to connect on the first call-in attempt

Select to set a callback number that must always be used

Page 46: Routing and Remote Access Service (RRAS)

Virtual private network (VPN)
- A method of using the public telecommunication infrastructure to securely connect two or more subnets
- Access is restricted to only certain clients who are authenticated by their user account, subnet, or IP address
- A VPN encapsulates, authorizes, and routes data by creating tunnels
- A tunnel is a secure, logical link that is established between a remote user and a private network
- The Routing and Remote Access service can be used to configure a computer to be a VPN server which can accept both remote access and demand-dial VPN connections from remote access clients

Creating a VPN Server

(Skill 9)

Page 47: Routing and Remote Access Service (RRAS)

Figure 11-68 Creating a VPN

(Skill 9)

Page 48: Routing and Remote Access Service (RRAS)

Figure 11-69 Creating a VPN server

(Skill 9)

Page 49: Routing and Remote Access Service (RRAS)

Figure 11-70 Selecting the network interface that connects to the Internet

(Skill 9)

Page 50: Routing and Remote Access Service (RRAS)

After configuring the properties for a VPN server, you can create remote access policies and a remote access profile just as you can for a RAS server

By default, if configured to support VPN connections, Windows Server 2003 automatically creates 128 PPTP and 128 L2TP ports for incoming VPN connections

You can change the number of ports if your VPN server needs to support more clients for either protocol

To configure VPN clients, you must enter the FQDN or IP address for the VPN server in the New Connection Wizard

Creating a VPN Server (2)

(Skill 9)

Page 51: Routing and Remote Access Service (RRAS)

Figure 11-71 The Ports Properties dialog box

(Skill 9)

Click to open the Configure Device dialog box

Page 52: Routing and Remote Access Service (RRAS)

Figure 11-72 The Configure Device dialog box

(Skill 9)

If your VPN server needs to support more than 128 VPN clients for this protocol, increase the number of ports

Page 53: Routing and Remote Access Service (RRAS)

ICS is used to create an Internet connection access point with other computers on a home or small network

The ICS-enabled computer has both a public IP address and a private IP address

The clients sharing the connection request Internet access from the ICS-enabled computer, which accesses the Internet for them and passes the information to them

To set up ICS, you need two network connections: one for the LAN and one for the Internet

ICS is only suitable for small networks because only a limited range of private IP addresses can be used and it cannot be extended across subnets

Introducing Internet Connection Sharing (ICS)

(Skill 10)

Page 54: Routing and Remote Access Service (RRAS)

ICS automatically assigns unregistered non-routable private IP addresses to the client computers on the network in the Class C subnet range 192.168.0.2-192.168.0.254

The address for the ICS computer will always be the Windows Server 2003 internal address 192.168.0.1 with a subnet mask of 255.255.255.0

Public IP addresses are assigned by a registrar and are unique on the Internet

Introducing Internet Connection Sharing (ICS) (2)

(Skill 10)

Page 55: Routing and Remote Access Service (RRAS)

Figure 11-73 ICS

(Skill 10)

Page 56: Routing and Remote Access Service (RRAS)

Figure 11-74 Disabling RRAS

(Skill 10)

Page 57: Routing and Remote Access Service (RRAS)

Figure 11-75 Enabling ICS on the Advanced tab

(Skill 10)

Allows multiple users to connect through a single connection

Page 58: Routing and Remote Access Service (RRAS)

Figure 11-76 The Advanced Settings dialog box

(Skill 10)

Select services configured on the internal network that can be accessed from the Internet

Page 59: Routing and Remote Access Service (RRAS)

Figure 11-77 The Service Settings dialog box

(Skill 10)

Enter the IP address or FQDN of the server to which you are enabling access

Page 60: Routing and Remote Access Service (RRAS)

Figure 11-78 Network Connections message box

(Skill 10)

The address for the ICS computer will always be the Windows internal address 192.168.0.1; unregistered non-routable private IP addresses in the Class C subnet range 192.168.0.2-192.168.0.254 will be assigned to the client computers on the network

Page 61: Routing and Remote Access Service (RRAS)

The ICS server assigns IP addresses and subnet masks to the other computers on the LAN just like a DHCP server

The default gateway for the other computers on the LAN will be the IP address for the ICS-enabled network interface

ICS is generally not suitable for a domain-based network where there is a WINS server, a DNS server, or any other computer with a static IP address

If there is a DHCP server on the network, the DHCP service should be stopped because it may interfere with the DHCP allocator functionality included with ICS

Introducing Internet Connection Sharing (ICS) (3)

(Skill 10)

Page 62: Routing and Remote Access Service (RRAS)

Figure 11-79 ICS

(Skill 10)

Page 63: Routing and Remote Access Service (RRAS)

Figure 11-80 The Internet Options dialog box

(Skill 10)

Page 64: Routing and Remote Access Service (RRAS)

Network Address Translation (NAT) also allows computers on a network to share a single Internet connection, but with greater flexibility

The NAT service translates private IP addresses to public IP addresses and vice versa as they are forwarded from client computers to a server or from the server to client computers

Using NAT, you can determine your own IP address range, making NAT extendable for a larger network that has multiple subnets over a routed network

NAT includes a basic firewall to help protect clients from intrusions from the Internet

You can also configure static packet filters to designate the kinds of traffic you will allow to both enter and leave the internal network

Introducing Network Address Translation (NAT)

(Skill 11)

Page 65: Routing and Remote Access Service (RRAS)

Figure 11-81 NAT

(Skill 11)

Page 66: Routing and Remote Access Service (RRAS)

Figure 11-82 Installing NAT

(Skill 11)

Page 67: Routing and Remote Access Service (RRAS)

Figure 11-83 The NAT Internet Connection screen

(Skill 11)

In Windows Server 2003, NAT includes a basic firewall by default

Page 68: Routing and Remote Access Service (RRAS)

Figure 11-84 The General tab on the NAT/Basic Firewall Properties dialog box

(Skill 11)

Page 69: Routing and Remote Access Service (RRAS)

Figure 11-85 The Address Assignment tab

(Skill 11)

Select to automatically assign IP addresses to the client computers on the network using the DHCP allocator

Page 70: Routing and Remote Access Service (RRAS)

Figure 11-86 The Name Resolution tab

(Skill 11)

Select so that DNS queries will be forwarded to the DNS server configured for the router

Page 71: Routing and Remote Access Service (RRAS)

If you have already enabled a RRAS server, you can add NAT functionality by installing and configuring the NAT protocol

The NAT-configured RRAS server runs a DHCP allocator to assign IP addresses to clients

The NAT clients are configured as DHCP clients so that the RRAS server can allocate IP addresses and subnet masks to them

The IP address for the RRAS server is the default gateway for the NAT clients

A NAT-configured RRAS server can be configured to function as a DNS proxy server for the clients

Introducing Network Address Translation (NAT) (2)

(Skill 11)

Page 72: Routing and Remote Access Service (RRAS)

Figure 11-87 The New Routing Protocol dialog box

(Skill 11)

Page 73: Routing and Remote Access Service (RRAS)

Figure 11-88 The Network Address Translation Properties dialog box

(Skill 11)

Use to create IP filters to control data traffic based on the IP address of the source or destination, the source or destination port number, and the type of data packet

