Chapter Overview

- Using Remote Access
- Using Virtual Private Networks
- Using NAT and ICS
- Using Terminal Services

Using Remote Access

Using Microsoft Windows 2000 remote access technology, remote clients can connect to corporate networks or to the Internet.

As an administrator, you should understand:
- Dial-in remote access connections
- Remote access protocols and security
- How to manage remote access
- The Remote Access Service (RAS)

RAS is part of the Windows 2000 Routing and Remote Access feature.

Overview of Remote Access

In Windows 2000 RAS, remote access clients connect to either:
- The RAS server and its resources only (called point-to-point remote access connectivity), or
- The RAS server and the resources of its network (called point-to-LAN remote access connectivity)

A Windows 2000 RAS server provides two remote access connection methods:
- Dial-in remote access
- Virtual private network (VPN) remote access

Dial-In Remote Access Connections

A dial-in remote access connection consists of:
- A remote access client
- A remote access server
- A wide area networking (WAN) infrastructure

The connection between the remote access server and the remote access client is facilitated by:
- Dial-in equipment installed at the client and server sites
- The telecommunications infrastructure

Elements of a Dial-In Remote Access Connection

WAN Connections

The most common type of WAN connection used by RAS is the Public Switched Telephone Network (PSTN).

Dial-in equipment consists of two analog modems, one for the remote access client and one for the remote access server.

The maximum bit rate supported by an analog PSTN connection is 33.6 Kbps. 56-Kbps (V.90) modems reach their higher rate only when the server end has a digital connection to the telephone network.

Integrated Services Digital Network (ISDN) and leased telephone lines provide all-digital WAN services that:
- Run at higher speeds
- Require special equipment at the client and server sites (a leased line is a permanent connection between the two sites; ISDN is a switched, dial-up service)

Dial-In Equipment and WAN Infrastructure for PSTN Connections

Remote Access Protocols

RAS connections almost always use the Point-to-Point Protocol (PPP) for WAN communications because PPP provides:
- Security (authentication and encryption are negotiated when the link is established)
- Support for multiple protocols at the network layer (IP, IPX, and AppleTalk)

Once the WAN connection is established between the RAS client and server, the client can use PPP to access server resources.

The server functions as a router, enabling the RAS client to access resources on the server's network as though the client were directly connected to the local area network (LAN), except at a slower speed.

Remote Access Security

Windows 2000 remote access offers a wide range of security features, including:
- Secure user authentication
- Mutual authentication
- Data encryption
- Callback
- Caller ID
- Remote access account lockout

Secure User Authentication

- Is obtained through an exchange of user credentials in which the password never crosses the link in cleartext (a challenge-response handshake, or certificates in the case of EAP-TLS)
- Uses PPP with one of the following authentication protocols:
  - Extensible Authentication Protocol (EAP)
  - Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) version 1 and version 2
  - Challenge Handshake Authentication Protocol (CHAP)
  - Shiva Password Authentication Protocol (SPAP)

If a RAS server requires a secure authentication method and the client cannot support the method, the connection is denied.

These methods are not equally strong. PAP, which is not in the list above, sends the password in cleartext; SPAP uses a reversible encoding; and MS-CHAP version 1 is considered weak. For a new deployment, prefer EAP-TLS, or at least MS-CHAP version 2, and clear the weaker methods from the server's allowed list so a client cannot negotiate down to them.

Mutual Authentication

- Involves authenticating both ends of the connection through the exchange of protected credentials, so that a client cannot be tricked into presenting its credentials to an impostor server
- Uses PPP with EAP-Transport Layer Security (EAP-TLS) or MS-CHAP version 2
- Involves the following process:
  1. The remote access client authenticates itself to the RAS server.
  2. The RAS server authenticates itself to the remote access client.

Data Encryption

Data encryption protects the data only while it is on the WAN link between the RAS client and server; the server decrypts it, and it crosses the server's LAN in the clear. On Windows 2000 links this is Microsoft Point-to-Point Encryption (MPPE).

If end-to-end encryption is needed, you can use Internet Protocol Security (IPsec) to create an encrypted end-to-end connection after establishing the RAS connection.

On dial-in remote access links, data encryption requires PPP with EAP-TLS or MS-CHAP, because MPPE derives its session keys from material produced by those authentication exchanges.

If a RAS server is configured to require data encryption and the client does not support it, the connection attempt is rejected.

Callback

Callback uses the following process:
1. The remote client dials in to the RAS server and authenticates itself, and the server then terminates the connection.
2. The server calls the client back and reestablishes the connection.

You can configure the server to call the client back at either:
- A preset number (Always Callback To), or
- A number specified by the client during the initial call (Set By Caller)

Only the preset number adds security, because it ties the connection to a known telephone line even if the user's credentials have been stolen; Set By Caller merely moves the toll charges to the server side.

Caller ID

RAS can use caller ID to verify that a call from a client is coming from a specified phone number.

You configure caller ID as part of the dial-in properties of the user account (Verify Caller-ID).

If the caller ID number of the incoming connection for that user account does not match the preconfigured number, the connection is denied. The same happens when no caller ID is delivered at all, so the telephone company, the modem, and its driver must all pass the number through. Because caller ID can be spoofed, treat it as an additional filter, not as a replacement for authentication.

Remote Access Account Lockout

- Specifies the number of failed remote access authentication attempts a user is permitted before the server denies remote access for that account
- Is important for VPN connections over the Internet
- Slows down online password guessing by attackers who repeatedly submit credentials to the server

Remote access account lockout is separate from the domain account lockout policy. It is enabled on the RAS or IAS server through the MaxDenials and ResetTime (mins) values under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout, and it is off (MaxDenials = 0) by default. As with any lockout, an attacker who knows valid user names can deliberately lock those users out, so choose a reset time that makes this a nuisance rather than an outage.

Configuring Routing and Remote Access

Routing and Remote Access is responsible for all remote access functionality in Microsoft Windows 2000 Server.

Although Routing and Remote Access is installed by default with the operating system, you must configure and enable the service.

To configure Routing and Remote Access as a remote access server, click Start, point to Programs, point to Administrative Tools, and then click Routing And Remote Access.

The IP Address Assignment Page in the Routing And Remote Access Server Setup Wizard

The Managing Multiple Remote Access Servers Page in the Routing And Remote Access Server Setup Wizard

Managing Remote Access

Consider factors such as:
- Where to store user account data
- How to assign addresses to remote access clients
- Who should be permitted to create remote access connections

Remote access management includes:
- Managing users
- Managing addresses
- Managing access

Managing Users for RAS

Instead of maintaining separate user accounts on separate servers, most administrators set up a master user account database in the Active Directory service or on a Remote Authentication Dial-In User Service (RADIUS) server.

This enables the RAS server to forward the authentication credentials to a central authenticating device instead of validating them against a local account database.

Managing Addresses for RAS Clients

For PPP connections, addressing information must be allocated to remote access clients during the establishment of the connection.

You can configure a RAS server to allocate:
- Internet Protocol (IP) addresses
- Internetwork Packet Exchange (IPX) network and node addresses
- AppleTalk network and node addresses

Managing Access to RAS

A Windows 2000 RAS server accepts connections based on the dial-in properties of each user account and the server's remote access policies.

A remote access policy is a set of conditions and parameters that define the connection and any constraints imposed on it.

You can create multiple remote access policies to apply different conditions and parameters to different users, groups, or types of connection attempts.

Managing Access to RAS (Cont.)

To use a centralized set of remote access policies on multiple Windows 2000 RAS or VPN servers, you can:
- Configure one Internet Authentication Service (IAS) server
- Configure each RAS or VPN server to be a RADIUS client of the IAS server

To administer remote access policies:
- For Windows 2000 RAS servers, use the Routing And Remote Access snap-in
- For Windows 2000 IAS servers, use the Internet Authentication Service snap-in
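The "forward credentials to a central authenticating device" step of the previous two slides is a RADIUS exchange: the RAS server is the RADIUS client, the IAS server is the RADIUS server, and the only thing securing that hop is the shared secret configured on both. The following is an added example, not code from the slides or from Windows; it builds the exchange from RFC 2865 with the Python standard library. The shared secret, user name, password and NAS address are made up.

```python
"""Added example, not from the original slides: the RADIUS exchange between
a Windows 2000 RAS server (RADIUS client) and an IAS server, built from
RFC 2865. The shared secret, user name, password and NAS address below are
made up. It shows that the shared secret both hides the User-Password and
is the only thing that authenticates an Access-Accept."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def encode_attributes(attrs) -> bytes:
    out = b""
    for typ, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", typ, len(value) + 2) + value
    return out


def parse_attributes(packet: bytes):
    attrs, i = [], 20
    while i < len(packet):
        typ, length = packet[i], packet[i + 1]
        if length < 2 or i + length > len(packet):
            raise ValueError("malformed attribute")
        attrs.append((typ, packet[i + 2:i + length]))
        i += length
    return attrs


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request
    Authenticator. Anyone holding the secret can reverse it."""
    if len(password) > 128:
        raise ValueError("password limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """What the IAS server does before checking the password."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(ident, secret, user, password, nas_ip, request_auth=None) -> bytes:
    request_auth = request_auth or os.urandom(16)   # must be unpredictable
    attrs = encode_attributes([
        (USER_NAME, user),
        (USER_PASSWORD, hide_password(password, secret, request_auth)),
        (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def build_response(code, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """The RADIUS client must do this before honouring an Access-Accept: a
    reply forged without the secret, or replayed against a different
    request, fails here."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    secret = b"shared-secret"   # made-up secret shared by RRAS and IAS
    req = build_access_request(1, secret, b"alice", b"Pa55word!", "192.168.1.5")
    pw = dict(parse_attributes(req))[USER_PASSWORD]
    print("IAS recovers password:", reveal_password(pw, secret, req[4:20]))
    print("Accept verified:", verify_response(build_response(ACCESS_ACCEPT, req, secret), req, secret))
```

Two things follow for the RRAS-to-IAS link: the secret should be long and random, because the User-Password hiding is a keystream derived from it with MD5 and an attacker who captures traffic can test guesses offline; and the link between a RADIUS client and IAS should itself be on a trusted network or inside IPsec, because RADIUS provides no confidentiality for anything else in the packet.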

Access by User Account

Each Windows 2000 user account has a set of dial-in properties that a RAS server uses when processing a user’s connection attempt.

The Dial-in Tab of an Active Directory User’s Properties Dialog Box

Access by Policy

To manage remote access by policy:
1. Select the Control Access Through Remote Access Policy option in the Dial-In tab of the user's Properties dialog box. This option is available only for accounts in a native-mode domain (or local accounts on a stand-alone server); in a mixed-mode domain the account setting is limited to Allow Access or Deny Access.
2. Create remote access policies to meet your needs, either through Routing and Remote Access or a RADIUS authentication provider.

To create a remote access policy on a Windows 2000 RAS server, use the Routing And Remote Access console.

The Remote Access Policies Node in the Routing And Remote Access Console

The Conditions Page in the Add Remote Access Policy Wizard

The Permissions Page in the Add Remote Access Policy Wizard

Policy-Based Access

A typical use of policy-based access is to allow access through group membership. For example, you create a group named DialUpUsers, whose members are the users who are to be allowed dial-in remote access.

Then you create a remote access policy whose condition is Windows-Groups matches DialUpUsers and whose permission is Grant remote access permission.

The Logic of Remote Access Policies and User Account Settings
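The decision order that figure describes is easy to get wrong in practice (the account setting beats the policy, and only the first matching policy is ever consulted). The following is an added example, not code from the slides or from Windows, that implements that order in Python so the cases can be checked. The policy and group names and the sample connection attempts are made up; the last policy reproduces the Windows 2000 default policy, "Allow access if dial-in permission is enabled".

```python
"""Added example, not from the original slides: the order in which a
Windows 2000 RAS server combines a user account's dial-in setting with its
ordered list of remote access policies. Policy names, group names and the
sample connection attempts are made up."""
from dataclasses import dataclass, field

ALLOW, DENY, CONTROL_THROUGH_POLICY = "allow", "deny", "policy"


@dataclass
class Policy:
    name: str
    conditions: dict          # attribute -> set of acceptable values
    grant: bool               # True = Grant remote access permission
    profile: dict = field(default_factory=dict)  # constraints checked after permission


@dataclass
class User:
    name: str
    groups: set
    dialin: str               # ALLOW, DENY or CONTROL_THROUGH_POLICY


def matches(policy, user, attempt):
    """All conditions of a policy must match. Windows-Groups is evaluated
    against the account; every other attribute comes from the attempt."""
    for attr, wanted in policy.conditions.items():
        if attr == "Windows-Groups":
            if not (user.groups & wanted):
                return False
        elif attempt.get(attr) not in wanted:
            return False
    return True


def profile_ok(policy, attempt):
    """Two common profile constraints: permitted authentication methods and
    mandatory encryption."""
    allowed_auth = policy.profile.get("Authentication-Type")
    if allowed_auth and attempt.get("Authentication-Type") not in allowed_auth:
        return False
    if policy.profile.get("Require-Encryption") and not attempt.get("Encrypted"):
        return False
    return True


def evaluate(policies, user, attempt):
    """Returns (decision, reason). Only the FIRST matching policy is used; a
    profile failure does not fall through to later policies."""
    if not policies:
        return "reject", "no remote access policies configured"
    policy = next((p for p in policies if matches(p, user, attempt)), None)
    if policy is None:
        return "reject", "no policy matched the connection attempt"
    # The account's dial-in setting overrides the policy's own permission.
    if user.dialin == DENY:
        return "reject", f"account denies access (matched {policy.name})"
    if user.dialin == CONTROL_THROUGH_POLICY and not policy.grant:
        return "reject", f"{policy.name} denies access"
    if not profile_ok(policy, attempt):
        return "reject", f"profile of {policy.name} not satisfied"
    return "accept", f"granted by {policy.name}"


# Ordered policies. The last one reproduces the Windows 2000 default policy
# "Allow access if dial-in permission is enabled": its real condition is
# Day-And-Time-Restrictions covering all hours (so it matches everything,
# shown here as no conditions) and its permission is Deny, so only accounts
# set to Allow Access get through it.
POLICIES = [
    Policy("VPN users",
           {"NAS-Port-Type": {"Virtual"}, "Windows-Groups": {"VPNUsers"}},
           grant=True,
           profile={"Authentication-Type": {"MS-CHAPv2", "EAP"}, "Require-Encryption": True}),
    Policy("Dial-up users",
           {"NAS-Port-Type": {"Async"}, "Windows-Groups": {"DialUpUsers"}},
           grant=True),
    Policy("Allow access if dial-in permission is enabled", {}, grant=False),
]


if __name__ == "__main__":
    cases = [
        (User("alice", {"DialUpUsers"}, CONTROL_THROUGH_POLICY), {"NAS-Port-Type": "Async"}),
        (User("bob", set(), CONTROL_THROUGH_POLICY), {"NAS-Port-Type": "Virtual", "Encrypted": True}),
        (User("carol", set(), ALLOW), {"NAS-Port-Type": "Virtual", "Authentication-Type": "PAP"}),
        (User("dave", {"VPNUsers"}, CONTROL_THROUGH_POLICY),
         {"NAS-Port-Type": "Virtual", "Authentication-Type": "PAP", "Encrypted": True}),
    ]
    for user, attempt in cases:
        print(user.name, "->", evaluate(POLICIES, user, attempt))
```

The carol case is the one to watch: an account set to Allow Access gets in through the default policy even though that policy's permission is Deny and the attempt uses PAP, because the empty profile of the default policy imposes no constraints. Moving everyone to Control Access Through Remote Access Policy is what makes the profile constraints (authentication method, encryption) enforceable.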

Lesson Summary

- Windows 2000 remote access provides two types of remote access: dial-in and VPN.
- A dial-in remote access connection consists of a remote access client, a remote access server, and a WAN infrastructure.
- RAS connections almost always use PPP for WAN communications.
- Although Routing and Remote Access is installed by default with Windows 2000 Server, you must use the Routing And Remote Access console to configure and enable the service.

Using Virtual Private Networks

A VPN is a connection between two computers across an internetwork or the Internet.

In most cases a VPN is functionally similar to a WAN link, except that the Internet, rather than a dedicated or dial-up telephone line, serves as the network medium.

Virtual Private Networking

Implementing a VPN

Remote users use VPNs to connect securely to a remote corporate server over the Internet.

From the user's perspective, the VPN is a point-to-point connection between the user's computer and a corporate server.

Because a VPN uses the Internet, not a long-distance telephone line, phone charges are kept to a minimum.

To carry private communications over the Internet, VPNs use a mechanism called tunneling, combined with authentication of the endpoints and encryption of the tunneled traffic. Tunneling by itself only encapsulates the data; it provides no confidentiality.

Tunneling Basics

Tunneling is a method of using an internetwork infrastructure to transfer a payload, such as packets.

The packet is encapsulated with an extra header generated by the tunneling protocol (in a VPN it is encrypted first). The extra header provides the routing information needed to cross the transit internetwork, so the original packet's addresses, which may be private and unroutable there, are never consulted in transit.

The encapsulated packet is routed between the endpoints over the transit internetwork.

At the destination, the packet is de-encapsulated and forwarded to its final destination.

A VPN Tunnel

Tunnel Maintenance and Data Transfer

Tunnel maintenance is the process of creating and managing the tunnel through the transit internetwork.

Data transfer is the transmission of encapsulated data through the tunnel.

Before data transfer can occur, a VPN client and server must create a tunnel. The client and server must use the same tunneling protocol.

Some tunneling protocols require tunnel maintenance: PPTP runs a separate control connection over TCP port 1723, and L2TP carries its control messages in band over UDP port 1701.

Tunneling Protocols

The most popular tunneling protocols used to create VPNs are:
- Point-to-Point Tunneling Protocol (PPTP)
- Layer 2 Tunneling Protocol (L2TP)
- IPsec
- IP-in-IP (IP-IP)

Point-to-Point Tunneling Protocol (PPTP)

PPTP encapsulates PPP frames into IP datagrams for transmission over an IP internetwork such as the Internet. The PPP frames travel inside GRE (IP protocol 47) and tunnel control runs over a TCP connection to port 1723, so both must be permitted through any firewall in the path.

PPTP is also used in private LAN-to-LAN networking.

PPTP payloads can be encrypted and compressed.

PPTP connections are authenticated with the same PPP user authentication mechanisms as dial-in connections; PPTP has no separate tunnel authentication. Windows 2000 PPTP encryption (MPPE) requires EAP-TLS or MS-CHAP, because the encryption keys are derived from those authentication exchanges.

If end-to-end security is needed, IPsec is the preferred tunneling protocol.

A PPTP Packet
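To make the layering in that figure concrete, the following added example (not code from the slides or from Windows) builds a PPTP data packet and takes it apart again with the Python standard library: outer IP header, enhanced GRE header as defined in RFC 2637, PPP protocol field, PPP payload. The addresses, call ID and payload bytes are made up, and the MPPE-encrypted payload is represented by an opaque byte string. The point is which fields an observer on the path can read: everything except the PPP payload.

```python
"""Added example, not from the original slides: building and dissecting a
PPTP data packet (outer IP header, enhanced GRE header per RFC 2637, PPP
protocol field, PPP payload). Addresses, call ID and payload are made up;
the MPPE-protected payload is just an opaque byte string here."""
import struct

IPPROTO_GRE = 47
GRE_PROTO_PPP = 0x880B
PPP_COMPRESSED = 0x00FD     # PPP protocol number for an MPPE/MPPC-protected frame
PPP_IP = 0x0021


def ip_checksum(data: bytes) -> int:
    """RFC 791 one's-complement checksum; a valid header checksums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _addr(a: str) -> bytes:
    return bytes(int(o) for o in a.split("."))


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                      ttl, proto, 0, _addr(src), _addr(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def gre_header(call_id: int, seq: int, payload_len: int) -> bytes:
    """Enhanced GRE: K (key) and S (sequence) bits set, version 1. The key
    field carries the payload length and the PPTP call ID in the clear."""
    flags = 0x2000 | 0x1000 | 0x0001
    return struct.pack("!HHHHI", flags, GRE_PROTO_PPP, payload_len, call_id, seq)


def build_pptp_packet(src, dst, call_id, seq, ppp_protocol, payload: bytes) -> bytes:
    ppp = struct.pack("!H", ppp_protocol) + payload
    gre = gre_header(call_id, seq, len(ppp))
    return ipv4_header(src, dst, IPPROTO_GRE, len(gre) + len(ppp)) + gre + ppp


def parse_pptp_packet(pkt: bytes) -> dict:
    """Everything returned here is plaintext on the wire; MPPE protects only
    the bytes in 'payload'. Framing or checksum errors raise ValueError."""
    ihl = (pkt[0] & 0x0F) * 4
    if len(pkt) < ihl + 8 or ip_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IP header")
    if pkt[9] != IPPROTO_GRE:
        raise ValueError("not a GRE packet")
    flags, proto, plen, call_id = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    if (flags & 0x0007) != 1 or proto != GRE_PROTO_PPP or not flags & 0x2000:
        raise ValueError("not enhanced GRE carrying PPP")
    off, seq = ihl + 8, None
    if flags & 0x1000:                      # sequence number present
        seq = struct.unpack("!I", pkt[off:off + 4])[0]
        off += 4
    if flags & 0x0080:                      # acknowledgment number present
        off += 4
    ppp = pkt[off:off + plen]
    if len(ppp) != plen or plen < 2:
        raise ValueError("truncated PPP frame")
    return {
        "src": ".".join(map(str, pkt[12:16])),
        "dst": ".".join(map(str, pkt[16:20])),
        "call_id": call_id,
        "seq": seq,
        "ppp_protocol": struct.unpack("!H", ppp[:2])[0],
        "payload": ppp[2:],
    }


if __name__ == "__main__":
    pkt = build_pptp_packet("203.0.113.10", "198.51.100.1", 0x1234, 7,
                            PPP_COMPRESSED, b"\x9a\x02\x7f\x10\x33")
    print(pkt.hex())
    print(parse_pptp_packet(pkt))
```

Besides the addresses, the call ID and sequence number are visible to anyone on the path, which is why a firewall can track PPTP sessions but also why the tunnel itself offers no protection beyond what MPPE gives the payload.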

Layer 2 Tunneling Protocol (L2TP)

L2TP combines the best features of PPTP and Layer 2 Forwarding (L2F).

L2TP encapsulates PPP frames for transmission over IP, X.25, frame relay, or Asynchronous Transfer Mode (ATM) networks. Over IP, both L2TP control and data messages are carried in UDP datagrams on port 1701.

When used with IP, L2TP can function as a tunneling protocol over the Internet, or it can be used in private LAN-to-LAN networking.

L2TP itself provides encapsulation and compression but no encryption. Windows 2000 uses IPsec (Encapsulating Security Payload, ESP, in transport mode) to encrypt the UDP/L2TP packets, which is why the combination is referred to as L2TP/IPsec.

An L2TP Packet

PPTP vs. L2TP

Both PPTP and L2TP use PPP for point-to-point WAN connections, but there are differences between them:
- PPTP requires IP; L2TP can use IP, frame relay, X.25, or ATM networks.
- L2TP provides header compression capability; PPTP does not.
- L2TP provides tunnel authentication; PPTP does not (it relies on PPP user authentication only).
- PPTP uses PPP encryption (MPPE); L2TP requires IPsec for encryption.
- Through a firewall or NAT, PPTP needs TCP port 1723 plus GRE (IP protocol 47), while L2TP/IPsec needs UDP port 500 (IKE) plus ESP (IP protocol 50), and ESP cannot be translated by a NAT without IPsec NAT traversal support.

Internet Protocol Security (IPsec)

IPsec, a Layer 3 tunneling protocol, supports the secure transfer of data across an IP internetwork.

With IPsec in Tunnel mode, a complete IP datagram is encapsulated and encrypted with Encapsulating Security Payload (ESP).

The result is encapsulated with a new plaintext IP header addressed to the tunnel endpoint and transmitted over the transit internetwork, so intermediate routers see only the two tunnel endpoints' addresses.

On receipt, the tunnel server discards the plaintext IP header, verifies the ESP integrity check and decrypts the ESP payload, and then processes the recovered IP packet normally. The order matters: a packet that fails the integrity check is dropped before any of its contents are acted upon.

IP-in-IP (IP-IP)

- An Open Systems Interconnection (OSI) Layer 3 tunneling technique
- Creates a virtual network by encapsulating an IP packet with an additional IP header
- Primarily used for tunneling multicast traffic over sections of a network that do not support multicast routing
- Packet structure consists of the outer IP header, the tunnel header, the inner IP header, and the IP payload

IP-in-IP provides no authentication and no encryption, so anyone who can send packets to the tunnel endpoint can inject packets into the inner network. Use it only where the transit network is trusted, or protect it with IPsec.

Integrating a VPN in a Routed Environment

VPNs enable a department's LAN to be physically connected to the corporate internetwork, yet separated and protected by a VPN server.

In this situation, the VPN server does not act as a router between the department's LAN and the rest of the internetwork; it forwards only traffic that arrives through an authenticated tunnel.

Users with appropriate credentials can establish a VPN with the VPN server and access the protected resources.

To all other internetwork users, the department's LAN is hidden from view.

Integrating VPN Servers with the Internet

Branch Office VPN Connections over the Internet

Managing Virtual Private Networking

VPN security issues must be managed carefully, particularly with Internet VPN connections, because the VPN server is reachable by anyone on the Internet.

To manage users, most administrators set up a master account database on a domain controller or a RADIUS server. This:
- Enables the VPN server to forward authentication credentials to the central authenticating device
- Requires only one user account per user for both dial-in and VPN-based remote access

Managing Addresses and Name Servers for VPN Clients

The VPN server must have IP addresses available to assign to its own interface and to VPN clients during the IP Control Protocol (IPCP) negotiation phase of the connection process.

By default, VPN clients of Windows 2000-based VPN servers obtain their IP addresses through Dynamic Host Configuration Protocol (DHCP): the VPN server leases addresses from the DHCP server in blocks and hands them to clients itself. Alternatively, you can configure a static address pool on the VPN server.

The VPN server must be configured with the IP addresses of Domain Name System (DNS) and Windows Internet Name Service (WINS) servers on the network, which it passes to clients during IPCP negotiation.

Managing Access for VPN Clients

If you manage remote access on a user basis, select the Allow Access option in the Dial-In tab of the user's Properties dialog box to enable the user to establish VPN connections.

If you manage remote access on a group basis:
1. Select the Control Access Through Remote Access Policy option on all user accounts.
2. Create a group of users who can create VPN connections.
3. Create an appropriate remote access policy (for example, with the condition NAS-Port-Type matches Virtual (VPN), so that it applies to tunnel connections only).
4. Assign the group to the remote access policy through a Windows-Groups condition.

Lesson Summary

- A VPN mimics the properties of a dedicated private network, enabling data to be transferred between two computers across an internetwork, such as the Internet.
- VPNs use tunneling to transfer data.
- Primary protocols used by Windows 2000 for VPN access are PPTP, L2TP, IPsec, and IP-IP.
- Branch offices can use dedicated lines or dial-up lines to establish VPN connections over the Internet.

Using NAT and ICS

Network address translation (NAT) enables private IP addresses to be translated into public IP addresses for traffic to and from the Internet.

Internet Connection Sharing (ICS) is a Windows 2000 feature that uses NAT to share a single Internet connection among all of the computers on a small office or home office (SOHO) network.

NAT and ICS are designed to connect SOHO networks to the Internet.

Network Address Translation

Windows 2000 NAT enables computers on a small network to share a single Internet connection with one public IP address.

The computer that NAT is installed on can act as a network address translator, a simplified DHCP server, a DNS proxy, and a WINS proxy.

NAT helps conserve the public IP address space, and because it forwards inbound traffic only for connections that were opened from inside (or that have an explicit static mapping), it incidentally shields the private hosts from unsolicited Internet traffic. It is not a firewall: static mappings and NAT editors open paths inward, and nothing is filtered on the outbound side.

Understanding NAT

Component | Function
Translation | The NAT computer acts as a network address translator, translating IP addresses and TCP/UDP port numbers of packets forwarded between the private network and the Internet.
Addressing | The NAT computer becomes a simplified DHCP server for the network.
Name resolution | The NAT computer acts as a DNS proxy for the network, forwarding clients' queries to the DNS servers configured on its Internet connection.

Routed and Translated Internet Connections

Connection Type | Description
Routed | Requires a range of registered IP addresses and a router; every computer receives a public address and is directly reachable from the Internet.
Translated (or NAT) | Uses a router and a range of private IP addresses, which are hidden from Internet users. This type of connection provides more security, because hosts on the private network cannot be addressed from the Internet unless a static mapping is created for them.

How NAT Works

NAT enables networks to use private IP addresses and still participate on the Internet.

On a translated network, the router (called the NAT computer) has a registered IP address and also runs the NAT service.

The NAT computer is the intermediary between clients on a private network and servers on the Internet.

Only the NAT computer is visible to Internet users; clients are hidden, and inbound packets that do not correspond to an existing mapping are discarded.

Using NAT to Transparently Connect an Intranet to the Internet

Static and Dynamic Address Mapping

NAT can use either static or dynamic address mapping.

With static mapping, traffic is always mapped a certain way, for example, mapping the private IP address of a Web server to a specific public IP address (or a public port). A static mapping makes that internal host reachable from the Internet, so it needs the same hardening as a directly exposed host.

Dynamic mappings are created when users on the private network initiate traffic with Internet locations. The NAT service adds these mappings to its mapping table so it can forward replies from the Internet server to the client, and removes them when the connection ends or the mapping goes unused.
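The following is an added example, not code from the slides or from Windows: a minimal port-translating NAT table that implements the dynamic and static mappings just described and shows what happens to inbound packets that match neither. Addresses and packets are made up, and only the translation logic is modelled, not the Windows 2000 NAT service. The one design choice worth noticing is that a dynamic mapping is keyed on the remote endpoint too, so a packet from some other Internet host that guesses the public port is dropped rather than forwarded inside.

```python
"""Added example, not from the original slides: a minimal port-translating
NAT table with dynamic mappings (opened from inside), static mappings
(opened by the administrator) and a default drop for everything else.
Addresses and packets are made up; the Windows 2000 NAT service is not
modelled, only the translation logic."""
from dataclasses import dataclass, replace
import itertools


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class Nat:
    def __init__(self, public_ip: str, first_port: int = 1024):
        self.public_ip = public_ip
        self._next_port = itertools.count(first_port)
        # dynamic: (proto, priv_ip, priv_port, remote_ip, remote_port) -> public_port
        self.dynamic = {}
        # reverse: (proto, public_port) -> (priv_ip, priv_port, remote_ip, remote_port)
        self.reverse = {}
        # static: (proto, public_port) -> (priv_ip, priv_port)
        self.static = {}

    def add_static(self, proto: str, public_port: int, priv_ip: str, priv_port: int):
        """Expose an internal server: anyone on the Internet can now reach
        priv_ip:priv_port through public_ip:public_port."""
        self.static[(proto, public_port)] = (priv_ip, priv_port)

    def _allocate_port(self, proto: str) -> int:
        port = next(self._next_port)
        while (proto, port) in self.static or (proto, port) in self.reverse:
            port = next(self._next_port)
        return port

    def outbound(self, pkt: Packet) -> Packet:
        """Private -> Internet: create (or reuse) a dynamic mapping and
        rewrite the source address and port to the public ones."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.dynamic:
            port = self._allocate_port(pkt.proto)
            self.dynamic[key] = port
            self.reverse[(pkt.proto, port)] = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return replace(pkt, src=self.public_ip, sport=self.dynamic[key])

    def inbound(self, pkt: Packet):
        """Internet -> private: translate through a static mapping or a
        dynamic mapping opened from inside; otherwise return None (drop)."""
        if pkt.dst != self.public_ip:
            return None
        target = self.static.get((pkt.proto, pkt.dport))
        if target is None:
            entry = self.reverse.get((pkt.proto, pkt.dport))
            # Only the remote endpoint the client actually talked to may use
            # a dynamic mapping; otherwise anyone who guesses the public
            # port could reach the internal host.
            if entry is None or (entry[2], entry[3]) != (pkt.src, pkt.sport):
                return None
            target = entry[:2]
        return replace(pkt, dst=target[0], dport=target[1])

    def expire(self, pkt: Packet):
        """Remove the dynamic mapping of a finished connection."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        port = self.dynamic.pop(key, None)
        if port is not None:
            del self.reverse[(pkt.proto, port)]


if __name__ == "__main__":
    nat = Nat("203.0.113.5")
    out = nat.outbound(Packet("192.168.0.10", 40000, "198.51.100.7", 80))
    print("outbound rewritten to", out)
    print("reply ->", nat.inbound(Packet("198.51.100.7", 80, "203.0.113.5", out.sport)))
    print("stranger ->", nat.inbound(Packet("198.51.100.9", 80, "203.0.113.5", out.sport)))
```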

Proper Translation of Header Fields

A NAT server, by default, translates IP addresses and TCP/UDP ports. The translation requires modification of various fields in the IP, TCP, and UDP headers, including the checksums that cover them.

When applications and protocols carry IP or port addressing information in places other than their headers, the NAT server might require a NAT editor to translate that embedded address as well.

NAT Editors

When the NAT server must translate the payload beyond the IP, TCP, and UDP headers, a NAT editor is required.

A NAT editor is an installable component that can properly modify otherwise nontranslatable payloads so they can be forwarded across a NAT.

Windows 2000 includes built-in NAT editors for:
- File Transfer Protocol (FTP)
- Internet Control Message Protocol (ICMP)
- PPTP
- NetBIOS over TCP/IP

Two consequences follow. An editor cannot work on an encrypted payload, which is why the PPTP editor only rewrites the GRE call IDs, and why IPsec ESP (and therefore L2TP/IPsec) does not pass through this NAT without IPsec NAT traversal support. And every editor opens inbound paths on the clients' behalf, so the editors are part of the translator's attack surface.
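The FTP editor is the classic case. In active-mode FTP the client announces its own address and a listening port inside the PORT command, so the editor must rewrite that text to the public address, install the mapping the server's data connection will use, and re-sequence the TCP stream because the rewritten command can change length. The following is an added example of that logic, not the Windows 2000 editor's code; the addresses, port allocator and sample commands are made up. The check that the announced address equals the packet's real source is the part that matters for security: without it a client, or malware on it, can use the editor to expose any other internal host.

```python
"""Added example, not from the original slides: what an FTP NAT editor has
to do with a PORT command. Addresses, the port allocator and the sample
commands are made up; this is not the Windows 2000 editor's code."""
import re

PORT_RE = re.compile(rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$")


def parse_port_command(payload: bytes):
    """Returns (ip, port) or None if the payload is not a well-formed PORT."""
    m = PORT_RE.match(payload)
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def format_port_command(ip: str, port: int) -> bytes:
    return ("PORT %s,%d,%d\r\n" % (ip.replace(".", ","), port >> 8, port & 0xFF)).encode()


def edit_port_command(payload: bytes, packet_src: str, public_ip: str, allocate_port):
    """Returns (action, payload, mapping). action is 'pass' (not a PORT
    command, forward unchanged), 'edit' (rewritten; mapping is
    ((public_ip, public_port), (private_ip, private_port)) which the NAT
    must install for the server's incoming data connection) or 'drop'."""
    parsed = parse_port_command(payload)
    if parsed is None:
        return "pass", payload, None
    priv_ip, priv_port = parsed
    # A client may only open a data mapping back to itself, and only to an
    # unprivileged port. Without this check the editor becomes a way to
    # expose arbitrary internal services to the FTP server's address.
    if priv_ip != packet_src or priv_port < 1024:
        return "drop", None, None
    public_port = allocate_port()
    new_payload = format_port_command(public_ip, public_port)
    return "edit", new_payload, ((public_ip, public_port), (priv_ip, priv_port))


def sequence_delta(old_payload: bytes, new_payload: bytes) -> int:
    """Bytes the NAT must add to the client's TCP sequence numbers (and
    subtract from the server's acknowledgments) from this segment on."""
    return len(new_payload) - len(old_payload)


if __name__ == "__main__":
    cmd = b"PORT 192,168,0,10,156,64\r\n"        # client 192.168.0.10 listening on 40000
    action, new, mapping = edit_port_command(cmd, "192.168.0.10", "203.0.113.5", lambda: 3001)
    print(action, new, mapping, "seq delta", sequence_delta(cmd, new))
    print(edit_port_command(b"PORT 192,168,0,1,0,139\r\n", "192.168.0.10", "203.0.113.5", lambda: 3002))
```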

Implementing NAT

To implement NAT on a Windows 2000 server, you add NAT as a routing protocol in the Routing And Remote Access snap-in.

The process is simplified by the Routing And Remote Access Server Setup Wizard.

To access the Routing And Remote Access snap-in, click Start, point to Programs, point to Administrative Tools, and then click Routing And Remote Access.

The Internet Connection Page in the Routing And Remote Access Server Setup Wizard

The Interface Name Page in the Demand Dial Interface Wizard

The Select A Device Page in the Demand Dial Interface Wizard

The Protocols And Security Page in the Demand Dial Interface Wizard

The Dial Out Credentials Page in the Demand Dial Interface Wizard

Internet Connection Sharing (ICS)

ICS is a simplified implementation of NAT. ICS is not as customizable as NAT, but it:
- Is easy to set up
- Provides all required features to connect a small network to the Internet by using a dial-up connection

ICS uses the following fixed parameters:
- Single public IP address
- Fixed address range for hosts (the ICS computer's private interface becomes 192.168.0.1 and clients receive addresses from 192.168.0.0/24)
- DNS proxy for name resolution
- Automatic IP addressing

Internet Connection Sharing (Cont.)

When you enable ICS, you provide NAT, IP addressing, and name resolution services for all computers on your network.

Before enabling ICS, consider the following:
- You should not use ICS on a network with other Windows 2000 Server domain controllers, DNS servers, gateways, DHCP servers, or systems configured for static IP, because the ICS computer's own address allocator and DNS proxy will conflict with them.
- When you enable ICS, the network interface adapter connected to the private network is assigned a new IP address, and existing TCP/IP connections are lost.

Internet Connection Sharing (Cont.)

Before enabling ICS, consider the following (Cont.):
- Clients must be configured to use TCP/IP and to obtain their TCP/IP settings from a DHCP server.
- If the ICS computer uses a modem or ISDN to connect to the Internet, select the Enable On-Demand Dialing check box in the Sharing tab of the connection's Properties dialog box.

Enable ICS for a connection by using Network And Dial-Up Connections.

Enabling ICS in the Sharing Tab in a Dial-In Connection’s Properties Dialog Box

Internet Connection Sharing and NAT

In Windows 2000 Server, you can use either ICS or NAT to configure a translated connection to the Internet.

ICS Features | NAT Features
Single check box configuration | Manual configuration
Single public IP address | Multiple public IP addresses
Fixed address range for internal hosts | Configurable address range for internal hosts
Single internal interface | Multiple internal interfaces

Lesson Summary

- NAT enables computers with private IP addresses to access the Internet, just as though they had registered IP addresses.
- A NAT server modifies the headers of client request packets destined for the Internet.
- Internet servers receive these packets and respond to the NAT server, which relays the response to the client.
- Windows 2000 Server includes a NAT routing protocol as part of the Routing and Remote Access feature.
- ICS is a Windows 2000 feature that provides the same basic functions as NAT but with a simplified configuration process and limited options.

Using Terminal Services

Terminal Services is a Windows 2000 Server feature that provides thin-client access to Windows 2000 and the latest Windows-based applications for client computers.

You can use Terminal Services to:
- Access your desktop and installed applications from any supported remote client computer
- Increase flexibility in application deployment
- Control computer management costs
- Remotely administer network resources


Overview of Terminal Services

Terminal Services is a client/server application that consists of
A service that runs on a computer running Windows 2000 Server
A client that runs on a computer or terminal

Terminal Services enables all operating system functions, client application execution, data processing, and data storage on the server.

Terminal Services clients run a terminal emulation program that transmits keystrokes and mouse movements to the server, and clients receive display information in return.

Users can access Terminal Services over any Transmission Control Protocol/Internet Protocol (TCP/IP) connection.


Remote Administration Mode

Using Terminal Services in Remote Administration mode enables you to
Use any TCP/IP connection to remotely administer any Windows 2000 Server computer on the network

Perform tasks remotely as though you were sitting at the console

This mode installs only the remote access components of Terminal Services, not the application-sharing components.

Client licensing is not required in Remote Administration mode.


Application Server Mode

You can use Terminal Services in Application Server mode to deploy and manage all applications used by Terminal Services clients from a central location.

Clients can then run the applications by using any available TCP/IP connection.

Client licensing is required when deploying Terminal Services in Application Server mode.


Installing Terminal Services

By default, Terminal Services and Terminal Services Licensing are not installed during the installation of Windows 2000 Server.

You can install them by specifying them during the operating system installation, or afterward by using the Add/Remove Programs tool in Control Panel.


The Windows Components Page in the Windows Components Wizard


The Terminal Services Setup Permissions Selection Page in the Windows Components Wizard


The Terminal Services Setup Cautions Page in the Windows Components Wizard


Terminal Services Manager

Terminal Services Manager is a Microsoft Management Console (MMC) console that is installed during the installation of Terminal Services.

Use this console to
Manage all of the Windows 2000 Terminal Services installations on your network
View current users, servers, and processes
Send messages to specific users
Use the Remote Control feature
Terminate processes


The Terminal Services Manager Console


Terminal Services Configuration

Terminal Services Configuration is an MMC console you can use to manage your Remote Desktop Protocol (RDP) configuration.

Modifications made with this tool are global unless you choose to inherit information from the same options located in the user configuration.

Of the many configurable options, the three most commonly used are
Logon settings
Time-outs
Remote control options


Terminal Services Client Creator

The Terminal Services Client Creator is a utility that creates floppy disk sets for installing the Terminal Services Client software on other Microsoft Windows computers.

Making the client files available on an internal network is recommended.

The default location for these files is C:\Winnt\System32\Clients.


Using Terminal Services Client Creator


Terminal Services Licensing

Terminal Services has its own method for licensing clients that log on to Terminal Services servers.

This licensing is separate from the licensing for Windows 2000 Server clients.

Terminal Services licensing includes four components:
Microsoft Clearinghouse
Terminal Services Licensing server
Terminal Services server
Client licenses


Microsoft Clearinghouse

Microsoft Clearinghouse is the database Microsoft maintains to
Activate license servers
Issue client license key packs to license servers that request them

You can access the Microsoft Clearinghouse through the Licensing Wizard in the Terminal Services Licensing snap-in.


Terminal Services Licensing Server

The Terminal Services Licensing server is separate from Terminal Services.

It stores all of the Terminal Services client licenses that have been installed and tracks the licenses issued to client computers.

A Terminal Services server must be able to connect to an activated Terminal Services Licensing server before clients can be issued licenses.


Terminal Services Server

A Terminal Services server is a computer running Windows 2000 Server on which Terminal Services is enabled and running.

When clients log on to a Terminal Services server, the server validates the client license.

If the client does not have a license, the Terminal Services server requests one from the Terminal Services Licensing server.


Client Licenses

Each client computer or terminal that connects to a Terminal Services server must have a valid client license.

The client license is stored locally and is presented to the Terminal Services server each time the client connects to the server.


Deploying a Terminal Services Licensing Server

The deployment process includes installing the server, activating the server, and installing the licenses.

The license server must be activated through the Microsoft Clearinghouse and loaded with client access licenses.

Terminal Services Licensing is installed separately from Terminal Services.

It is often preferable to run Terminal Services Licensing on a different server from the one running Terminal Services.


Deploying a Terminal Services Licensing Server (Cont.)

There are two types of license servers:
Domain license server
Enterprise license server

Use the Add/Remove Programs tool in Control Panel to install Terminal Services Licensing.


The Terminal Services Licensing Setup Page in the Windows Components Wizard


Activating a License Server

You must enable a Windows 2000 Terminal Services Licensing server within 90 days of enabling Terminal Services in Application Server mode.

Use the Licensing Wizard in the Terminal Services Licensing console to activate the license server.


Installing Licenses

You must purchase Windows 2000 Terminal Services client access licenses or Internet connector licenses.

Install the licenses by using the Licensing Wizard in the Terminal Services Licensing console.

After you install the licenses, the Terminal Services Licensing server can begin deploying them.


Deploying Terminal Services Clients

Client computers or terminals connect to a Terminal Services server by using Terminal Services client software.

Ensure that client computers or terminals are physically capable of hosting the client software and connecting over the network.

There are two ways to deploy Terminal Services client software:

Create a file share to do the installation over the network.

Create client installation disks, using the Terminal Services Client Creator.


Lesson Summary

Terminal Services enables all operating system functions, client application execution, data processing, and data storage on the server.

Terminal Services clients run a terminal emulation program that transmits keystrokes and mouse movements to the server, and clients receive display information in return.

Terminal Services can be enabled in Remote Administration mode or Application Server mode.

Terminal Services clients require an access license, which is maintained by a Terminal Services Licensing server.