Objectives Configure routing in Windows Server 2008 Configure Routing and Remote Access Services in Windows Server 2008 Network Address Translation 1

Objectives

• Configure routing in Windows Server 2008

• Configure Routing and Remote Access Services in Windows Server 2008

• Network Address Translation

Configuring Routing in 2008

• Routing and Remote Access Services (RRAS)

– A Server Role service used to configure and manage network routing

– Recommended for use in small networks that require simple routing directions

– Not recommended for large and complex environments (use Cisco)

Configuring RRAS as a Router

• Routers

– Responsible for forwarding packets between subnets, or networks with differing IP addressing schemes

Working with Routing Tables

• Routing tables are composed of routes

• Routes – Direct data traffic to its destination

• Routing tables

– A list of routes

– Can be managed in the RRAS console or from the command line using the route command

Configuring Routes

• Static Routing Limitations:

– Requires manual creation and management

– Requires reconfiguration if the network changes

– Used in small networks with fewer than 10 subnets

• Dynamic protocols

– Route traffic based on information they discover about remote networks from other routers

• Routing Information Protocol version 2 (RIPv2)

– Uses partner routers, or RIP neighbors, in determining the dynamic routes it can use for forwarding packets of data

Configuring a DHCP Relay Agent

• DHCP relay agent

– Manages the communication between a network’s DHCP server and clients on subnets without a DHCP server

• With RRAS

– Network adapters are added and configured to listen for DHCP broadcast messages

Configuring Dial-on-Demand Routing

• Demand-dial routing

– Allows a server to initiate a connection only when it receives data traffic bound for a remote network

– Can use dial-up networks instead of more expensive leased lines

Configuring Remote Access Services in Windows Server 2008

• Dial-up networking

– Connects remote users to their networks using a standard phone line

• Virtual Private Networks

– Allow client connections to your network from remote locations

– Work by creating a secure tunnel for transmitting data packets between two points

– VPN tunneling protocols: Point-to-Point Tunneling Protocol, Layer 2 Tunneling Protocol, Secure Socket Tunneling Protocol

VPN Remote Access

• Uses Internet to transmit private information

• Encryption is used

• High speed and reduced maintenance

• Security risk presented by allowing access to network resources from the Internet

• Windows Server 2008 uses RRAS as a VPN server

• Remote computers are configured as VPN clients

Enable and Configure a VPN Server

Packet filters should be enabled only if the server has multiple network cards, with the filtered card connected to the Internet and the unfiltered cards connected to VPN traffic.

VPN Protocols

• PPTP and L2TP are supported by Windows Server 2003

• By default, 128 PPTP ports and 128 L2TP ports are available

– Can increase the number of ports or

– Disable a protocol by setting the number of ports to zero

• PPTP is the most popular and can function through NAT

• L2TP requires IPSec to function

Configuring Remote Access Servers

• Control authentication and logging

• Specify whether or not the server is a router for IP, and if it allows IP-based remote access connections

• Enable broadcast name resolution

Authentication Methods

• Windows Server 2003 can use a number of different authentication methods:

– No Authentication

– Password Authentication Protocol

– Shiva Password Authentication Protocol

– Challenge Handshake Authentication Protocol

– Microsoft Challenge Handshake Authentication Protocol

– Microsoft Challenge Handshake Authentication Protocol version 2

– Extensible Authentication Protocol

• Server and client must support a common protocol to authenticate and connect

IP Address Management

• When dial-up and VPN clients connect to Windows Server 2003, they are assigned an IP address

• Options for DNS and WINS server are taken from the configuration of a specified interface on the remote access server

• Windows 2000 and newer clients can send a DHCPINFORM packet after a remote access connection has been established

IP Address Management (continued)

Notice: The client DNS option is taken from the RAS server, not the DHCP server

IP Address Management (continued)

The client DNS option is changed by DHCPINFORM packets to the DHCP server settings

Allowing Client Access

• By default in Windows Server 2003, no users are granted remote access permission

• Remote access permission is controlled by the user object

– If RRAS does not participate in Active Directory, the user object is stored in the local user account database

– If RRAS belongs to an Active Directory domain, the user object is stored in the Active Directory database located on the domain controller

Creating a VPN Client Connection

• Configure VPN clients on client machines, e.g. Windows XP

• Windows Server 2003 can be configured as a VPN client

• Create VPN connections using the New Connection Wizard

Configuring a VPN Client Connection

• Most configuration is done with the New Connection Wizard

• You can:

– Configure the IP address of the VPN server to which you are connecting

– Configure whether or not an initial connection is created

– Configure dialing and redialing options

– Specify if password and data encryption are required

– Configure the network configuration for VPN connection

– Configure an Internet connection firewall and Internet connection sharing

Remote Access Policies

• Control who is allowed to access remotely

• Depends on the domain’s functional level (mixed, 2000 native or 2003 native)

• Depend on the machine the user is connecting to

• To use remote access, you must understand:

– Remote access policy components

– Remote access policy evaluation

– Default remote access policies

• Default Remote Access Policies

Remote Access Policy Components

• Composed of conditions, remote access permissions, and a profile

– Conditions are criteria that must be met in order for remote access policy to apply to a connection

– Remote access permission set in a remote access policy has only two options: Deny or Grant remote access permission

– The profile contains settings that are applied to a remote access connection if the conditions have been matched and permission has been allowed

Remote Access Policy Evaluation

• Evaluation of conditions follows the same process for mixed mode domains and native mode domains

• After a condition match has been found, the permissions of the user attempting the connection must be evaluated

• Even if remote access permission is granted, it does not guarantee that a remote connection will be successful as some profile settings may interfere
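
An added example, not part of the original slides: a simplified Python model of the evaluation order above (conditions, then permission, then profile), using the methods from the Authentication Methods slide to show a granted connection failing on a profile setting. The class and function names, the three-valued user setting, the weakest-to-strongest ordering and the sample policies are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Methods from the Authentication Methods slide, ordered weakest to strongest.
# The ordering is an assumption of this example, not something the slides state.
AUTH_STRENGTH = ["None", "PAP", "SPAP", "CHAP", "MS-CHAP", "MS-CHAPv2", "EAP"]

@dataclass
class Policy:                      # hypothetical model of one remote access policy
    name: str
    conditions: dict               # attribute -> set of values that match
    grant: bool                    # policy permission: Grant (True) or Deny (False)
    profile_auth: set = field(default_factory=set)  # methods the profile accepts

    def matches(self, conn):
        # Every condition must be met for the policy to apply to the connection.
        return all(conn.get(k) in ok for k, ok in self.conditions.items())

def evaluate(policies, conn, user_dialin, client_auth):
    """Return (decision, reason). user_dialin: 'allow', 'deny' or 'policy'."""
    # 1. Conditions: the first policy whose conditions all match is used.
    policy = next((p for p in policies if p.matches(conn)), None)
    if policy is None:
        return "reject", "no policy matched the connection"
    # 2. Permission: user object first; 'policy' defers to the policy's Grant/Deny.
    if user_dialin == "deny":
        return "reject", f"{policy.name}: user object denies remote access"
    if user_dialin == "policy" and not policy.grant:
        return "reject", f"{policy.name}: policy permission is Deny"
    # 3. Profile: a granted connection still fails if no authentication
    #    method is supported by both the profile and the client.
    common = [m for m in AUTH_STRENGTH
              if m in policy.profile_auth and m in client_auth]
    if not common:
        return "reject", f"{policy.name}: no common authentication method"
    return "accept", f"{policy.name}: authenticate with {common[-1]}"

# Constructed sample policies, evaluated top to bottom.
POLICIES = [
    Policy("VPN staff", {"tunnel": {"PPTP", "L2TP"}, "group": {"VPN-Users"}},
           grant=True, profile_auth={"MS-CHAPv2", "EAP"}),
    Policy("Everything else", {}, grant=False),
]

if __name__ == "__main__":
    staff = {"tunnel": "L2TP", "group": "VPN-Users"}
    print(evaluate(POLICIES, staff, "policy", {"PAP", "MS-CHAPv2"}))
    print(evaluate(POLICIES, staff, "policy", {"PAP", "CHAP"}))
    print(evaluate(POLICIES, {"tunnel": "PPTP", "group": "Guests"}, "policy", {"EAP"}))
```

The second call is the case the last bullet describes: the policy grants access, but the client offers only methods the profile does not accept, so the connection is rejected.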

Default Remote Access Policies

• Created by Microsoft

• First default policy listed is named Connections to Microsoft Routing and Remote Access Server

• Second default policy is named Connections to other access servers

Troubleshooting Remote Access

• Providing remote access is very complex

• Most problems are due to software configuration errors introduced by users and administrators

• Best troubleshooting tools include:

– Log files

– Error messages

– Network Monitor

– Ipconfig

• Hardware errors can also cause problems

Software Configuration Errors

• Common software configuration errors:

– Incorrect phone numbers and IP addresses

– Incorrect authentication settings

– Incorrectly configured remote access policies

– Name resolution is not configured

– Clients receive incorrect IP options

• The fact that the remote access server leases 10 IP addresses from DHCP at startup is NOT an error

Hardware Errors

• Common hardware troubleshooting tips:

– Ensure hardware is on the Microsoft hardware compatibility list

– Use ping to determine if the address is reachable

– See if you can dial in to a different remote access server

– Ensure there is a link light on the network card

Troubleshooting Tools

• Ping utility is used to determine if a host is reachable

• Ipconfig utility is used to confirm that the correct IP settings are being delivered to the remote access client

• Network Monitor can be used to perform packet captures, which may provide further clues as to the cause of an error

• Logging

– Check event log if RRAS is unable to start or is not performing as expected

– Can configure detailed connection logs

Network Address Translation

• Allows you to shield internal IP address ranges from public networks by allowing internal clients to access the Internet through a shared IP address

Introduction to Network Policy Server

• Network Policy Server (NPS)

– Role service that provides a framework for creating and enforcing network access policies for client health

– Can be used to:

• Configure a RADIUS server

• Configure a RADIUS proxy

• Configure and implement Network Access Protection (NAP)

Windows Server 2008 Editions and the NPS Console

• NPS Console

– Central utility for managing

• RADIUS clients and remote RADIUS servers

• Network health and access policies

• NAP settings for NAP scenarios

• Logging settings
