Windows Network Administration
Chapter 10 Administering Routing and Remote Access
Introduction
• Routing and Remote Access Service (RRAS)
  – Enables users to connect to the LAN from a remote computer
• Windows Dial-up Networking (DUN)
  – Allows a modem dial-up connection to work like a LAN interface
  – Allows servers to host one or more dial-up network users
  – Infrastructure:
    • Modem
    • POTS / ISDN
Point-to-Point Protocol (PPP)
• Allows two devices to carry network-layer traffic (TCP/IP) over a point-to-point serial link
• Three phases
• Protocols:
  – Link Control Protocol (LCP)
  – Challenge Handshake Authentication Protocol (CHAP)
  – Callback Control Protocol (CBCP)
  – Compression Control Protocol (CCP)
  – IP Control Protocol (IPCP)
  – Internet Protocol (IP)
• Encapsulation
• Multilink extensions
Three Phases of PPP
• 1. Link establishment: LCP negotiates link options (MRU, authentication protocol to use, multilink)
• 2. Authentication: the authentication protocol agreed by LCP runs (for example CHAP); callback, if any, is negotiated with CBCP
• 3. Network-layer protocol negotiation: CCP negotiates compression (and, on Windows, MPPE encryption), IPCP assigns the client's IP address; IP traffic then flows
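The challenge/response authentication that PPP runs in its authentication phase (CHAP, listed above) is small enough to show end to end. The following is an added example, not code from the original slides: both sides of an RFC 1994 CHAP exchange, with a constructed user name, secret and challenge value so the run is reproducible. Note what it reveals about the server: CHAP requires the authenticator to hold the cleartext secret, which is why Windows RRAS can only offer MD5-CHAP for accounts whose password is stored with reversible encryption, and why PPTP with MPPE uses MS-CHAP/MS-CHAPv2 (keyed from the NT hash) instead.

```python
"""PPP CHAP (RFC 1994) challenge/response, both sides.

Added example, not part of the original slides. USERS is a constructed
credential store and the default challenge in run_exchange() is a fixed
value for reproducibility; a real authenticator draws it from a CSPRNG
(os.urandom) for every attempt.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed credential store. CHAP needs the cleartext secret on the
# authenticator: a server that only stores a one-way password hash cannot do MD5-CHAP.
USERS = {"alice": b"correct horse battery staple"}


@dataclass(frozen=True)
class Challenge:
    identifier: int     # 1-byte CHAP Identifier, echoed back in the Response
    value: bytes        # Challenge Value (variable length; 16 bytes here)
    name: str           # authenticator's system name


@dataclass(frozen=True)
class Response:
    identifier: int
    value: bytes        # 16-byte MD5 digest
    name: str           # peer's (user) name


def server_challenge(identifier, challenge=None):
    """Authenticator -> peer: Challenge packet with a fresh random value."""
    if challenge is None:
        challenge = os.urandom(16)
    return Challenge(identifier & 0xFF, challenge, "rras01")


def chap_digest(identifier, secret, challenge):
    """RFC 1994 section 2: MD5 over Identifier || secret || Challenge Value."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def client_respond(ch, name, secret):
    """Peer -> authenticator: Response packet carrying the digest and the user name."""
    return Response(ch.identifier, chap_digest(ch.identifier, secret, ch.value), name)


def server_verify(ch, resp):
    """Authenticator recomputes the digest from the stored secret and compares."""
    if resp.identifier != ch.identifier:        # response to some other challenge
        return False
    secret = USERS.get(resp.name)
    if secret is None:                          # unknown user
        return False
    expected = chap_digest(ch.identifier, secret, ch.value)
    return hmac.compare_digest(expected, resp.value)   # constant-time comparison


def run_exchange(name, secret, challenge=bytes(range(16))):
    """Drive one full exchange. Returns (authenticated, response digest as hex)."""
    ch = server_challenge(identifier=1, challenge=challenge)
    resp = client_respond(ch, name, secret)
    return server_verify(ch, resp), resp.value.hex()
```

Because the digest binds the challenge value, a captured Response cannot be replayed against a later Challenge; the last assertion in the test below checks exactly that.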
Virtual Private Networking
• VPN: Private networking over a public Internet connection
• Encrypted tunnels
• Windows Server 2003 VPN support:
  – Point-to-Point Tunneling Protocol (PPTP)
  – Layer 2 Tunneling Protocol (L2TP)
How VPNs Work
• Connection process:
  1. Client establishes an Internet connection
  2. Client sends a VPN request to the server
     • Request format varies (PPTP, L2TP)
  3. Client authenticates to the server
     • Authentication process varies (PPTP, L2TP)
  4. Client/server negotiation for the VPN session
     • Encryption algorithm and strength
  5. Client/server PPP negotiation
VPNs
• VPN packets
  – Encrypted by the VPN software
  – Encapsulated inside regular IP packets
• VPN encapsulation (PPTP):
  1. Data packet created
  2. IP stack adds TCP and IP headers: IP datagram
  3. PPP header added: PPP frame
  4. VPN software encrypts the PPP frame (MPPE)
  5. GRE header added: encapsulated PPTP packet
  6. PPTP stack adds the outer IP header (addressed to the VPN server) and the data-link header (PPP on a dial-up Internet link, Ethernet on a LAN)
  7. Packet sent
VPN Encapsulation
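Steps 3 to 6 of the encapsulation above, carried out on bytes. This is an added example, not code from the original slides: it builds the enhanced GRE header PPTP uses (RFC 2637) around a PPP frame, wraps it in an outer IPv4 header with a valid checksum, and parses the result back. The "encrypted" PPP payload is a constructed byte string standing in for MPPE output, and the addresses are documentation ranges. The practical point it makes visible: the outer packet is IP protocol 47 with no ports, which is why a firewall or NAT in front of a PPTP server must pass GRE explicitly in addition to TCP 1723.

```python
"""PPTP data path: PPP frame -> enhanced GRE (RFC 2637) -> outer IPv4, and back.

Added example, not from the original slides. The ciphertext in demo() is a
constructed stand-in for MPPE output (no real encryption is done), and the
client/server addresses are RFC 5737 documentation addresses.
"""
import struct

GRE_PROTO_PPP = 0x880B   # GRE Protocol Type for PPP (enhanced GRE, RFC 2637)
IP_PROTO_GRE = 47        # outer IP protocol; must be permitted alongside TCP 1723
PPP_PROTO_COMP = 0x00FD  # PPP protocol field of a compressed/encrypted datagram (MPPE output)


def gre_pptp_header(payload_len, call_id, seq=None, ack=None):
    """Enhanced GRE header: K always set; S and A set when seq/ack are carried."""
    flags0 = 0x20 | (0x10 if seq is not None else 0)   # C=0 R=0 K=1 S=? s=0 Recur=0
    flags1 = (0x80 if ack is not None else 0) | 0x01   # A=? Flags=0 Ver=1 (enhanced)
    hdr = struct.pack("!BBHHH", flags0, flags1, GRE_PROTO_PPP, payload_len, call_id)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    if ack is not None:
        hdr += struct.pack("!I", ack)
    return hdr


def ip_bytes(dotted):
    return bytes(int(o) for o in dotted.split("."))


def ipv4_checksum(hdr):
    """Ones-complement sum over the header; returns 0 for a header with a valid checksum."""
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ident=0x1234):
    """Minimal 20-byte IPv4 header (DF set, TTL 64) with the checksum filled in."""
    fields = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0x4000,
                         64, proto, 0, ip_bytes(src), ip_bytes(dst))
    return fields[:10] + struct.pack("!H", ipv4_checksum(fields)) + fields[12:]


def encapsulate(encrypted_ppp_payload, client_ip, server_ip, call_id, seq):
    """Slide steps 3-6: PPP frame -> (encrypted) -> GRE -> outer IP."""
    # After MPPE the PPP protocol field is 0x00FD; the original protocol field
    # (0x0021 for IP) is inside the ciphertext.
    ppp_frame = struct.pack("!H", PPP_PROTO_COMP) + encrypted_ppp_payload
    gre = gre_pptp_header(len(ppp_frame), call_id, seq=seq) + ppp_frame
    return ipv4_header(client_ip, server_ip, IP_PROTO_GRE, len(gre)) + gre


def decapsulate(packet):
    """Validate the outer IP header, parse GRE, return (call_id, seq, ack, ppp_frame)."""
    ihl = (packet[0] & 0x0F) * 4
    ip_hdr = packet[:ihl]
    if ipv4_checksum(ip_hdr) != 0:
        raise ValueError("bad IPv4 checksum")
    if ip_hdr[9] != IP_PROTO_GRE:
        raise ValueError("not GRE (IP protocol %d)" % ip_hdr[9])
    gre = packet[ihl:]
    f0, f1, proto, plen, call_id = struct.unpack("!BBHHH", gre[:8])
    if proto != GRE_PROTO_PPP or (f1 & 0x07) != 1 or not (f0 & 0x20):
        raise ValueError("not enhanced GRE carrying PPP")
    off, seq, ack = 8, None, None
    if f0 & 0x10:
        (seq,) = struct.unpack("!I", gre[off:off + 4])
        off += 4
    if f1 & 0x80:
        (ack,) = struct.unpack("!I", gre[off:off + 4])
        off += 4
    ppp_frame = gre[off:off + plen]
    if len(ppp_frame) != plen:
        raise ValueError("truncated payload")
    return call_id, seq, ack, ppp_frame


def demo():
    """One constructed packet from client 198.51.100.10 to VPN server 203.0.113.1."""
    ciphertext = bytes.fromhex("deadbeefcafef00d")   # constructed stand-in for MPPE output
    pkt = encapsulate(ciphertext, "198.51.100.10", "203.0.113.1", call_id=0x1F2E, seq=7)
    return pkt, decapsulate(pkt)
```

The Call ID in the GRE key field is what ties a data packet to the PPTP control connection on TCP 1723; a middlebox that rewrites one but not the other breaks the tunnel, which is the usual reason PPTP fails through NAT without special handling.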
PPTP and L2TP
• PPTP
  – Encryption using Microsoft Point-to-Point Encryption (MPPE), with keys derived from the user's password hash
  – Authenticates to the server with a challenge/response process (MS-CHAP or MS-CHAPv2)
  – Caveat: MS-CHAPv2 is cryptographically broken, so PPTP/MPPE protected only by a password is not considered secure today; prefer L2TP/IPsec
• L2TP
  – More general purpose than PPTP
  – No native encryption; user authentication still happens via PPP inside the tunnel
  – Used with IPsec (ESP) for security
    • IKE (ISAKMP/Oakley) authenticates the two computers (certificate or preshared key) and creates the encrypted channel before the L2TP tunnel is established
Configuring Routing
• Windows Server 2003 RRAS
  – Fully functional multiprotocol router
  – To use as an additional router:
    • Activate and configure RRAS
  – To use as an IP router:
    • Add demand-dial interfaces for demand dialing
    • Give each routable interface a network address
    • Install and configure routing protocols on the interfaces
  – RRAS Setup Wizard
RRAS Snap-in: Network Interfaces Node
Local Area Connection Properties
Setting Up Demand-Dial Interfaces
• Demand-Dial Interface Wizard
  – Interface Name page
  – Connection Type page
    • Physical device or VPN connection
  – Depending on connection type:
    • Select a Device page
    • VPN Type page
  – Network Address / Phone Number page
  – Protocols and Security page
  – Dial-In Credentials page
  – Dial-Out Credentials page
Configuring IP Routing Properties
Managing Static Routes
• Create static routes to populate the routing table
• Static routes:
  – Combine a network address with a subnet mask to describe the set of destinations reached through a given gateway and interface
• To create a static route:
  – Static Route dialog box in the RRAS snap-in (stored by RRAS, so it persists), or
  – route add command:
route ADD destination MASK netmask gateway METRIC metric IF interface
  – Add -p (route -p ADD ...) to make a command-line route survive a reboot; without it the route is gone at the next restart
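What a destination/mask pair means in practice is easiest to see by resolving a few addresses against a table. The following is an added example, not code from the original slides: it parses `route ADD` lines of the form shown above (a simplified model of route.exe syntax, including the -p flag) into routes and performs the longest-prefix lookup the IP stack does, breaking ties on metric. The table, gateways and interface indexes are constructed.

```python
"""Static routes as 'route [-p] ADD destination MASK netmask gateway METRIC metric IF interface'
entries, and the longest-prefix-match lookup performed over them.

Added example, not part of the original slides. ROUTE_COMMANDS is a constructed
table using RFC 1918 / RFC 5737 addresses; the parser models route.exe syntax
but is not the real tool.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticRoute:
    destination: str
    netmask: str
    gateway: str
    metric: int
    interface: int
    persistent: bool          # -p: survives a reboot; otherwise lost at restart

    @property
    def network(self):
        """destination + netmask = the set of addresses this route covers."""
        return ipaddress.ip_network(f"{self.destination}/{self.netmask}", strict=False)


def parse_route_add(cmd):
    """Parse one 'route [-p] ADD dest MASK mask gateway [METRIC m] [IF n]' line."""
    tok = cmd.split()
    if tok and tok[0].lower() == "route":
        tok = tok[1:]
    persistent = False
    if tok and tok[0] == "-p":
        persistent, tok = True, tok[1:]
    if len(tok) < 5 or tok[0].upper() != "ADD" or tok[2].upper() != "MASK":
        raise ValueError(f"not a route ADD command: {cmd!r}")
    # remaining tokens come in KEYWORD value pairs: METRIC m, IF n
    opts = {k.upper(): v for k, v in zip(tok[5::2], tok[6::2])}
    return StaticRoute(tok[1], tok[3], tok[4],
                       int(opts.get("METRIC", 1)), int(opts.get("IF", 0)), persistent)


def lookup(routes, dst):
    """Most specific (longest prefix) route wins; ties go to the lowest metric.
    Returns None when no route, not even a default route, covers dst."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.metric))


# Constructed routing table, as an administrator would type it
ROUTE_COMMANDS = [
    "route -p ADD 0.0.0.0 MASK 0.0.0.0 203.0.113.1 METRIC 20 IF 1",       # default route
    "route -p ADD 10.0.0.0 MASK 255.0.0.0 192.168.1.254 METRIC 10 IF 2",   # all of 10/8
    "route ADD 10.20.0.0 MASK 255.255.0.0 192.168.1.253 METRIC 10 IF 2",   # more specific
    "route ADD 10.20.0.0 MASK 255.255.0.0 192.168.1.252 METRIC 5 IF 3",    # same prefix, lower metric
]
ROUTES = [parse_route_add(c) for c in ROUTE_COMMANDS]


def next_hop(dst, routes=ROUTES):
    """(gateway, interface) chosen for dst, or None if unroutable."""
    r = lookup(routes, dst)
    return (r.gateway, r.interface) if r else None
```

The two non-persistent entries are the ones that silently disappear after a restart, a common cause of a remote-access server that routes correctly until its first reboot.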
Configuring Remote Access
• General configuration of RAS
• Server Properties dialog box
  – General tab: Whether to allow remote access connections (and routing)
  – Protocol-specific tabs: Which protocols to support and their settings
  – Security tab: Authentication provider (Windows or RADIUS), accounting provider, and the allowed authentication methods
  – PPP tab: Which PPP options clients may use (multilink, LCP extensions, software compression)
  – Logging tab: Level of log detail
Configuring VPN Access
• VPN server:
  – Sits between the internal network and the Internet
  – Placement relative to the firewall: two designs, neither of which leaves the server unprotected
    • In front of the firewall: the RRAS server is Internet-facing and must apply its own packet filters so that only VPN traffic reaches it; the firewall then filters the decrypted traffic
    • Behind the firewall (or in a perimeter network): the firewall must pass the tunnel traffic through: TCP 1723 plus GRE (IP protocol 47) for PPTP; UDP 500 (IKE), UDP 4500 (IKE NAT traversal) plus ESP (IP protocol 50) for L2TP/IPsec
• Common configuration: Two NICs
  – One connects to the Internet
  – The other connects either to:
    • The private network, OR
    • An intermediate (perimeter) network connected to the private network
• Converting an RRAS server to handle VPN traffic
Configuring a VPN
• Adjust the number and kind of VPN ports
• Enable or disable PPTP or L2TP
• Ports Properties dialog box
  – List of hardware ports
  – Two WAN Miniport devices (virtual ports):
    • PPTP
    • L2TP
  – Configure Device dialog box: allow inbound remote access connections, allow demand-dial routing connections, maximum number of ports
Remote Access Security
• To control who uses remote access services:
  – Set dial-in permissions on individual user accounts (Dial-in tab)
  – Create and manage remote access policies that apply to groups of users
Configuring User Access
• Profile:
  – User account information
  – Typically stored in Active Directory
• Two user-management snap-ins
  – If the RRAS server is a member of an Active Directory domain:
    • Active Directory Users and Computers
  – If the RRAS server is not a member of an Active Directory domain:
    • Local Users and Groups
• Dial-in tab of the user's Properties dialog box
  – Remote Access Permission: Allow access, Deny access, or Control access through Remote Access Policy
Remote Access Policies
• Remote access policies
  – Determine who can connect, and under what conditions
  – Each connection attempt has exactly one policy applied
  – Three components:
    • Conditions
    • Permissions
    • Profile
  – Ordering and application of policies:
    • Policies are evaluated in the order listed; the caller must match all conditions of a policy
    • The first policy whose conditions all match is used; later policies are not consulted
    • If no policy matches, the connection is rejected
    • Permission: an account set to Allow access or Deny access overrides the policy's Grant/Deny; only Control access through Remote Access Policy defers to the policy
Configuring Remote Access Policies
• RRAS snap-in
  – Remote Access Policies folder
  – New Remote Access Policy Wizard
    • Policy Configuration Method page
    • Policy Conditions page
      – Select Attribute dialog box
    • Permissions page
Using Remote Access Profiles
• Remote access profiles
  – Settings that determine what happens during call setup and after the connection is accepted
• Each policy has an associated profile
  – The profile determines settings for connections that meet the policy's conditions
• Profile Properties dialog box
  – Dial-In Constraints tab (idle timeout, maximum session time, day and time restrictions, allowed media)
  – IP tab (address assignment, input/output packet filters)
  – Multilink tab
  – Authentication tab (allowed authentication methods)
  – Encryption tab (No encryption / Basic / Strong / Strongest)
  – Advanced tab (additional RADIUS attributes)
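The policy rules from the Remote Access Policies slides (all conditions must match, first match wins, no match means rejection, the account's Dial-in setting overriding the policy's permission) together with the profile constraints listed above are the kind of logic that is easy to misread in a dialog box and easy to test in code. The following is an added example, not code from the original slides and not the RRAS/IAS implementation: a small model with constructed policies, accounts and connection attempts, three condition attributes named as in the Select Attribute dialog (Windows-Groups, Tunnel-Type, Day-And-Time-Restrictions) and two profile constraints (encryption level, authentication method). The day/time encoding as "Day:HH" slots is an assumption of the model.

```python
"""First-match evaluation of remote access policies: conditions, permissions, profile.

Added example, not part of the original slides and not the RRAS/IAS code. The
policies, accounts and attempts are constructed; only three condition attributes
and two profile constraints are modelled; the 'Day:HH' slot encoding is assumed.
"""
from dataclasses import dataclass, field

# Dial-in tab values on the user account
ALLOW = "Allow access"
DENY = "Deny access"
VIA_POLICY = "Control access through Remote Access Policy"


def business_hours(days=("Mon", "Tue", "Wed", "Thu", "Fri"), start=8, end=18):
    """Day-And-Time-Restrictions as a set of 'Day:HH' slots (model encoding)."""
    return {f"{d}:{h:02d}" for d in days for h in range(start, end)}


@dataclass
class Profile:
    encryption: set = field(default_factory=lambda: {"Basic", "Strong", "Strongest"})
    auth_methods: set = field(default_factory=lambda: {"MS-CHAPv2", "EAP"})


@dataclass
class Policy:
    name: str
    conditions: dict          # attribute -> acceptable values; ALL attributes must match
    grant: bool               # Permissions page: grant (True) or deny (False)
    profile: Profile = field(default_factory=Profile)


@dataclass
class Attempt:
    user: str
    groups: set
    dial_in: str              # ALLOW, DENY or VIA_POLICY
    tunnel_type: str          # "PPTP" or "L2TP"
    slot: str                 # e.g. "Mon:10"
    encryption: str           # negotiated level: "None", "Basic", "Strong", "Strongest"
    auth_method: str


def matches(policy, a):
    """A policy applies only when every one of its conditions is satisfied."""
    attrs = {
        "Windows-Groups": a.groups,
        "Tunnel-Type": {a.tunnel_type},
        "Day-And-Time-Restrictions": {a.slot},
    }
    return all(attrs[name] & set(values) for name, values in policy.conditions.items())


def evaluate(policies, a):
    """Walk the ordered list; return (accepted, reason, name of the policy applied)."""
    for p in policies:
        if not matches(p, a):
            continue                                   # try the next policy in order
        # Permission: the account's Dial-in setting wins over the policy's Grant/Deny
        if a.dial_in == DENY:
            return False, "denied by account", p.name
        if a.dial_in == VIA_POLICY and not p.grant:
            return False, "denied by policy", p.name
        # Profile constraints apply to every connection the policy lets through
        if a.encryption not in p.profile.encryption:
            return False, "encryption level not allowed by profile", p.name
        if a.auth_method not in p.profile.auth_methods:
            return False, "authentication method not allowed by profile", p.name
        return True, "accepted", p.name
    return False, "no policy matched", None            # nothing matched: rejected


# Constructed policy set, in the order shown in the Remote Access Policies folder
BLOCK_PPTP = Policy("Block PPTP", {"Tunnel-Type": ["PPTP"]}, grant=False)
VPN_USERS = Policy("VPN users, office hours",
                   {"Windows-Groups": ["VPN-Users"],
                    "Day-And-Time-Restrictions": business_hours()},
                   grant=True,
                   profile=Profile(encryption={"Strong", "Strongest"}))
POLICIES = [BLOCK_PPTP, VPN_USERS]


def alice(tunnel="L2TP", slot="Mon:10", enc="Strongest", dial_in=VIA_POLICY):
    """Constructed connection attempt by a member of VPN-Users."""
    return Attempt("alice", {"Domain Users", "VPN-Users"}, dial_in, tunnel, slot, enc, "MS-CHAPv2")
```

Two results are worth checking against your own policy list: reversing the order of the two policies lets the same PPTP attempt through, and an account set to Allow access bypasses the deny policy entirely, so a blanket "block PPTP" policy only protects accounts left at Control access through Remote Access Policy.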