Overview of Routing and Remote Access Service RRAS
Provided by: MicrosoftC105

Transcript and Presenter's Notes

1
Chapter 10 Routing and Remote Access Service
2
Lesson 1 - Introduction to RRAS (pgs 542-543)
The combined features of Windows 2000 RRAS allow
a Windows 2000 Server computer to function as a
  • Multiprotocol Router - The computer running
    RRAS can route IP, IPX, and AppleTalk
    simultaneously. All routable protocols are
    configured from the same administrative
    utility.
  • Demand-Dial Router - IP and IPX can be routed
    over on-demand or persistent WAN links such as
    analog phone lines or ISDN, or over VPN
    connections.
  • Remote Access Server - provides remote access
    connectivity to dial-up or VPN remote access
    clients that use IP, IPX, AppleTalk, or
    NetBEUI.
3
Implementation of RRAS
  • When RRAS was implemented in Microsoft Windows NT
    4.0, it added support for a number of features
    (pg 541)
  • Microsoft Windows 2000 builds on RRAS in
    Windows NT 4.0 and adds a number of new features
    (pg 542)

4
Combining Routing and Remote Access Service
  • Routing services and remote access services used
    to work separately. Point-to-Point Protocol
    (PPP), which is the protocol suite that is
    commonly used to negotiate point-to-point
    connections, has allowed them to be combined.
  • Demand-dial routing connections also use PPP to
    provide the same kinds of services as remote
    access connections.
  • The PPP infrastructure of Windows 2000 Server
    supports several types of access. (pg 543)

5
Installation and Configuration
RRAS is not installed via the Add/Remove Programs
applet. It is installed automatically with Windows
2000 Server, in a disabled state. To enable it,
select the server in the Routing and Remote Access
snap-in and, from the Action menu, select Configure
and Enable Routing and Remote Access.
Disable it using the same snap-in. To refresh the
configuration, disable the service and then
re-enable it (note pg 552). Disabling RRAS discards
its configuration (interfaces, address pool,
policies), so save a copy with the netsh dump
command first if you need to restore it.
6
Authentication and Authorization
Know the difference between authentication and
authorization to understand how communication
attempts are either accepted or denied.
Authentication verifies the identity of the
connecting user (by password or certificate);
authorization then decides, from the account's
dial-in properties and the remote access policies,
whether that authenticated user may connect and
under which constraints. An attempt can pass the
first and still fail the second. Definitions pg 552
7
Lesson 2 - Features of RRAS
  • Unicast IP Support (pg 555) In unicasting, a
    packet is addressed to a single destination
    host; two computers exchange data over a
    point-to-point path between them.
  • IP Multicast Support (pg 556) Multicast traffic
    is sent to a single group address (224.0.0.0/4)
    and is processed by every host that has joined
    that group, so one transmission reaches many
    receivers.
  • IPX Support (pg 557) The Windows 2000 Server
    router is a fully functional IPX router.
  • AppleTalk (pg 558) Windows 2000 RRAS can operate
    as an AppleTalk router by forwarding AppleTalk
    packets and supporting the use of RTMP.

8
Features of RRAS (cont.)
  • Demand-Dial Routing (pg 558) Allows you to
    connect to the Internet, to connect to branch
    offices, or to implement router-to-router VPN
    connections. RRAS automatically creates a PPP
    connection to the configured endpoint when
    traffic matching a static route is received.
  • Remote Access (pg 558) enables a computer to be a
    remote access server. RRAS accepts remote access
    connections from remote access clients that use
    traditional dial-up technologies.
  • VPN Server (pg 559) enables a computer to be a
    virtual private network (VPN) server.
  • RADIUS Client-Server (pg 559) Remote
    Authentication Dial-In User Service. RRAS can
    act as a RADIUS client, forwarding the
    authentication and accounting requests for its
    connections to a RADIUS server (such as IAS),
    which checks the remote access credentials and
    returns the accept/reject decision together with
    the authorization attributes.

9
SNMP MIB Support
  • RRAS provides Simple Network Management Protocol
    (SNMP) agent functionality with support for
    Internet MIB II.
  • Routing and Remote Access Service includes
    support for additional MIB enhancements beyond
    Internet MIB II.
  • MIB support is also provided for Windows 2000
    functions, legacy LAN Manager MIB functions, and
    the WINS, DHCP, and IIS services.

10
Lesson 3 - Remote Access
  • Remote access clients are either connected only
    to the remote access server's own resources, or
    they are connected to the RAS server's resources
    and to the network beyond it.
  • A Windows 2000 remote access server provides two
    remote access connection methods dial-up remote
    access and VPN remote access.

11
Dial-Up Remote Access Connections
The connection consists of a remote access
client, remote access server, and WAN
infrastructure
12
  • Remote Access Client (pg 563) - Windows 2000,
    Windows NT 3.5 or later, Windows 95/98, Windows
    for Workgroups, MS-DOS, and MS LAN Manager
    clients can all connect to a RAS server
  • Remote Access Server(pg 563) - accepts dial-up
    connections and forwards packets between remote
    access clients and the network to which the
    remote access server is attached.
  • Dial-up Equipment and WAN Infrastructure (pg 564)
  • Public Switched Telephone Network (PSTN)
  • Digital links and V.90
  • Integrated Services Digital Network (ISDN)
  • X.25
  • ATM over ADSL

13
Public Switched Telephone Network (PSTN)
14
Digital Links and V.90
15
Integrated Services Digital Network (ISDN)
16
X.25
17
Asynchronous Transfer Mode (ATM) over Asymmetric
Digital Subscriber Line (ADSL)
18
Protocols
  • REMOTE ACCESS PROTOCOLS (PG 568)
  • Remote access protocols control the establishment
    of connections and the transmission of data over
    WAN links.
  • Windows 2000 remote access supports three types
    of remote access protocols: PPP, SLIP, and
    Asynchronous NetBEUI. Only PPP is used in both
    directions; Windows 2000 supports SLIP only for
    outbound client connections (the RAS server does
    not accept SLIP clients), and Asynchronous
    NetBEUI exists only for legacy Windows NT 3.1,
    Windows for Workgroups, MS-DOS, and LAN Manager
    clients.
  • LAN PROTOCOLS (PG 569)
  • LAN protocols are the protocols used by remote
    access clients to access resources on the network
    connected to the RAS server.
  • Windows 2000 remote access supports TCP/IP, IPX,
    AppleTalk, and NetBEUI.

19
Remote Access Security Features (pgs 569 - 572)
  • Secure user authentication - the client proves
    it knows the password without sending it in the
    clear, using a challenge-response method (CHAP,
    MS-CHAP, MS-CHAP v2) or a certificate (EAP-TLS).
    PAP sends the password in cleartext, so enable it
    only for clients that support nothing else.
  • Mutual authentication - both ends of the
    connection authenticate each other, so a client
    cannot be tricked into presenting credentials to
    a rogue server. In Windows 2000 this is provided
    by MS-CHAP v2 and EAP-TLS.
  • Data encryption - encrypts the data sent between
    the remote access client and the RAS server:
    MPPE for dial-up and PPTP links, IPSec for L2TP.
  • Callback - after the user's credentials have
    been verified, the RAS server drops the call and
    calls the remote access client back. Only a
    number preset by the administrator adds
    security; a number supplied by the caller saves
    toll charges but proves nothing about the
    caller.
  • Caller ID - requires that the incoming call come
    from a specified phone number; if the caller ID
    does not match, or is not delivered by the
    telephone network, the connection is rejected.
  • Remote access account lockout - specifies how
    many times remote access authentication can fail
    against a valid user account, within a reset
    interval, before further attempts are denied.
    This counter is separate from the domain account
    lockout policy, and because it counts failures
    against valid account names, anyone who can dial
    the server can lock out a known user.
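
The first two features above decide what crosses the link. The following added example (written for this page; it is not RRAS code and not from the textbook) contrasts a PAP Authenticate-Request with a CHAP challenge/response exchange, then shows why challenge-response alone is not the end of the story: a captured exchange can still be attacked offline, which is what callback, caller ID and account lockout are there to limit. The user names, secrets and word list are constructed.

```python
import hashlib
import hmac
import os

# Added illustration for this page, not RRAS code. PAP (RFC 1334) sends the
# password itself; CHAP (RFC 1994) sends MD5(Identifier || secret || Challenge),
# so the secret never crosses the link but the server must hold it in clear.
# User names, secrets and the word list below are constructed sample data.


def pap_authenticate_request(peer_id: str, password: str) -> bytes:
    """Payload of a PAP Authenticate-Request: length-prefixed id and password, both in the clear."""
    return (bytes([len(peer_id)]) + peer_id.encode()
            + bytes([len(password)]) + password.encode())


def chap_response_value(identifier: int, secret: str, challenge: bytes) -> bytes:
    """CHAP Response Value (RFC 1994 section 4.1): MD5 over Identifier, secret, Challenge Value."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret.encode() + challenge).digest()


class ChapAuthenticator:
    """Server side of CHAP: hands out one-time challenges and checks the responses."""

    def __init__(self, secrets):
        self._secrets = dict(secrets)     # name -> secret, stored in clear as CHAP requires
        self._outstanding = {}            # identifier -> challenge awaiting its response

    def challenge(self, identifier: int) -> bytes:
        value = os.urandom(16)            # fresh random challenge per attempt defeats replay
        self._outstanding[identifier] = value
        return value

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        challenge = self._outstanding.pop(identifier, None)   # consumed on first use
        secret = self._secrets.get(name)
        if challenge is None or secret is None:
            return False
        expected = chap_response_value(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


def chap_exchange(server: ChapAuthenticator, identifier: int, name: str, secret: str):
    """One Challenge / Response / Success-or-Failure round trip.
    Returns (accepted, bytes an eavesdropper on the link would see)."""
    challenge = server.challenge(identifier)
    response = chap_response_value(identifier, secret, challenge)
    accepted = server.verify(identifier, name, response)
    on_the_wire = challenge + response + name.encode()
    return accepted, on_the_wire


def offline_guess(identifier: int, challenge: bytes, response: bytes, wordlist):
    """What the eavesdropper can still do: try candidate secrets against the captured
    challenge/response at leisure, with no lockout counter in the way."""
    for candidate in wordlist:
        if chap_response_value(identifier, candidate, challenge) == response:
            return candidate
    return None


if __name__ == "__main__":
    server = ChapAuthenticator({"alice": "hunter2"})
    print("PAP on the wire:", pap_authenticate_request("alice", "hunter2"))
    ok, wire = chap_exchange(server, 1, "alice", "hunter2")
    print("CHAP accepted:", ok, "password visible:", b"hunter2" in wire)
    # Capture the next exchange and guess the secret offline.
    challenge = server.challenge(2)
    response = chap_response_value(2, "hunter2", challenge)
    print("offline guess:", offline_guess(2, challenge, response, ["password", "hunter2"]))
```

The replay check in `verify` is the reason a challenge must be random and single-use; the `offline_guess` function is the reason a weak password is still a weak password under CHAP, and why MS-CHAP v2 (mutual) or EAP-TLS (no password on the wire at all) is the better choice where the clients support it.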

20
Overview of Access Management
  • Remote access connections are accepted based on
    the dial-in properties of a user account and the
    remote access policies.
  • Different remote access conditions can be applied
    to different remote access clients or to the same
    remote access client based on the parameters of
    the connection attempt.
  • Multiple remote access policies can be used to
    meet various conditions; they are evaluated in
    order and the first policy whose conditions all
    match is the one applied, so order matters.
  • RRAS and IAS use remote access policies to
    determine whether to accept or reject connection
    attempts.
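
Added example, not the page's or Microsoft's code: the evaluation order a Windows 2000 remote access server or IAS applies to a connection attempt, with a small constructed subset of conditions and profile settings. The non-obvious cases are the ones to test: an account set to Allow access bypasses a matching policy's Deny permission but not its profile, the default policy ("Allow access if dial-in permission is enabled") has permission Deny, and an attempt that matches no policy is rejected. Policy names, users and groups are assumptions.

```python
from dataclasses import dataclass
from enum import Enum

# Added illustration for this page, not RRAS or IAS code: the order in which a
# Windows 2000 remote access server evaluates a connection attempt against the
# account's dial-in property and the ordered list of remote access policies.
# Conditions and profile settings are a small constructed subset; policy,
# user and group names are assumptions.


class DialIn(Enum):
    ALLOW = "Allow access"
    DENY = "Deny access"
    POLICY = "Control access through Remote Access Policy"


@dataclass(frozen=True)
class Attempt:
    user: str
    groups: frozenset      # Windows groups the account belongs to
    port_type: str         # NAS-Port-Type, e.g. "Virtual (VPN)" or "Async (Modem)"
    auth_type: str         # negotiated PPP authentication, e.g. "MS-CHAP v2"
    encrypted: bool        # link protected by MPPE or IPSec


@dataclass
class Policy:
    name: str
    groups: frozenset = frozenset()       # condition: member of any of these (empty = any)
    port_types: frozenset = frozenset()   # condition: port type in this set (empty = any)
    grant: bool = True                    # the policy's own remote access permission
    auth_types: frozenset = frozenset()   # profile: permitted auth methods (empty = any)
    require_encryption: bool = False      # profile: reject unencrypted links

    def matches(self, a: Attempt) -> bool:
        """Every condition must hold for the policy to be the one that applies."""
        if self.groups and not (self.groups & a.groups):
            return False
        if self.port_types and a.port_type not in self.port_types:
            return False
        return True

    def profile_allows(self, a: Attempt) -> bool:
        """Profile constraints are enforced even when the account says Allow."""
        if self.auth_types and a.auth_type not in self.auth_types:
            return False
        if self.require_encryption and not a.encrypted:
            return False
        return True


def evaluate(policies, dialin, attempt: Attempt):
    """Returns (accepted, reason). `policies` is in administrator-defined order;
    `dialin` maps user name -> DialIn (missing users default to policy control)."""
    policy = next((p for p in policies if p.matches(attempt)), None)
    if policy is None:
        return False, "no remote access policy matches the attempt"
    setting = dialin.get(attempt.user, DialIn.POLICY)
    if setting is DialIn.DENY:
        return False, "account dial-in permission is Deny access"
    if setting is DialIn.POLICY and not policy.grant:
        return False, "policy '%s' permission is Deny" % policy.name
    if not policy.profile_allows(attempt):
        return False, "attempt violates the profile of policy '%s'" % policy.name
    return True, "accepted under policy '%s'" % policy.name


# The default policy Windows 2000 creates: matches everything, permission Deny,
# so only accounts explicitly set to Allow access get in until you add policies.
DEFAULT_POLICY = Policy("Allow access if dial-in permission is enabled", grant=False)

VPN_POLICY = Policy("VPN users", groups=frozenset({"VPN-Users"}),
                    port_types=frozenset({"Virtual (VPN)"}), grant=True,
                    auth_types=frozenset({"MS-CHAP v2", "EAP-TLS"}),
                    require_encryption=True)

POLICIES = [VPN_POLICY, DEFAULT_POLICY]        # first match wins, so order matters
DIALIN = {"alice": DialIn.ALLOW, "bob": DialIn.POLICY, "carol": DialIn.DENY}


if __name__ == "__main__":
    for attempt in (
        Attempt("alice", frozenset(), "Async (Modem)", "MS-CHAP v2", True),       # Allow beats default Deny
        Attempt("bob", frozenset({"VPN-Users"}), "Virtual (VPN)", "MS-CHAP v2", True),
        Attempt("bob", frozenset({"VPN-Users"}), "Virtual (VPN)", "PAP", True),   # profile rejects PAP
        Attempt("carol", frozenset({"VPN-Users"}), "Virtual (VPN)", "MS-CHAP v2", True),
    ):
        print(attempt.user, attempt.port_type, attempt.auth_type, "->",
              evaluate(POLICIES, DIALIN, attempt))
```

When auditing an RRAS server, walk real accounts through this order: an account left on Allow access is reachable through any matching policy regardless of that policy's permission, which is the usual way a "deny" policy turns out not to deny.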

21
Access by User Account
22
Access by Policy
23
Managing Account Lockout
  • Changing settings in the registry on the
    authenticating computer configures the account
    lockout feature. The values live under
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
    Services\RemoteAccess\Parameters\AccountLockout:
    MaxDenials (failures allowed before lockout; 0
    disables the feature) and ResetTime (mins) (how
    long the failure counter is kept before it is
    reset). Locked accounts appear as subkeys named
    domain:user under the same key; delete the
    subkey to unlock an account by hand.
  • If the RAS server is configured for Windows
    authentication, modify the registry on the RAS
    server computer.
  • If the RAS server is configured for RADIUS
    authentication and IAS is being used, modify the
    registry on the IAS server.

24
Managing Authentication
  • Windows authentication
  • RADIUS authentication
  • Windows and RADIUS accounting

25
Lesson 4 - Virtual Private Networks (pg 589)
  • VPNs allow remote users to connect securely to a
    remote corporate server by using the routing
    infrastructure provided by a public internetwork,
    such as the Internet.
  • VPN is a point-to-point connection between the
    user's computer and a corporate server.
  • VPN allows a corporation to connect with its
    branch offices or with other companies over a
    public internetwork.
  • The secure connection across the internetwork
    appears to the user as a virtual network
    interface.

26
Connecting Networks over the Internet ( pg 590)
  • Dedicated lines
  • Dial-up lines

27
Connecting Computers over an Intranet
  • VPNs allow a department's LAN to be physically
    connected to the corporate internetwork but
    separated from it by a VPN server, so that only
    users who can authenticate to that VPN server
    reach the department's resources.
  • The VPN server is not acting as a router between
    the corporate internetwork and the department
    LAN, so traffic from the rest of the intranet is
    not forwarded into the department LAN; it is
    reachable only through an authenticated VPN
    connection.

28
Overview of Tunneling
  • Tunneling is a method of using an internetwork
    infrastructure to transfer a payload.
  • Instead of sending the frame as produced by the
    originating node, the frame is encapsulated with
    an additional header, which provides routing
    information.
  • The process of encapsulation and transmission of
    packets is known as tunneling.
  • The logical path through which the encapsulated
    packets travel the transit internetwork is called
    a tunnel.

29
Tunnel Maintenance and Data Transfer (pg 591-592)
  • Tunnel maintenance protocol
  • Tunnel data transfer protocol

30
Tunnel Types (pg 593)
  • Voluntary tunnels
  • Compulsory tunnels

31
PPTP vs. L2TP (pg 597)
  • PPTP requires that the transit internetwork be an
    IP internetwork. L2TP requires only that the
    tunnel media provide packet-oriented
    point-to-point connectivity (IP, X.25, Frame
    Relay, or ATM).
  • When header compression is enabled, L2TP operates
    with 4 bytes of overhead, compared to 6 bytes for
    PPTP.
  • L2TP provides tunnel authentication, while PPTP
    does not. When L2TP runs over IPSec, as it always
    does in Windows 2000, the IPSec security
    association already authenticates both tunnel
    endpoints.
  • PPTP uses PPP encryption (MPPE) and L2TP does
    not; L2TP relies on IPSec ESP for confidentiality
    and integrity. The practical difference is where
    the keys come from: MPPE keys are derived from
    the user's MS-CHAP credentials, so a PPTP tunnel
    is only as strong as the user's password, while
    IPSec keys come from the IKE exchange between the
    two computers.

32
IPSec
  • Overview of IPSec
  • ESP tunnel mode vs. ESP transport mode
  • IPSec ESP tunnel mode packet structure

33
IP-IP
  • IP-IP is a simple OSI layer 3 tunneling
    technique.
  • A virtual network is created by encapsulating an
    IP packet with an additional IP header (protocol
    number 4 in the outer header).
  • The primary use of IP-IP is for tunneling
    multicast traffic over sections of a network that
    do not support multicast routing.
  • The IP payload includes everything above IP.
  • IP-IP adds no authentication or encryption: the
    receiving router can check only that the outer
    source address is the configured tunnel peer, and
    whatever it decapsulates is then routed as local
    traffic. Use it for reachability, not security.
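
Added example covering both the tunneling overview (slide 28) and IP-IP above; this is illustration code for this page, not RRAS source. It builds an IPv4 packet addressed to a multicast group, wraps it in an outer IPv4 header with protocol 4, and unwraps it with the only check an IP-IP receiver has: that the outer source is the configured peer. Addresses and payload are constructed.

```python
import socket
import struct

# Added illustration for this page, not RRAS code: an IPv4 packet is wrapped in
# a second IPv4 header whose protocol field is 4 (IP-in-IP) and unwrapped again,
# which is what an RRAS IP-IP tunnel interface does to carry multicast across a
# unicast-only segment. Addresses and payload below are constructed.

IPPROTO_IPIP = 4
IPPROTO_UDP = 17
IPV4_HEADER_LEN = 20
IPV4_HEADER_FMT = "!BBHHHBBH4s4s"   # ver/ihl, tos, total len, id, flags/frag, ttl, proto, csum, src, dst


def ipv4_checksum(data: bytes) -> int:
    """RFC 791 header checksum: one's-complement of the one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64, ident: int = 0) -> bytes:
    """Option-less IPv4 header plus payload, with the header checksum filled in."""
    header = struct.pack(IPV4_HEADER_FMT, 0x45, 0, IPV4_HEADER_LEN + len(payload), ident, 0,
                         ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + payload


def parse_ipv4(packet: bytes) -> dict:
    """Parses an option-less IPv4 packet; rejects wrong version, length or checksum."""
    if len(packet) < IPV4_HEADER_LEN or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    _, _, total_len, ident, _, ttl, proto, _, src, dst = struct.unpack(
        IPV4_HEADER_FMT, packet[:IPV4_HEADER_LEN])
    if ihl != IPV4_HEADER_LEN or total_len != len(packet):
        raise ValueError("options not supported or packet length mismatch")
    if ipv4_checksum(packet[:ihl]) != 0:          # a valid header sums to zero with its checksum included
        raise ValueError("bad header checksum")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "proto": proto,
            "ttl": ttl, "ident": ident, "payload": packet[ihl:]}


def encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Tunnel entry: the whole inner packet becomes the payload of an outer protocol-4 packet."""
    return build_ipv4(tunnel_src, tunnel_dst, IPPROTO_IPIP, inner)


def decapsulate(outer: bytes, expected_peer: str) -> bytes:
    """Tunnel exit. IP-IP has no authentication, so the only check the receiving
    router can make is that the outer source is the configured tunnel peer,
    and that is spoofable; whatever comes out is routed as local traffic."""
    hdr = parse_ipv4(outer)
    if hdr["proto"] != IPPROTO_IPIP:
        raise ValueError("not an IP-IP packet (protocol %d)" % hdr["proto"])
    if hdr["src"] != expected_peer:
        raise ValueError("outer source %s is not the configured tunnel peer" % hdr["src"])
    parse_ipv4(hdr["payload"])                    # the inner packet must itself be well formed
    return hdr["payload"]


if __name__ == "__main__":
    inner = build_ipv4("10.1.1.5", "239.1.2.3", IPPROTO_UDP, b"multicast app data", ident=7)
    outer = encapsulate(inner, "192.0.2.1", "192.0.2.2")
    print("inner %d bytes, outer %d bytes" % (len(inner), len(outer)))
    print("outer header:", {k: v for k, v in parse_ipv4(outer).items() if k != "payload"})
    print("inner restored:", decapsulate(outer, "192.0.2.1") == inner)
    try:
        decapsulate(outer, "198.51.100.9")
    except ValueError as err:
        print("rejected:", err)
```

The 20-byte difference between inner and outer is the entire cost of the tunnel, and the peer-address check is the entire protection; anything that can forge the outer source can inject packets into the network behind the tunnel endpoint, which is why IP-IP belongs inside a trusted network and the page's IPSec and L2TP material exists for everything else.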

34
Managing Users
  • A master account database is usually set up on a
    domain controller or on a RADIUS server.
  • The same user account is used for both dial-in
    remote access and VPN remote access.

35
Managing Addresses and Name Servers
  • The VPN server must have IP addresses available
    in order to assign them to the VPN server's
    virtual interface and to VPN clients.
  • By default, the IP addresses assigned to VPN
    clients are obtained through DHCP (the VPN server
    leases them in blocks of ten); alternatively a
    static address pool can be configured on the
    server.

36
Managing Access
  • Configure the properties on the Dial-In tab of
    the user's properties and modify remote access
    policy as necessary.

37
Managing Authentication
  • The VPN server can be configured to use either
    Windows or RADIUS authentication.
  • If Windows is selected, the user credentials are
    authenticated by using Windows authentication and
    remote access policy.
  • If RADIUS is selected, user credentials and
    parameters are sent as a series of RADIUS request
    messages to the RADIUS server.

38
Troubleshooting (pg 601)
  • Connection attempt is rejected when it should be
    accepted.
  • Connection attempt is accepted when it should be
    rejected.
  • Unable to reach locations beyond the VPN server.
  • Unable to establish a tunnel.

39
Lesson 5 - RRAS Tools
Routing and Remote Access Snap-In allows you to
enable RRAS, manage routing interfaces, configure
IPX routing, create static IP address pool,
configure policies.
40
Net Shell Command-Line Utility
  • The Net Shell (netsh) utility includes a number
    of options.
  • Commands can be abbreviated to the shortest
    unambiguous string.
  • Commands can be either global or context
    specific.
  • Global commands can be issued in any context and
    are used for general netsh functions.
  • Netsh has two command modes: online, where each
    command takes effect immediately, and offline,
    where commands are collected and applied
    together with the commit command.
  • You can run a script either by using the -f
    option on the netsh command line or by typing the
    exec global command while in the Net Shell
    command window.
  • To create a script of the current configuration,
    type the global dump command. Its output is the
    simplest way to keep a restorable copy of the
    RRAS configuration, which is lost when RRAS is
    disabled.
  • The Net Shell command includes context-specific
    commands (for RRAS, the ras, routing, and
    interface contexts).

41
Authentication and Accounting Logging
  • RRAS supports the logging of authentication and
    accounting information for PPP-based connection
    attempts when Windows authentication or
    accounting is enabled.
  • The authentication and accounting information is
    stored in a configurable log file or files, by
    default under %systemroot%\System32\LogFiles, in
    the same comma-delimited IAS format that the IAS
    service writes.
  • You can configure the type of activity to log
    (accounting requests, authentication requests,
    periodic status) and log file settings (file
    name and how often a new file is started).
  • The log is the only record of who was accepted
    and rejected, under which policy and from which
    caller, so keep it enabled and review it:
    repeated rejects for one account, or for many
    accounts from one caller, are what the lockout
    and caller ID features exist to counter.

42
Event Logging
  • The Windows 2000 Router performs extensive error
    logging in the system event log.
  • Four levels of logging are available: log errors
    only, log errors and warnings, log the maximum
    amount of information, and disable event logging.
  • Take specific steps if an OSPF router is unable
    to establish an adjacency on an interface: raise
    the OSPF logging level, then compare the area ID,
    hello and dead intervals, subnet mask, and
    authentication settings with the neighbor, since
    a mismatch in any of these keeps the neighbors
    from reaching full adjacency.
  • The level of event logging can be set from
    various places with the Routing and Remote Access
    snap-in.
  • Logging consumes system resources and should be
    used sparingly.

43
Tracing
  • RRAS has an extensive tracing capability that you
    can use to troubleshoot complex network problems.
  • Tracing records internal component variables,
    function calls, and interactions.
  • You can enable tracing for each routing protocol
    by setting the appropriate registry values.
  • Tracing consumes system resources and should be
    used sparingly.
  • To enable file tracing for each component, you
    must set specific values within the registry:
    under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
    Tracing\<component>, set EnableFileTracing to 1,
    FileDirectory to the output folder (default
    %windir%\tracing), FileTracingMask to 0xFFFF0000
    to trace everything, and MaxFileSize to the
    maximum size of each trace file. The netsh ras
    set tracing command sets the same values.
  • Trace files record PPP negotiation and
    authentication details, including user names;
    restrict access to the tracing folder, and
    disable tracing and delete the files when the
    investigation is finished.