Remote Access in Windows 2000 - PowerPoint PPT Presentation

About This Presentation
Title:

Remote Access in Windows 2000

Slides: 90
Provided by: anned156

Transcript and Presenter's Notes

Title: Remote Access in Windows 2000


1
Chapter 6
  • Remote Access in Windows 2000

2
Learning Objectives
  • Describe the use of Routing and Remote Access
    Service (RRAS)
  • Install RRAS
  • Configure Inbound RRAS Connections
  • Create a remote access policy
  • Configure a remote access profile
  • Configure a Virtual Private Network

continued
3
Learning Objectives
  • Configure remote access security, including
    encryption and authentication protocols
  • Configure multilink connections
  • Configure routing and remote access for DHCP
    integration
  • Manage, monitor, and troubleshoot remote access

4
Routing and Remote Access Service (RRAS)
  • Runs on a Windows 2000 server
  • Enables other servers or client computers that
    are not connected to the network via a permanent
    cable to establish temporary connections over
    phone lines, ISDN lines, or services such as
    X.25
  • Once a computer establishes a connection with the
    RRAS server, it can access the resources on it

5
Remote Access Overview
  • Brief history of remote access
  • Routing and remote access concepts
  • Remote access features
  • Remote access security

6
Brief History of Remote Access
  • Remote Access Service (RAS)
  • First introduced with Windows NT 3.51 Service
    Pack 2 as a simple, inexpensive way for remote
    users to dial in to a server and access network
    resources
  • Supported only NetBEUI; provided translation in
    the form of a NetBIOS gateway for clients using
    other protocols
  • Routing and Remote Access Service (RRAS)
  • Introduced the capability of multiprotocol
    routing to remote access

7
Brief History of Remote Access
  • New features in Windows 2000 Server
  • Internet Group Management Protocol (IGMP)
    support
  • Network Address Translation (NAT) allows
    computers on a LAN to share a single Internet
    connection
  • Integrated AppleTalk routing
  • Layer-Two Tunneling Protocol (L2TP) over IP
    Security (IPSec) support for router-to-router
    Virtual Private Networking (VPN) connections
  • Improved support for Remote Authentication
    Dial-In User Support (RADIUS)

8
Routing and Remote Access Concepts
  • Remote access versus remote control
  • Remote access connection types
  • Protocols
  • Remote access clients

9
Remote Access
  • A client computer connects to a remote access
    server using a dial-up or other type of on-demand
    connection
  • Once connected to the network, the client can
    access network resources
  • All applications still run on the client computer

10
Remote Control
  • A client computer connects to a remote server and
    actually takes control over that server in a
    separate window on the client computer
  • All applications run on the server
  • Not supported by RRAS
  • Requires use of Windows Terminal Service or
    third-party software like Symantec's pcAnywhere

11
Remote Access Connection Types
  • Dial-Up Networking
  • Virtual Private Network

12
Dial-Up Networking
  • Client makes a temporary, dial-up connection to a
    physical port on the RRAS server
  • Uses services of a public telecommunications
    provider

13
Virtual Private Network
  • Makes a secure, private connection from the
    client to the server over a public network
  • Connection is logical, not necessarily direct
  • Advantages
  • Remote users who are not in the same local
    calling area as the remote access server need not
    make long distance calls to connect to the
    network; they make local calls to an ISP
  • More remote users can connect at the same time,
    assuming a fairly high-bandwidth Internet
    connection

14
Protocols
  • Remote access (or line) protocols
  • Govern how information is broken up and
    transmitted over wide area network (WAN)
    connections
  • Networking (or LAN) protocols
  • Govern how information is transmitted between
    devices on a local area network (LAN)

15
Remote Access Protocols Supported by RRAS
  • Point-to-Point Protocol (PPP)
  • Serial Line Interface Protocol (SLIP)
  • RAS Protocol
  • NetBIOS Gateway

16
Networking Protocols Supported by RRAS
  • NetBEUI
  • Transmission Control Protocol/Internet Protocol
    (TCP/IP)
  • Internetwork Packet eXchange (IPX)

17
Remote Access Clients
  • Windows 2000
  • Windows NT 4.0
  • Windows NT 3.5
  • Windows 95/98/ME
  • Windows for Workgroups 3.1x
  • MS-DOS
  • Microsoft LAN Manager remote access clients
  • UNIX and Apple Macintosh clients using
    third-party client software

18
Remote Access Features
  • Router discovery
  • Provides a method for detecting default gateways
  • Network Address Translation
  • Translates IP addresses on a private network into
    valid Internet IP addresses
  • Multicast routing
  • A targeted form of network broadcasting that
    sends information to a select group of users
    instead of all users connected to a network

continued
19
Remote Access Features
  • Remote access policies
  • Granting remote access privileges is more
    flexible and more complex
  • Each User object has certain dial-in properties
  • Conditions can be configured under which a user
    may connect using a specific remote access
    connection

20
Remote Access Security
  • User authentication
  • Connection control
  • Access control

21
User Authentication Protocols Supported by
Windows 2000
  • Password Authentication Protocol (PAP)
  • Shiva Password Authentication Protocol (SPAP)
  • Challenge Handshake Authentication Protocol
    (CHAP)
  • Microsoft CHAP (MS-CHAP)
  • Extensible Authentication Protocol (EAP)
  • EAP MD5-CHAP
  • EAP Transport Level Security (TLS)

22
Connection Control
  • Callback Control Protocol
  • Allows your RRAS servers or clients to negotiate
    a callback with the other end
  • Configure an RRAS server to accept or reject
    calls based on Caller ID or Automatic Number
    Identification (ANI) information

23
Access Control
  • Enable or disable permission to dial in on
    individual user accounts
  • Setting a number of conditions on the access
    allows you to extend control over whether users
    can dial in or not

24
Installing and Configuring Routing and Remote
Access
  • Cannot be installed using Add/Remove Programs
  • Installed by default along with Windows 2000;
    you must enable it
  • To enable it, use the RRAS snap-in located on the
    Start menu
  • Make sure all dial-up equipment, interfaces, and
    protocols that you intend to use with the server
    are installed and configured correctly

25
Installing and Configuring Routing and Remote
Access
  • Log on to the server with Administrator
    privileges
  • Open the Routing and Remote Access utility from
    the Administrative Tools program group on the
    Start menu

26
Installing and Configuring Routing and Remote
Access
27
Installing and Configuring Routing and Remote
Access
  • Right-click the name of the server
  • Choose the Configure and Enable Routing and
    Remote Access command to begin the Routing and
    Remote Access Server Setup Wizard

28
Installing and Configuring Routing and Remote
Access
29
Installing and Configuring Routing and Remote
Access
  • Select the type of configuration you want to
    install
  • Verify that the protocols you wish to use on the
    server are already installed and configured
  • Configure network options
  • Select the network adapter you want to use on
    your internal network
  • Decide whether to use DHCP or to define a static
    pool of IP addresses
  • Decide whether to use Windows authentication or
    RADIUS

30
Installing and Configuring Routing and Remote
Access
31
Installing and Configuring Routing and Remote
Access
32
Configuring Remote Access
  • Most configuration of inbound connections happens
    at the server level using the RRAS snap-in
  • Use the server's property page to control whether
    the server allows connections at all, what
    protocols it supports and how, security options,
    and event logging
  • Set policies and profiles and monitor status of a
    remote access server

33
Configuring Remote Access
  • Use property pages for individual users in the
    Active Directory Users and Computers snap-in to
    grant dial-in permissions for individual users as
    well as set callback and other dial-in options
  • Configure each client with dial-up networking

34
Configuring Inbound Connections on the Server
  • General properties
  • Security properties
  • PPP properties
  • Property pages that control networking protocols

  • IP properties
  • IPX properties
  • NetBEUI and AppleTalk pages
  • Event Logging page

35
General Properties
  • Remote access server
  • Allows RRAS Service to operate as a remote access
    server
  • Switch remote access on/off without actually
    stopping RRAS service, which causes service to
    erase all settings
  • Router
  • Choose whether clients accessing RRAS Server can
    also access rest of network

36
Security Properties
  • Specify authentication method RRAS uses
  • Windows Authentication
  • RADIUS Authentication
  • Specify accounting method RRAS uses
  • Windows Accounting option
  • RADIUS accounting option

37
PPP Properties
  • PPP Multilink Protocol (MP)
  • Bandwidth Allocation Protocol (BAP) and Bandwidth
    Allocation Control Protocol (BACP)
  • Link control protocol (LCP)
  • Compression Control Protocol (CCP)

38
IP Properties
  • Enable IP Routing
  • Allow IP-based remote access and demand-dial
    connections
  • IP address assignment

39
IPX Properties
  • Allow IPX-based remote access and demand-dial
    connections
  • Enable network access for remote clients and
    demand-dial connections
  • IPX Network Number Assignment

40
NetBEUI and AppleTalk Pages
  • NetBEUI
  • Has an option for enabling the protocol
  • Has an option for whether clients can access only
    the server or the rest of the network as well
  • AppleTalk page
  • Has only a setting for enabling the protocol

41
Event Logging Page
  • Lets you control the level at which events are
    logged either to the Windows Event Log or to a
    RADIUS server

42
Configuring a User for Remote Access
  • User profiles
  • Configuration settings associated with individual
    user accounts
  • Remote access policies
  • Connection rules that apply to groups of users
  • Remote access profiles
  • Associated with policies and containing settings
    that determine what happens during call setup and
    completion

43
Configuring User Profiles
  • Remote Access Permission (Dial-in or VPN)
  • Verify Caller-ID Option
  • Callback Options
  • Assign a Static IP Address
  • Apply Static Routes

44
Policy
  • A set of rules that the system evaluates when it
    determines whether a user can access the network
    or not
  • Works together with user profile to provide
    dial-in capability
  • Can define overall settings for a group of users,
    but individual settings in a user's profile
    override any policies in effect when that user
    logs on

45
Configuring Remote Access Policies
  • Manage remote access policies with the RRAS
    snap-in through a container named Remote Access
    Policies

46
Configuring Remote Access Policies
47
Creating a New Policy
  • Launch the Add Remote Access Policy Wizard
  • Name the policy and set the conditions

48
Creating a New Policy
49
Remote Access Policy Conditions
continued
50
Remote Access Policy Conditions
51
Creating a New Policy
  • Choose whether the policy is to allow users to
    connect or deny them connection
  • Modify the remote access profile attached to the
    policy, if desired

52
Configuring Existing Policies
  • Order the policies (very important)
  • Change the name of the policy
  • Add new conditions to the policy
  • Switch between granting and denying access based
    on those conditions
  • Edit the remote access profile for a policy
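
Added example (not part of the original slides): a simplified Python model of why policy order matters and how a user's dial-in setting overrides the matched policy, as the Policy and Configuring Existing Policies slides state. The first-match rule, the reject-when-nothing-matches default, and every user, group and policy name are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

@dataclass
class Attempt:
    user: str
    groups: Set[str]
    hour: int  # local hour of the connection attempt, 0-23

@dataclass
class Policy:
    name: str
    conditions: List[Callable[[Attempt], bool]]
    grant: bool  # True = grant access, False = deny access

    def matches(self, attempt: Attempt) -> bool:
        # A policy applies only if every one of its conditions is met.
        return all(cond(attempt) for cond in self.conditions)

def evaluate(policies: List[Policy], dial_in: Dict[str, str],
             attempt: Attempt) -> Tuple[bool, str]:
    """Model assumption: only the first matching policy is applied.
    dial_in maps user -> 'allow' | 'deny' | 'policy' (the user's own setting)."""
    for policy in policies:
        if not policy.matches(attempt):
            continue
        setting = dial_in.get(attempt.user, "policy")
        if setting == "deny":
            return False, f"user setting denies (matched {policy.name})"
        if setting == "allow":
            return True, f"user setting allows (matched {policy.name})"
        verdict = "grants" if policy.grant else "denies"
        return policy.grant, f"policy {policy.name} {verdict}"
    return False, "no policy matched"  # nothing matched: reject

def in_group(group: str) -> Callable[[Attempt], bool]:
    return lambda a: group in a.groups

def business_hours(a: Attempt) -> bool:
    return 8 <= a.hour < 18

# Constructed sample policies, users and connection attempts.
DENY_CONTRACTORS = Policy("Deny contractors", [in_group("Contractors")], False)
ALLOW_VPN_USERS = Policy("Allow VPN users",
                         [in_group("VPN Users"), business_hours], True)
DIAL_IN = {"bob": "policy", "carol": "allow", "dave": "deny"}
BOB = Attempt("bob", {"Contractors", "VPN Users"}, hour=10)
BOB_LATE = Attempt("bob", {"Contractors", "VPN Users"}, hour=22)
CAROL = Attempt("carol", {"Contractors"}, hour=10)
DAVE = Attempt("dave", {"VPN Users"}, hour=10)
ERIN = Attempt("erin", set(), hour=10)

if __name__ == "__main__":
    for order in ([DENY_CONTRACTORS, ALLOW_VPN_USERS],
                  [ALLOW_VPN_USERS, DENY_CONTRACTORS]):
        print([p.name for p in order])
        for attempt in (BOB, BOB_LATE, CAROL, DAVE, ERIN):
            print("  ", attempt.user, attempt.hour, evaluate(order, DIAL_IN, attempt))
```

Swapping the two policies changes the result for the same user (bob at 10:00), which is the review point when reordering an existing policy list.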

53
Configuring Existing Policies
54
Remote Access Profiles
  • Determine the remote access settings that apply
    to users when they meet the conditions in a
    policy and receive access
  • Each policy has one associated profile

55
Configuring Remote Access Profiles
  • Dial-In Constraints properties
  • IP properties
  • Multilink properties
  • Authentication properties
  • Encryption properties
  • Advanced properties

56
Dial-In Constraints Properties
  • Drop a user if a connection remains idle for a
    certain time
  • Restrict maximum session length
  • Restrict access to specified days and times
  • Restrict access to a particular number
  • Restrict dial-in media types allowed

57
IP Properties
  • Control IP settings for incoming connections
  • IP Address Assignment Policy
  • IP Packet Filters

58
Multilink Properties
  • Control how a client can connect using the
    Multilink Protocol and the Bandwidth Allocation
    Protocol

59
Authentication Properties
  • Specify authentication methods used for the
    policy attached to the profile
  • Enable selected methods at the server

60
Encryption Properties
  • Enable certain types of encryption for use on the
    connection
  • No Encryption
  • Basic
  • Strong
  • Strongest

61
Advanced Properties
  • Configure the RRAS server to interact with a
    RADIUS server
  • Add specific attributes to incorporate into the
    profile

62
Configuring a Virtual Private Networking
Connection
  • Creates a logical connection between two
    computers over an existing IP routing
    infrastructure
  • Two computers connected by a public network (e.g.,
    the Internet) can create an additional private
    connection between them that runs TCP/IP (or
    other supported protocol) and also supports
    authentication and encryption
  • Typical contexts
  • To connect a client to a VPN server
  • To connect two VPN servers

63
Features of a VPN
  • Cost savings
  • Easier to configure
  • More secure than dial-up solutions

64
VPN Components
  • A VPN server
  • A VPN client
  • A connection between the client and server (VPN
    connection)
  • VPN protocols

65
A VPN Server
  • A Windows 2000 server running RRAS, configured
    to support VPN connections
  • Typically has one connection to the Internet and
    a separate connection to the local network

66
A VPN Client
  • Any computer that can initiate a VPN connection
    to a VPN server

67
VPN Connection
  • Transit internetwork
  • Basic IP infrastructure over which a VPN is
    created
  • Typically, the Internet itself

68
VPN Protocols
  • Point-to-Point Tunneling Protocol (PPTP)
  • Supports only encryption for a connection
  • Layer 2 Tunneling Protocol (L2TP)
  • Supports both authentication and encryption for a
    connection
  • Always used with IPSec

69
Installing and Configuring a VPN Server
  • To act as a VPN server, a computer must have a
    permanent and dedicated link to the Internet or
    to the IP network you create the VPN on
  • Installing RRAS as a VPN server
  • Enable RRAS on your server, activate it, and
    configure it for use with VPN
  • Using VPN on an existing RRAS server
  • Configure it as a VPN server by enabling the
    Remote Access Server option on the General page
    of the RRAS snap-in

70
Configuring VPN Ports
  • VPN is primarily managed through the Ports
    container in the RRAS snap-in

71
Configuring VPN Ports
72
Configuring VPN Ports
  • Configure settings for the ports

73
Configuring VPN Ports
  • Configure the properties for a port type

74
Configuring a VPN Demand-dial Interface
  • Enables your server to connect to another router
    or VPN server (when needed) in order to route
    information
  • Preconfiguration requirements
  • Name and IP address of the router to which you
    will connect
  • Tunneling protocol (PPTP or L2TP) supported by
    the other router
  • Username and password so that the server can
    connect to the other router

75
Configuring RAS for DHCP Integration
  • DHCP automatically assigns IP addresses and other
    TCP/IP configuration parameters to clients on a
    network
  • DHCP allows clients to broadcast requests for
    information received by DHCP servers on the same
    network
  • In order to use DHCP, a client must be on same
    network with either a DHCP Server or a DHCP Relay
    Agent

76
Configuring RAS for DHCP Integration
  • Choices for handling IP addressing for remote
    clients
  • Configure your clients with static IP addresses
    by going to the actual computer
  • Configure your RRAS Server as a DHCP Server
  • Configure your RRAS Server as a DHCP Relay Agent

77
Installing the DHCP Relay Agent
  • Done within the RRAS snap-in
  • DHCP Relay Agent cannot be installed on a
    computer that
  • Already acts as a DHCP Server
  • Runs the Network Address Translation (NAT)
    protocol

78
Configuring the DHCP Relay Agent
  • Configured from two different places
  • Property pages of the DHCP Relay Agent itself
  • Actual interface to which the agent is attached

79
Configuring the DHCP Relay Agent
80
Configuring the DHCP Relay Agent
81
Managing, Monitoring, and Troubleshooting RAS
  • Use RRAS snap-in to
  • Monitor general server and port activity
  • Configure logging for the RRAS Server
  • Use Net Shell (netsh) to
  • Configure and monitor Windows 2000 networking
    components, including RRAS
  • Use Network Monitor to
  • Capture and examine network packets going in and
    out of a server for troubleshooting purposes

82
Monitoring Server Activity
  • Server Status object provides a snapshot of
    overall server activity
  • Status of the server (started or stopped)
  • Kind of server
  • Number of ports configured on it
  • Number of ports in use
  • How long the server has been up

83
Monitoring Ports
  • Select Properties in the Ports container to
    determine whether or not a port is active and how
    much it is used
  • Line speed of the port
  • Amount of data transmitted and received over the
    port
  • Network address for each protocol configured for
    use on the port

84
Logging
  • Log errors only
  • Log errors and warnings
  • Log the maximum amount of information
  • Disable event logging
  • Enable Point-to-Point Protocol (PPP) logging

85
Logging
  • Enable or disable the logging of accounting and
    authentication requests, as well as periodic
    status for the server

86
Logging
  • Local File tab of Local File property pages
    controls physical aspects of how the file is
    written to disk

87
Using the Net Shell Tool
  • A command-line and scripting tool that lets you
    configure and monitor Windows 2000 networking
    components
  • Provides ability to access certain RRAS settings,
    routing settings, and interface settings
  • Online mode
  • Commands execute as soon as you type them
  • Offline mode
  • Saves commands as you type them and executes them
    in batches when you use a special commit command

88
Using Network Monitor
  • Allows you to capture and view actual packets of
    information being transmitted over a network
    interface
  • Enables you to build a solid picture of network
    traffic patterns and to spot potential problems
    before they occur

89
Chapter Summary
  • Remote access overview
  • Installing and configuring routing and remote
    access
  • Configuring remote access
  • RRAS snap-in
  • Active Directory Users and Computers snap-in
  • Configuring a virtual private networking
    connection
  • Configuring RAS for DHCP integration
  • Managing, monitoring, and troubleshooting RAS