
Routing and Remote Access Service (RRAS)

(Skill 5) Introducing Routing and Remote Access Service (RRAS)


Presentation Transcript


  1. (Skill 5) Introducing Routing and Remote Access Service (RRAS)
     Routing and Remote Access Service (RRAS)
     • Can be configured on a Windows Server 2003 computer to create a remote access service (RAS) server that can manage hundreds of concurrent dial-up connections, or to receive Virtual Private Network (VPN) connections on the internal network
     • Can also be configured to provide shared Internet access using Network Address Translation (NAT), or to create a secure connection between two servers on the Internet that connects two LANs

  2. (Skill 5) Introducing Routing and Remote Access Service (RRAS) (2)
     • Remote access service (RAS) server
       • A computer running Windows Server 2003 and RRAS
       • Configured specifically to function using a modem or modem pool
       • Users can dial in from a remote computer that is also configured with a modem
     • A Virtual Private Network (VPN) server is a type of remote access server

  3. (Skill 5) Introducing Routing and Remote Access Service (RRAS) (3)
     Connection methods used by clients
     • Dial-up
       • Establishes a non-permanent connection between a remote access server and a remote access client using an analog phone line or ISDN
       • The remote access server answers the call, authenticates and authorizes the caller, and transfers data
     • VPN
       • Establishes a secure point-to-point connection across private networks or a public network such as the Internet
       • Creates a logical link, called a tunnel, between a remote user and a private network

  4. (Skill 5) Introducing Routing and Remote Access Service (RRAS) (4)
     • To establish a dial-up connection, Windows Server 2003 uses either the PPP or the SLIP WAN protocol
     • Point-to-Point Protocol (PPP)
       • Allows remote clients to access network resources
       • Provides error checking to detect possible problems prior to data transfer
     • Serial Line Internet Protocol (SLIP)
       • An older remote communications protocol used by UNIX computers
       • Does not provide security
       • Transfers data without checking for errors

  5. (Skill 5) Introducing Routing and Remote Access Service (RRAS) (5)
     PPP supports many networking and authentication protocols
     • Password Authentication Protocol (PAP)
       • The least secure authentication protocol
       • Uses plain-text passwords for authentication
     • Shiva Password Authentication Protocol (SPAP)
       • An authentication protocol used to connect to a Shiva server
       • More secure than PAP; less secure than CHAP or MS-CHAP
     • Challenge Handshake Authentication Protocol (CHAP)
       • The server sends a challenge message to the client; the client applies an algorithm to the message to calculate a hash value (a fixed-length number) and sends the value to the server
       • The server also calculates a value and compares it to the client's
       • If the values match, a connection is established
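The CHAP exchange described on slide 5, as an added example that is not part of the slide deck: a small Python model of the three messages using the RFC 1994 MD5 response, with a PAP request alongside for contrast. The account name, shared secret and the `pap_wire` helper are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Added example (not from the slide deck): a minimal model of the CHAP exchange
# on slide 5, using the RFC 1994 MD5 response. The account name and shared
# secret below are constructed for the demonstration.
SERVER_SECRETS = {"alice": b"constructed-demo-secret"}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Hash the one-octet identifier, the shared secret and the challenge.
    Both sides compute this; only the result travels over the link."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def new_challenge() -> bytes:
    # A fresh random challenge per attempt means a captured response
    # cannot simply be replayed against a later challenge.
    return os.urandom(16)


def server_verify(identifier: int, name: str, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute the hash from the stored secret and compare it
    in constant time. Unknown names fail the same way as wrong secrets."""
    secret = SERVER_SECRETS.get(name)
    if secret is None:
        return False
    return hmac.compare_digest(chap_response(identifier, secret, challenge), response)


def run_chap(name: str, client_secret: bytes, identifier: int = 1) -> dict:
    """Drive the three CHAP messages and return what crossed the wire."""
    challenge = new_challenge()                                     # 1. Server -> Client: Challenge
    response = chap_response(identifier, client_secret, challenge)  # 2. Client -> Server: Response
    success = server_verify(identifier, name, challenge, response)  # 3. Server -> Client: Success/Failure
    return {"challenge": challenge, "response": response, "success": success}


def pap_wire(name: str, password: bytes) -> bytes:
    """For contrast: a PAP Authenticate-Request carries the password itself (constructed layout)."""
    return name.encode() + b":" + password


if __name__ == "__main__":
    result = run_chap("alice", SERVER_SECRETS["alice"])
    print("CHAP success:", result["success"])
    print("secret visible in CHAP response:", SERVER_SECRETS["alice"] in result["response"])
    print("secret visible in PAP request:", SERVER_SECRETS["alice"] in pap_wire("alice", SERVER_SECRETS["alice"]))
```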

  6. (Skill 5) Introducing Routing and Remote Access Service (RRAS) (6)
     • MS-CHAP
       • Microsoft's version of CHAP
       • The challenge message is specifically designed for Windows operating systems, and one-way encryption is used
     • MS-CHAP v2
       • Authenticates both the client and the server
       • A different encryption key is used to transmit and receive data
     • Extensible Authentication Protocol (EAP)
       • Used to customize your method of remote access authentication for PPP connections
       • Supports multiple authentication methods
     • IEEE 802.1X
       • Support for IEEE 802.1X is new in Windows Server 2003
       • Allows wireless and Ethernet LAN connections

  7. (Skill 5) Figure 11-38 RAS

  8. (Skill 5) Figure 11-39 Dial-up connections

  9. (Skill 5) Figure 11-40 SLIP and PPP

  10. (Skill 5) Introducing Routing and Remote Access Service (RRAS) (7)
     • Secure connections in VPNs are created using PPTP or L2TP
     • Point-to-Point Tunneling Protocol (PPTP)
       • An extension of PPP
       • Installed by default during the installation of RRAS
     • Layer 2 Tunneling Protocol (L2TP) with IPSec
       • Also an extension of PPP
       • Combines features from PPTP and Cisco's Layer Two Forwarding (L2F) protocol
     • Bandwidth Allocation Protocol (BAP)
       • Often referred to as Multilink PPP; used with PPP to augment the use of multilinked devices
       • Multilinked devices are several ISDN lines or modem links combined to obtain greater bandwidth
       • Bandwidth Allocation Control Protocol (BACP) is the control protocol for BAP

  11. (Skill 5) Figure 11-41 Tunneling

  12. (Skill 5) Figure 11-42 Configuring BAP and BACP

  13. (Skill 6) Understanding Types of Remote Access Connections
     • Types of dial-up equipment used to establish a connection between a remote network and a remote access client
       • POTS (Plain Old Telephone System)
       • ISDN (Integrated Services Digital Network)
       • DSL (Digital Subscriber Line)
       • Cable modem lines
       • Frame relay
       • Leased telecommunication lines
       • Modems (asynchronous and synchronous)

  14. (Skill 7) Configuring Remote Access Services
     • Routing and Remote Access Service (RRAS)
       • Installed automatically during the installation of Windows Server 2003
       • By default, RRAS is not enabled
     • You enable and configure RRAS to set up
       • A remote access server
       • A VPN
       • Network Address Translation
       • A secure connection between two servers
       • A network router

  15. (Skill 7) Figure 11-43 The Add Server dialog box

  16. (Skill 7) Figure 11-44 The Configuration screen in the RRAS Setup Wizard

  17. (Skill 7) Figure 11-45 The Remote Access screen

  18. (Skill 7) If there is more than one network connection configured on the server, this screen opens so that you can select the correct network interface.
      Figure 11-46 The Network Selection screen

  19. (Skill 7) RADIUS servers are used to provide centralized authentication.
      Figure 11-47 The RADIUS Server Selection screen

  20. (Skill 7) Figure 11-48 The Managing Multiple Remote Access Servers screen

  21. (Skill 7) Figure 11-49 The Routing and Remote Access console

  22. (Skill 7) Enter the IP address of the DHCP server in the Server address text box and click Add.
      Figure 11-50 The DHCP Relay Agent Properties dialog box

  23. (Skill 7) Configuring Remote Access Services (2)
     • Use the RAS Properties dialog box to configure your RAS server
       • General tab is used to specify whether your computer will be configured as a router, a remote access server, or both
       • Security tab is used to choose one of two types of authentication providers to validate remote access clients
       • IP tab is used to specify settings for the IP protocol, such as the method for distributing IP addresses to remote clients
       • PPP tab is used to configure PPP (Point-to-Point Protocol), for example whether a remote client can establish multilink connections
       • Logging tab is used to manage and monitor an RRAS server by selecting the types of events you want to record for accounting and security purposes

  24. (Skill 7) Figure 11-51 The General tab in the <RAS_servername> Properties dialog box

  25. (Skill 7) Click to open the Authentication Methods dialog box and set the authentication protocols.
      Figure 11-52 The Security tab

  26. (Skill 8) Creating a Remote Access Policy
     Remote access policies
     • Are used, along with user properties in some cases, to control which connection attempts are rejected or accepted by an RRAS server
     • You create them to determine which users can access the network and to prevent unauthorized access
     • A remote access policy consists of a set of rules and conditions that must be met by a connection before a user can gain access

  27. (Skill 8) Creating a Remote Access Policy (2)
     Components of a remote access policy
     • Conditions are the criteria a user must meet in order to be granted access
     • Permissions are located on the Dial-in tab in the user account Properties dialog box
       • Allow access permission skips the remote access policy's permission check and applies the remote access profile
       • Deny access permission drops the caller
       • Control access through Remote Access Policy permission checks the permission in the remote access policy; if it is set to Grant remote access permission, the profile is applied
     • Remote access profile is a list of settings offered to the client

  28. (Skill 8) Creating a Remote Access Policy (3)
     Remote access profile settings
     • Allowed dial-in days and times
     • Connection limits
     • Allowed dial-in media and phone numbers
     • Authentication settings
     • Encryption settings

  29. (Skill 8) Creating a Remote Access Policy (4)
     • Use the Edit Dial-in Profile dialog box to configure a remote access profile
       • Dial-in Constraints tab is used to specify the dial-in number and the type of media to be used for a connection
       • IP tab is used to set the IP properties for a connection
       • Multilink tab is used to configure the RRAS server to handle multilink calls and to specify the number of ports a single remote client can use at one time
       • Authentication tab is used to set the authentication protocols (PAP, SPAP, CHAP, MS-CHAP, MS-CHAP v2, EAP)
       • Encryption tab is used to specify the type of encryption for remote access clients (no encryption, basic, strong, or strongest)
       • Advanced tab is used to configure connection attributes (RADIUS, frame types, AppleTalk zones, special filters, etc.)

  30. (Skill 8) Attributes that can be set as conditions for a remote access policy.
      Figure 11-53 The Select Attribute dialog box

  31. (Skill 8) Only available in Windows 2000 native mode or Windows Server 2003 mode domains. When this option is set, the permission configured in the remote access policy is checked. If it is set to Grant, the profile is applied. If it is set to Deny, the caller is disconnected.
      Figure 11-54 The Dial-in tab in the Properties dialog box for a user

  32. (Skill 8) Figure 11-55 The Dial-in Constraints tab on the Edit Dial-in Profile dialog box

  33. (Skill 8) Click to open the Add IP Filter dialog box.
      Figure 11-56 The Inbound Filters dialog box

  34. (Skill 8) You can create an IP packet filter to control the allowed upper-layer protocols and the remote IP addresses with which clients are allowed to communicate.
      Figure 11-57 The Add IP Filter dialog box

  35. (Skill 8) Select to set Bandwidth Allocation Protocol (BAP) settings; a link can be dropped dynamically if bandwidth usage by remote clients falls below a certain threshold.
      Figure 11-58 The Multilink tab

  36. (Skill 8) The default remote access policy denies remote access.
      Figure 11-59 The Routing and Remote Access console

  37. (Skill 8) Figure 11-60 The Policy Configuration Method screen

  38. (Skill 8) Figure 11-61 Setting Day and Time Restrictions

  39. (Skill 8) Times during which the policy permits users to connect to the remote access server.
      Figure 11-62 The Time of day constraints dialog box

  40. (Skill 8) Figure 11-63 The Policy Conditions screen
      Figure 11-64 The Permissions screen

  41. (Skill 8) Click to open the Inbound Filters dialog box, where you deny or permit particular IP packets to be processed by the network.
      Figure 11-65 The IP tab

  42. (Skill 8) Callouts on the Encryption tab:
     • Allows clients to connect using a 40-bit MPPE encryption key or IPSec encryption
     • Allows clients to connect using a 56-bit MPPE encryption key or IPSec encryption
     • Allows clients to connect using a 128-bit MPPE encryption key or IPSec encryption
     • Allows clients to connect without using data encryption
      Figure 11-66 The Encryption tab

  43. (Skill 8) Creating a Remote Access Policy (5)
     • If you have multiple remote access policies, the RRAS server evaluates them in the order in which they are listed in the Routing and Remote Access console; you can change the order
     • In RRAS, the properties of individual user accounts or the RRAS policy are used to set which users can access the RRAS server
     • Your domain must be in Windows 2000 native mode or Windows Server 2003 mode to use RRAS policies
     • The biggest advantage of RRAS policies is ease of administration
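How the pieces from slides 26, 27, 36 and 43 fit together, as an added example that is not part of the slide deck: a Python model of the decision an RRAS server makes for one connection attempt, using ordered policies with conditions, the account's Dial-in permission, and a profile constraint. The policy names, group names, attribute values and the `allowed_hours` profile setting are constructed for the demonstration.

```python
from dataclasses import dataclass, field

# Added example (not from the slide deck): a model of how an RRAS server decides
# on a connection attempt from the pieces described on slides 26-27, 36 and 43.
# Policy names, group names and attribute values are constructed for the demo.


@dataclass
class Policy:
    name: str
    conditions: dict                             # attribute -> required value; all must match
    permission: str                              # "Grant" or "Deny"
    profile: dict = field(default_factory=dict)  # settings offered to the client


def first_matching_policy(policies, attempt):
    """Policies are evaluated in console order; the first one whose
    conditions all match the connection attempt is the one used."""
    for policy in policies:
        if all(attempt.get(k) == v for k, v in policy.conditions.items()):
            return policy
    return None


def evaluate(attempt: dict, user_dialin: str, policies: list) -> tuple:
    """Return (accepted, reason, profile). user_dialin is the account's Dial-in
    setting: "Allow", "Deny" or "Control" (control through Remote Access Policy)."""
    policy = first_matching_policy(policies, attempt)
    if policy is None:
        return False, "no policy matched the connection attempt", {}
    if user_dialin == "Deny":
        return False, "user account: Deny access", {}
    granted = True if user_dialin == "Allow" else policy.permission == "Grant"
    if not granted:
        return False, f"policy '{policy.name}': Deny remote access permission", {}
    # Profile constraints (here a constructed allowed_hours window) apply after permission is granted.
    hours = policy.profile.get("allowed_hours")
    if hours and not (hours[0] <= attempt.get("hour", 0) < hours[1]):
        return False, f"policy '{policy.name}': outside allowed hours", {}
    return True, f"policy '{policy.name}': Grant", policy.profile


# Constructed sample: a group-specific VPN policy listed ahead of the default
# policy, which matches every attempt and denies it.
POLICIES = [
    Policy("Allow VPN for Sales",
           {"Windows-Groups": "Sales", "NAS-Port-Type": "Virtual (VPN)"},
           "Grant", {"encryption": "strongest", "allowed_hours": (7, 19)}),
    Policy("Connections to other access servers", {}, "Deny"),
]
```

Evaluating the same Sales VPN attempt with the account set to Control, Allow and Deny shows the three outcomes the slides describe: the policy decides, the account overrides it, or the caller is dropped before any policy permission is consulted.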

  44. (Skill 8) Creating a Remote Access Policy (6)
     • In addition to setting remote access permissions on the Dial-in tab in the Properties dialog box for a user account, you can also set callback options
     • Callback options define how a computer responds when a user dials in
     • No callback
       • If you select this option, there is no callback
       • Once the connection is established, the computer stays connected and allows access to resources
     • Set by Caller (Routing and Remote Access Service only)
       • If you select this option, the server disconnects as soon as a user dials in and calls back on the number that the user indicates
       • Useful when users need to call in from different locations
     • Always Callback to
       • If you select this option, the computer calls back a specified number
       • Enhances security, as a user can establish a connection using only one number

  45. (Skill 8) Callouts on the Dial-in tab:
     • Select to allow the user to dial in to the RRAS server
     • Select to allow the remote client to connect on the first call-in attempt
     • Select to set a callback number that must always be used
      Figure 11-67 Dial-in properties for a user account

  46. (Skill 9) Creating a VPN Server
     Virtual private network (VPN)
     • A method of using the public telecommunication infrastructure to securely connect two or more subnets
     • Access is restricted to only certain clients, who are authenticated by their user account, subnet, or IP address
     • A VPN encapsulates, authorizes, and routes data by creating tunnels
     • A tunnel is a secure, logical link that is established between a remote user and a private network
     • The Routing and Remote Access service can be used to configure a computer as a VPN server, which can accept both remote access and demand-dial VPN connections from remote access clients

  47. (Skill 9) Figure 11-68 Creating a VPN

  48. (Skill 9) Figure 11-69 Creating a VPN server

  49. (Skill 9) Figure 11-70 Selecting the network interface that connects to the Internet

  50. (Skill 9) Creating a VPN Server (2)
     • After configuring the properties for a VPN server, you can create remote access policies and a remote access profile just as you can for a RAS server
     • By default, if configured to support VPN connections, Windows Server 2003 automatically creates 128 PPTP and 128 L2TP ports for incoming VPN connections
     • You can change the number of ports if your VPN server needs to support more clients for either protocol
     • To configure VPN clients, you must enter the FQDN or IP address of the VPN server in the New Connection Wizard
