Chapter 10: Routing and Remote Access Services

Overview of Routing and Remote Access Service (RRAS)
- RRAS is fully integrated with Windows 2000 Server.
- RRAS is extensible with application programming interfaces (APIs) that third-party developers can use to create custom networking solutions and that vendors can use to participate in internetworking.
- The combined features of Windows 2000 RRAS allow a Windows 2000 Server computer to function as a multiprotocol router, a demand-dial router and a remote access server.

Combining Routing and Remote Access Service
- Routing services and remote access services have been combined because of the Point-to-Point Protocol (PPP):
  - used to negotiate point-to-point connections
  - used by demand-dial routing connections
- The PPP infrastructure of Windows 2000 Server supports several types of access: dial-up, VPN, on-demand or persistent dial-up, and VPN demand routing.

Installation and Configuration
- Enable, Disable, Refresh
- netsh
- Private addresses: 10.0.0.0 - 10.255.255.255, 172.16.0.0 - 172.31.255.255, 192.168.0.0 - 192.168.255.255

Authentication and Authorization
- Authentication: you are who you say you are.
- Authorization: verification of permission to make the connection.
- Windows RADIUS server: Win2000 IAS

Unicast IP Routing Support
- Windows 2000 provides extensive support for unicast IP routing. In unicasting, two computers establish a two-way point-to-point connection.
- RRAS includes a number of features to support unicast IP routing.

Multicast IP Support
- Windows 2000 supports the sending, receiving and forwarding of IP multicast traffic. Multicast traffic is sent to a single host but is processed by multiple hosts that listen for this type of traffic.
- RRAS includes a number of features to support multicast IP routing.

Other Features of RRAS
- NAT (Network Address Translation): an alternative to Internet Connection Sharing
- DHCP Relay: the DHCP server can exist on another network
- IP Packet Filtering: source/destination IP address, TCP/UDP port number, IP protocol codes
- ICMP route discovery: periodically advertise and respond to host router solicitations
- Static routing

Routing vs. Routable Protocols
- Routing: communications between routers (OSPF, RIP)
- Routable: IPX/SPX, TCP/IP, AppleTalk; not NetBEUI

Demand-Dial Routing
- Windows 2000 provides support for demand-dial routing. IP and IPX can be forwarded over demand-dial interfaces over persistent or on-demand wide area network (WAN) links.

Remote Access
- RRAS enables a computer to be a remote access server. RRAS accepts remote access connections from remote access clients that use traditional dial-up technologies.
- Access to resources on the RRAS server
- Access to LAN resources

VPN Server
- RRAS enables a computer to be a virtual private network (VPN) server. RRAS supports Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP) and IP Security (IPSec).

RADIUS Client/Server
- Internet Authentication Service (IAS) is the Microsoft implementation of a Remote Authentication Dial-In User Service (RADIUS) server.
- RADIUS is a client/server protocol that enables RADIUS clients to submit authentication and accounting requests. The RADIUS server has access to user account information and can check remote access authentication credentials.
- RADIUS supports remote access user authentication and authorization and allows accounting data to be maintained in a central location.
- Authentication is performed either through the RADIUS database or a domain controller.

SNMP MIB Support
- RRAS provides Simple Network Management Protocol (SNMP) agent functionality with support for Internet MIB II. RRAS includes support for additional MIB enhancements beyond Internet MIB II.
- MIB support is also provided for Windows 2000 functions, legacy LAN Manager MIB functions, and the WINS, DHCP and IIS services.

Dial-Up Equipment and WAN Infrastructure
- Public Switched Telephone Network (PSTN): digital links and V.90
- Integrated Services Digital Network (ISDN)
- X.25
- ATM over ADSL

Remote Access Protocols
- Remote access protocols control the establishment of connections and the transmission of data over WAN links.
- Windows 2000 remote access supports three types of remote access protocols: PPP, SLIP and AsyBEUI.

LAN Protocols
- LAN protocols are the protocols used by remote access clients to access resources on the network connected to the RAS server.
- Windows 2000 remote access supports TCP/IP, IPX, AppleTalk and NetBEUI.

Secure User Authentication
- Secure user authentication is obtained through the encrypted exchange of user credentials. Secure authentication is possible through the use of PPP and one of the supported authentication protocols.

Mutual Authentication
- Mutual authentication is obtained by authenticating both ends of the connection through the encrypted exchange of user credentials.
- It is possible for a RAS server not to request authentication from the remote access client.

Data Encryption
- Data encryption encrypts the data sent between the remote access client and the RAS server. Data encryption on a remote access connection is based on a secret encryption key known to the RAS server and the remote access client.
- Data encryption is possible over dial-up remote access links when using PPP along with EAP-TLS (Extensible Authentication Protocol - Transport Level Security) or MS-CHAP and Microsoft Point-to-Point Encryption (MPPE).

More Security Options
- Callback
- Caller ID
- Remote Access Lockout: number of failed attempts; how often to reset the failed-attempts counter

Managing Addresses
- For PPP connections, IP, IPX and AppleTalk addressing information must be allocated to remote access clients during the establishment of the connection.
- The RAS server must be configured to allocate IP addresses, IPX network and node addresses, or AppleTalk network and node addresses.

Overview of Access Management
- Remote access connections are accepted based on the dial-in properties of a user account and the remote access policies.
- Different remote access conditions can be applied to different remote access clients, or to the same remote access client based on the parameters of the connection attempt. Multiple remote access policies can be used to meet various conditions.
- RRAS and IAS use remote access policies to determine whether to accept or reject connection attempts.

Access Management
- Policy created in Policies
- Applied by RRAS if Windows authentication, by IAS if RADIUS authentication
- Checked in order:
  - if there are no policies, reject the connection
  - check all policies until a match
- User account permissions: match up user account and profile properties

Overview of Virtual Private Networks
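The Access Management decision order above (no policies: reject; check policies in order until a match; then the user account's dial-in permission) and the Remote Access Lockout counter from More Security Options, as an added worked example that is not Microsoft's code. The dial-in values allow/deny/policy, the attempt attributes and the lockout thresholds are modelling assumptions.

```python
"""Model of the RRAS/IAS connection-decision order on this page (added example, not
Microsoft's code). Policies are checked in order, the first match decides, and no policy
or no match rejects. Dial-in values and lockout parameters are modelling assumptions."""
from dataclasses import dataclass
from typing import Optional

@dataclass
class Policy:
    name: str
    conditions: dict   # connection-attempt attributes that must all match
    grant: bool        # policy permission: grant or deny remote access

@dataclass
class Account:
    name: str
    dialin: str = "policy"  # assumption: 'allow', 'deny' or 'policy' (control through policy)
    failed_attempts: int = 0
    last_failure: Optional[float] = None  # time of the last failed attempt, in seconds

def first_match(policies, attempt):
    """Return the first policy whose conditions all match the attempt, else None."""
    for p in policies:
        if all(attempt.get(k) == v for k, v in p.conditions.items()):
            return p
    return None

def decide(policies, account, attempt):
    """Reject when there are no policies or no match; otherwise the account's
    dial-in permission, then the matched policy's permission, decides."""
    if not policies:
        return False, "no remote access policies"
    p = first_match(policies, attempt)
    if p is None:
        return False, "no policy matched"
    if account.dialin == "deny":
        return False, f"dial-in denied on account ({p.name} matched)"
    if account.dialin == "allow" or p.grant:
        return True, f"granted via {p.name}"
    return False, f"denied by {p.name}"

def record_failure(account, now, max_attempts=3, reset_after=1800.0):
    """Remote access lockout: count failed attempts, reset the counter once
    reset_after seconds have passed since the last failure, and report lockout."""
    if account.last_failure is not None and now - account.last_failure > reset_after:
        account.failed_attempts = 0
    account.failed_attempts += 1
    account.last_failure = now
    return account.failed_attempts >= max_attempts
```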
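The IP Packet Filtering criteria listed under Other Features of RRAS (source/destination address, TCP/UDP port, IP protocol code), combined with the private address ranges from Installation and Configuration, as an added worked example that is not Microsoft's code. The "drop all except"/"accept all except" filter modes, the documentation address 203.0.113.10 and the PPTP rule set are modelling assumptions.

```python
"""Model of RRAS IP packet filtering (added example, not Microsoft's code). Criteria match
source/destination address, protocol code and TCP/UDP port; modes and rules are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Private address ranges listed on the page
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ICMP, TCP, UDP, GRE = 1, 6, 17, 47  # IP protocol codes

@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None  # TCP/UDP destination port, if any

@dataclass
class Criterion:
    """One filter criterion; a None field matches anything."""
    src: Optional[str] = None    # network in CIDR notation
    dst: Optional[str] = None
    proto: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, pkt):
        return ((self.src is None or ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src))
                and (self.dst is None or ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst))
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))

def is_private(addr):
    """True when addr lies in one of the private ranges."""
    return any(ipaddress.ip_address(addr) in net for net in PRIVATE)

def filter_packet(mode, criteria, pkt):
    """'drop_all_except' accepts only matching packets; 'accept_all_except' drops them."""
    hit = any(c.matches(pkt) for c in criteria)
    if mode == "drop_all_except":
        return "accept" if hit else "drop"
    return "drop" if hit else "accept"

# Constructed input filter for a PPTP server's Internet-facing interface (203.0.113.10 is a
# documentation address): accept only PPTP control (TCP 1723) and GRE (protocol 47) to it.
VPN_IN = [Criterion(dst="203.0.113.10/32", proto=TCP, dport=1723),
          Criterion(dst="203.0.113.10/32", proto=GRE)]
def inbound_decision(pkt):
    """Drop Internet packets claiming a private source (spoofing), then apply VPN_IN."""
    if is_private(pkt.src):
        return "drop"
    return filter_packet("drop_all_except", VPN_IN, pkt)
```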