
Chapter 5 Lesson Notes

Configuring, Managing, Monitoring, and Troubleshooting Remote Access

  1. Overview: Windows 2000 Routing and Remote Access Service

Windows 2000 introduces the Routing and Remote Access Service (RRAS), which replaces the separate earlier services with a single integrated service that provides both remote access and multiprotocol routing.

    1. Remote Access vs. Remote Control

RRAS (Remote Access) and Terminal Services (Remote Control) are not the same.

    2. Remote Access Connections

    Remote access connections are achieved through Dial-up Networking (DUN) and Virtual Private Networking (VPN).

      1. Using DUN, remote users can make a nonpermanent connection to a remote host over various forms of communication (analog line, ISDN, etc.). This connection is a direct point-to-point connection.
      2. VPN is a logical and indirect connection between a remote user and the connecting server. Data encryption is not required but is typically used. VPN is usually implemented using the Internet as the indirect connection between hosts.
    3. Remote Access Clients

The following clients can connect to a Windows 2000 server running RRAS:

Note: The Windows 2000 RRAS server does not support inbound SLIP (Serial Line Interface Protocol) connections; SLIP is used only for connecting to UNIX servers that cannot support PPP.

    4. Remote Access Administration

Remote Access Administration is performed through:

      1. The Routing and Remote Access Snap-In
      2. Net Shell Command-Line Utility
  2. Installing and Configuring the Remote Access Service
    1. Hardware Requirements: comply with the HCL (Hardware Compatibility List). Additional processing power is also required, especially if you intend to use data encryption.
      1. Dial-up Hardware and WAN Infrastructure
      2. Public Switched Telephone Network (PSTN), also known as POTS (Plain Old Telephone Service), offers low speeds.
      3. Digital links and V.90 improve the bit rate because of the reduction in noise. The remote access client must use a V.90 modem, and the RRAS server must use a V.90 digital switch on a digital link to the PSTN.
      4. Integrated Services Digital Network (ISDN) offers fully digital transmission by using an ISDN adapter on both sides of the connection. Combining two or more data channels produces better throughput; this is called a multilink. ISDN typically provides two 64-Kbps channels.
      5. X.25 sends data across public packet-switching networks. The Windows 2000 Routing and Remote Access server will only support direct connections to X.25 networks by using an X.25 smart card.
      6. ATM over ADSL
        1. ATM (Asynchronous Transfer Mode) uses fixed-size packets.
        2. ADSL (Asymmetric Digital Subscriber Line) means that the bandwidth available for downstream connections is significantly larger than for upstream connections.
      7. Slower connections are also possible using RS-232C null modem cables, parallel, and infrared ports.
    2. Enabling the Routing and Remote Access Service

    RRAS is automatically installed with Windows 2000, but is disabled. Before it is enabled, ensure that all interfaces and protocols you need for RRAS are installed, configured, and working correctly.

  3. Configuring the Remote Access Server

    Several configuration options should be checked before allowing remote access clients to connect to your RAS server, including authentication, auditing, and IP address assignment.

    1. Testing Connectivity to the Remote Access Server - Ensure that the tester’s local or domain user account has dial-in permission.
    2. Managing and Monitoring the Remote Access Server
      1. Expand the Ports option to view the external ports available to RAS and obtain Active and Inactive information on that port.
      2. If your RAS is connected to the Internet, you can also view VPN ports listed as WAN Miniports.
      3. Send messages to individual users or to everyone connected to RAS.
      4. Use Event Log to obtain a history of activity on the RAS.
  4. Assigning Remote Access Permissions
    1. Remote Policies
      1. Routing and Remote Access uses remote access policies to allow greater flexibility for configurations and management.
      2. Remote access policies enable you to set the who, what, where, when, why, and how of connections. Example: Fred Smith can be connected only Monday through Friday between 8 a.m. and 5 p.m., and he can only be connected for an hour each time he connects.
    2. The Default Remote Access Policy

    This built-in policy states "Allow access if dial-in permission is enabled." It can be changed. Figure 5-2 on page 303 shows the settings of the Default Policy, and Figure 5-3 on page 304 shows its Time of Day constraints.

    3. The Administrative Models for Remote Access Policy

    Microsoft recommends that you choose one of three administrative models for remote access policy:

      1. Access by User (based on user permissions; this is the simplest to administer.)
      2. Access by Policy in a Windows 2000 native-mode domain (only Windows 2000 servers with Active Directory; this is the easiest to administer for a large number of users.)
      3. Access by Policy in a Windows 2000 mixed-mode domain (when you have Windows NT 4.0 domains and Windows 2000 servers.)
    4. Remote Access Policy Conditions are listed in Table 5-4 on page 308.
    5. Remote Access Policy Profiles (see Figure 5-4 on page 310)
      1. Dial-In Constraints tab: set the permitted days, times of day, number to be dialed, or the medium used to connect (such as ISDN or T1).
      2. IP tab: set the IP address assignment policy, IP packet filters, the permitted idle time, and the session length.
      3. Multilink tab: enable multilink and the Bandwidth Allocation Protocol (BAP). BAP allows multilink connections to be added, dropped, and managed automatically as needed.
      4. Authentication tab: used if authentication protocols are enabled on the server.
      5. Encryption tab: offers various levels of data encryption: No encryption, Basic encryption (40-bit key), and Strong encryption (56-bit key).
      6. Advanced tab: not relevant to RRAS, but important for RADIUS (Remote Authentication Dial-In User Service, available in one of the Option Packs for Windows NT 4.0).
    6. Determining Access Permissions - Putting It All Together

    This section offers an overview of the access permissions discussed in this certification objective.

    7. Troubleshooting Remote Access Connections:

    Pages 317-318 offer a list of possible snags in the configuration of your RRAS connections.
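To make the "putting it all together" step concrete, here is an added example (not the textbook's or Microsoft's code) that models, in Python, the order in which RRAS combines the pieces above: policy conditions first, then the account's dial-in permission, then the matched policy's profile constraints. The policy set, the Telecommuters group, user names and dates are constructed; the default policy is modelled with its built-in Deny permission, so it admits only accounts whose dial-in permission is Allow.

```python
from dataclasses import dataclass, field
from datetime import datetime
# Added example (not the book's or Microsoft's code): a model of the order in which a
# Windows 2000 RRAS server evaluates a connection attempt. Names and dates are constructed.

@dataclass
class Profile:                          # Dial-In Constraints tab of a policy profile
    days: set = field(default_factory=lambda: set(range(7)))  # permitted weekdays, 0 = Monday
    hours: range = range(0, 24)         # permitted hour-of-day values
    media: set = None                   # e.g. {"ISDN"}; None means any medium
    max_session_min: int = None         # None means unlimited session length

@dataclass
class Policy:
    name: str
    conditions: dict                    # attribute -> value that must match for the policy to apply
    grant: bool                         # Grant (True) or Deny (False) remote access permission
    profile: Profile = field(default_factory=Profile)

@dataclass
class Attempt:
    user: str
    dial_in: str                        # account setting: "allow", "deny" or "policy"
    attrs: dict                         # connection attributes, e.g. {"group": "Sales"}
    when: datetime

def evaluate(policies, a):
    """Return (accepted, reason); only the first policy whose conditions all match is used."""
    policy = next((p for p in policies
                   if all(a.attrs.get(k) == v for k, v in p.conditions.items())), None)
    if policy is None:
        return False, "no remote access policy matched"
    # The account's dial-in permission is consulted before the policy's own permission.
    if a.dial_in == "deny":
        return False, f"{a.user}: account dial-in permission is Deny"
    if a.dial_in == "policy" and not policy.grant:
        return False, f"{policy.name}: policy permission is Deny"
    pr = policy.profile                 # finally the matched policy's profile constraints apply
    if a.when.weekday() not in pr.days or a.when.hour not in pr.hours:
        return False, f"{policy.name}: outside permitted days/hours"
    if pr.media is not None and a.attrs.get("media") not in pr.media:
        return False, f"{policy.name}: medium not permitted"
    return True, f"{policy.name}: accepted (session limit {pr.max_session_min} min)"

def make_attempt(user, dial_in, attrs, year, month, day, hour):
    return Attempt(user, dial_in, attrs, datetime(year, month, day, hour))

def sample_policies():
    """Constructed set: the Fred Smith rule (Mon-Fri, 8 a.m. to 5 p.m., one hour per session)
    for the Telecommuters group, then the default policy, whose own permission is Deny."""
    fred = Policy("Telecommuters weekdays", {"group": "Telecommuters"}, grant=True,
                  profile=Profile(days=set(range(5)), hours=range(8, 17), max_session_min=60))
    default = Policy("Allow access if dial-in permission is enabled", {}, grant=False)
    return [fred, default]
```

Calling `evaluate(sample_policies(), make_attempt("fred", "policy", {"group": "Telecommuters"}, 2000, 10, 3, 10))` accepts the Tuesday-morning attempt, while the same attempt on a Saturday, or an account set to "Control access through Remote Access Policy" that only matches the default policy, is rejected with the reason shown.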

  5. Virtual Private Networking
    1. VPN Overview
      1. A VPN (Virtual Private Network) uses encapsulated, encrypted, and authenticated links across shared or public networks. This allows remote users to connect to a corporate server using a standard Internet connection.
      2. Using a VPN rather than direct dial-up remote access can reduce the cost of long-distance calls for telecommuting employees and for connections between branch offices.
    2. Encapsulation and Encryption

    Encapsulated data travels across an internetwork to emulate a point-to-point link, creating the virtual network. Encryption secures that data, creating the virtual private network.

    4. Components of Windows 2000 VPN
      1. VPN Server. A VPN server runs Routing and Remote Access and has a connection to the Internet and a separate connection to the corporate network.
      2. VPN Client. A VPN client initiates the VPN connection to the VPN server. Clients can run Windows NT 4.0, Windows 2000, Windows 9x, or any third-party dial-up client that supports the Windows 2000 tunneling protocols.
      3. LAN Protocols. The LAN protocol can differ from the protocol used to establish the link with the ISP/Internet (TCP/IP), but it must be common to the client and the destination network for communication to occur.
      4. Tunneling Protocols. A VPN connection uses one of two tunneling protocols: PPTP (Point-to-Point Tunneling Protocol) or L2TP (Layer 2 Tunneling Protocol).
        1. PPTP: Point-to-Point Tunneling Protocol is an extension of PPP for use over the Internet. While PPP is used for direct dial-up connections, PPTP is used for VPNs.
        2. L2TP: Layer 2 Tunneling Protocol provides true end-to-end security when combined with IPSec (L2TP over IPSec).
      5. WAN Options and Internet Support
        1. Compulsory tunneling (where the user does not choose to connect over a tunnel) is an extension of realm-based tunneling (where the access concentrator chooses the tunnel's VPN server based on additional information about the user). This information is called the realm.
      6. Access Concentrators and Network Access Servers
      7. Security involves filtering for only PPTP and/or L2TP packets on the VPN server, firewall, and router connecting to the Internet.
      8. Security when using PPTP offers user authentication and encryption with Microsoft Point-to-Point Encryption (MPPE).
      9. Security when using L2TP over IPSec offers user authentication, mutual computer authentication, encryption, data authentication, and data integrity.
    5. Installing and Configuring the VPN Server
      1. Figure 5-5 on page 327 shows the installation of a VPN Server, and Table 5-5 on page 328 shows where to set the IPSec settings for a VPN Server.
    6. Configuring Firewalls with VPNs

    The typical setup attaches the firewall to the Internet, with the VPN server positioned between the firewall and the intranet. The VPN server is then treated as another Internet resource on the DMZ (demilitarized zone).

      1. Packet Filters for PPTP
        1. Input and output packet filters for PPTP are listed on pages 329 and 330.
      2. Packet Filters for L2TP over IPSec
        1. Input and output packet filters for L2TP over IPSec are listed in the table on pages 330 and 331.
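The book's filter tables are not reproduced here, so as an added example (not the textbook's or Microsoft's code) the following Python models the rule the notes state: the Internet-facing interface passes only PPTP and/or L2TP over IPSec traffic addressed to the VPN server and drops everything else. The protocol and port numbers are the standard assignments (TCP 1723 and GRE for PPTP; UDP 500 and ESP for L2TP over IPSec); the addresses and packets are constructed.

```python
from dataclasses import dataclass

# Added example, not the book's filter tables (pages 329-331 are not reproduced here).
# It applies the rule on the page: the Internet-facing interface passes only PPTP
# and/or L2TP tunnel traffic addressed to the VPN server and drops everything else.
# Protocol and port numbers are the standard assignments; addresses are constructed.

TCP, UDP, GRE, ESP = 6, 17, 47, 50                 # IP protocol numbers
VPN_SERVER = "203.0.113.10"                        # constructed VPN server address

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: int = 0                                 # 0 for protocols without ports (GRE, ESP)
    sport: int = 0

def pptp_rules(server):
    """Input filters for PPTP: control channel on TCP 1723 and GRE-encapsulated tunnel data."""
    return [lambda p: p.dst == server and p.proto == TCP and p.dport == 1723,
            lambda p: p.dst == server and p.proto == GRE]

def l2tp_ipsec_rules(server):
    """Input filters for L2TP over IPSec: IKE negotiation on UDP 500 and ESP-protected data."""
    return [lambda p: p.dst == server and p.proto == UDP and p.dport == 500,
            lambda p: p.dst == server and p.proto == ESP]

def filter_input(packets, rules):
    """Return (passed, dropped); a packet matching no rule is dropped (default deny)."""
    passed, dropped = [], []
    for p in packets:
        (passed if any(rule(p) for rule in rules) else dropped).append(p)
    return passed, dropped

def sample_traffic():
    """Constructed packets arriving on the Internet interface."""
    c = "198.51.100.7"                             # constructed remote client address
    return [Packet(c, VPN_SERVER, TCP, dport=1723, sport=49152),  # PPTP control
            Packet(c, VPN_SERVER, GRE),                           # PPTP tunnel data
            Packet(c, VPN_SERVER, UDP, dport=500, sport=500),     # IKE for L2TP/IPSec
            Packet(c, VPN_SERVER, ESP),                           # IPSec ESP
            Packet(c, VPN_SERVER, TCP, dport=139, sport=49153),   # NetBIOS session: dropped
            Packet(c, VPN_SERVER, TCP, dport=23, sport=49154),    # telnet: dropped
            Packet(c, "203.0.113.20", GRE)]                       # GRE to another host: dropped
```

Running `filter_input(sample_traffic(), pptp_rules(VPN_SERVER) + l2tp_ipsec_rules(VPN_SERVER))` passes the four tunnel packets and drops the three others; with only `pptp_rules` applied, the IKE and ESP packets are dropped as well, which is the behaviour to expect on a firewall configured for PPTP alone.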
    7. Testing Connectivity to the VPN Server
      1. Have a valid Internet connection that is dialed first and connected.
      2. Dial a second connection that specifies the VPN server's address.
      3. Log on and, once authenticated, connect to your internal network to access resources.
    8. Troubleshooting VPNs
      1. Use the list on pages 333 and 334 to troubleshoot common problems with VPNs.
  6. Connections Using PPP Multilink and BAP
    1. PPP Multilink Protocol is used to combine multiple physical links into a single logical link to increase throughput.
      1. BAP (Bandwidth Allocation Protocol) and BACP (Bandwidth Allocation Control Protocol) enable you to add links when greater throughput is required and to close links that are no longer required.
    2. Bandwidth Allocation Control Protocol (BACP)
  7. Integrating Remote Access and DHCP
    1. Obtaining DHCP Addresses via RRAS
      1. When the RRAS is set to automatically assign IP addresses, it gets a pool of 10 addresses from the DHCP server. The number of addresses RRAS reserves can be changed in the registry.
      2. When RRAS clients disconnect from the RAS server, their IP address is returned to the RAS server rather than the DHCP server so other remote clients can reuse that IP address.
      3. When all 10 addresses are used, 10 more are obtained. When remote access service is stopped, all addresses are released. You cannot release them manually on the server using the ipconfig /release all command.
    2. Obtaining DHCP Options via RRAS
      1. This uses the DHCPInform message, as discussed in Chapter 4.
      2. RRAS clients do not receive options from the DHCP server directly. Instead the RRAS server can send this information when it receives the DHCPInform message.
    3. Location of the DHCP Server

    Generally the DHCP server is a different server from the one running RRAS, unless the network is very small.

      1. To install the DHCP Relay Agent:
        1. Double-click IP Routing in the Routing and Remote Access snap-in.
        2. Right-click General, then select New Routing Protocol.
        3. Select DHCP Relay Agent and choose Properties.
        4. In the General tab, add at least one address of a DHCP server.
    4. Automatic Private IP Addressing (APIPA)
      1. APIPA allows the server to assign IP addresses even when no DHCP server can be located, if it is configured to do so automatically.
      2. APIPA uses the private address range 169.254.0.1 to 169.254.255.254.
    5. Multihomed Servers

    A multihomed server (a server with several adapters) may have an adapter with no link to a DHCP server, in which case you must manually change the selected adapter (RRAS snap-in / <servername> / Properties / IP tab / Adapter drop-down box). Configure the server so that only the adapter that has a path to a DHCP server is used to assign IP addresses to remote computers.

    6. Off-Subnet Addressing and On-Subnet Addressing
      1. Off-subnet addressing is when the DHCP server allocates IP addresses on a different subnet from the remote access server itself.
      2. On-subnet addressing is when the DHCP server allocates IP addresses on the same subnet as the remote access server. On-subnet addressing is the most common.
  8. Managing and Monitoring Remote Access
    1. Additional Routing and Remote Access Administration Tools include:
      1. Event Logging can record errors only, errors and warnings, or the maximum amount of information.
      2. Authentication and Accounting Logging is helpful for troubleshooting Remote Access Policy problems.
      3. Network Monitor allows you to capture the PPP traffic sent between the remote client and the remote access server. It cannot interpret compressed or encrypted portions.
      4. PPP Tracing tracks down connection problems.
      5. Tracing helps diagnose complex network problems.
      6. API (Application Program Interface) Support For Third-Party Components and Utilities

    Using the API, third-party developers can write their own routing protocols, interfaces, and management tools that interface directly with the RRAS architecture.

  9. Remote Access Security
    1. Secure Authentication

    Secure authentication is performed using either Windows authentication or RADIUS authentication.

      1. Windows Authentication: the client is authenticated through normal Windows mechanisms.
      2. RADIUS Authentication: the RADIUS server matches the remote access client against its database.
      3. Authentication Protocols: both Windows and RADIUS allow a choice of authentication protocol.
      4. PAP (Password Authentication Protocol): least secure; sends the password in plain text.
      5. SPAP (Shiva PAP): uses a reversible encryption mechanism.
      6. CHAP (Challenge Handshake Authentication Protocol): more secure than PAP and SPAP; uses the industry-standard Message Digest 5 (MD5) one-way hash.
      7. MS-CHAP: Microsoft CHAP is supported on all versions of Windows.
      8. MS-CHAPv2: more secure against server impersonation than MS-CHAP.
      9. EAP (Extensible Authentication Protocol): allows arbitrary authentication mechanisms to be used to validate a PPP connection. Windows 2000 is the only Windows platform to support EAP.
      10. EAP-MD5: CHAP authentication carried within EAP.
      11. EAP-TLS (Transport Layer Security): based on Secure Sockets Layer (SSL); allows applications to communicate securely.
      12. EAP-RADIUS: typically the remote access server is configured to use EAP, with RADIUS rather than Windows 2000 as the authentication provider.
    2. Data Encryption

    Just as it can require authentication, the server can require encryption of the data sent by remote access clients.

    3. Packet Filtering: typically configured at a firewall, but can additionally be applied in three places.
      1. Packet filtering on the server
      2. Packet filtering on individual adapters
      3. Packet filtering on individual access policies
    4. Secure Callback uses the Callback Control Protocol (CBCP) to have the server call the remote client back after a successful authentication, so the client is not charged for long-distance calls. Callback does not work with VPN connections.
    5. Caller ID verifies that the incoming connection is from a specified telephone number.
    6. Remote Access Lockout (not to be confused with account lockout) specifies how many times remote access authentication may fail against a valid user account before the user is denied remote access.
      1. Setting RAS Account Lockout
        1. Two Settings:
    7. Troubleshooting Remote Access Security is outlined on pages 364-365.

  10. Remote Access Best Practices and Tips

    1. Use the list on pages 365-367 to tweak your RAS server for optimal performance.