Windows NT Server 4.0 Notes


Module 12: RAS and Dial-Up Networking

WAN Connectivity
PSTNs and Modems:
  • Windows NT RAS uses standard Public Switched Telephone Networks (PSTN).
  • Advantage is worldwide availability.
X.25
  • X.25 networks transmit data using a packet-switching protocol.
  • Relies on data communications equipment (DCEs), which form an elaborate worldwide network of forwarding nodes that participate in delivering an X.25 packet.
  • DUN clients can directly access an X.25 network by using a PAD.
  • Dial-up asynchronous PADs are a practical choice for remote access clients because they don't require that an X.25 line be plugged into the back of the computer.
    • Note: ISDN adapter and X.25 adapter are treated as network adapter cards, thereby giving remote computers a direct data feed across a WAN to the LAN

  • RAS provides access to an X.25 network in one of two configurations, depending on the operating system involved:
    • Client (Windows 95 or Windows NT): a PAD converts serially transmitted data into X.25 packets, or vice versa, to make communication possible between the client and the X.25 network.
    • Server and client (NT only): a direct connection to the X.25 network can be made through an X.25 smart card. This is a hardware card with a PAD embedded in it, and it acts like a modem.
ISDN
  • ISDN offers much faster communication than PSTN. ISDN lines must be installed at both the server and the remote side, and an ISDN adapter must be installed in both.
  • (For more background and a comparison between modems and ISDN adapters, see the 399 Study Guide.)
Point-to Point Tunneling Protocol (PPTP)
  • RAS Servers are usually accessed by modem, ISDN card or an X.25 PAD.
  • BUT they can also be accessed indirectly via the Internet with PPTP. PPTP is a networking technology that supports multi-protocol virtual private networks (VPNs).
  • This support enables remote users to gain secure access to corporate networks across the Internet.
  • Using PPTP, first a connection to the Internet is established, and then a connection to the RAS server on the Internet is established.

PPTP Advantages (advantage, followed by its description):
Lower transmission costs
  • If local access is available through ISP, access to the remote network is less expensive than a long distance telephone call
Lower hardware costs
  • RAS Server needs only a connection to the Internet
  • Not necessary for RAS Server to have multiple modems, ISDN or X.25 cards.
Lower administration costs
  • A PPTP network can be managed and secured from a single RAS server
Better Security
  • PPTP provides security through data encryption and works with:
    • NetBEUI, 
    • TCP/IP and 
    • IPX
  • Data sent by means of PPTP consists of encapsulated PPP packets.

How PPTP works

  • PPTP provides a way to route IP, IPX, or NetBEUI PPP packets over a TCP/IP network.
  • Therefore, it's possible for the Internet to be used as a backbone for IPX and NetBEUI communication.
  • Therefore, the remote network being accessed can use any protocol. The network between the client and the remote network must be a TCP/IP network, such as the Internet.
  • Because PPTP supports multi-protocol encapsulation of any type of PPP packet,
    • BOTH IPX and NetBEUI can be routed over a TCP/IP network.

Comparing PPTP and Other WAN Protocols

  • With PSTN, ISDN, or X.25, a remote access client establishes a PPP connection with the RAS server over a switched network.
  • After the connection is established, PPP packets are sent over the switched connection to the RAS server for routing to the destination LAN.
  • PPTP uses a transport protocol such as TCP/IP to send PPP packets to the RAS server over a virtual WAN. The resulting benefit is a saving in transmission costs by using the Internet rather than long distance dial-up connections.

PPTP Access Over the Internet

There are two methods (method for connecting to the RAS server, followed by considerations):

Direct connection to Internet
  • Client must have the PPTP driver
  • RAS server must have a PPTP-enabled adapter to establish the tunnel via the Internet
Connection through ISP
  • If an ISP provides the connection, and the ISP's Point of Presence (POP) supports PPTP, then PPTP does not have to be installed on the client.
  • The client establishes a connection to the ISP and calls the NT RAS server to establish the PPTP tunnel.
Remote Access Protocols:

LAN Protocols:

Windows NT RAS supports these protocols, and therefore these networks, by using the PPP remote access standard.

    Protocol   Network
    NetBEUI    Microsoft-based
    TCP/IP     UNIX
    IPX        Novell NetWare

  • Clients running Windows NT RAS can also connect to existing SLIP-based remote access servers (UNIX).
SLIP (Serial Line Internet Protocol)
  • addresses TCP/IP connections made over serial lines.
  • supported by DUN.
  • gives access to Internet services.


Limitations

  • Requires static IP address for client, therefore cannot utilize DHCP or WINS
  • Relies on text-based logon sessions and requires a scripting system to automate logon process.
  • Supports only TCP/IP
  • transmits authentication passwords as CLEAR TEXT therefore, is NOT very secure.
  • Windows NT RAS does not have a SLIP server component, so it CANNOT be used as a SLIP server; you can't call into an NT RAS server using SLIP.
PPP: Point to Point Protocol
  • Designed to enhance SLIP
  • Set of industry standard framing and authentication protocols that enable RAS clients and servers to interoperate in multivendor network.
  • Supports AppleTalk, DECnet, OSI, TCP/IP, and IPX.

Windows NT Protocol Support Over PPP

  • PPP support:
    • enables computers running Windows NT to dial in to remote networks through any server that complies with the PPP standard, and
    • enables computers running NT Server to receive calls from, and provide access to, other vendors' remote access software.
  • The PPP architecture enables clients to load any combination of NetBEUI, TCP/IP, and IPX. Applications written to the Windows Sockets (WinSock), NetBIOS, or IPX interface can be run on a remote computer running Windows NT Workstation.

Netware Points:

  • Windows NT RAS clients that have both the IPX interface and CSNW installed can connect directly to and access NetWare servers.
  • If RAS client does not have IPX and CSNW installed, it can still access a NetWare server if GSNW is installed on a RAS server. The RAS server then functions as a gateway to a NetWare server.
Gateways and Routers

Windows NT RAS can act as a

  • NetBIOS Gateway
    • NT RAS includes a NetBIOS gateway that enables remote clients to access NetBIOS resources, such as file and print services, on a network.
    • This enables clients running NetBEUI to access remote servers regardless of which protocol is installed on the remote server.
    • The NetBIOS gateway does this by translating the NetBEUI packets into IPX or TCP/IP formats that can be understood by remote servers.
  • IP and IPX Routers

    RAS servers that have IP and IPX routers installed can perform the following functions:

    • Act as a router to link LANs and WANs.
    • Connect LANs that have different network topologies such as Ethernet and Token Rings.
    • RAS server can be an IPX router and Service Advertising Protocol (SAP) agent for Dial-Up Networking clients. (SAP is similar in functionality to the NT Browser service.) Once configured, RAS servers enable remote clients to access NetWare file and print services and to take advantage of Windows Sockets applications.
Aspects of Windows NT RAS Security to validate remote client access to network
  • Integrated Domain Security
    • Windows NT Server provides organization wide security using a single network logon model (also for RAS users).
    • This means easier administration and remote clients have same privileges as when they are in the office.
    • To connect to a RAS server, user must have RAS dial-in permission (is authenticated) and a valid Windows NT user account.
    • Clients must first be authenticated by RAS before they can log on to NT network.
  • Encrypted Authentication and Logon Process
    • By default, all authentication and logon information is encrypted when transmitted over RAS.
    • However, it is possible to allow any authentication method, including clear text.
    • In addition, it is possible to configure RAS and Dial-Up Networking so that all data that passes between a client and server is encrypted.
  • Auditing
    • if auditing is enabled, RAS can generate audit information on remote connections including authentication and logon.
  • Intermediary Security Hosts
    • This is a third-party intermediary security host between DUN client and RAS server. Users must type password before establishing a connection with RAS Server.
  • Callback Security
    • When callback security is used, the server receives the call from the client computer, disconnects the connection, and then calls the client back either at a preset telephone number or at a number that was provided during the initial call.
    • This guarantees that the connection to the local network was made from a trusted site, such as a branch office.
  • PPTP Filtering
    • When using PPTP, the RAS server must have a direct connection to both the Internet and the company's corporate network.
    • This could pose a security risk, because access to the network could be gained through the RAS server.
    • PPTP filtering can be used to help ensure security on a corporate network.
    • When PPTP filtering is enabled, all protocols other than PPTP are disabled on the selected network adapter.
    • Enable PPTP Filtering in Advanced IP Addressing in the Microsoft TCP/IP Properties dialog box.
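The PPTP filtering rule above, modelled as an added example (not code from these notes or from Windows NT): a small Python packet filter that, when filtering is enabled on the Internet-facing adapter, accepts only the traffic a PPTP tunnel consists of and drops everything else, so LAN services on the RAS server cannot be reached from the Internet except through the tunnel. The port and protocol numbers (TCP 1723 for the PPTP control connection, GRE for the tunnelled PPP frames) come from the PPTP specification, not from the notes; the sample packets are constructed.

```python
"""PPTP filtering modelled as an inbound packet filter (constructed example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Protocol and port numbers from the PPTP specification (assumed here, not on the page):
# the control connection is TCP port 1723 and the tunnelled PPP frames travel in GRE.
IP_PROTO_ICMP = 1
IP_PROTO_TCP = 6
IP_PROTO_UDP = 17
IP_PROTO_GRE = 47
PPTP_CONTROL_PORT = 1723


@dataclass(frozen=True)
class Packet:
    ip_proto: int              # IP protocol number of the packet
    dst_port: Optional[int]    # destination port, or None for GRE/ICMP
    description: str           # what the constructed packet represents


def is_pptp(pkt: Packet) -> bool:
    """True only for the two kinds of traffic a PPTP tunnel needs."""
    if pkt.ip_proto == IP_PROTO_GRE:
        return True
    return pkt.ip_proto == IP_PROTO_TCP and pkt.dst_port == PPTP_CONTROL_PORT


def filter_inbound(packets: List[Packet],
                   pptp_filtering_enabled: bool) -> Tuple[List[Packet], List[Packet]]:
    """Split packets arriving on the Internet-facing adapter into (accepted, dropped).

    With PPTP filtering enabled everything except PPTP is discarded, so the
    server's own LAN services are reachable from the Internet only through an
    authenticated tunnel. With it disabled, every packet is accepted.
    """
    if not pptp_filtering_enabled:
        return list(packets), []
    accepted = [p for p in packets if is_pptp(p)]
    dropped = [p for p in packets if not is_pptp(p)]
    return accepted, dropped


# Constructed sample traffic as it might arrive on the adapter connected to the Internet.
SAMPLE_INBOUND = [
    Packet(IP_PROTO_TCP, PPTP_CONTROL_PORT, "PPTP control connection from a remote DUN client"),
    Packet(IP_PROTO_GRE, None, "GRE-encapsulated PPP frame belonging to the tunnel"),
    Packet(IP_PROTO_TCP, 139, "NetBIOS session request sent straight at the server"),
    Packet(IP_PROTO_UDP, 137, "NetBIOS name query sent straight at the server"),
    Packet(IP_PROTO_ICMP, None, "ICMP echo request"),
]


def describe(pptp_filtering_enabled: bool) -> Tuple[List[str], List[str]]:
    """Return the descriptions of accepted and dropped sample packets."""
    accepted, dropped = filter_inbound(SAMPLE_INBOUND, pptp_filtering_enabled)
    return [p.description for p in accepted], [p.description for p in dropped]


if __name__ == "__main__":
    for enabled in (False, True):
        acc, drp = describe(enabled)
        state = "enabled" if enabled else "disabled"
        print(f"PPTP filtering {state}: {len(acc)} accepted, {len(drp)} dropped")
        for d in drp:
            print("  dropped:", d)
```

Running the script shows the difference the check box makes: with filtering disabled all five constructed packets reach the server, with it enabled only the control connection and the GRE frame do.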
Telephone API

Windows NT Telephony API (TAPI):

  • Provides a standard way for communication applications to control telephony functions for data, fax, and voice calls.
  • Virtualizes the telephone system by acting as a device driver for a telephone network.
  • Manages all signaling between computer and telephone network (establishing, answering and terminating calls).
  • Can also include supplementary functions such as hold, transfer, conference, and call park found in PBX and ISDN.

TAPI Settings:

Basic TAPI settings are set up when a TAPI-aware program (DUN) is run for the first time. If it has not been run before, the TAPI configuration will be automatically installed when DUN is installed.

  • Location: in Windows NT DUN, a location is a set of information that TAPI uses to analyze telephone numbers in international format and to determine the correct sequence of numbers to be dialed. Locations can be named anything that helps the user remember them. Information includes:
    • Area or city code
    • Country code
    • Outside line access (for local and long distance calls)
    • Preferred calling card
  • Calling Cards
    • Creates the sequence of numbers to be dialed for a particular calling card.
    • The number is stored in scrambled form and will not be displayed after it is entered.
    • Multiple calling cards can be defined.
  • Drivers (TAPI Service Providers = TSPs)
    • Software components that control TAPI hardware (PBX, voice mail card)
    • Installed with the TAPI hardware, except that the TAPI driver for modems (unimodem.tsp) is automatically installed with NT
    • ALL TSPs run in the same memory space, so a malfunctioning TSP can affect the others.

Configuring a TAPI Location

Done through the Dialing Properties dialog box, My Locations tab (option, followed by what it's used for):

  • I am dialing from (list box, plus New button): current location, plus additional locations
  • The area code is: enter the area code for the TAPI location
  • I am in: current country name
  • To access an outside line
  • Dialing using calling card
  • Change button: change the calling card used for this location
  • This location has call waiting. To disable it, dial: the code that turns call waiting off when dialing from a computer
  • The phone system at this location uses: Tone or Pulse
Installing RAS
  • RAS can be installed either during or after installation of Windows NT 4.0.
  • If Remote Access to the Network is selected during setup, both RAS and DUN will be installed.
  • For both, the following information is required:
    • Modem model
    • Type of communication port used for RAS
    • Whether computer is used for dial in, dial out, or both
    • Protocols to be used
    • Modem setting (baud rate)
    • Security setting (including callback)
Note:
  • Windows NT Server 4.0 supports 256 RAS connections
  • NT Workstation supports only 1.
Configuring a RAS Server
  • Specify hardware that RAS will use including modem type and port.
  • This is done through the Remote Access Setup dialog box, in the Services tab of the Network program in Control Panel.

Click Remote Access Service and click Properties. The following configuration options are available (option, followed by what it's used for):

  • Add: make a port available to RAS and install
    • a modem,
    • an X.25 PAD,
    • or a VPN for PPTP
  • Remove: make a port unavailable to RAS
  • Configure: change RAS settings for the port, such as intended usage
    • Dial out only: enables DUN clients to use the port to initiate calls
    • Receive calls only: enables the RAS server to receive calls from DUN clients on the port
    • Dial out and receive calls: enables the RAS server to use the port for either DUN client or server function
  • Clone: copy the same modem setup from one port to another
  • Network: configure network protocol, multilink, and encryption settings
    • Dial out Protocols: select dial out protocols
      • NetBEUI
      • TCP/IP
      • IPX
    • Server Settings: select and configure the protocols that the RAS server can use for servicing remote clients
    • Encryption Settings: select the authentication level, ranging from clear text to Microsoft encrypted authentication; if Require Microsoft encrypted authentication is selected, Require data encryption can also be selected
    • Enable multilink: enable the DUN PPP multilink protocol (client and server must both have it enabled)
Configuring a RAS Server to Use NetBEUI
  • If NetBEUI protocol has been installed, the RAS Setup program enables NetBEUI and the NetBIOS gateway by default.
  • RAS servers use NetBEUI to provide remote clients with access to small workgroups or department sized LANs.
  • To configure a RAS server to use NetBEUI, in the Network Configuration dialog box select the NetBEUI check box and click Configure. The RAS Server NetBEUI Configuration dialog box appears.

Use it to enable remote NetBEUI clients to gain access to:

  • Entire network
  • This computer only
Configuring a RAS Server to Use TCP/IP

Same as with NetBEUI, but now you select TCP/IP and click Configure.
The RAS Server TCP/IP Configuration dialog box appears (option, followed by what it's used for):

  • Allow remote TCP/IP clients to access: Entire network or This computer only
  • Use DHCP to assign remote TCP/IP client addresses
    • Use a DHCP server to dynamically assign an IP address to the client.
    • DUN clients require an IP address on a TCP/IP network
  • Use static address pool
    • This uses a pre-assigned pool of IP addresses
    • Configure the IP address range; designate beginning and ending values.
    • Add and Remove buttons can be used to exclude any IP addresses
  • Allow remote clients to request a predetermined IP address


Configuring a RAS Server to Use IPX
  • The RAS Server IPX Configuration dialog box appears after clicking IPX and then Configure.
  • DUN clients can gain access to NetWare server file and print sharing resources through RAS servers that support IPX.

Options (option, followed by what it's used for):

  • Allow remote IPX clients to access: Entire network or This computer only
  • Allocate network number automatically: assign network numbers automatically to DUN clients
  • Allocate network numbers: assign network numbers manually to DUN clients
  • Assign same network number to all IPX clients: assign a single network number to all IPX clients
  • Allow remote clients to request IPX node number: enable DUN clients to request an IPX node number
Installing Dial-Up Networking

DUN is automatically installed during Windows NT installation if Remote access to the network is selected during setup. DUN can be:

  1. Automatically installed on computers running Windows NT Server/Workstation when RAS is installed.
  2. Manually installed by double-clicking the Dial-Up Networking icon in My Computer.
Configuring Phonebook Entries
  • A DUN client stores all of its configuration data for a single connection in a phonebook file, Rasphone.pbk.
  • A phonebook can be specific to an individual user or shared among all users on the computer (called a system phonebook). To create or edit phonebook entries, access DUN through My Computer or by Start, Programs, Accessories.

  • Use the New Phonebook Entry wizard to create the first phonebook entry.
    • Turning off the Wizard:
      • After gaining experience with phonebook entries, it may be more efficient to turn off the wizard by selecting the I know all about phonebook entries and would rather edit the properties directly check box.
    • Turning the Wizard back on again
      • To use the wizard again in My Computer, double click Dial-Up Networking, click More and then click User Preferences. Click Appearance tab and then Use Wizard to create new phonebook entries and click OK. Next time a new phonebook entry is created, the wizard will start.
New Phonebook Entry Configuration

To do this, in My Computer double click Dial-Up Networking and then click New.
The New Phonebook Entry dialog box appears with the following configuration options:

Basic Tab
Use this tab to:
  • Configure a name for the phonebook entry
  • Enter the telephone number and alternate numbers, and use Telephony dialing properties
  • Specify and configure the device used by the phonebook entry

Server Tab

Use this tab to select and configure remote access protocols (PPP, SLIP or earlier) and network protocols. Other options depend on the server type but include selecting the network protocol and selecting software data compression.

In addition, the following TCP/IP settings (Server tab) may need to be configured by pressing the TCP/IP Settings button.

TCP/IP settings are only available if you choose PPP or SLIP in the Server tab (option, followed by description):

  • IP address: automatically assigned by the dial-up server or manually configured on the client.
  • Name Server addresses: assign DNS and WINS server addresses; assigned by a DHCP server or manually configured
  • Use IP header compression: enable header compression for low-speed serial links
  • Use default gateway on remote network: select this if the DUN client is using a network card to connect simultaneously to a LAN. When this check box is selected, packets that cannot be routed on the local network are forwarded to the default gateway on the remote network
Script Tab:
Use this tab to specify a terminal window or script file if manual intervention is required before or after dialing.

Security Tab

Use this tab to select the level of authentication and encryption.

X.25 Tab

Use this tab to select the X.25 network provider and to configure the connectivity information required by the X.25 network provider.

Logging On Through Dial-Up Networking
  • When DUN is installed users can select DUN phonebook entry that they will use to log on.
  • DUN establishes a connection to RAS server so that domain controller can validate logon request.

Dial-Up Settings

These are configured using the Logon Preferences dialog box on the DUN client (see the list below).
To access this box, click More in the Dial-Up Networking dialog box, and then on the More menu click Logon preferences.

Dialing
  • Specify number of and interval between redial attempts 
  • To set idle connection timeout period
Callback
  • Configure the server to disconnect and to call the client back following authentication
Appearance
  • Configure DUN interface that appears during logon
Phonebook
  • Specify system phonebook or an alternate phonebook to be used during logon
User Profiles
  • NT uses the same logon process for logging on to a LAN directly or through DUN.
  • A copy of a user profile is cached on the client each time the user logs off.
  • Configure Windows NT to use the locally-cached profile through the User Profiles tab, which is accessible through the System program in Control Panel.
AutoDial (supported by Windows NT 4.0 DUN) and AutoDial Mapping Database
  • The NT client maintains network addresses and maps them to phonebook entries. This mapping allows automatic dialing when a user references the network address from an application or from the command line.
  • The AutoDial database can include IP addresses, Internet host names or NetBIOS names. Each address in the database is associated with a set of entries. RAS can use these entries to dial from a particular TAPI dialing location.
  • The following describes the situations in which AutoDial automatically creates entries in its database (situation, followed by AutoDial's response):

  • Failure to connect to a network address: if there is no entry for the address in the mapping database, and the computer is not connected to a network, AutoDial prompts the user to specify the information necessary to establish a dial-up connection. If it is successful, AutoDial stores the information in the database.
  • Connection to a network through RAS: when a user connects to a network address, AutoDial creates an entry in the database. The entry maps the network address to the phonebook entry that was used to establish the RAS connection.
Automatic Reconnection

AutoDial tracks all DUN connections so that clients can be automatically reconnected. AutoDial attempts to make a reconnection in following situations:

  • If a client is disconnected from the network and it is running an application that references a network connection.
  • If a client is connected to a network, AutoDial attempts to create network connections for addresses it has previously learned.
Enabling and Disabling AutoDial
  • AutoDial is enabled or disabled in the User Preferences dialog box for a phonebook entry.
  • To enable: in the Dial-Up Networking dialog box, in the Phonebook entry to dial list, select an entry. Click More and then click User Preferences. Click the Dialing tab, and then in the Enable auto-dial by location list, select each location listed.
  • To disable: on the Dialing tab, click to clear each location listed in the Enable auto-dial by location list.

AutoDial:

  • only works when Remote Access Autodial Manager is running
  • not supported by Windows 95 and Windows NT versions earlier than 4.0
  • does not support IPX connections; only supports TCP/IP and NetBEUI


Troubleshooting RAS

Logs and the Like

There are 4 ways to log RAS related activities:

    1. MODEMLOG.TXT
      1. records modem activities
      2. file is in the NT root directory
    2. DEVICE.LOG
      1. enabled only through the registry
      2. records ???
      3. stored in \winnt_root\system32\RAS
    3. Event Viewer
      1. is used to view the system log
      2. Contains events for all internal services and drivers
      3. Many RAS events are entered in the system log.
    4. PPP.LOG
      1. can be created to capture debugging information related to PPP authentication problems
      2. stored in \winnt_root\system32\RAS
      3. enabled by setting the registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rasman\PPP\Logging to 1

Authentication Problems over RAS

  • Try changing the authentication settings for that client.
  • Try the lowest option on each side (i.e. allow any authentication, including the clear text option).
  • Then start increasing to determine the highest level that can be used between the two systems.

Dial-Up Networking Monitor

  • Can be accessed through Dial-Up Monitor program in Control Panel. It shows status of a session that is in progress.
  • Shows duration of a call, amount of data transmitted and received, number of errors
  • Shows which lines are in use for multilink sessions
  • can configure the user interface for sounds and for location of the status indicator

Multilink and Callback

  • put simply, CALLBACK doesn't WORK with Multilink
  • If a client uses a multilink-enabled phonebook entry to call a server that is configured to call the user back, the callback is made to only one of the multilink devices: for one user account there is only one callback number stored. So there is no multilink functionality.
  • If the link is made using ISDN with two channels that have the same phone number, the Multilink WILL work with callback.

AutoDial Occurs During Logon

  • during logon, when NT Explorer initializes, any persistent network connections or desktop shortcuts that reference network locations will cause AutoDial to attempt to make a connection.
  • Avoid this by disabling AutoDial or removing the shortcuts.
Additional NOTES
Configuring RAS

RAS Configuration Files

    Modem.inf

    • contains info describing each modem supported by RAS
    • used to configure initialization strings, compression, flow control, connect strings, and so on
    • RAS supports over 200 modems
    • can be modified to add entries for modems not currently supported by RAS (but generally, modification is not recommended)

    Pad.inf

    • contains info describing each PAD supported by RAS
    • don't modify except to add new PAD not currently supported

    Switch.inf

    • contains info describing each intermediary device supported by RAS (e.g. security hosts)
    • don't modify except to add new device not currently supported

    Serial.ini

    • contains info describing the currently configured COM port(s), including info on device attached to the port(s)
    • the file is created and maintained by the RAS Setup program accessed through Control Panel | Network
    • Don't edit manually: use Control Panel

Personal Phonebook

  • each user can have a personal phonebook
  • this provides additional security because it's not available to all users
  • created using the user's logon name with a .pbk extension
  • it's stored in \winnt_root\system32\RAS
How RAS Authenticates User Connections

There are three options, set on both the client side and the server side:

Accept any authentication including clear text
  • least secure
  • intended to support any third party dial-in clients that employ the Password Authentication Protocol (PAP)

    Password Authentication Protocol (PAP)

    • NT supports clear text authentication through PPP PAP
    • RAS supports both formats for the PAP Peer ID:
      • domain\user name
      • user name
    • Clear-text authentication is the least sophisticated authentication method and should only be used when dialing into SLIP servers or PPP servers that don't support encrypted authentication
Accept only encrypted authentication

Authentication protocol options here include:

  • CHAP
  • SPAP
  • DES
  • MS-CHAP

RSA Message Digest 5 (MD5) Challenge Handshake Authentication Protocol (CHAP)

  • this is used on a RAS client ONLY
  • NT supports MD5 for outbound dialing allowing Windows NT clients to connect with virtually all third-party servers
  • Because RSA MD5 requires a clear text (no encryption) password at the server, NT does not support MD5 for inbound dialing

NOTE

  • If clear text is used and you use a packet analyzer to watch the traffic, you can read user names and passwords.
  • For security purposes, the CHAP server sends a random challenge to the client, which changes every time.
  • The client encrypts the challenge with the user's password and sends it back to the server.

SPAP Shiva Password Authentication Protocol

  • a version of PAP implemented by Shiva
  • NT supports it to allow interoperability with Shiva LAN clients

Data Encryption Standard (DES)

  • designed by the National Bureau of Standards
  • supported for backward compatibility with LAN Manager-based systems

RSA Message Digest 4 (MD4) or MS-CHAP

  • The only clients that currently support the MS-CHAP authentication method are the Windows NT and Windows NT RAS clients. That is:
    • NT Server
    • NT Workstation
    • Win 95 (?)
  • When connecting, these two systems will ALWAYS use MS-CHAP when negotiating passwords
  • enabled on NT Server by default
  • most secure encryption algorithm
  • all data can also be encrypted
  • either the client or the server can require data encryption to be negotiated
Accept Only Microsoft encrypted authentication
  • This forces the use of MS-CHAP for authentication
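To make the PAP and CHAP points above concrete, here is an added example (not code from these notes or from Windows NT RAS) that models the two exchanges in Python. PAP sends the Peer-ID and password unchanged, so a packet analyzer on the line reads both. MD5-CHAP follows RFC 1994: the client returns MD5(Identifier || secret || Challenge), and the server recomputes that digest from the secret it stores, which is exactly why an MD5-CHAP server has to hold the password in clear text and why NT does not offer it for inbound calls. The secrets and the replay check are constructed; MS-CHAP, which the notes say is MD4-based, is not modelled.

```python
"""PAP versus MD5-CHAP over a PPP link (constructed example)."""
import hashlib
import hmac
import os
from typing import Dict, Tuple


def pap_authenticate_request(peer_id: str, password: str) -> Dict[str, bytes]:
    """PAP: the client's Authenticate-Request carries Peer-ID and password as-is.
    Whatever is returned here is exactly what an observer on the line sees."""
    return {"peer_id": peer_id.encode("utf-8"), "password": password.encode("utf-8")}


def chap_challenge() -> Tuple[int, bytes]:
    """Server side: a fresh Identifier and a random Challenge for every attempt."""
    identifier = os.urandom(1)[0]
    challenge = os.urandom(16)
    return identifier, challenge


def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """Client side, RFC 1994 MD5-CHAP: MD5(Identifier || secret || Challenge).
    The secret itself never leaves the client; only this digest does."""
    return hashlib.md5(bytes([identifier]) + secret.encode("utf-8") + challenge).digest()


def chap_verify(stored_secret: str, identifier: int, challenge: bytes, response: bytes) -> bool:
    """Server side: rebuild the digest from the secret it stores and compare.
    This is why an MD5-CHAP server must keep the password in clear text: a
    one-way hash of the password would not let it recompute the expected digest."""
    expected = chap_response(identifier, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


def run_chap_session(server_secret: str, client_secret: str) -> Tuple[bool, Dict[str, bytes]]:
    """One complete exchange; returns the outcome and what crossed the wire."""
    identifier, challenge = chap_challenge()
    response = chap_response(identifier, client_secret, challenge)
    on_the_wire = {
        "identifier": bytes([identifier]),
        "challenge": challenge,
        "response": response,
    }
    return chap_verify(server_secret, identifier, challenge, response), on_the_wire


def replayed_response_is_rejected(secret: str) -> bool:
    """A response captured from one session is useless against the next challenge,
    because the server issues a different random challenge every time."""
    old_identifier, old_challenge = chap_challenge()
    captured = chap_response(old_identifier, secret, old_challenge)
    new_identifier, new_challenge = chap_challenge()
    return not chap_verify(secret, new_identifier, new_challenge, captured)


def secret_visible_on_wire(secret: str, wire: Dict[str, bytes]) -> bool:
    """Does the secret appear literally in any field that crossed the link?"""
    return any(secret.encode("utf-8") in value for value in wire.values())


if __name__ == "__main__":
    # Constructed credentials for the demonstration.
    pap_wire = pap_authenticate_request("alice", "s3cret")
    print("PAP exposes the password on the wire:", secret_visible_on_wire("s3cret", pap_wire))
    ok, chap_wire = run_chap_session("s3cret", "s3cret")
    print("CHAP authenticated:", ok,
          "| password visible on the wire:", secret_visible_on_wire("s3cret", chap_wire))
    print("CHAP replay rejected:", replayed_response_is_rejected("s3cret"))
```

The contrast the notes draw falls out of the two wire dictionaries: the PAP one contains the password bytes, the CHAP one contains only the identifier, the challenge and a digest, and the digest is worthless once the server has moved on to a new challenge.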

E-mail Me! Comments and suggestions? E-mail me at grantwil@sk.sympatico.ca
Last Updated: Wednesday, March 10, 1999 Grant Wilson, Tisdale, SK. Canada