
Routing and Remote Access

ADVANTAGE PRO Chennai's Premier Networking Training Center

What is Routing and Remote Access?




- Successor to Windows NT 4.0 Remote Access Service (RAS)
- Add-on feature for Windows NT 4.0, also called Routing and Remote Access (RRAS)
- High-performance service that allows one computer to handle remote users through dial-up or VPN, routing between branch offices, routing to the Internet, and routing between network segments

Configuring an RRAS Server




- Open the Routing and Remote Access tool from Administrative Tools
- Right-click on your server name to run the wizard

Options for Configuring RRAS




The wizard will prompt you to choose one of five options, covered in the following slides

Internet Connection Server




- This option walks you through setting up Network Address Translation
- If you are not in a domain, it will ask if you want to set up simple ICS instead
- Allows you to create a demand-dial connection to your ISP
- Asks if you want to set up the DHCP Allocator and DNS Proxy

Address Pool


- Configured after the wizard
- Properties of external network interface

Address Pool
- IP to IP mapping
- Terminal Server, multipurpose server

Special Ports


- Configured after wizard
- Properties of external network interface
- Port to IP mapping
- FTP server, WWW server

Remote Access Server




- This option helps configure a RAS server
- If you are not in a domain, it will ask if you want to set up simple incoming connections instead
- Allows you to select how you want to handle IP address assignment
- Asks if you want to use a RADIUS server for authentication (IAS)

Remote Access Server




- It will set up all modem and ISDN devices for dial-in, and also five PPTP and five L2TP connections (you can add more later)
- Configures DHCP relay agent automatically so RAS clients will use DHCP inform
- Configures IGMP so RAS clients can run multicast applications over their connection
- Configures a default Remote Access Policy

Virtual Private Network Server




- This option helps configure a VPN server
- Asks similar questions to RAS server setup
- Asks which interface is your Internet connection
- Must have an Internet connection through a network card
- Will not work if you have only one network card in the computer

Virtual Private Network Server




- Configures 128 PPTP and 128 L2TP connections (you can change this later)
- Configures DHCP Relay, IGMP, and RAS policies just like RAS server
- Configures IP filters on the selected Internet interface so it accepts only PPTP and L2TP connections

Network Router


- Configures a basic IP or IPX network router
- Allows you to configure for demand-dial connections
- You must add and configure routing protocols later (IGMP, NAT, DHCP, RIP, OSPF)

Manually Configured Server




- Use this option if you just want to start RRAS with default options
- Routing for LAN and demand-dial is turned on
- RAS server with default settings is installed
- Configures DHCP Relay, IGMP, and RAS policies, just like RAS server
- Configures for five PPTP and five L2TP connections

Important to Remember


After you have run the RRAS wizard and configured your server, you can still change it later


- You can easily make a VPN-only server a RAS server or router later on by removing the IP filters
- You can add additional routing protocols after you are configured for NAT

Remote Access Server


Troubleshooting Common Issues




- General issues
- VPN/routing issues
- NAT issues

General Issues


- Manually configured server
- Remote registry service
- DOD static route
- Browsing

VPN/Routing Issues


- Firewalls/routers must allow GRE traffic on port 1723
- Use the same IP scheme as the local network for RRAS
- PPP logging - Q234014
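
The VPN-only input filters on the Internet interface and the firewall requirement above can be modelled in a few lines. This is an added example, not part of the original slides; it assumes the standard protocol numbers (PPTP control on TCP 1723, PPTP data in GRE, which is IP protocol 47, L2TP on UDP 1701, IKE on UDP 500), which the slides do not list, and the class names and address are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence

TCP, UDP, GRE = 6, 17, 47          # IANA IP protocol numbers

@dataclass(frozen=True)
class Packet:
    proto: int
    dst_ip: str
    dst_port: Optional[int] = None  # None for protocols without ports (GRE)

@dataclass(frozen=True)
class Filter:
    label: str
    proto: int
    dst_port: Optional[int] = None  # None matches any port

# Assumed filter set for a VPN-only Internet interface (standard values,
# not taken from the slides).
VPN_ONLY_FILTERS = (
    Filter("PPTP control", TCP, 1723),
    Filter("PPTP data (GRE)", GRE),
    Filter("L2TP", UDP, 1701),
    Filter("IKE for L2TP/IPsec", UDP, 500),
)

def match(pkt: Packet, filters: Sequence[Filter], server_ip: str) -> Optional[str]:
    """Return the label of the filter that admits pkt, or None if it is dropped."""
    if pkt.dst_ip != server_ip:
        return None
    for f in filters:
        if f.proto == pkt.proto and f.dst_port in (None, pkt.dst_port):
            return f.label
    return None

def pptp_blockers(upstream: Sequence[Filter], server_ip: str) -> List[str]:
    """Name the PPTP flows that an upstream firewall's allow-list fails to pass."""
    needed = {
        "TCP 1723 (control)": Packet(TCP, server_ip, 1723),
        "GRE, IP protocol 47 (data)": Packet(GRE, server_ip),
    }
    return [name for name, pkt in needed.items()
            if match(pkt, upstream, server_ip) is None]

if __name__ == "__main__":
    ip = "203.0.113.10"             # constructed address (TEST-NET-3)
    # Inbound RDP to the public interface is not admitted by any filter.
    print(match(Packet(TCP, ip, 3389), VPN_ONLY_FILTERS, ip))
    # A firewall that opens only TCP 1723 still blocks the GRE data channel.
    print(pptp_blockers([Filter("pptp", TCP, 1723)], ip))
```

A firewall that passes TCP 1723 but not GRE lets the PPTP control connection open while the tunnel itself never carries data, which is the failure `pptp_blockers` reports.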


VPN/Routing Issues


Set adapter to use internal interface


Troubleshooting NAT


NAT address assignment and name resolution


Troubleshooting NAT


- Internet connection sharing cannot be used in conjunction with NAT
- Public and private interface
  - Obvious but common: be sure the adapters selected are correct

Microsoft IAS RADIUS Server: Features and Advantages


Objectives

Understand the features and benefits of Microsoft's Remote Authentication Dial-In User Service (RADIUS) server: Internet Authentication Service (IAS)

Agenda

- Introduction
- Overview of the features of IAS
- Benefits of IAS
- Conclusion

Introduction

- RADIUS definition
- Availability in Microsoft Windows 2000 Server and Microsoft Windows Server 2003
- Interoperable through standards

Introduction
[Diagram labels: Client, Gateway, 3Com, User Database, RADIUS]

RADIUS
- Network access control
- Any gateway to any database
- Single identity to any network

- Allow or deny network access
- Specify restrictions for permitted connections
- Securely transfer keys used for data encryption
- Collect connection accounting and auditing information
- Federated control of network connection

Features


- Policy-based access
- Different authentication protocols
- Accounting
- Extensibility
- RADIUS proxy
- Command-line configuration

Features


Features
1- Policy-Based Access

- Access control evolved through releases.
  - Windows NT 4.0 Server: User properties.
  - Windows 2000/Windows Server 2003: User properties and remote access policies.
- Policies are evaluated against connections.
- Policy restriction settings are applied to authorized connections.
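
How an ordered set of remote access policies is applied to one connection attempt, as an added example that is not part of the original slides. It follows the documented Windows 2000/Windows Server 2003 order (the first policy whose conditions all match, then the user's dial-in permission, then the profile restrictions); the policy names, attribute keys and sample values are constructed.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Conn = Dict[str, object]                 # attributes of one connection attempt
Check = Callable[[Conn], bool]

@dataclass
class Policy:
    name: str
    conditions: List[Check]              # every condition must match
    grant: bool                          # the policy's own permission
    profile: List[Check] = field(default_factory=list)  # restrictions

def evaluate(conn: Conn, user_permission: str,
             policies: List[Policy]) -> Tuple[bool, str]:
    """user_permission is 'allow', 'deny' or 'policy' (decided by the policy)."""
    for p in policies:                   # ordered list, first match decides
        if not all(c(conn) for c in p.conditions):
            continue
        if user_permission == "deny":
            return False, f"{p.name}: user dial-in permission is deny"
        if user_permission == "policy" and not p.grant:
            return False, f"{p.name}: policy permission is deny"
        if not all(r(conn) for r in p.profile):
            return False, f"{p.name}: profile restriction not met"
        return True, p.name
    return False, "no policy matched"    # nothing matched: reject

# Constructed policies (hypothetical names and attribute keys).
POLICIES = [
    Policy("VPN for staff",
           conditions=[lambda c: c["tunnel"] in ("PPTP", "L2TP"),
                       lambda c: "VPN-Users" in c["groups"]],
           grant=True,
           profile=[lambda c: c["auth"] in ("MS-CHAPv2", "EAP-TLS")]),
    Policy("Dial-up, office hours",
           conditions=[lambda c: c["tunnel"] is None],
           grant=True,
           profile=[lambda c: 8 <= c["hour"] < 18]),
]
```

Because the first matching policy decides, a connection that matches "VPN for staff" but fails its profile is rejected and is never tried against the later policy.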

Features
1- Policy-Based Access

Features
2- Different Authentication Protocols


- Password based:
  - 802.1x: Protected Extensible Authentication Protocol-Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MSCHAPv2)
  - Dial-up connection and virtual private network (VPN): MSCHAPv2 (also supports previous protocols: PAP, CHAP, MSCHAPv1)
  - Ability to change passwords (MSCHAP family of protocols)
  - EAP-MD5
- Certificates and smart cards: Extensible Authentication Protocol-Transport Layer Security (EAP-TLS)
- Token cards: EAP-SecureID
- Other: third-party EAP

Features
2- Different Authentication Protocols


Features
3- Accounting


Three modes of logging:
- Log files
- SQL Server (Windows Server 2003)
- Event viewer

Features
3- Accounting


Features
4- Extensibility


- Extensible authentication infrastructure
  - EAP software development kit (SDK)
    - Write authentication protocols
- Internet Authentication Service
  - IAS SDK
  - Write RADIUS extensions for authentication, authorization, and logging
  - IAS SDO API to configure IAS

Features
5- RADIUS Proxy

- RADIUS proxy available on Windows Server 2003.
- Requests can be routed to a different RADIUS server based on specific criteria.
- Load balancing and fail-over.

Features
5- RADIUS Proxy

Features
6- Command-Line Configuration

Netsh aaa:
- Easy to use
- Save, copy, restore all or detailed IAS configuration

Benefits


- Integrated identity management
  - Single authentication model for all network entry points: wired, wireless, VPN, or dial-up
- Industry leading
  - EAP, Protected-EAP
  - Flexible access policy
  - XML SQL logging
- Standards based (RADIUS, EAP, Protected-EAP)
- 1-factor or 2-factor authentication
  - Passwords, certificates, or smart cards
  - Third-party plug-ins: Security Dynamics
- Extensible platform
- Split authentication: authenticate remotely, authorize locally

Benefits


- Works with Active Directory
- Low cost of ownership

Conclusion


IAS is:
- Easy to use
- Scalable
- High performance
- Flexible

ALL THE BEST
