Successor to Windows NT 4.0 Remote Access Service (RAS)
Add-on feature for Windows NT 4.0, also called Routing and Remote Access (RRAS)
High-performance service that allows one computer to handle remote users through dial-up or VPN, routing between branch offices, routing to the Internet, and routing between network segments
Open the Routing and Remote Access tool from Administrative Tools
Right-click on your server name to run the wizard
The wizard will prompt you to choose one of the five options below, covered in the following slides
This option walks you through setting up Network Address Translation
If you are not in a domain, it will ask if you want to set up simple ICS instead
Allows you to create a demand-dial connection to your ISP
Asks if you want to set up the DHCP Allocator and DNS Proxy
Address Pool
IP to IP mapping
Terminal Server, multipurpose server
Special Ports
Configured after wizard
Properties of external network interface
Port to IP mapping
FTP server, WWW server
This option helps configure a RAS server
If you are not in a domain, it will ask if you want to set up simple incoming connections instead
Allows you to select how you want to handle IP address assignment
Asks if you want to use a RADIUS server for authentication (IAS)
ADVANTAGE PRO Chennai's Premier Networking Training Center
It will set up all modem and ISDN devices for dial-in, and also five PPTP and five L2TP connections (you can add more later)
Configures DHCP relay agent automatically so RAS clients will use DHCP Inform
Configures IGMP so RAS clients can run multicast applications over their connection
Configures a default Remote Access Policy
This option helps configure a VPN server
Asks similar questions to RAS server setup
Asks which interface is your Internet connection
Must have an Internet connection through a network card
Will not work if you have only one network card in the computer
Configures 128 PPTP and 128 L2TP connections (you can change this later)
Configures DHCP Relay, IGMP, and RAS policies just like RAS server
Configures IP filters on the selected Internet interface so it accepts only PPTP and L2TP connections
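The following is an added example, not part of the original slides: a small model of a VPN-only inbound filter set and an audit that reports which tunnel traffic a given rule set would drop. PPTP needs TCP 1723 for its control channel plus GRE (IP protocol 47) for data; the rule table, probe packets and function names are constructed for illustration and are not the wizard's exact filter list.

```python
# Added example: a model of a VPN-only inbound filter set and a gap audit.
# The rule table and probe packets are constructed for illustration.
from typing import NamedTuple, Optional

class Packet(NamedTuple):
    ip_proto: int              # IP protocol number: 6 = TCP, 17 = UDP, 47 = GRE
    src_port: Optional[int]    # None for protocols without ports (GRE)
    dst_port: Optional[int]

# (label, ip_proto, dst_port); dst_port None means "any / not applicable".
# L2TP appears as UDP 1701 on the server's own interface after IPsec
# processing; a firewall in front of it sees ESP (IP protocol 50) instead.
VPN_ONLY_INBOUND = [
    ("PPTP control",    6,  1723),
    ("PPTP data (GRE)", 47, None),
    ("IKE for L2TP",    17, 500),
    ("L2TP",            17, 1701),
]

def match_filter(pkt, rules=VPN_ONLY_INBOUND):
    """Return the label of the first rule accepting pkt, or None (dropped)."""
    for label, proto, dport in rules:
        if pkt.ip_proto == proto and dport in (None, pkt.dst_port):
            return label
    return None

# Packets each tunnel type must get through the filter to work.
PROBES = {
    "PPTP": [Packet(6, 40000, 1723), Packet(47, None, None)],
    "L2TP": [Packet(17, 500, 500), Packet(17, 1701, 1701)],
}

def audit(rules):
    """Return {tunnel: [probe packets this rule set would drop]}."""
    gaps = {}
    for tunnel, probes in PROBES.items():
        dropped = [p for p in probes if match_filter(p, rules) is None]
        if dropped:
            gaps[tunnel] = dropped
    return gaps

if __name__ == "__main__":
    # A rule set that opens only TCP 1723: PPTP control connects, data fails.
    tcp_only = [("PPTP control", 6, 1723)]
    print(audit(VPN_ONLY_INBOUND))              # no gaps
    print(audit(tcp_only))                      # GRE and L2TP probes dropped
    print(match_filter(Packet(6, 51000, 80)))   # web traffic is dropped
```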
Network Router
Configures a basic IP or IPX network router
Allows you to configure for demand-dial connections
You must add and configure routing protocols later (IGMP, NAT, DHCP, RIP, OSPF)
Use this option if you just want to start RRAS with default options
Routing for LAN and demand-dial is turned on
RAS server with default settings is installed
Configures DHCP Relay, IGMP, and RAS policies, just like RAS server
Configures for five PPTP and five L2TP connections
Important to Remember
After you have run the RRAS wizard and configured your server, you can still change it later
You can easily make a VPN-only server a RAS server or router later on by removing the IP filters
You can add additional routing protocols after you are configured for NAT
General Issues
Manually configured server
Remote registry service
DOD static route
Browsing
VPN/Routing Issues
Firewalls/routers must allow GRE traffic on port 1723
Use the same IP scheme as the local network for RRAS
PPP logging - Q234014
Troubleshooting NAT
Internet connection sharing cannot be used in conjunction with NAT
Public and private interface
Objectives
Understand the features and benefits of Microsoft's Remote Authentication Dial-In User Service (RADIUS) server: Internet Authentication Services (IAS)
Agenda
Introduction
RADIUS definition
Availability in Microsoft Windows 2000 Server and Microsoft Windows Server 2003
Interoperable through standards
Introduction
[Diagram: Client, Gateway, RADIUS, User Database]
Network access control
Any gateway to any database
Single identity to any network
Allow or deny network access
Specify restrictions for permitted connections
Securely transfer keys used for data encryption
Collect connection accounting and auditing information
Federated control of network connection
Features
Policy-based access
Different authentication protocols
Accounting
Extensibility
RADIUS proxy
Command-line configuration
Features
1- Policy-Based Access
Windows NT 4.0 Server: User properties.
Windows 2000/Windows Server 2003: User properties and remote access policies.
Policies are evaluated against connections.
Policy restriction settings are applied to authorized connections.
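The following is an added example, not part of the original slides: a simplified model of how remote access policies and user properties combine into an accept or reject decision for one connection. It assumes first-match ordering of policies; the policy names, groups, attribute names and sample connections are constructed for illustration.

```python
# Added example: simplified model of remote access policy evaluation.
# Policy names, conditions, groups and users below are constructed.

POLICIES = [  # evaluated top to bottom
    {"name": "Block contractors", "permission": "deny",
     "conditions": {"group": {"Contractors"}},
     "profile": {"auth": set()}},
    {"name": "VPN staff", "permission": "grant",
     "conditions": {"group": {"Staff", "Contractors"},
                    "tunnel": {"PPTP", "L2TP"}},
     "profile": {"auth": {"MS-CHAPv2", "EAP-TLS"}}},
]

def evaluate(conn, user, policies=POLICIES):
    """Return (decision, reason) for one connection attempt."""
    # 1. The first policy whose conditions ALL match the connection is used;
    #    later policies are never consulted.
    policy = next((p for p in policies
                   if all(conn.get(attr) in allowed
                          for attr, allowed in p["conditions"].items())), None)
    if policy is None:
        return "reject", "no policy matched"
    # 2. User dial-in property: "allow", "deny", or "policy" (defer to policy).
    if user["dialin"] == "deny":
        return "reject", "user dial-in property denies access"
    if user["dialin"] == "policy" and policy["permission"] != "grant":
        return "reject", f"policy '{policy['name']}' denies access"
    # 3. Profile restrictions are applied to the authorized connection.
    if conn["auth"] not in policy["profile"]["auth"]:
        return "reject", f"{conn['auth']} not permitted by '{policy['name']}' profile"
    return "accept", policy["name"]

if __name__ == "__main__":
    staff = {"group": "Staff", "tunnel": "PPTP", "auth": "MS-CHAPv2"}
    contractor = {"group": "Contractors", "tunnel": "L2TP", "auth": "EAP-TLS"}
    print(evaluate(staff, {"dialin": "policy"}))
    # The contractor also satisfies "VPN staff", but the deny policy is first.
    print(evaluate(contractor, {"dialin": "policy"}))
    print(evaluate(dict(staff, auth="PAP"), {"dialin": "policy"}))
```

Policy order matters in this model: moving "VPN staff" above "Block contractors" would let the contractor connection through.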
Features
2- Different Authentication Protocols
Password based:
802.1x: Protected Extensible Authentication Protocol-Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MSCHAPv2)
Dial-up connection and virtual private network (VPN): MSCHAPv2 (also supports previous protocols: PAP, CHAP, MSCHAPv1)
Certificates and smart cards: Extensible Authentication Protocol-Transport Layer Security (EAP-TLS)
Token cards: EAP-SecureID
Other: third-party EAP
Features
3- Accounting
Features
4- Extensibility
IAS SDK
Write RADIUS extensions for authentication, authorization, and logging
IAS SDO API to configure IAS
Features
5- Radius Proxy
RADIUS proxy available on Windows Server 2003.
Requests can be routed to a different RADIUS server based on specific criteria.
Load balancing and fail-over.
Features
6- Command-Line Configuration
Netsh aaa:
Benefits
Integrated identity management
Single authentication model for all network entry points: wired, wireless, VPN, or dial-up
Industry leading EAP, Protected-EAP
Flexible access policy
XML SQL logging
Conclusion
ALL THE BEST