
Chapter 10

Chapter 10. Routing and Remote Access Services. Overview of Routing and Remote Access Service (RRAS). RRAS is fully integrated with Windows 2000 Server.

naeva




Presentation Transcript


  1. Chapter 10: Routing and Remote Access Services

  2. Overview of Routing and Remote Access Service (RRAS)
  • RRAS is fully integrated with Windows 2000 Server.
  • RRAS is extensible with application programming interfaces (APIs) that third-party developers can use to create custom networking solutions and that vendors can use to participate in internetworking.
  • The combined features of Windows 2000 RRAS allow a Windows 2000 Server computer to function as a multiprotocol router, a demand-dial router, and a remote access server.

  3. Combining Routing and Remote Access Service
  • Routing services and remote access services have been combined because both rely on the Point-to-Point Protocol (PPP).
    • Used to negotiate point-to-point connections.
    • Used by demand-dial routing connections.
  • The PPP infrastructure of Windows 2000 Server supports several types of access:
    • Dial-up
    • VPN
    • On-demand or persistent dial-up/VPN demand-dial routing

  4. Installation and Configuration
  • Enable
  • Disable
  • Refresh
  • netsh
  • Private addresses:
    • 10.0.0.0 – 10.255.255.255
    • 172.16.0.0 – 172.31.255.255
    • 192.168.0.0 – 192.168.255.255

  5. Authentication and Authorization
  • Authentication – you are who you say you are
  • Authorization – verification of permission to make the connection
  • Windows
  • RADIUS server
    • Windows 2000 IAS

  6. Unicast IP – Routing Support
  • Windows 2000 provides extensive support for unicast IP routing.
  • In unicasting, two computers establish a two-way, point-to-point connection.
  • Routing and Remote Access Service includes a number of features to support unicast IP routing.

  7. Multicast IP Support
  • Windows 2000 supports the sending, receiving, and forwarding of IP multicast traffic.
  • Multicast traffic is sent to a single host but is processed by multiple hosts that listen for this type of traffic.
  • Routing and Remote Access Service includes a number of features to support multicast IP routing.

  8. Other Features of (R)RAS
  • NAT – Network Address Translation
    • Internet Connection Sharing – alternative
  • DHCP Relay
    • The DHCP server can exist on another network
  • IP Packet Filtering
    • Source/destination IP address
    • TCP/UDP port number
    • IP protocol codes
  • ICMP route discovery
    • Periodically advertise and respond to host router solicitations
  • Static Routing
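The packet-filter criteria on slide 8 (source/destination address, IP protocol code, TCP/UDP port) and the private address ranges on slide 4 together make a small, testable filter. The following is an added example written for this page, not RRAS code or Microsoft's filter implementation: the rule syntax, the `Packet`/`Rule` classes and the server address 203.0.113.5 (a documentation range) are constructed. The PPTP values it permits (TCP port 1723 for the control connection, IP protocol 47 for GRE) are the standard assignments, not something the slides state. The private ranges are the three slide 4 lists, which are the RFC 1918 blocks.

```python
"""Packet-filter evaluation on the criteria slide 8 lists (source/destination
address, IP protocol number, TCP/UDP port), with the private address ranges
from slide 4 used as an anti-spoofing deny list. Added example, not RRAS code."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# The three private ranges listed on slide 4 (RFC 1918), in CIDR form.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# IANA-assigned IP protocol numbers used by the constructed rules below.
PROTO_ICMP, PROTO_TCP, PROTO_UDP, PROTO_GRE = 1, 6, 17, 47


def is_private(addr: str) -> bool:
    """True if addr lies inside one of the slide 4 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None      # destination port; only set for TCP/UDP


@dataclass
class Rule:
    action: str                      # "permit" or "deny"
    src_net: str = "0.0.0.0/0"       # any source unless narrowed
    dst_net: str = "0.0.0.0/0"       # any destination unless narrowed
    proto: Optional[int] = None      # None matches every protocol
    dport: Optional[int] = None      # None matches every port

    def matches(self, p: Packet) -> bool:
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src_net):
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst_net):
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        return True


def filter_packet(rules: List[Rule], p: Packet, default: str = "deny") -> str:
    """First matching rule wins; packets matching no rule get the default action."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return default


# Constructed inbound rule set for the Internet-facing interface of a VPN
# server at the (documentation-range) address 203.0.113.5.
VPN_SERVER = "203.0.113.5/32"
INBOUND_RULES = (
    # Packets arriving from the Internet must not carry a private source address.
    [Rule("deny", src_net=str(net)) for net in PRIVATE_NETS]
    + [
        Rule("permit", dst_net=VPN_SERVER, proto=PROTO_TCP, dport=1723),  # PPTP control
        Rule("permit", dst_net=VPN_SERVER, proto=PROTO_GRE),             # PPTP data (GRE)
    ]
)

if __name__ == "__main__":
    for pkt in (Packet("198.51.100.7", "203.0.113.5", PROTO_TCP, 1723),
                Packet("10.1.2.3", "203.0.113.5", PROTO_TCP, 1723),
                Packet("198.51.100.7", "203.0.113.5", PROTO_UDP, 53)):
        print(pkt, "->", filter_packet(INBOUND_RULES, pkt))
```

Ordering matters: the anti-spoofing deny rules sit before the permit rules so that a packet with a private source address is dropped even when it targets the permitted PPTP ports, and anything not explicitly permitted falls through to the default deny.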

  9. Routing vs. Routable Protocols
  • Routing – communications between routers
    • OSPF
    • RIP
  • Routable protocols
    • IPX/SPX
    • TCP/IP
    • AppleTalk
    • Not NetBEUI

  10. Demand-Dial Routing
  • Windows 2000 provides support for demand-dial routing.
  • IP and IPX can be forwarded over demand-dial interfaces over persistent or on-demand wide area network (WAN) links.

  11. Remote Access
  • RRAS enables a computer to be a remote access server.
  • RRAS accepts remote access connections from remote access clients that use traditional dial-up technologies.
  • Access to resources on the RRAS server
  • Access to LAN resources

  12. VPN Server
  • RRAS enables a computer to be a virtual private network (VPN) server.
  • RRAS supports
    • Point-to-Point Tunneling Protocol (PPTP)
    • Layer 2 Tunneling Protocol (L2TP)
    • IP Security (IPSec)

  13. RADIUS Client-Server
  • Internet Authentication Service (IAS) is the Microsoft implementation of a Remote Authentication Dial-In User Service (RADIUS) server.
  • RADIUS is a client-server protocol that enables RADIUS clients to submit authentication and accounting requests.
  • The RADIUS server has access to user account information and can check remote access authentication credentials.
  • RADIUS supports remote access user authentication and authorization and allows accounting data to be maintained in a central location.
  • Authentication is performed either against the RADIUS database or against a domain controller.

  14. SNMP MIB Support
  • RRAS provides Simple Network Management Protocol (SNMP) agent functionality with support for Internet MIB II.
  • Routing and Remote Access Service includes support for additional MIB enhancements beyond Internet MIB II.
  • MIB support is also provided for Windows 2000 functions, legacy LAN Manager MIB functions, and the WINS, DHCP, and IIS services.

  15. Dial-Up Equipment and WAN Infrastructure
  • Public Switched Telephone Network (PSTN)
  • Digital links and V.90
  • Integrated Services Digital Network (ISDN)
  • X.25
  • ATM over ADSL

  16. Remote Access Protocols
  • Remote access protocols control the establishment of connections and the transmission of data over WAN links.
  • Windows 2000 remote access supports three types of remote access protocols:
    • PPP
    • SLIP
    • AsyBEUI

  17. LAN Protocols
  • LAN protocols are the protocols used by remote access clients to access resources on the network connected to the RAS server.
  • Windows 2000 remote access supports
    • TCP/IP
    • IPX
    • AppleTalk
    • NetBEUI

  18. Secure User Authentication
  • Secure user authentication is obtained through the encrypted exchange of user credentials.
  • Secure authentication is possible through the use of PPP and one of the supported authentication protocols.

  19. Mutual Authentication
  • Mutual authentication is obtained by authenticating both ends of the connection through the encrypted exchange of user credentials.
  • It is possible for a RAS server not to request authentication from the remote access client.

  20. Data Encryption
  • Data encryption encrypts the data sent between the remote access client and the RAS server.
  • Data encryption on a remote access connection is based on a secret encryption key known to the RAS server and the remote access client.
  • Data encryption is possible over dial-up remote access links when using PPP along with
    • EAP-TLS – Extensible Authentication Protocol – Transport Layer Security
    • MS-CHAP
    • Microsoft Point-to-Point Encryption (MPPE)

  21. More Security Options
  • Callback
  • Caller ID
  • Remote Access Lockout
    • Number of failed attempts
    • How often to reset the failed-attempts counter

  22. Managing Addresses
  • For PPP connections, IP, IPX, and AppleTalk addressing information must be allocated to remote access clients during the establishment of the connection.
  • The RAS server must be configured to allocate IP addresses, IPX network and node addresses, or AppleTalk network and node addresses.

  23. Overview of Access Management
  • Remote access connections are accepted based on the dial-in properties of a user account and the remote access policies.
  • Different remote access conditions can be applied to different remote access clients, or to the same remote access client, based on the parameters of the connection attempt.
  • Multiple remote access policies can be used to meet various conditions.
  • RRAS and IAS use remote access policies to determine whether to accept or reject connection attempts.

  24. Access Management
  • Policy created in
    • RRAS if Windows authentication
    • IAS if RADIUS authentication
  • Policies applied
    • Checked in order
    • If there are no policies, reject the connection
    • Check all policies until a match is found
  • User account permissions
    • Match up user account and profile properties
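The evaluation order on slides 23 and 24 (policies checked in order, no policies means reject, the first match decides, then the account's dial-in permission and the policy's profile are applied) is easy to get wrong when writing or auditing policies, so here it is as an added example. This is not Microsoft's code: the tristate dial-in permission (`"allow"`, `"deny"`, `"policy"`), the condition attribute names, the profile keys (`auth`, `encryption`) and the sample policies are modelling assumptions constructed for the example.

```python
"""Remote access policy evaluation in the order slides 23-24 describe: policies
are checked in order, no policies means reject, the first match decides, and
the user account's dial-in permission and the policy profile are then applied.
Added example, not Microsoft code; the tristate dial-in permission
("allow"/"deny"/"policy") and the profile keys are modelling assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


def _cond_match(value, allowed: set) -> bool:
    # Multi-valued attributes (e.g. group membership) match if any value is allowed.
    if isinstance(value, (set, frozenset, list, tuple)):
        return any(v in allowed for v in value)
    return value in allowed


@dataclass
class Policy:
    name: str
    conditions: Dict[str, set]   # attribute -> acceptable values; all must hold
    permission: str              # "grant" or "deny"; used when the account says "policy"
    profile: Dict = field(default_factory=dict)   # constraints applied after a grant

    def matches(self, attempt: Dict) -> bool:
        return all(_cond_match(attempt.get(k), v) for k, v in self.conditions.items())


def profile_ok(profile: Dict, attempt: Dict) -> bool:
    """Constructed profile constraints: allowed auth methods, encryption required."""
    if "auth" in profile and attempt.get("auth") not in profile["auth"]:
        return False
    if profile.get("encryption") and not attempt.get("encrypted", False):
        return False
    return True


def evaluate(policies: List[Policy], dialin: str, attempt: Dict) -> Tuple[str, str]:
    """Return ("accept" | "reject", reason) for one connection attempt."""
    if not policies:
        return "reject", "no remote access policies configured"
    for policy in policies:
        if not policy.matches(attempt):
            continue                      # keep checking, in order, until a match
        # First match decides; later policies are never consulted.
        if dialin == "deny":
            return "reject", f"{policy.name}: account dial-in permission is deny"
        if dialin == "policy" and policy.permission == "deny":
            return "reject", f"{policy.name}: policy permission is deny"
        if not profile_ok(policy.profile, attempt):
            return "reject", f"{policy.name}: profile constraints not met"
        return "accept", policy.name
    return "reject", "no policy matched the connection attempt"


# Constructed policies: a deny policy listed first, then a VPN grant policy.
POLICIES = [
    Policy("No dial-up at night",
           {"port-type": {"Async"}, "period": {"night"}}, "deny"),
    Policy("VPN users",
           {"port-type": {"Virtual (VPN)"}, "groups": {"VPN Users"}}, "grant",
           profile={"auth": {"MS-CHAP v2", "EAP-TLS"}, "encryption": True}),
]

# Constructed connection attempt: a VPN user offering a strong, encrypted logon.
VPN_ATTEMPT = {"port-type": "Virtual (VPN)", "period": "day",
               "groups": {"Domain Users", "VPN Users"},
               "auth": "MS-CHAP v2", "encrypted": True}

if __name__ == "__main__":
    print(evaluate(POLICIES, "policy", VPN_ATTEMPT))
    print(evaluate(POLICIES, "policy", dict(VPN_ATTEMPT, auth="PAP")))
```

Two points the sample surfaces: a first-listed deny policy wins over a later grant for any attempt it matches, so policy order is part of the security configuration; and an account whose dial-in permission is set to allow bypasses the matched policy's permission but still has to satisfy its profile, which is why an accept can be returned by a policy named as a deny.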

  25. Overview of Virtual Private Networks (VPNs)
  • VPNs allow remote users to connect securely to a remote corporate server by using the routing infrastructure provided by a public internetwork, such as the Internet.
  • A VPN is a point-to-point connection between the user's computer and a corporate server.
  • A VPN allows a corporation to connect with its branch offices or with other companies over a public internetwork.
  • The secure connection across the internetwork appears to the user as a virtual network interface.

  26. VPN (diagram; labels: VPN Server, Dedicated, Dial Up, Separate intranet using VPN Server)

  27. Overview of Tunneling
  • Tunneling is a method of using an internetwork infrastructure to transfer a payload.
  • Instead of sending the frame as produced by the originating node, the frame is encapsulated with an additional header, which provides routing information.
  • The process of encapsulation and transmission of packets is known as tunneling.
  • The logical path through which the encapsulated packets travel the transit internetwork is called a tunnel.

  28. Tunnel Maintenance and Data Transfer
  • Tunnel maintenance protocol – manages the tunnel
    • With PPTP:
      • Generic Routing Encapsulation (GRE) – data transfer
      • TCP – tunnel maintenance
    • With L2TP:
      • UDP
  • Tunnel data transfer protocol
    • The client appends the data transfer header to the payload
    • The server accepts the packet and strips off the header

  29. Tunnel Types
  • Voluntary tunnels
    • Created and configured by the user at the client end
  • Compulsory tunnels
    • Created automatically by an access concentrator
    • Static compulsory
      • Automatic – dial-in access concentrator (dedicated equipment)
      • Manual (realm-based) – the user name determines the tunnel
    • Dynamic compulsory
      • The choice of tunnel is made when the user connects to the access server

  30. PPTP / L2TP (diagram)

  31. PPTP vs. L2TP
  • PPTP requires that the transit internetwork be an IP internetwork. L2TP requires only that the tunnel media provide packet-oriented point-to-point connectivity.
    • PPTP transport: IP network
    • L2TP transport: IP, X.25, Frame Relay, or ATM
  • When header compression is enabled, L2TP operates with 4 bytes of overhead, compared to 6 bytes for PPTP.
  • L2TP provides tunnel authentication, while PPTP does not.
  • PPTP uses PPP encryption; L2TP uses IPsec.

  32. IPSec
  • Overview of IPSec
    • Layer 3
    • Supports encapsulation and encryption of IP datagrams
  • ESP (Encapsulating Security Payload) tunnel mode
    • Entire payload encrypted
    • Encryption removed at the VPN server
  • ESP transport mode
    • Only layer 4 and above encrypted
    • Encryption removed at the destination host

  33. IPSec ESP Tunnel Packet
  • IP datagram: ESP trailer added, then encrypted
  • Encapsulated with an ESP header and an ESP authentication trailer
  • Encapsulated with a new IP header
    • Source and destination addresses are those of the tunnel endpoints
  • Data link encapsulation

  34. IP-IP
  • IP in IP is a simple OSI layer 3 tunneling technique.
  • A virtual network is created by encapsulating an IP packet with an additional IP header.
  • The primary use of IP-IP is for tunneling multicast traffic over sections of a network that do not support multicast routing.
  • The IP payload includes everything above IP.

  35. Managing Addresses and Name Servers
  • The VPN server must have IP addresses available in order to assign them to the VPN server's virtual interface and to VPN clients.
  • By default, the IP addresses assigned to VPN clients are obtained through DHCP.

  36. Net Shell Command-Line Utility
  • The Net Shell (netsh) utility includes a number of options.
  • Commands can be abbreviated to the shortest unambiguous string.
  • Commands can be either global or context specific.
    • Global commands can be issued in any context and are used for general netsh functions.
    • The Net Shell command also includes context-specific commands.
  • Netsh has two command modes:
    • Online
    • Offline
  • You can run a script either by using the -f option or by typing the exec global command while in the Net Shell command window.
  • To create a script of the current configuration, type the global dump command.

  37. Authentication and Accounting Logging
  • RRAS supports the logging of authentication and accounting information for PPP-based connection attempts when Windows authentication or accounting is enabled.
  • The authentication and accounting information is stored in a configurable log file or files.
    • %systemroot%\System32\LogFiles
  • You can configure the type of activity to log and the log file settings.
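Slide 21 lists the two settings behind remote access lockout (number of failed attempts, how often the counter is reset) and slide 37 says where authentication attempts are logged. The following added example replays constructed authentication records through that counter logic so the effect of both settings can be seen and tested. It is not RRAS code: the comma-separated `timestamp,user,result` layout is invented for the example and is not the real RRAS/IAS log format, and treating a successful logon as clearing the counter is a modelling assumption.

```python
"""Remote access lockout (slide 21) replayed over authentication log records
(slide 37): a per-user failed-attempt counter, a threshold, and a reset
interval. Added example, not RRAS code. The log line layout below is
constructed and is NOT the real RRAS/IAS log format; treating a successful
logon as clearing the counter is also a modelling assumption."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, Tuple

# Constructed records: timestamp,user,result (result is FAIL or OK), in time order.
LOG_LINES = """\
2000-03-14 22:00:00,jdoe,FAIL
2000-03-14 22:00:30,jdoe,FAIL
2000-03-14 22:01:00,jdoe,FAIL
2000-03-14 22:02:00,jdoe,OK
2000-03-14 22:03:00,asmith,FAIL
2000-03-14 22:30:00,asmith,FAIL
2000-03-14 22:31:00,asmith,OK
2000-03-14 22:40:00,jdoe,OK
""".splitlines()


def parse_line(line: str) -> Tuple[datetime, str, str]:
    ts, user, result = line.strip().split(",")
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user, result


class LockoutTracker:
    def __init__(self, max_denials: int, reset_minutes: int):
        self.max_denials = max_denials                  # "number of failed attempts"
        self.reset = timedelta(minutes=reset_minutes)   # "how often to reset the counter"
        self.state = defaultdict(lambda: {"count": 0, "last_fail": None})

    def observe(self, ts: datetime, user: str, result: str) -> str:
        """Return the decision for one attempt: "ok", "fail" or "locked"."""
        st = self.state[user]
        # The counter, and with it any lock, expires once the reset interval
        # has passed since the last recorded failure.
        if st["last_fail"] is not None and ts - st["last_fail"] >= self.reset:
            st["count"], st["last_fail"] = 0, None
        if st["count"] >= self.max_denials:
            return "locked"          # refused regardless of the credentials offered
        if result == "OK":
            st["count"], st["last_fail"] = 0, None
            return "ok"
        st["count"] += 1
        st["last_fail"] = ts
        return "locked" if st["count"] >= self.max_denials else "fail"


def replay(lines: List[str], max_denials: int = 3,
           reset_minutes: int = 15) -> List[Tuple[str, str]]:
    """Replay log records in order and return a (user, decision) pair per record."""
    tracker = LockoutTracker(max_denials, reset_minutes)
    return [(user, tracker.observe(ts, user, result))
            for ts, user, result in map(parse_line, lines)]


if __name__ == "__main__":
    for line, (user, decision) in zip(LOG_LINES, replay(LOG_LINES)):
        print(f"{line:<35} -> {decision}")
```

With the sample settings (three failures, fifteen-minute reset), jdoe's correct password at 22:02 is refused because the lock is still in force, and asmith's second failure at 22:30 does not lock the account because the counter was reset after the interval elapsed. That second behaviour is the trade-off to watch: a short reset interval limits how long a legitimate user is locked out but lets a slow series of guesses stay under the threshold, so the two values should be chosen together and the log reviewed for repeated failures that never trip the lock.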

  38. Event Logging
  • The Windows 2000 Router performs extensive error logging in the system event log.
  • Four levels of logging are available:
    • Errors only
    • Errors and warnings
    • Maximum amount of information
    • Disable
  • Logging consumes system resources and should be used sparingly.

  39. Tracing
  • RRAS has an extensive tracing capability that you can use to troubleshoot complex network problems.
  • Tracing records internal component variables, function calls, and interactions.
  • You can enable tracing for each routing protocol by setting the appropriate registry values.
  • Tracing consumes system resources and should be used sparingly.
  • To enable file tracing for each component, you must set specific values within the registry.
