420 likes | 570 Vues
Chapter 10. Routing and Remote Access Services. Overview of Routing and Remote Access Service (RRAS). RRAS is fully integrated with Windows 2000 Server.
E N D
Chapter 10 Routing and Remote Access Services
Overview of Routing and Remote Access Service (RRAS) • RRAS is fully integrated with Windows 2000 Server. • RRAS is extensible with application programming interfaces (APIs) that third-party developers can use to create custom networking solutions and that vendors can use to participate in internetworking. • The combined features of Windows 2000 RRAS allow a Windows 2000 Server computer to function as a multiprotocol router, a demand-dial router, and a remote access server.
Combining Routing and Remote Access Service • Routing services and remote access services have been combined because of Point-to-Point Protocol (PPP) • Used to negotiate point-to-point connections. • Used by Demand-dial routing connections • The PPP infrastructure of Windows 2000 Server supports several types of access. • Dial Up • VPN • On Demand or persistent dial-up/ VPN demand routing
Installation and Configuration • Enable • Disable • Refresh • netsh • Private Addresses10.0.0.0 –10.255.255.255172.16.0.0 – 172.31.255.255192.168.0.0 – 192.168.255.255
Authentication and Authorization • Authentication – you are who you say you are • Authorization – verification of permission to make connection • Windows • RADIUS – server • Win2000 IAS
Unicast IP – Routing Support • Windows 2000 provides extensive support for unicast IP routing. • In unicasting, two computers establish a two-way, point-to-point connection. • Routing and Remote Access Service includes a number of features to support unicast IP routing.
Multicast IP Support • Windows 2000 supports the sending, receiving, and forwarding of IP multicast traffic. • Multicast traffic is sent to a single host but is processed by multiple hosts who listen for this type of traffic. • Routing and Remote Access Service includes a number of features to support multicast IP routing.
Other Features of (R)RAS • NAT • Network Address Translation • Internet Connection Sharing - alternative • DHCP Relay • DHCP server can exist on another netwrok • IP Packet Filtering • Source/destination IP Address • TCP/UDP port number • IP protocol codes • ICMP route discovery • Periodically advertise and respond to host router solicitations • Static Routing
Routing – communications between routers OSPF RIP IPX/SPX TCP/IP Apple Talk Not NetBEui Routing vs Routable Protocols
Demand-Dial Routing • Windows 2000 provides support for demand-dial routing. • IP and IPX can be forwarded over demand-dial interfaces over persistent or on-demand wide area network (WAN) links.
Remote Access • RRAS enables a computer to be a remote access server. • RRAS accepts remote access connections from remote access clients that use traditional dial-up technologies. • Access to resources on RRAS server • Access to LAN resources
VPN Server • RRAS enables a computer to be a virtual private network (VPN) server. • RRAS supports • Point-to-Point Tunneling Protocol (PPTP) • Layer 2 Tunneling Protocol (L2TP) • IP Security (IPSec).
RADIUS Client-Server • Internet Authentication Service (IAS) is the Microsoft implementation of a Remote Authentication Dial-In User Service (RADIUS) server. • RADIUS is a client-server protocol that enables RADIUS clients to submit authentication and accounting requests. • The RADIUS server has access to user account information and can check remote access authentication credentials. • RADIUS supports remote access user authentication and authorization and allows accounting data to be maintained in a central location. • Authentication either thru RADIUS database or Domain Controller
SNMP MIB Support • RRAS provides Simple Network Management Protocol (SNMP) agent functionality with support for Internet MIB II. • Routing and Remote Access Service includes support for additional MIB enhancements beyond Internet MIB II. • MIB support is also provided for Windows 2000 functions, legacy LAN Manager MIB functions, and the WINS, DHCP, and IIS services.
Dial-Up Equipment and WAN Infrastructure • Public Switched Telephone Network (PSTN) • Digital links and V.90 • Integrated Services Digital Network (ISDN) • X.25 • ATM over ADSL
Remote Access Protocols • Remote access protocols control the establishment of connections and the transmission of data over WAN links. • Windows 2000 remote access supports three types of remote access protocols: • PPP • SLIP • AsyBEUI.
LAN Protocols • LAN protocols are the protocols used by remote access clients to access resources on the network connected to the RAS server. • Windows 2000 remote access supports • TCP/IP • IPX • AppleTalk • NetBEUI.
Secure User Authentication • Secure user authentication is obtained through the encrypted exchange of user credentials. • Secure authentication is possible through the use of PPP and one of the supported authentication protocols.
Mutual Authentication • Mutual authentication is obtained by authenticating both ends of the connection through the encrypted exchange of user credentials. • It is possible for a RAS server not to request authentication from the remote access client.
Data Encryption • Data encryption encrypts the data sent between the remote access client and the RAS server. • Data encryption on a remote access connection is based on a secret encryption key known to the RAS server and remote access client. • Data encryption is possible over dial-up remote access links when using PPP along with • EAP-TLS – Extensible Authentication Protocol – Transport Level Sdecurity • MS‑CHAP • Microsoft Point-to-Point Encryption (MPPE).
More Security Options • Callback • Caller ID • Remote Access Lockout • Number of Failed Attempts • How often to reset the Failed Attempts counter
Managing Addresses • For PPP connections, IP, IPX, and AppleTalk, addressing information must be allocated to remote access clients during the establishment of the connection. • The RAS server must be configured to allocate IP addresses, IPX network and node addresses, or AppleTalk network and node addresses.
Overview of Access Management • Remote access connections are accepted based on the dial-in properties of a user account and the remote access policies. • Different remote access conditions can be applied to different remote access clients or to the same remote access client based on the parameters of the connection attempt. • Multiple remote access policies can be used to meet various conditions. • RRAS and IAS use remote access policies to determine whether to accept or reject connection attempts.
Access Management • Policy created in • RRAS if Windows authentication • IAS if RADIUS authentication • Policies Applied • Checked in order • If no policies Reject the connection • Check all policies until a match • User Account Permissions • Match up user account and profile properties
Overview of Virtual Private Networks (VPNs) • VPNs allow remote users to connect securely to a remote corporate server by using the routing infrastructure provided by a public internetwork, such as the Internet. • VPN is a point-to-point connection between the user’s computer and a corporate server. • VPN allows a corporation to connect with its branch offices or with other companies over a public internetwork. • The secure connection across the internetwork appears to the user as a virtual network interface.
VPN VPN ServerDedicated Dial UpSeparate intranet using VPN Server
Overview of Tunneling • Tunneling is a method of using an internetwork infrastructure to transfer a payload. • Instead of sending the frame as produced by the originating node, the frame is encapsulated with an additional header, which provides routing information. • The process of encapsulation and transmission of packets is known as tunneling. • The logical path through which the encapsulated packets travel the transit internetwork is called a tunnel.
Tunnel Maintenance and Data Transfer • Tunnel maintenance protocol • Manage the tunnel • When PPTP - • Generic Routing Encapsulation – DATA transfer • TCP – TUNNEL maintenance • When L2TP • UDP • Tunnel data transfer protocol • Client appends data transfer header to the payload • Server accepts the packet and strips of header
Tunnel Types • Voluntary tunnels • Created and configured by the user at client end • Compulsory tunnels • Created automatically • Access Concentrator • Static Compulsory • Automatic • Dial in accesses concentrator • Dedicated equipment • Manual (realm Based) • User Name determines tunnel • Dynamic Compulsory • Choice of tunnel made when used connects to access server
PPTP L2TP
PPTP vs. L2TP • PPTP requires that the transit internetwork be an IP internetwork. L2TP requires only that the tunnel media provide packet-oriented point-to-point connectivity. • PPTP transport IP networkL2TP transport IP, X.25, FRAME RELAY, or ATM • When header compression is enabled, L2TP operates with 4 bytes of overhead, compared to 6 bytes for PPTP. • L2TP provides tunnel authentication, while PPTP does not. • PPTP uses PPP encryption and L2TP uses IPsec
IPSec • Overview of IPSec • Layer 3 • Supports Encapsulation and Encryption of IP datagram • ESP (Encapsulated Security Payload) tunnel mode • Entire Payload encrypted • Encryption removed at VPN Server • ESP transport mode • Only layer 4 and above encrypted • Encryption removed at destination host
IPSec ESP Tunnel Packet • IP datagram EsP trailer added then encrypted • Encapsulated with an ESP header ESP authentication trailer • Encapsulated with new IP header • Source and Destination address of tunnel endpoints • Data link encapsulation
IP-IP • IP in IP is a simple OSI layer 3 tunneling technique. • A virtual network is created by encapsulating an IP packet with an additional IP header. • The primary use of IP-IP is for tunneling multicast traffic over sections of a network that does not support multicast routing • The IP payload includes everything above IP.
Managing Addresses and Name Servers • The VPN server must have IP addresses available in order to assign them to the VPN server’s virtual interface and to VPN clients. • By default, the IP addresses assigned to VPN clients are obtained through DHCP.
Net Shell Command-Line Utility • The Net Shell utility includes a number of options. • Commands can be abbreviated to the shortest unambiguous string. • Commands can be either global or context specific. • Global commands can be issued in any context and are used for general netsh functions. • Netsh has two command modes. • Online • Offline • You can run a script either by using the -f option or by typing the exec global command while in the Net Shell command window. • To create a script of the current configuration, type the global dump command. • The Net Shell command includes context-specific commands.
Authentication and Accounting Logging • RRAS supports the logging of authentication and accounting information for PPP-based connection attempts when Windows authentication or accounting is enabled. • The authentication and accounting information is stored in a configurable log file or files. • %systemroot%\System32\LogFiles • You can configure the type of activity to log and log file settings.
Event Logging • The Windows 2000 Router performs extensive error logging in the system event log. • Four levels of logging are available. • Errors only • Errors and Warnings • Maximum amount of information • Disable • Logging consumes system resources and should be used sparingly.
Tracing • RRAS has an extensive tracing capability that you can use to troubleshoot complex network problems. • Tracing records internal component variables, function calls, and interactions. • You can enable tracing for each routing protocol by setting the appropriate registry values. • Tracing consumes system resources and should be used sparingly. • To enable file tracing for each component, you must set specific values within the registry.