Chapter 12

Chapter 12: Remote Access and Virtual Private Networks
Learning Objectives
 Explain how remote access and virtual private network (VPN) services work
 Explain how to implement remote access communications devices and protocols
 Configure remote access services, security, dial-up connectivity, and client access
Learning Objectives (continued)
 Configure VPN services, security, dial-up connectivity, and client access
 Troubleshoot remote access, VPN services, and client connectivity
Early Remote Access Methods
 An early method for accessing a network, which is still used, is to connect to a workstation through remote access software such as Carbon Copy
Accessing a Workstation Remotely
Figure 12-1 Remotely accessing a workstation on a network (diagram labels: modem, telephone line, workstation, server, Ethernet; a remote workstation dials through a modem and telephone line to a modem on a workstation attached to the Ethernet with a server and other workstations)
Microsoft Remote Access
 A modern way to access a network remotely is by using Microsoft Remote Access Services (RAS) in Windows 2000 Server
Using RAS
Figure 12-2 Remotely accessing a network through Microsoft RAS (diagram labels: client workstations, modems, telephone lines, Windows 2000 server with RAS, Ethernet, NetWare server)
Virtual Private Network
 Virtual private network (VPN): a private network that is like a tunnel through a larger network, such as the Internet, an enterprise network, or both, and that is restricted to designated member clients
 The tunnel is only as private as its authentication and encryption settings make it; the network it crosses is not trusted
Planning Tip
 Use a VPN to save money on modems and telephone lines for remote access to a network
 The trade-off is that remote traffic now crosses a shared network, so the VPN's authentication and encryption settings must provide the protection the dedicated lines once did
VPN Architecture
Figure 12-3 VPN network architecture (diagram labels: VPN tunnels; modem and telephone line; Internet; Windows 2000 Server with VPN/IIS at 177.28.44.129 on subnet 177.28.44; Windows 2000 servers; frame relay line; T-3 line; routers; subnets 177.28.19, 177.28.7, and 177.28.23; Web server 177.28.23.10)
Operating Systems That Can Connect to RAS
 MS-DOS
 Windows 3.1 and 3.11
 Windows NT (all versions)
 Windows 95
 Windows 98
 Windows 2000 Server and Professional
Connection Types Supported by RAS
 Asynchronous modems
 Synchronous modems through an access server
 Null modem connections
 Regular dial-up telephone lines
 Leased telecommunications lines, such as T-carrier
Connection Types Supported by RAS (continued)
 ISDN lines (and digital modems)
 X.25 lines
 DSL lines
 Frame relay lines
T-Carrier
 T-carrier: a dedicated leased telephone line that can be used for data communications over multiple channels at speeds of up to 44.736 Mbps and beyond
 Two common varieties of T-carrier are T-1 at 1.544 Mbps and T-3 at 44.736 Mbps
Frame Relay
 Frame relay: a WAN communications technology that relies on packet switching and virtual connection techniques to transmit at speeds from 56 Kbps to 45 Mbps
ISDN
 Integrated Services Digital Network (ISDN): a telecommunications standard for delivering data services over digital telephone lines, with a current practical limit of 1.536 Mbps and a theoretical limit of 622 Mbps
X.25
 X.25: an older packet-switching protocol for connecting remote networks at speeds up to 2.048 Mbps
DSL
 Digital subscriber line (DSL): a technology that uses advanced modulation techniques on regular telephone lines for high-speed networking at speeds of up to 60 Mbps between subscribers and a telecommunications company
Telephony Interfaces
 RAS supports telephony interfaces that include:
 Universal Modem Driver (Unimodem): a modem driver standard used on recently developed modems
 Telephony Application Programming Interface (TAPI): an interface for communication line devices (such as modems) that provides line device functions, such as call holding, call receiving, call hang-up, and call forwarding
Transport and Remote Communication Protocols
 RAS supports protocols such as:
 TCP/IP
 NWLink
 NetBEUI
 PPP
 PPTP
 L2TP
 TCP/IP, NWLink, and NetBEUI are the network transports carried over the link; PPP is the link protocol that carries them, and PPTP and L2TP tunnel PPP across an IP network
Using Modems
 One of the most common ways to connect through RAS is by using modems either at the RAS server end, the client end, or both
 Cable TV modems are another possibility, but verify that the end-to-end connections can be made secure
ISDN Connectivity
 Digital "modems" can be used to connect a RAS server to ISDN, but these are really terminal adapters (TAs) and not modems, because ISDN is digital and does not use modulation/demodulation
 A design advantage of ISDN is that you can aggregate multiple lines to appear as one super fast connection
Access Server
 An effective way to connect different telecommunications and WAN media to RAS is through an access server
 For example, an access server can provide the following types of connectivity:
 Modems
 ISDN
 X.25
 T-carrier
Access Server Architecture
Figure 12-4 Using an access server (diagram labels: Windows 2000 Server with RAS, Ethernet, modular access server, T-1 line, X.25 line, ISDN lines, modems, leased telecommunications connections, telecommunications networks)
Remote Access Protocols
 Serial Line Internet Protocol (SLIP): an older remote communications protocol that is used by UNIX computers. The modern compressed SLIP (CSLIP) version uses header compression to reduce communications overhead.
 Point-to-Point Protocol (PPP): a widely used remote communication protocol that supports IPX/SPX, NetBEUI, and TCP/IP for point-to-point communication.
SLIP and PPP Compared
Feature | SLIP | PPP
Network protocol support | TCP/IP | TCP/IP, IPX/SPX, and NetBEUI
Asynchronous communications support | Yes | Yes
Synchronous communications support | No | Yes
Simultaneous network configuration negotiation and automatic connection with multiple levels of the OSI model between the communicating nodes | No | Yes
Support for connection authentication to guard against eavesdroppers | No | Yes
Table 12-1 SLIP and PPP Compared
Remote Access Protocols (continued)
 Point-to-Point Tunneling Protocol (PPTP): a remote communication protocol that enables connectivity to a network through the Internet and connectivity through intranets and VPNs. PPTP carries PPP frames inside GRE over IP, so the protection of the tunnel rests entirely on the PPP authentication method and the MPPE encryption negotiated for the session.
Remote Access Protocols (continued)
 Layer Two Tunneling Protocol (L2TP): a protocol that transports PPP over a VPN, intranet, or Internet. L2TP works similarly to PPTP, but unlike PPTP it also draws on Cisco's Layer Two Forwarding (L2F) standard, which tunnels link-layer (PPP) frames rather than IP packets. L2TP itself does not encrypt; in Windows 2000 it is paired with IPSec (L2TP/IPSec) to protect the tunneled traffic.
General RAS Configuration Steps
 Configure a Windows 2000 server with RAS, including the appropriate protocols
 Configure a DHCP Relay Agent (if IP addresses are assigned via DHCP)
 Configure RAS security
 Configure a dial-up and remote connection
 Configure RAS on client workstations
Configuring RAS
 Use the Routing and Remote Access tool to install RAS
Installing RAS
Figure 12-5 Configuring routing and RAS
Installing RAS (continued)
Figure 12-6 Selecting the option to install RAS
Routing and Remote Access Options
Option | Description
Internet connection server | Use this option so that networked computers in addition to the server can connect to the Internet, which is especially useful in a small office environment in which all users need Internet access, but there is only one dial-up, ISDN, or other outside line to an ISP
Remote access server | Use this option to set up remote access services to the network through the Windows 2000 server
Virtual private network (VPN) server | Use this option when you have an intranet (VPN) that you want users to be able to access through a remote connection or the Internet
Network router | Use this option to have Windows 2000 Server function as a router on the network, directing traffic to other networks or subnetworks
Manually configure the server | Use this option when you want to customize the routing and remote access capabilities
Installing RAS (continued)
Figure 12-7 IP address assignment options
RAS Installation Tip
 If you configure RAS for AppleTalk, then users access RAS through the Guest account, which cannot have a password; enable it only where unauthenticated dial-in access to the network is acceptable
RAS Properties
 You can configure RAS properties after RAS is installed by right-clicking the RAS server in the tree of the Routing and Remote Access tool and then clicking Properties
Viewing a RAS Server's Properties
Figure 12-8 RAS server properties
DHCP Relay Agent
 If you configure RAS to use DHCP to assign IP addresses, then you must configure a DHCP Relay Agent:
 Double-click the RAS server in the tree of the Routing and Remote Access tool
 Click IP Routing in the tree
 Right-click DHCP Relay Agent and click Properties
 Enter the IP address of the DHCP server the agent should forward requests to, click Add, and then click OK
Multilink
 If you plan to use an aggregated connection, such as for ISDN or multiple modems, configure Multilink and Bandwidth Allocation Protocol in the RAS Properties PPP tab
Multilink and BAP
 Multilink: a capability of RAS to aggregate multiple data streams into one logical network connection for the purpose of using more than one modem, ISDN channel, or other communication line in a single logical connection
 Bandwidth Allocation Protocol (BAP): a protocol that works with Multilink in Windows 2000 Server that enables the bandwidth or speed of a remote connection to be allocated on the basis of the needs of an application, with the maximum allocation equal to the maximum speed of all channels aggregated via Multilink
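Multilink's "one logical connection" is the PPP Multilink Protocol of RFC 1990: each packet is cut into fragments that carry a bundle-wide sequence number and Begin/End flags, the fragments are dealt out across the member lines, and the receiver restores the packet in sequence order regardless of which line delivered what first. The Python below is an added illustration written for this page, not code from the textbook or from Windows RAS; the two-link bundle, the packet, and the arrival order are constructed here, and BAP's dynamic adding and dropping of links is not modeled.

```python
"""PPP Multilink (RFC 1990) fragmentation and reassembly across a bundle.

Added example for this page (not from the textbook or Windows RAS).
A packet is split into fragments that share one sequence space and carry
Begin/End flags, the fragments go out over different member links, and the
receiver restores the packet from whatever order they arrive in. The bundle,
packet and arrival order are constructed; BAP link add/drop is not modeled.
"""
from dataclasses import dataclass
from typing import List

SEQ_MOD = 1 << 24      # 24-bit sequence numbers (RFC 1990 long header format)


@dataclass(frozen=True)
class Fragment:
    seq: int           # bundle-wide sequence number
    begin: bool        # B bit: first fragment of a packet
    end: bool          # E bit: last fragment of a packet
    payload: bytes


def fragment(packet: bytes, n_links: int, first_seq: int, mtu: int) -> List[List[Fragment]]:
    """Split one packet into fragments of at most mtu bytes and deal them
    round-robin across n_links member links. Returns one send queue per link."""
    chunks = [packet[i:i + mtu] for i in range(0, len(packet), mtu)] or [b""]
    queues: List[List[Fragment]] = [[] for _ in range(n_links)]
    for k, chunk in enumerate(chunks):
        frag = Fragment(seq=(first_seq + k) % SEQ_MOD,
                        begin=(k == 0), end=(k == len(chunks) - 1), payload=chunk)
        queues[k % n_links].append(frag)
    return queues


def reassemble(received: List[Fragment]) -> List[bytes]:
    """Receiver side: put fragments back in sequence order and walk each
    Begin..End run. A gap in the sequence inside a run means a fragment was
    lost on one link; that packet is discarded and the next Begin starts over.
    Sequence wrap-around at SEQ_MOD is not handled in this toy."""
    packets: List[bytes] = []
    buf = None
    expect = None
    for frag in sorted(received, key=lambda f: f.seq):
        if frag.begin:
            buf, expect = [], frag.seq
        if buf is None or frag.seq != expect:
            buf = None                       # lost fragment or stray tail: drop
            continue
        buf.append(frag.payload)
        expect = (expect + 1) % SEQ_MOD
        if frag.end:
            packets.append(b"".join(buf))
            buf = None
    return packets


def arrive(queues: List[List[Fragment]]) -> List[Fragment]:
    """Constructed arrival order: the last link delivers first, which is how
    a faster member line makes later fragments show up before earlier ones."""
    order: List[Fragment] = []
    for queue in reversed(queues):
        order.extend(queue)
    return order


if __name__ == "__main__":
    packet = bytes(range(256)) * 4          # constructed 1024-byte PPP packet
    bundle = fragment(packet, n_links=2, first_seq=10, mtu=300)
    print([len(q) for q in bundle], "fragments per link")
    print("reassembled intact:", reassemble(arrive(bundle)) == [packet])
    lost = [f for f in arrive(bundle) if f.seq != 11]
    print("packets recovered with seq 11 lost:", reassemble(lost))
```

The loss case is the one worth remembering when troubleshooting an aggregated connection: a single bad member line does not degrade the bundle gracefully, it silently costs whole packets, because every packet straddles all lines.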
BACP
 Bandwidth Allocation Control Protocol (BACP): similar to BAP, but BACP is able to select a preferred client when two or more clients vie for the same bandwidth
Configuring Multilink and BAP/BACP
Figure 12-9 Configuring Multilink and BAP
Security Set at the Client
 Set up security on the client's user account properties via the Dial-in tab, including whether to use a remote access policy for security and callback security
Callback Options
 No Callback: access is allowed on the first dial-up attempt
 Set By Caller: the server hangs up and calls back a number provided by the remote computer
 Always Callback to: the server calls back a number that has already been entered in the Dial-in tab
 Only Always Callback to ties the session to a number the administrator controls; Set By Caller lets the caller choose the number, so it shifts toll charges to the server but does not prove where the caller is
Configuring Dial-in Security
Figure 12-10 Configuring dial-in security for a user account
Remote Access Policies
 Configure remote access policies and a profile to secure the RAS server and to manage access, including:
 Dial-in constraints
 IP address assignment rules
 Authentication
 Encryption
 Allowing Multilink connections
Configuring Remote Access Policies
Figure 12-11 Granting remote access as a RAS policy
Authentication Options
 There are several authentication options that can be set in a remote access policy profile:
 Extensible Authentication Protocol (EAP): an authentication framework employed by network clients that use special security devices such as smart cards, token cards, and others that use certificate authentication; the EAP types shipped with Windows 2000 are EAP-TLS (certificates and smart cards) and MD5-Challenge
Authentication Options (continued)
 Challenge Handshake Authentication Protocol (CHAP): a challenge-response protocol for standard IP- or PPP-based password exchange. The password itself is never sent; the client returns an MD5 hash of the server's random challenge combined with the password, so a captured exchange cannot be replayed. It is a reasonably secure, standard, cross-platform method, but the server must keep the password in a reversible form in order to recompute the hash.
 CHAP with Microsoft extensions (MS-CHAP): a Microsoft-enhanced version of CHAP that can negotiate encryption levels and that uses the RC4 stream cipher (via MPPE) to encrypt communications between client and host. The version 1 exchange has known weaknesses, so prefer MS-CHAP v2 wherever clients support it.
Authentication Options (continued)
 CHAP with Microsoft extensions version 2 (MS-CHAP v2): an enhancement of MS-CHAP that provides better authentication (the server must also prove knowledge of the password to the client, so a rogue server is detected) and stronger data encryption keys, and that is especially well suited for VPNs
 Password Authentication Protocol (PAP): a non-encrypted plain-text password authentication protocol. This represents the lowest level of security for exchanging passwords via PPP or TCP/IP: anyone who can read the line reads the password.
Authentication Options (continued)
 Shiva Password Authentication Protocol (SPAP): a version of PAP, with the password reversibly encrypted rather than hashed, that is used for authenticating remote access devices and network equipment manufactured by Shiva (now Intel Network Systems, Inc.)
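The difference between PAP and CHAP above comes down to what an eavesdropper on the line can do with a captured exchange. The Python below is an added illustration, not code from the textbook or from Windows RAS: it implements the CHAP response of RFC 1994 (an MD5 hash over identifier, secret, and challenge) beside PAP's cleartext request, then replays a captured CHAP response against a fresh challenge to show why the random challenge matters. The user name, shared secret, and server credential store are constructed for the example.

```python
"""PAP versus CHAP over PPP: what a wire sniffer gets from each exchange.

Added example for this page (not from the textbook or Windows RAS).
CHAP follows RFC 1994: Response = MD5(Identifier || secret || Challenge).
The secret, user name, and server credential store are constructed here.
"""
import hashlib
import hmac
import os

USER = "jdoe"                    # constructed test account
SECRET = b"s3cret-pa55word"      # constructed shared secret (never sent in CHAP)


# --- PAP (RFC 1334): the credentials themselves travel over the line ---------

def pap_client(user: str, secret: bytes) -> dict:
    """PAP Authenticate-Request: peer id and password are sent in the clear."""
    return {"code": 1, "peer_id": user, "password": secret}


def pap_server(request: dict, store: dict) -> bool:
    """Server compares the received password with its stored copy."""
    return store.get(request["peer_id"]) == request["password"]


# --- CHAP (RFC 1994): only a hash over a one-time challenge travels ---------

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Response Value = MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_challenge(identifier: int) -> dict:
    """Challenge packet: a fresh random value each time; this randomness is
    what defeats replay of an earlier, captured response."""
    return {"code": 1, "identifier": identifier, "value": os.urandom(16)}


def chap_client(challenge: dict, user: str, secret: bytes) -> dict:
    """Response packet: carries the hash and the user name, never the secret."""
    return {"code": 2, "identifier": challenge["identifier"],
            "value": chap_response(challenge["identifier"], secret, challenge["value"]),
            "name": user}


def chap_verify(challenge: dict, response: dict, store: dict) -> bool:
    """Server recomputes the hash with its own copy of the secret. The store
    must therefore hold the secret in a recoverable form, which is why Windows
    CHAP needs "store password using reversible encryption" on the account."""
    secret = store.get(response["name"])
    if secret is None or response["identifier"] != challenge["identifier"]:
        return False
    expected = chap_response(challenge["identifier"], secret, challenge["value"])
    return hmac.compare_digest(expected, response["value"])


def replay_succeeds(captured_response: dict, store: dict) -> bool:
    """An eavesdropper replays a captured CHAP Response in a new session.
    The server issues a new challenge, so the old hash no longer matches."""
    new_challenge = chap_challenge(captured_response["identifier"])
    return chap_verify(new_challenge, captured_response, store)


def secret_visible_on_wire(packet: dict, secret: bytes) -> bool:
    """Does the secret appear verbatim in what crossed the line?"""
    return any(isinstance(v, bytes) and secret in v for v in packet.values())


if __name__ == "__main__":
    store = {USER: SECRET}                       # RAS server credential store
    pap_req = pap_client(USER, SECRET)
    print("PAP accepted:", pap_server(pap_req, store),
          "| secret on wire:", secret_visible_on_wire(pap_req, SECRET))
    chal = chap_challenge(identifier=7)
    resp = chap_client(chal, USER, SECRET)
    print("CHAP accepted:", chap_verify(chal, resp, store),
          "| secret on wire:", secret_visible_on_wire(resp, SECRET),
          "| replay works:", replay_succeeds(resp, store))
```

MS-CHAP and MS-CHAP v2 keep this challenge-response shape but hash the password differently and, in v2, add a second challenge in the other direction so the client can check the server; the reversible-storage requirement above is specific to plain CHAP.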
Configuring Authentication
Figure 12-12 Configuring authentication
Encryption Options
 The RAS encryption options incorporate IPSec and Microsoft Point-to-Point Encryption (MPPE): MPPE protects dial-up and PPTP links, and IPSec protects L2TP tunnels
 MPPE: a point-to-point encryption technique, based on the RC4 stream cipher, that uses session keys varying in length from 40 to 128 bits
Encryption Selections
 No Encryption: clients do not employ data encryption
 Basic: intended for clients using 40-bit encryption key MPPE or IPSec
 Strong: intended for clients using 56-bit encryption key MPPE or IPSec
Encryption Note
 Originally the beta version of Windows 2000 Server included a Strongest encryption option for 128-bit key MPPE or IPSec encryption, but this option is omitted in the first release of Windows 2000 Server. Expect strongest encryption to be included later in an update.
Dial-in and VPN Remote Access Tabs
Option | Description
Advanced | Used to designate connection attributes, such as RADIUS, frame types, AppleTalk zones, special filters, and many others
Authentication | Used to select the type or types of authentication methods such as EAP, CHAP, MS-CHAP, MS-CHAP v2, PAP, and SPAP (or no authentication)
Dial-in constraints | Used to set dial-in limitations, such as times of the day and days of the week when the RAS servers can be accessed, amount of time a connection can be idle before it is disconnected, maximum session time, dial-in number, and media through which to dial in (such as ISDN, X.25, modem, and fax)
Encryption | Used to designate encryption levels: no encryption, basic, strong
IP | Used to define how TCP/IP dial-in clients obtain an IP address, such as by using the server user account settings; and to set up packet filters to limit which IP addresses can access the RAS servers
Multilink | Used to enable Multilink connections, when RAS is set up for Multilink, and to specify Multilink BAP settings
Configuring a Dial-up Connection for a RAS Server
 Use the Network and Dial-up Connections tool to configure a new dial-up connection for a RAS server
Creating a New Connection
Figure 12-13 Creating a new connection
General Steps to Configure a VPN
 Set up the network connectivity, such as through a WAN adapter, access server, or router
 Install the Routing and Remote Access Service, configuring it as a VPN server
 Establish the remote access policies and profile, including setting up EAP authentication
 Configure the number of PPTP and L2TP ports
Design Tip
 If you select to use a static pool of IP addresses when you install the VPN server, the upper limit of addresses that can be assigned is 253
Static Address Set Up
Figure 12-14 Providing a range of addresses for a VPN server
Configuring VPN Server Remote Access Policies
 Configure VPN remote access policies and a profile using the same steps as for configuring a RAS server
Configuring Ports
 Configure the number of ports to equal those available through the WAN connection
Steps for Configuring Ports
 To configure the number of ports:
 Right-click Ports in the tree under the server in the Routing and Remote Access tool
 Click Properties
 Double-click WAN Miniport (PPTP) and set the number of ports
 Double-click WAN Miniport (L2TP) and set the number of ports
Steps for Configuring Ports (continued)
Figure 12-15 Configuring the number of ports
Hardware Troubleshooting Tips for RAS and VPN Servers
 Use the Add/Remove Hardware tool or the Device Manager to test modems and WAN adapters
 Use the Network and Dial-up Connections tool to check dial-up and WAN connections
 Make sure access servers are working
 Make sure modem lines are properly connected and working
Software Troubleshooting Tips for RAS and VPN Servers
 Make sure that the Remote Access Auto Connection Manager and Remote Access Connection Manager services are started
 Make sure the RAS or VPN server is enabled
 Use the Ports option to check the status of ports
 Make sure all IP parameters are properly configured
RAS and VPN Client Troubleshooting Tips
 Check the dial-up networking and RAS setup on the client
 Make sure that clients are using the right protocols
 Check the dial-in security on the client's user account
 Check the client's modem to make sure it is working and set for compatible communications with the server
Chapter Summary
 RAS and VPN servers enable clients, such as those who telecommute, to remotely access Windows 2000 Server
 Remote access can be configured through many types of WAN connectivity, such as dial-up telephone lines, high-speed lines, Internet connections, and routers
Chapter Summary (continued)
 RAS and VPN servers are compatible with remote access protocols such as PPP, PPTP, and L2TP
 Manage RAS and VPN servers using remote access policies and profiles