Overview of Routing and Remote Access Service (RRAS)
• When RRAS was introduced for Microsoft Windows NT 4.0, it added support for a number of routing and remote access features.
• Microsoft Windows 2000 builds on the Windows NT 4.0 RRAS and adds a number of new features.
• RRAS is fully integrated with Windows 2000 Server.
• The combined features of Windows 2000 RRAS allow a Windows 2000 Server computer to function as a multiprotocol router, a demand-dial router, and a remote access server.
• RRAS is extensible through application programming interfaces (APIs) that third-party developers can use to create custom networking solutions and that vendors can use to participate in internetworking.

Combining Routing and Remote Access Service
• Routing services and remote access services were combined because both are built on the Point-to-Point Protocol (PPP), the protocol suite commonly used to negotiate point-to-point connections.
• Demand-dial routing connections also use PPP, so they receive the same authentication, encryption, and address-assignment services as remote access connections.
• The PPP infrastructure of Windows 2000 Server supports several types of access.

Installation and Configuration

Disabling Routing and Remote Access Service
• You can use the Routing and Remote Access snap-in to disable RRAS.
• Disabling RRAS discards its current configuration; you can reset the configuration by disabling the service and then enabling it again, which runs the setup wizard from scratch.

Authentication and Authorization

Unicast IP Support
• Windows 2000 provides extensive support for unicast IP routing.
• Routing and Remote Access Service includes a number of features to support unicast IP routing.
• In unicast IP, each packet is addressed to, and delivered to, a single destination host.

Multicast IP Support
• Windows 2000 supports the sending, receiving, and forwarding of IP multicast traffic.
• Multicast traffic is sent once to a single multicast group address and is delivered to every host that has joined that group.
• Routing and Remote Access Service includes a number of features to support multicast IP routing.
IPX Support
• The Windows 2000 Server router is a fully functional IPX router.
• Routing and Remote Access Service includes a number of features to support IPX routing.

AppleTalk
• Windows 2000 RRAS can operate as an AppleTalk router by forwarding AppleTalk packets and supporting the Routing Table Maintenance Protocol (RTMP).
• Most large AppleTalk networks are AppleTalk internets connected by routers.
• A Windows 2000–based server can provide routing and seed routing support.

Demand-Dial Routing
• Windows 2000 provides support for demand-dial routing.
• IP and IPX can be forwarded over demand-dial interfaces across persistent or on-demand wide area network (WAN) links.

Remote Access
• RRAS enables a computer to act as a remote access server.
• RRAS accepts remote access connections from remote access clients that use traditional dial-up technologies.

VPN Server
• RRAS enables a computer to act as a virtual private network (VPN) server.
• RRAS supports the Point-to-Point Tunneling Protocol (PPTP) and the Layer Two Tunneling Protocol (L2TP) over IP Security (IPSec).

RADIUS Client-Server
• Internet Authentication Service (IAS) is the Microsoft implementation of a Remote Authentication Dial-In User Service (RADIUS) server.
• RADIUS is a client-server protocol in which RADIUS clients (such as an RRAS server) submit authentication and accounting requests to a RADIUS server.
• The RADIUS server has access to the user account information and checks the remote access authentication credentials.
• RADIUS supports remote access user authentication and authorization and allows accounting data to be maintained in a central location.
• RADIUS messages are protected only by the shared secret configured on the client and server; keep the secret strong and configure the server to accept requests only from known client addresses.

SNMP MIB Support
• RRAS provides Simple Network Management Protocol (SNMP) agent functionality with support for Internet MIB II.
• Routing and Remote Access Service includes support for additional MIB enhancements beyond Internet MIB II.
• MIB support is also provided for Windows 2000 functions, legacy LAN Manager MIB functions, and the WINS, DHCP, and IIS services.
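The RADIUS exchange between the remote access server (the RADIUS client) and IAS (the RADIUS server), as an added worked example. This code is not part of the original course material or of Windows; it implements the RFC 2865 Access-Request/Access-Accept round trip from both sides so that the role of the shared secret is visible: the User-Password attribute is hidden with an MD5 keystream derived from the secret and the Request Authenticator, and the server's reply is bound to the request by a Response Authenticator that the client verifies. The user store, addresses, and the secret are constructed example values.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4

# Constructed example data (not from the page): the server's user store and the
# shared secret configured on both the RRAS client and the IAS/RADIUS server.
USER_DB = {"alice": "correct horse"}
SHARED_SECRET = b"example-secret"


def _xor_chain(data, secret, request_auth, decrypt):
    """RFC 2865 5.2 User-Password hiding: each 16-byte block is XORed with
    MD5(secret + previous ciphertext block); the first block uses the Request
    Authenticator. Hiding and recovery differ only in which block is chained."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, mask))
        out += result
        prev = block if decrypt else result
    return out


def hide_password(password, secret, request_auth):
    padded = password + b"\x00" * (-len(password) % 16)   # pad to a 16-byte multiple
    return _xor_chain(padded, secret, request_auth, decrypt=False)


def recover_password(hidden, secret, request_auth):
    return _xor_chain(hidden, secret, request_auth, decrypt=True).rstrip(b"\x00")


def _attr(attr_type, value):
    return bytes([attr_type, len(value) + 2]) + value      # type, length, value


def build_access_request(identifier, username, password, nas_ip, secret, request_auth=None):
    """What the RADIUS client (the RRAS server) sends for a PPP logon."""
    request_auth = request_auth or os.urandom(16)          # must be unpredictable per request
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
             + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs


def parse_packet(pkt):
    """Parse and length-check a RADIUS packet; returns (code, id, authenticator, {type: value})."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad Length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = pkt[pos], pkt[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs[attr_type] = pkt[pos + 2:pos + attr_len]
        pos += attr_len
    return code, identifier, pkt[4:20], attrs


def server_handle(request, secret):
    """What the RADIUS server (IAS) does: recover the password, check it against the
    account store, and answer with a Response Authenticator bound to the request."""
    code, identifier, request_auth, attrs = parse_packet(request)
    if code != ACCESS_REQUEST or ATTR_USER_PASSWORD not in attrs:
        raise ValueError("not an Access-Request with a User-Password")
    username = attrs.get(ATTR_USER_NAME, b"").decode("utf-8", "replace")
    password = recover_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    ok = USER_DB.get(username) is not None and hmac.compare_digest(USER_DB[username].encode(), password)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, identifier, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret); no attributes here.
    response_auth = hashlib.md5(header + request_auth + secret).digest()
    return header + response_auth


def client_check_response(response, request_auth, secret):
    """Client side: trust the answer only if its Response Authenticator verifies."""
    code, _identifier, response_auth, _attrs = parse_packet(response)
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response_auth), code


def exchange(username, password, client_secret, server_secret, request_auth=None):
    """Run one Access-Request/response round trip; returns (authenticator_ok, reply_code)."""
    request_auth = request_auth or os.urandom(16)
    request = build_access_request(1, username, password, "192.0.2.10", client_secret, request_auth)
    response = server_handle(request, server_secret)
    return client_check_response(response, request_auth, client_secret)


if __name__ == "__main__":
    print(exchange("alice", "correct horse", SHARED_SECRET, SHARED_SECRET))   # (True, 2)
    print(exchange("alice", "wrong", SHARED_SECRET, SHARED_SECRET))           # (True, 3)
    print(exchange("alice", "correct horse", SHARED_SECRET, b"mismatched"))   # (False, 3)
```

The third call shows what a secret mismatch looks like from the RRAS side: the server recovers garbage for the password and rejects, and the client cannot verify the reply either. Note that the User-Password hiding is an MD5 keystream, not an authenticated cipher, and nothing else in the packet is protected; this is why RADIUS between the remote access server and IAS belongs on a trusted management network.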
API Support for Third-Party Components
• RRAS has fully published API sets for unicast and multicast routing protocols and for administration utilities.
• Developers can write additional routing protocols and interfaces directly into the RRAS architecture.

Overview of Remote Access
• Remote access clients are connected either only to the remote access server's resources or to the remote access server's resources and the network beyond it.
• A Windows 2000 remote access server provides two remote access connection methods: dial-up remote access and VPN remote access.

Dial-Up Remote Access Connections

Remote Access Client
• A number of remote access clients can connect to a Windows 2000 remote access server.
• Almost any third-party PPP remote access client can connect to a Windows 2000 remote access server.
• The Microsoft remote access client can also dial in to a Serial Line Internet Protocol (SLIP) server; this is client-side support only, because the Windows 2000 remote access server does not accept SLIP connections.

Remote Access Server
• The remote access server accepts dial-up connections.
• The remote access server forwards packets between remote access clients and the network to which the remote access server is attached.

Dial-Up Equipment and WAN Infrastructure
• Public Switched Telephone Network (PSTN)
• Digital links and V.90
• Integrated Services Digital Network (ISDN)
• X.25
• Asynchronous Transfer Mode (ATM) over Asymmetric Digital Subscriber Line (ADSL)

Remote Access Protocols
• Remote access protocols control the establishment of connections and the transmission of data over WAN links.
• Windows 2000 remote access supports three remote access protocols: PPP, SLIP (as a client only), and the Microsoft RAS protocol, also known as Asynchronous NetBEUI (AsyBEUI), which is used by older Microsoft remote access clients.

LAN Protocols
• LAN protocols are the protocols that remote access clients use to access resources on the network to which the remote access server is connected.
• Windows 2000 remote access supports TCP/IP, IPX, AppleTalk, and NetBEUI.
Secure User Authentication
• Secure user authentication is obtained through the encrypted exchange of user credentials.
• Secure authentication is possible through PPP with one of the supported authentication protocols that does not send the password in the clear (CHAP, MS-CHAP, MS-CHAP v2, or EAP-TLS); PAP sends the password in clear text and should be left disabled.

Mutual Authentication
• Mutual authentication is obtained by authenticating both ends of the connection through the encrypted exchange of credentials; in Windows 2000 this requires MS-CHAP v2 or EAP-TLS, since the older protocols authenticate the client only.
• A remote access server can be configured not to request authentication from the remote access client at all; this setting accepts any caller and should not be used.

Data Encryption
• Data encryption protects the data sent between the remote access client and the remote access server.
• Data encryption on a remote access connection is based on a secret encryption key known to both the remote access server and the remote access client, derived during the authentication exchange.
• Data encryption is possible over dial-up remote access links when using PPP with EAP-TLS, MS-CHAP, or MS-CHAP v2, because only these authentication methods produce the keying material that MPPE needs.
• Microsoft Windows 2000, Windows NT 4.0, Windows 98, and Windows 95 remote access clients and remote access servers support Microsoft Point-to-Point Encryption (MPPE).

Callback
• The remote access server calls the remote access client back after the user's credentials have been verified.
• Callback can be configured on the server to call the remote access client back at a number specified by the user of the remote access client ("Set by Caller"); this shifts telephone costs to the server but adds no security, since the caller chooses the number.
• Callback can be configured to always call back the remote access client at a specific number, which ties the user's access to that telephone line.

Caller ID
• Caller ID can be used to verify that the incoming call is coming from a specified phone number.
• Caller ID requires that the caller's telephone line, the phone system, the remote access server's telephone line, and the Windows 2000 driver for the dial-up equipment all support caller ID.

Remote Access Account Lockout
• The remote access account lockout feature specifies how many times a remote access authentication can fail against a valid user account before access is denied.
• The feature does not distinguish malicious attempts from authentic users, so anyone who knows a valid user name can deliberately lock that user out by failing authentication repeatedly.
• An administrator must decide on two remote access account lockout variables: the maximum number of failed attempts before lockout, and the time after which the failed-attempts counter is reset.
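The lockout behaviour and its failure mode, as an added worked example that is not part of the original course material. The model below represents the two administrator-chosen variables (maximum denials and counter reset time, which on Windows 2000 correspond to the MaxDenials and ResetTime (mins) registry values under HKLM\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout on the authenticating computer) and plays through the denial-of-service scenario the text warns about: an attacker who knows only the user name locks the legitimate user out. That the counter window starts at the first failed attempt, and that a successful logon clears it, are modelled assumptions; the account name is a constructed example.

```python
import time

# Registry values the two "lockout variables" correspond to on Windows 2000 (set on the
# authenticating computer: the RRAS server for Windows authentication, the IAS server for RADIUS):
#   HKLM\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout
#     MaxDenials        failed attempts before lockout; 0 disables the feature
#     ResetTime (mins)  minutes after which the failed-attempts counter is cleared (default 2880)
# The per-user counter is kept under the same key as "DOMAIN:user"; deleting that value unlocks
# the user early. Starting the window at the first failure is this model's assumption.


class RemoteAccessLockout:
    def __init__(self, max_denials=0, reset_time_min=2880, clock=time.time):
        self.max_denials = max_denials
        self.reset_time_s = reset_time_min * 60
        self.clock = clock                  # injectable so the reset window can be simulated
        self._failures = {}                 # "DOMAIN:user" -> [count, first_failure_time]

    def _expire_old_counter(self, key, now):
        entry = self._failures.get(key)
        if entry and now - entry[1] >= self.reset_time_s:
            del self._failures[key]

    def is_locked_out(self, key):
        self._expire_old_counter(key, self.clock())
        entry = self._failures.get(key)
        return bool(self.max_denials) and entry is not None and entry[0] >= self.max_denials

    def authenticate(self, key, password_ok):
        """Returns 'locked-out', 'accepted' or 'rejected'. A locked-out account is refused
        even when the supplied password is correct: that is the denial-of-service lever."""
        now = self.clock()
        if self.is_locked_out(key):
            return "locked-out"
        if password_ok:
            self._failures.pop(key, None)   # modelled: a successful logon clears the counter
            return "accepted"
        if self.max_denials:
            entry = self._failures.setdefault(key, [0, now])
            entry[0] += 1
        return "rejected"

    def admin_reset(self, key):
        """Equivalent to deleting the DOMAIN:user value under the AccountLockout key."""
        self._failures.pop(key, None)


def lockout_denial_of_service(max_denials=5, reset_time_min=2880):
    """Scenario: an attacker who knows only the user name sends max_denials bad passwords.
    Returns (attacker_results, legitimate_result_during_lockout, result_after_reset_window)."""
    clock = [0.0]
    guard = RemoteAccessLockout(max_denials, reset_time_min, clock=lambda: clock[0])
    victim = "CORP:alice"                     # constructed example account
    attacker = [guard.authenticate(victim, password_ok=False) for _ in range(max_denials)]
    during = guard.authenticate(victim, password_ok=True)     # correct password, still refused
    clock[0] += reset_time_min * 60           # wait out ResetTime
    after = guard.authenticate(victim, password_ok=True)
    return attacker, during, after


if __name__ == "__main__":
    print(lockout_denial_of_service())   # (['rejected', ...], 'locked-out', 'accepted')
```

With the default reset time of 48 hours, a handful of bad attempts per user per day is enough to keep every known account locked indefinitely, so the two variables are a trade-off between password guessing and availability; a short reset time with a moderate denial count, plus monitoring of the authentication log for repeated failures, is usually the better balance than a large count with a long reset.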
Managing Users
• Set up a master account database in the Active Directory store or on a RADIUS server.
• A master account database allows the remote access server to forward authentication credentials to a central authenticating device instead of keeping separate local accounts on each server.

Managing Addresses
• For PPP connections, IP, IPX, and AppleTalk addressing information must be allocated to remote access clients when the connection is established.
• The remote access server must be configured to allocate IP addresses, IPX network and node addresses, or AppleTalk network and node addresses.

Overview of Access Management
• Remote access connections are accepted based on the dial-in properties of a user account and the remote access policies.
• Different remote access conditions can be applied to different remote access clients, or to the same remote access client, based on the parameters of the connection attempt.
• Multiple remote access policies can be used to meet various conditions.
• RRAS and IAS use remote access policies to determine whether to accept or reject connection attempts.

Access by User Account

Access by Policy

Accepting a Connection Attempt
• When a user attempts a connection, the attempt is accepted or rejected according to a fixed logic: the policies are evaluated in order and the first policy whose conditions match the attempt is used; the account's dial-in permission (Allow access, Deny access, or Control access through Remote Access Policy) is then combined with that policy's permission; and finally the constraints of the policy profile must be met. If no policy exists, or none matches, the attempt is rejected.

Managing Account Lockout
• Account lockout is configured by changing registry settings on the authenticating computer.
• If the remote access server is configured for Windows authentication, modify the registry on the remote access server computer.
• If the remote access server is configured for RADIUS authentication and IAS is being used, modify the registry on the IAS server.

Managing Authentication
• Windows authentication
• RADIUS authentication
• Windows and RADIUS accounting

Overview of Virtual Private Networks (VPNs)
• VPNs allow remote users to connect securely to a remote corporate server by using the routing infrastructure provided by a public internetwork, such as the Internet.
• A VPN is a point-to-point connection between the user's computer and a corporate server.
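The connection-acceptance logic (account dial-in properties combined with ordered remote access policies and their profiles), as an added worked example; this is a model written for this page, not code from the course or from RRAS/IAS. It follows the Windows 2000 evaluation order: first matching policy wins, the account's dial-in permission is consulted next (an explicit Allow or Deny on the account overrides the policy's own Grant/Deny permission; only "Control access through Remote Access Policy" defers to it), and the matched policy's profile is enforced last. Policy names, groups, attribute names, and accounts are constructed examples; the "matches every attempt" catch-all policy stands in for the built-in default policy, which matches with a day-and-time condition covering all hours.

```python
from dataclasses import dataclass, field

# Dial-in permission on the user account (Dial-in tab of the account properties).
ALLOW, DENY, CONTROL_BY_POLICY = "Allow access", "Deny access", "Control access through Remote Access Policy"


@dataclass
class RemoteAccessPolicy:
    name: str
    conditions: dict                               # attribute -> set of values that match
    grant: bool                                    # policy permission: Grant (True) or Deny (False)
    profile: dict = field(default_factory=dict)    # attribute -> set of values the profile allows


@dataclass
class UserAccount:
    name: str
    dial_in: str
    groups: frozenset = frozenset()


def _matches(fact, values):
    if isinstance(fact, frozenset):                # Windows-Groups condition: any listed group
        return bool(fact & values)
    return fact in values


def evaluate(attempt, account, policies):
    """Windows 2000 RRAS/IAS order: first matching policy, then the account's dial-in
    permission (combined with the policy's permission only when the account defers to
    policy), then the profile constraints. Returns (accepted, reason)."""
    if not policies:
        return False, "no remote access policies exist; all attempts are rejected"
    facts = dict(attempt, windows_groups=account.groups)
    for policy in policies:
        if not all(_matches(facts.get(attr), values) for attr, values in policy.conditions.items()):
            continue                                   # conditions are ANDed; try the next policy
        if account.dial_in == DENY:
            return False, f"{policy.name}: account dial-in permission is Deny"
        if account.dial_in == CONTROL_BY_POLICY and not policy.grant:
            return False, f"{policy.name}: policy permission is Deny"
        for attr, allowed in policy.profile.items():   # reached with account Allow, or policy Grant
            if facts.get(attr) not in allowed:
                return False, f"{policy.name}: profile requires {attr} in {sorted(allowed)}"
        return True, f"{policy.name}: accepted"
    return False, "no policy matched the connection attempt"


# Constructed example policies, in evaluation order.
POLICIES = [
    RemoteAccessPolicy(
        name="VPN staff",
        conditions={"nas_port_type": {"Virtual (VPN)"}, "windows_groups": {"VPN-Users"}},
        grant=True,
        profile={"auth": {"MS-CHAP v2", "EAP-TLS"}, "encryption": {"Strongest"}},
    ),
    RemoteAccessPolicy(
        name="Dial-up staff",
        conditions={"nas_port_type": {"Async (Modem)", "ISDN Sync"}, "windows_groups": {"Dial-Users"}},
        grant=True,
        profile={"auth": {"MS-CHAP v2", "EAP-TLS"}},
    ),
    # Catch-all with Deny permission; modelled as matching every attempt.
    RemoteAccessPolicy(name="Deny everyone else", conditions={}, grant=False),
]


def demo():
    alice = UserAccount("alice", CONTROL_BY_POLICY, frozenset({"VPN-Users"}))
    bob = UserAccount("bob", DENY, frozenset({"VPN-Users"}))
    carol = UserAccount("carol", ALLOW, frozenset())        # explicit Allow, in no group
    vpn_ok = {"nas_port_type": "Virtual (VPN)", "auth": "MS-CHAP v2", "encryption": "Strongest"}
    vpn_weak = {"nas_port_type": "Virtual (VPN)", "auth": "MS-CHAP", "encryption": "Basic"}
    return {
        "alice-vpn": evaluate(vpn_ok, alice, POLICIES),      # accepted by "VPN staff"
        "alice-weak": evaluate(vpn_weak, alice, POLICIES),   # rejected by the profile
        "bob-vpn": evaluate(vpn_ok, bob, POLICIES),          # account Deny wins
        "carol-vpn": evaluate(vpn_ok, carol, POLICIES),      # account Allow overrides the catch-all Deny
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

The carol case is the one to check in a real deployment: a user account set to "Allow access" gets in through a policy whose permission is Deny, subject only to that policy's profile, so a catch-all deny policy does not protect against accounts whose dial-in property was set to Allow instead of deferring to policy.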
• A VPN allows a corporation to connect with its branch offices or with other companies over a public internetwork.
• The secure connection across the internetwork appears to the user as a virtual network interface.

Connecting Networks over the Internet
• Dedicated lines
• Dial-up lines

Connecting Computers over an Intranet
• VPNs allow a department's LAN to be physically connected to the corporate internetwork but separated from it by a VPN server.
• The VPN server does not act as a router between the corporate internetwork and the department LAN; only users who establish an authenticated VPN connection to the server can reach the department LAN.

Overview of Tunneling
• Tunneling is a method of using an internetwork infrastructure to transfer a payload.
• Instead of sending the frame as produced by the originating node, the frame is encapsulated with an additional header that provides routing information across the transit internetwork.
• The process of encapsulation and transmission of packets is known as tunneling.
• The logical path through which the encapsulated packets travel across the transit internetwork is called a tunnel.

Tunnel Maintenance and Data Transfer
• Tunnel maintenance protocol
• Tunnel data transfer protocol

Tunnel Types
• Voluntary tunnels
• Compulsory tunnels

PPTP

L2TP

PPTP vs. L2TP
• PPTP requires that the transit internetwork be an IP internetwork. L2TP requires only that the tunnel media provide packet-oriented point-to-point connectivity.
• When header compression is enabled, L2TP operates with 4 bytes of overhead, compared to 6 bytes for PPTP.
• L2TP provides tunnel authentication, while PPTP does not; when either protocol is run over IPSec, IPSec provides the tunnel authentication.
• PPTP uses PPP encryption (MPPE); L2TP does not and relies on IPSec for encryption.

IPSec
• Overview of IPSec
• ESP tunnel mode vs. ESP transport mode
• IPSec ESP tunnel mode packet structure

IP-IP
• IP-IP is a simple OSI layer 3 tunneling technique.
• The primary use of IP-IP is tunneling multicast traffic across sections of a network that do not support multicast routing.
• A virtual network is created by encapsulating an IP packet with an additional IP header; the IP payload includes everything above IP.
• IP-IP provides no authentication or encryption of its own, so tunnel endpoints should accept encapsulated packets only from the configured peer and should not be exposed to untrusted networks without IPSec.
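IP-IP encapsulation and decapsulation, as an added worked example (written for this page, not from the course or from the Windows 2000 router). It builds a multicast datagram, wraps it in an outer unicast IPv4 header with protocol number 4 so it can cross a path with no multicast routing, then unwraps it at the far tunnel endpoint while validating the header checksum, the protocol field, and that the packet came from the configured peer, which is the only check plain IP-IP affords. All addresses and the payload are constructed examples.

```python
import ipaddress
import struct

IPPROTO_IPIP = 4     # "IP in IP" protocol number (RFC 2003)
IPPROTO_UDP = 17


def ip_checksum(header):
    """RFC 791 one's-complement checksum over the IPv4 header bytes."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload, ttl=64, ident=0):
    """Minimal IPv4 packet (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt):
    """Validate version, IHL, total length and checksum; return header fields and payload."""
    if len(pkt) < 20:
        raise ValueError("shorter than an IPv4 header")
    version, ihl = pkt[0] >> 4, (pkt[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if total_len < ihl or total_len > len(pkt):
        raise ValueError("bad Total Length")
    if ip_checksum(pkt[:ihl]) != 0:            # a valid header sums to zero with its checksum in place
        raise ValueError("header checksum mismatch")
    return {
        "src": str(ipaddress.IPv4Address(pkt[12:16])),
        "dst": str(ipaddress.IPv4Address(pkt[16:20])),
        "proto": pkt[9],
        "ttl": pkt[8],
        "payload": pkt[ihl:total_len],
    }


def encapsulate(inner_packet, tunnel_src, tunnel_dst):
    """Tunnel entry: the whole inner IP packet becomes the payload of a new unicast IP header."""
    return build_ipv4(tunnel_src, tunnel_dst, IPPROTO_IPIP, inner_packet)


def decapsulate(outer_packet, expected_peer):
    """Tunnel exit: strip the outer header after checking it really is IP-IP from the
    configured peer. IP-IP has no authentication, so this source check is all there is."""
    outer = parse_ipv4(outer_packet)
    if outer["proto"] != IPPROTO_IPIP:
        raise ValueError("outer protocol is not IP-IP")
    if outer["src"] != expected_peer:
        raise ValueError("encapsulated packet not from the configured tunnel peer")
    return parse_ipv4(outer["payload"])


def multicast_over_unicast_demo():
    """A multicast datagram (239.1.2.3) carried between two routers (198.51.100.1 -> 203.0.113.1)
    across a path that has no multicast routing. All addresses are constructed examples."""
    udp_like = b"\x00\x00\x00\x00" + b"multicast payload"   # constructed opaque transport payload
    inner = build_ipv4("10.0.0.5", "239.1.2.3", IPPROTO_UDP, udp_like, ttl=32)
    outer = encapsulate(inner, "198.51.100.1", "203.0.113.1")
    recovered = decapsulate(outer, expected_peer="198.51.100.1")
    return {
        "overhead_bytes": len(outer) - len(inner),   # one extra IPv4 header: 20 bytes
        "inner_dst": recovered["dst"],
        "inner_proto": recovered["proto"],
        "inner_ttl": recovered["ttl"],
        "inner_intact": outer[20:] == inner,
    }


if __name__ == "__main__":
    print(multicast_over_unicast_demo())
```

Because the inner packet is carried verbatim, anything that can reach the tunnel endpoint with a spoofed outer source address can inject packets into the "virtual network"; in practice that means filtering protocol 4 at the perimeter and, where the transit network is untrusted, carrying the tunnel inside IPSec as the PPTP vs. L2TP comparison above implies.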
Managing Users
• A master account database is usually set up on a domain controller or on a RADIUS server.
• The same user account is used for both dial-up remote access and VPN remote access.

Managing Addresses and Name Servers
• The VPN server must have IP addresses available to assign to its own virtual interface and to VPN clients.
• By default, the IP addresses assigned to VPN clients are obtained through DHCP.

Managing Access
• Configure the properties on the Dial-in tab of the users' properties and modify remote access policy as necessary.

Managing Authentication
• The VPN server can be configured to use either Windows or RADIUS authentication.
• If Windows is selected, the user credentials are authenticated by using Windows authentication and remote access policy.
• If RADIUS is selected, the user credentials and connection parameters are sent as a series of RADIUS request messages to the RADIUS server.

Troubleshooting
• Connection attempt is rejected when it should be accepted.
• Connection attempt is accepted when it should be rejected.
• Unable to reach locations beyond the VPN server.
• Unable to establish a tunnel.

Routing and Remote Access Snap-In

Net Shell Command-Line Utility
• The Net Shell (netsh) utility includes a number of options.
• Netsh has two command modes: online, in which commands take effect immediately, and offline, in which commands are collected and applied together with the commit command.
• Commands can be either global or context specific. Global commands can be issued in any context and are used for general netsh functions; context-specific commands apply to one component, such as the ras or routing context.
• Commands can be abbreviated to the shortest unambiguous string.
• To create a script of the current configuration, type the global dump command and redirect its output to a file.
• You can run a script either by using the -f option on the command line or by typing the exec global command while in the Net Shell command window.

Authentication and Accounting Logging
• RRAS supports logging of authentication and accounting information for PPP-based connection attempts when Windows authentication or Windows accounting is enabled.
• The authentication and accounting information is stored in a configurable log file or files.
• You can configure the type of activity to log and the log file settings.

Event Logging
• The Windows 2000 router performs extensive error logging in the system event log.
• Four levels of logging are available: log errors only, log errors and warnings, log the maximum amount of information, and disable event logging.
• The level of event logging can be set from various places within the Routing and Remote Access snap-in.
• Logging at the maximum level consumes system resources and should be used sparingly, only for the duration of a troubleshooting session.
• If an OSPF router is unable to establish an adjacency on an interface, follow the specific OSPF adjacency troubleshooting steps.

Tracing
• RRAS has an extensive tracing capability that you can use to troubleshoot complex network problems.
• Tracing records internal component variables, function calls, and interactions.
• You can enable tracing for each routing protocol by setting the appropriate registry values.
• Tracing consumes system resources and should be used sparingly.
• To enable file tracing for a component, set the specific values within the registry for that component (the per-component subkeys under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing, where EnableFileTracing turns file tracing on).