Overview of Routing and Remote Access Service (RRAS)
Transcript of Overview of Routing and Remote Access Service (RRAS)
![Page 1: Overview of Routing and Remote Access Service (RRAS)](https://reader036.fdocuments.us/reader036/viewer/2022070403/568139f3550346895da1aca0/html5/thumbnails/1.jpg)
Overview of Routing and Remote Access Service (RRAS)
• When RRAS was implemented in Microsoft Windows NT 4.0, it added support for a number of features.
• Microsoft Windows 2000 builds on RRAS in Windows NT 4.0 and adds a number of new features.
• RRAS is fully integrated with Windows 2000 Server.
• RRAS is extensible with application programming interfaces (APIs) that third-party developers can use to create custom networking solutions and that vendors can use to participate in internetworking.
• The combined features of Windows 2000 RRAS allow a Windows 2000 Server computer to function as a multiprotocol router, a demand-dial router, and a remote access server.
![Page 2: Overview of Routing and Remote Access Service (RRAS)](https://reader036.fdocuments.us/reader036/viewer/2022070403/568139f3550346895da1aca0/html5/thumbnails/2.jpg)
Combining Routing and Remote Access Service
• Routing services and remote access services have been combined because of Point-to-Point Protocol (PPP), which is the protocol suite that is commonly used to negotiate point-to-point connections.
• Demand-dial routing connections also use PPP to provide the same kinds of services as remote access connections.
• The PPP infrastructure of Windows 2000 Server supports several types of access.
![Page 3: Overview of Routing and Remote Access Service (RRAS)](https://reader036.fdocuments.us/reader036/viewer/2022070403/568139f3550346895da1aca0/html5/thumbnails/3.jpg)
Installation and Configuration
![Page 4: Overview of Routing and Remote Access Service (RRAS)](https://reader036.fdocuments.us/reader036/viewer/2022070403/568139f3550346895da1aca0/html5/thumbnails/4.jpg)
Disabling Routing and Remote Access Service
• You can use the Routing and Remote Access snap-in to disable RRAS.
• You can refresh the RRAS configuration by first disabling the service and then enabling it.
![Page 5: Overview of Routing and Remote Access Service (RRAS)](https://reader036.fdocuments.us/reader036/viewer/2022070403/568139f3550346895da1aca0/html5/thumbnails/5.jpg)
Authentication and Authorization
![Page 6: Overview of Routing and Remote Access Service (RRAS)](https://reader036.fdocuments.us/reader036/viewer/2022070403/568139f3550346895da1aca0/html5/thumbnails/6.jpg)
IPX Support
• The Windows 2000 Server router is a fully functional IPX router.
• Routing and Remote Access Service includes a number of features to support IPX routing.
![Page 7: Overview of Routing and Remote Access Service (RRAS)](https://reader036.fdocuments.us/reader036/viewer/2022070403/568139f3550346895da1aca0/html5/thumbnails/7.jpg)
AppleTalk
• Windows 2000 RRAS can operate as an AppleTalk router by forwarding AppleTalk packets and supporting the use of RTMP.
• Most large AppleTalk networks are AppleTalk internets that are connected by routers.
• A Windows 2000–based server can provide routing and seed routing support.
![Page 8: Overview of Routing and Remote Access Service (RRAS)](https://reader036.fdocuments.us/reader036/viewer/2022070403/568139f3550346895da1aca0/html5/thumbnails/8.jpg)
Demand-Dial Routing
• Windows 2000 provides support for demand-dial routing.
• IP and IPX can be forwarded over demand-dial interfaces over persistent or on-demand wide area network (WAN) links.
![Page 9: Overview of Routing and Remote Access Service (RRAS)](https://reader036.fdocuments.us/reader036/viewer/2022070403/568139f3550346895da1aca0/html5/thumbnails/9.jpg)
Remote Access
• RRAS enables a computer to be a remote access server.
• RRAS accepts remote access connections from remote access clients that use traditional dial-up technologies.
![Page 10: Overview of Routing and Remote Access Service (RRAS)](https://reader036.fdocuments.us/reader036/viewer/2022070403/568139f3550346895da1aca0/html5/thumbnails/10.jpg)
VPN Server
• RRAS enables a computer to be a virtual private network (VPN) server.
• RRAS supports Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP) over IP Security (IPSec).
![Page 11: Overview of Routing and Remote Access Service (RRAS)](https://reader036.fdocuments.us/reader036/viewer/2022070403/568139f3550346895da1aca0/html5/thumbnails/11.jpg)
RADIUS Client-Server
• Internet Authentication Service (IAS) is the Microsoft implementation of a Remote Authentication Dial-In User Service (RADIUS) server.
• RADIUS is a client-server protocol that enables RADIUS clients to submit authentication and accounting requests.
• The RADIUS server has access to user account information and can check remote access authentication credentials.
• RADIUS supports remote access user authentication and authorization and allows accounting data to be maintained in a central location.
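Added example, not taken from the slide deck: a Python model of the RADIUS client-server exchange in the bullets above, following the RFC 2865 packet layout. The client hides the User-Password under the shared secret and later checks the server's Response Authenticator, so a reply that was not produced with the same secret is rejected. The shared secret, user name and fixed authenticator in the sample are constructed values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def attr(atype, value):
    """Encode one attribute as Type(1) Length(1) Value (RFC 2865 section 5)."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def hide_password(password, secret, request_auth):
    """User-Password hiding: pad to 16-byte blocks and XOR each block with an
    MD5 keystream chained from the shared secret and the Request Authenticator."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden, secret, request_auth):
    """Server-side inverse of hide_password (needs the same shared secret)."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, secret, request_auth=None):
    """Build an Access-Request; returns (packet, request_authenticator).
    The client must keep the authenticator to validate the server's reply."""
    ra = request_auth or os.urandom(16)
    attrs = attr(ATTR_USER_NAME, username)
    attrs += attr(ATTR_USER_PASSWORD, hide_password(password, secret, ra))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + ra + attrs, ra


def build_reply(code, ident, request_auth, secret, attrs=b""):
    """What a RADIUS server sends back; the Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + auth + attrs


def reply_is_authentic(packet, ident, request_auth, secret):
    """Client-side check: trust a reply only if its identifier matches the
    outstanding request and its Response Authenticator verifies under the secret."""
    if len(packet) < 20:
        return False
    _, reply_ident, length = struct.unpack("!BBH", packet[:4])
    if reply_ident != ident or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])
```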
![Page 12: Overview of Routing and Remote Access Service (RRAS)](https://reader036.fdocuments.us/reader036/viewer/2022070403/568139f3550346895da1aca0/html5/thumbnails/12.jpg)
API Support for Third-Party Components
• RRAS has fully published API sets for unicast and multicast routing protocol and administration utility support.
• Developers can write additional routing protocols and interfaces directly into RRAS architecture.
![Page 13: Overview of Routing and Remote Access Service (RRAS)](https://reader036.fdocuments.us/reader036/viewer/2022070403/568139f3550346895da1aca0/html5/thumbnails/13.jpg)
Overview of Remote Access
• Remote access clients are either connected to only the remote access server’s resources, or they are connected to the RAS server’s resources and beyond.
• A Windows 2000 remote access server provides two remote access connection methods.
![Page 14: Overview of Routing and Remote Access Service (RRAS)](https://reader036.fdocuments.us/reader036/viewer/2022070403/568139f3550346895da1aca0/html5/thumbnails/14.jpg)
Dial-Up Remote Access Connections
![Page 15: Overview of Routing and Remote Access Service (RRAS)](https://reader036.fdocuments.us/reader036/viewer/2022070403/568139f3550346895da1aca0/html5/thumbnails/15.jpg)
Remote Access Client
• A number of remote access clients can connect to a Windows 2000 remote access server.
• Almost any third-party PPP remote access client can connect to a Windows 2000 remote access server.
• The Microsoft remote access client can dial into a Serial Line Interface Protocol (SLIP) server.
![Page 16: Overview of Routing and Remote Access Service (RRAS)](https://reader036.fdocuments.us/reader036/viewer/2022070403/568139f3550346895da1aca0/html5/thumbnails/16.jpg)
Remote Access Service Server
• The remote access server accepts dial-up connections.
• The remote access server forwards packets between remote access clients and the network to which the remote access server is attached.
![Page 17: Overview of Routing and Remote Access Service (RRAS)](https://reader036.fdocuments.us/reader036/viewer/2022070403/568139f3550346895da1aca0/html5/thumbnails/17.jpg)
Dial-Up Equipment and WAN Infrastructure
• Public Switched Telephone Network (PSTN)
• Digital links and V.90
• Integrated Services Digital Network (ISDN)
• X.25
• ATM over ADSL
![Page 18: Overview of Routing and Remote Access Service (RRAS)](https://reader036.fdocuments.us/reader036/viewer/2022070403/568139f3550346895da1aca0/html5/thumbnails/18.jpg)
Public Switched Telephone Network (PSTN)
![Page 19: Overview of Routing and Remote Access Service (RRAS)](https://reader036.fdocuments.us/reader036/viewer/2022070403/568139f3550346895da1aca0/html5/thumbnails/19.jpg)
Digital Links and V.90
![Page 20: Overview of Routing and Remote Access Service (RRAS)](https://reader036.fdocuments.us/reader036/viewer/2022070403/568139f3550346895da1aca0/html5/thumbnails/20.jpg)
Asynchronous Transfer Mode (ATM) over Asymmetric Digital Subscriber Line (ADSL)
![Page 21: Overview of Routing and Remote Access Service (RRAS)](https://reader036.fdocuments.us/reader036/viewer/2022070403/568139f3550346895da1aca0/html5/thumbnails/21.jpg)
Remote Access Protocols
• Remote access protocols control the establishment of connections and the transmission of data over WAN links.
• Windows 2000 remote access supports three types of remote access protocols: PPP, SLIP, and AsyBEUI.
![Page 22: Overview of Routing and Remote Access Service (RRAS)](https://reader036.fdocuments.us/reader036/viewer/2022070403/568139f3550346895da1aca0/html5/thumbnails/22.jpg)
LAN Protocols
• LAN protocols are the protocols used by remote access clients to access resources on the network connected to the RAS server.
• Windows 2000 remote access supports TCP/IP, IPX, AppleTalk, and NetBEUI.
![Page 23: Overview of Routing and Remote Access Service (RRAS)](https://reader036.fdocuments.us/reader036/viewer/2022070403/568139f3550346895da1aca0/html5/thumbnails/23.jpg)
Secure User Authentication
• Secure user authentication is obtained through the encrypted exchange of user credentials.
• Secure authentication is possible through the use of PPP and one of the supported authentication protocols.
![Page 24: Overview of Routing and Remote Access Service (RRAS)](https://reader036.fdocuments.us/reader036/viewer/2022070403/568139f3550346895da1aca0/html5/thumbnails/24.jpg)
Mutual Authentication
• Mutual authentication is obtained by authenticating both ends of the connection through the encrypted exchange of user credentials.
• It is possible for a RAS server not to request authentication from the remote access client.
![Page 25: Overview of Routing and Remote Access Service (RRAS)](https://reader036.fdocuments.us/reader036/viewer/2022070403/568139f3550346895da1aca0/html5/thumbnails/25.jpg)
Data Encryption
• Data encryption encrypts the data sent between the remote access client and the RAS server.
• Data encryption on a remote access connection is based on a secret encryption key known to the RAS server and remote access client.
• Data encryption is possible over dial-up remote access links when using PPP along with EAP-TLS or MS-CHAP.
• Microsoft Windows 2000, Windows NT 4.0, Windows 98, and Windows 95 remote access clients and remote access servers support Microsoft Point-to-Point Encryption (MPPE).
![Page 26: Overview of Routing and Remote Access Service (RRAS)](https://reader036.fdocuments.us/reader036/viewer/2022070403/568139f3550346895da1aca0/html5/thumbnails/26.jpg)
Callback
• The RAS server calls the remote access client after the user credentials have been verified.
• Callback can be configured on the server to call the remote access client back at a number specified by the user of the remote access client.
• Callback can be configured to always call back the remote access client at a specific number.
![Page 27: Overview of Routing and Remote Access Service (RRAS)](https://reader036.fdocuments.us/reader036/viewer/2022070403/568139f3550346895da1aca0/html5/thumbnails/27.jpg)
Caller ID
• Caller ID can be used to verify that the incoming call is coming from a specified phone number.
• Caller ID requires that the caller’s telephone line, phone system, RAS server’s telephone line, and the Windows 2000 driver for the dial-up equipment support caller ID.
![Page 28: Overview of Routing and Remote Access Service (RRAS)](https://reader036.fdocuments.us/reader036/viewer/2022070403/568139f3550346895da1aca0/html5/thumbnails/28.jpg)
Remote Access Account Lockout
• The remote access account lockout feature is used to specify how many times a remote access authentication can fail against a valid user account before access is denied.
• The feature does not distinguish malicious attempts from authentic users.
• An administrator must decide on two remote access account lockout variables.
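Added example, not part of the slide deck: a simplified Python model of the lockout feature described above, built around the two variables the administrator chooses (failures tolerated, minutes until the count clears). It shows the point the second bullet makes: once an account is locked, the correct password is refused as well, whoever is supplying it. Account names and times are constructed; the real feature's timer behaviour is only approximated here.

```python
from dataclasses import dataclass, field


@dataclass
class RemoteAccessLockout:
    """Simplified model of remote access account lockout. Times are minutes
    as plain integers; the real service resets its counter on a timer, which
    is approximated here by a window that starts at the first failure."""
    max_denials: int     # failed attempts allowed before access is denied; 0 disables
    reset_minutes: int   # the failure count is cleared once this interval has elapsed
    failures: dict = field(default_factory=dict)  # account -> (count, window_start)

    def failure_count(self, account, now):
        """Current failure count for an account, clearing it if the interval elapsed."""
        entry = self.failures.get(account)
        if entry is None:
            return 0
        count, started = entry
        if now - started >= self.reset_minutes:
            del self.failures[account]   # interval elapsed: counter resets
            return 0
        return count

    def attempt(self, account, password_ok, now):
        """Outcome of one authentication against a valid account:
        'accepted', 'rejected' (bad credentials) or 'locked-out'."""
        if self.max_denials and self.failure_count(account, now) >= self.max_denials:
            # Locked: the right password is refused too; the feature cannot tell
            # the account owner from whoever caused the earlier failures.
            return "locked-out"
        if password_ok:
            self.failures.pop(account, None)
            return "accepted"
        count, started = self.failures.get(account, (0, now))
        self.failures[account] = (count + 1, started)
        return "rejected"
```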
![Page 29: Overview of Routing and Remote Access Service (RRAS)](https://reader036.fdocuments.us/reader036/viewer/2022070403/568139f3550346895da1aca0/html5/thumbnails/29.jpg)
Managing Users
• Set up a master account database in the Active Directory store or on a RADIUS server.
• A master account database allows the RAS server to send the authentication credentials to a central authenticating device.
![Page 30: Overview of Routing and Remote Access Service (RRAS)](https://reader036.fdocuments.us/reader036/viewer/2022070403/568139f3550346895da1aca0/html5/thumbnails/30.jpg)
Managing Addresses
• For PPP connections, IP, IPX, and AppleTalk addressing information must be allocated to remote access clients during the establishment of the connection.
• The RAS server must be configured to allocate IP addresses, IPX network and node addresses, or AppleTalk network and node addresses.
![Page 31: Overview of Routing and Remote Access Service (RRAS)](https://reader036.fdocuments.us/reader036/viewer/2022070403/568139f3550346895da1aca0/html5/thumbnails/31.jpg)
Overview of Access Management
• Remote access connections are accepted based on the dial-in properties of a user account and the remote access policies.
• Different remote access conditions can be applied to different remote access clients or to the same remote access client based on the parameters of the connection attempt.
• Multiple remote access policies can be used to meet various conditions.
• RRAS and IAS use remote access policies to determine whether to accept or reject connection attempts.
![Page 32: Overview of Routing and Remote Access Service (RRAS)](https://reader036.fdocuments.us/reader036/viewer/2022070403/568139f3550346895da1aca0/html5/thumbnails/32.jpg)
Access by User Account
![Page 33: Overview of Routing and Remote Access Service (RRAS)](https://reader036.fdocuments.us/reader036/viewer/2022070403/568139f3550346895da1aca0/html5/thumbnails/33.jpg)
Access by Policy
![Page 34: Overview of Routing and Remote Access Service (RRAS)](https://reader036.fdocuments.us/reader036/viewer/2022070403/568139f3550346895da1aca0/html5/thumbnails/34.jpg)
Accepting a Connection Attempt
When a user attempts a connection, the connection attempt is accepted or rejected based on a specific logic.
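Added example, not part of the slide deck: a Python model of the accept/reject decision that "Overview of Access Management" and this slide describe, combining the account's dial-in property with an ordered list of remote access policies. It assumes the Windows 2000 evaluation order as documented elsewhere: the first policy whose conditions all match decides; an account set to Allow or Deny overrides the policy's permission while "control access through remote access policy" defers to it; the matched policy's profile constraints are enforced in every case. The policy set, groups and attempt parameters are constructed.

```python
from dataclasses import dataclass, field

# Dial-in property of the user account.
ALLOW, DENY, BY_POLICY = "allow", "deny", "control-by-policy"


@dataclass
class Attempt:
    """Parameters of one connection attempt as seen by the RAS server."""
    user: str
    groups: set          # Windows groups the user belongs to
    port_type: str       # "dialup" or "vpn" (constructed values)
    auth_protocol: str   # e.g. "MS-CHAPv2", "EAP-TLS", "PAP"
    hour: int            # local hour of the attempt, 0-23


@dataclass
class Policy:
    name: str
    conditions: dict     # attribute -> set of acceptable values; all must match
    grant: bool          # the policy's remote access permission
    profile: dict = field(default_factory=dict)  # constraints enforced after permission


def matches(constraints, attempt):
    """Every constraint must hold. A set-valued attribute (groups) matches when
    any member is acceptable; a scalar attribute must be in the acceptable set."""
    for key, acceptable in constraints.items():
        value = getattr(attempt, key)
        if isinstance(value, set):
            if not value & acceptable:
                return False
        elif value not in acceptable:
            return False
    return True


def decide(attempt, dial_in, policies):
    """Returns (accepted, reason). Policies are evaluated in order and the first
    one whose conditions match decides; with no match the attempt is rejected."""
    if not policies:
        return False, "no remote access policies configured"
    policy = next((p for p in policies if matches(p.conditions, attempt)), None)
    if policy is None:
        return False, "no policy matches the connection attempt"
    if dial_in == DENY:
        return False, "dial-in property of the account denies access"
    if dial_in == BY_POLICY and not policy.grant:
        return False, f"policy '{policy.name}' denies remote access permission"
    if not matches(policy.profile, attempt):
        return False, f"attempt does not satisfy the profile of '{policy.name}'"
    return True, f"accepted by policy '{policy.name}'"


# Constructed sample policy set: order matters, and the last one catches everything.
POLICIES = [
    Policy("VPN for employees", {"port_type": {"vpn"}, "groups": {"Employees"}}, True,
           profile={"auth_protocol": {"MS-CHAPv2", "EAP-TLS"}}),
    Policy("Dial-up for admins", {"port_type": {"dialup"}, "groups": {"Admins"}}, True,
           profile={"hour": set(range(8, 18))}),
    Policy("Default deny", {}, False),
]
```

Note that an account set to Allow still has to satisfy the matched policy's profile, which is why the catch-all deny policy carries no profile constraints in the sample.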
![Page 35: Overview of Routing and Remote Access Service (RRAS)](https://reader036.fdocuments.us/reader036/viewer/2022070403/568139f3550346895da1aca0/html5/thumbnails/35.jpg)
Managing Account Lockout
• Changing settings in the registry on the authenticating computer configures the account lockout feature.
• If the RAS server is configured for Windows authentication, modify the registry on the RAS server computer.
• If the RAS server is configured for RADIUS authentication and IAS is being used, modify the registry on the IAS server.
![Page 36: Overview of Routing and Remote Access Service (RRAS)](https://reader036.fdocuments.us/reader036/viewer/2022070403/568139f3550346895da1aca0/html5/thumbnails/36.jpg)
Managing Authentication
• Windows authentication
• RADIUS authentication
• Windows and RADIUS accounting
![Page 37: Overview of Routing and Remote Access Service (RRAS)](https://reader036.fdocuments.us/reader036/viewer/2022070403/568139f3550346895da1aca0/html5/thumbnails/37.jpg)
Overview of Virtual Private Networks (VPNs)
• VPNs allow remote users to connect securely to a remote corporate server by using the routing infrastructure provided by a public internetwork, such as the Internet.
• VPN is a point-to-point connection between the user’s computer and a corporate server.
• VPN allows a corporation to connect with its branch offices or with other companies over a public internetwork.
• The secure connection across the internetwork appears to the user as a virtual network interface.
![Page 38: Overview of Routing and Remote Access Service (RRAS)](https://reader036.fdocuments.us/reader036/viewer/2022070403/568139f3550346895da1aca0/html5/thumbnails/38.jpg)
Connecting Networks over the Internet
• Dedicated lines
• Dial-up lines
![Page 39: Overview of Routing and Remote Access Service (RRAS)](https://reader036.fdocuments.us/reader036/viewer/2022070403/568139f3550346895da1aca0/html5/thumbnails/39.jpg)
Connecting Computers over an Intranet
• VPNs allow a department’s LAN to be physically connected to the corporate internetwork but separated by a VPN server.
• The VPN server is not acting as a router between the corporate internetwork and the department LAN.
![Page 40: Overview of Routing and Remote Access Service (RRAS)](https://reader036.fdocuments.us/reader036/viewer/2022070403/568139f3550346895da1aca0/html5/thumbnails/40.jpg)
Overview of Tunneling
• Tunneling is a method of using an internetwork infrastructure to transfer a payload.
• Instead of sending the frame as produced by the originating node, the frame is encapsulated with an additional header, which provides routing information.
• The process of encapsulation and transmission of packets is known as tunneling.
• The logical path through which the encapsulated packets travel the transit internetwork is called a tunnel.
![Page 41: Overview of Routing and Remote Access Service (RRAS)](https://reader036.fdocuments.us/reader036/viewer/2022070403/568139f3550346895da1aca0/html5/thumbnails/41.jpg)
Tunnel Maintenance and Data Transfer
• Tunnel maintenance protocol
• Tunnel data transfer protocol
![Page 42: Overview of Routing and Remote Access Service (RRAS)](https://reader036.fdocuments.us/reader036/viewer/2022070403/568139f3550346895da1aca0/html5/thumbnails/42.jpg)
Tunnel Types
• Voluntary tunnels
• Compulsory tunnels
![Page 43: Overview of Routing and Remote Access Service (RRAS)](https://reader036.fdocuments.us/reader036/viewer/2022070403/568139f3550346895da1aca0/html5/thumbnails/43.jpg)
PPTP
![Page 44: Overview of Routing and Remote Access Service (RRAS)](https://reader036.fdocuments.us/reader036/viewer/2022070403/568139f3550346895da1aca0/html5/thumbnails/44.jpg)
L2TP
![Page 45: Overview of Routing and Remote Access Service (RRAS)](https://reader036.fdocuments.us/reader036/viewer/2022070403/568139f3550346895da1aca0/html5/thumbnails/45.jpg)
PPTP vs. L2TP
• PPTP requires that the transit internetwork be an IP internetwork. L2TP requires only that the tunnel media provide packet-oriented point-to-point connectivity.
• When header compression is enabled, L2TP operates with 4 bytes of overhead, compared to 6 bytes for PPTP.
• L2TP provides tunnel authentication, while PPTP does not.
• PPTP uses PPP encryption and L2TP does not.
![Page 46: Overview of Routing and Remote Access Service (RRAS)](https://reader036.fdocuments.us/reader036/viewer/2022070403/568139f3550346895da1aca0/html5/thumbnails/46.jpg)
IPSec
• Overview of IPSec
• ESP tunnel mode vs. ESP transport mode
• IPSec ESP tunnel mode packet structure
![Page 47: Overview of Routing and Remote Access Service (RRAS)](https://reader036.fdocuments.us/reader036/viewer/2022070403/568139f3550346895da1aca0/html5/thumbnails/47.jpg)
IP-IP
• IP-IP is a simple OSI layer 3 tunneling technique.
• A virtual network is created by encapsulating an IP packet with an additional IP header.
• The primary use of IP-IP is for tunneling multicast traffic over sections of a network that do not support multicast routing.
• The IP payload includes everything above IP.
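Added example, not part of the slide deck: a Python implementation of the IP-IP encapsulation described above, prepending an outer IPv4 header with protocol number 4 (the IANA "IP in IP" value, RFC 2003) around a complete inner packet, and the receiving endpoint's decapsulation, which validates both headers and only accepts packets from the configured tunnel peer. Addresses and the multicast payload are constructed; the payload bytes stand in for "everything above IP" and are not parsed.

```python
import socket
import struct

IPPROTO_IPIP = 4   # protocol number for "IP in IP" encapsulation (RFC 2003)
IPPROTO_UDP = 17
IPV4_HDR = "!BBHHHBBH4s4s"   # 20-byte header without options


def checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words; a valid header sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64, ident=0):
    """Build a minimal IPv4 header (version 4, IHL 5) with a correct checksum."""
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + payload_len, ident, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def encapsulate(inner_packet, tunnel_src, tunnel_dst):
    """IP-IP: the whole original packet becomes the payload of a new IP header
    addressed to the far tunnel endpoint, with protocol 4 marking the contents."""
    return ipv4_header(tunnel_src, tunnel_dst, IPPROTO_IPIP, len(inner_packet)) + inner_packet


def parse_ipv4(packet):
    """Validate and split one IPv4 packet; raises ValueError on anything malformed."""
    if len(packet) < 20:
        raise ValueError("truncated header")
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(IPV4_HDR, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or ihl > total_len or total_len > len(packet):
        raise ValueError("bad version or length fields")
    if checksum(packet[:ihl]) != 0:
        raise ValueError("header checksum mismatch")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "ttl": ttl, "payload": packet[ihl:total_len]}


def decapsulate(outer_packet, expected_peer):
    """Tunnel endpoint side: accept only protocol-4 packets from the configured
    peer, then validate the inner header before handing the packet to routing."""
    outer = parse_ipv4(outer_packet)
    if outer["proto"] != IPPROTO_IPIP:
        raise ValueError("not an IP-IP packet")
    if outer["src"] != expected_peer:
        raise ValueError("outer source is not the configured tunnel peer")
    return parse_ipv4(outer["payload"])


# Constructed sample: a multicast datagram from 10.0.0.5, carried across a
# unicast-only segment between tunnel endpoints 192.0.2.1 and 198.51.100.1.
SAMPLE_PAYLOAD = b"constructed multicast datagram payload"
INNER = ipv4_header("10.0.0.5", "224.1.1.1", IPPROTO_UDP, len(SAMPLE_PAYLOAD)) + SAMPLE_PAYLOAD
OUTER = encapsulate(INNER, "192.0.2.1", "198.51.100.1")
```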
![Page 48: Overview of Routing and Remote Access Service (RRAS)](https://reader036.fdocuments.us/reader036/viewer/2022070403/568139f3550346895da1aca0/html5/thumbnails/48.jpg)
Managing Users
• A master account database is usually set up on a domain controller or on a RADIUS server.
• The same user account is used for both dial-in remote access and VPN remote access.
![Page 49: Overview of Routing and Remote Access Service (RRAS)](https://reader036.fdocuments.us/reader036/viewer/2022070403/568139f3550346895da1aca0/html5/thumbnails/49.jpg)
Managing Addresses and Name Servers
• The VPN server must have IP addresses available in order to assign them to the VPN server’s virtual interface and to VPN clients.
• By default, the IP addresses assigned to VPN clients are obtained through DHCP.
![Page 50: Overview of Routing and Remote Access Service (RRAS)](https://reader036.fdocuments.us/reader036/viewer/2022070403/568139f3550346895da1aca0/html5/thumbnails/50.jpg)
Managing Access
Configure the properties on the Dial-In tab of the users’ properties and modify remote access policy as necessary.
![Page 51: Overview of Routing and Remote Access Service (RRAS)](https://reader036.fdocuments.us/reader036/viewer/2022070403/568139f3550346895da1aca0/html5/thumbnails/51.jpg)
Managing Authentication
• The VPN server can be configured to use either Windows or RADIUS authentication.
• If Windows is selected, the user credentials are authenticated by using Windows authentication and remote access policy.
• If RADIUS is selected, user credentials and parameters are sent as a series of RADIUS request messages to the RADIUS server.
![Page 52: Overview of Routing and Remote Access Service (RRAS)](https://reader036.fdocuments.us/reader036/viewer/2022070403/568139f3550346895da1aca0/html5/thumbnails/52.jpg)
Troubleshooting
• Connection attempt is rejected when it should be accepted.
• Connection attempt is accepted when it should be rejected.
• Unable to reach locations beyond the VPN server.
• Unable to establish a tunnel.
![Page 53: Overview of Routing and Remote Access Service (RRAS)](https://reader036.fdocuments.us/reader036/viewer/2022070403/568139f3550346895da1aca0/html5/thumbnails/53.jpg)
Routing and Remote Access Snap-In
![Page 54: Overview of Routing and Remote Access Service (RRAS)](https://reader036.fdocuments.us/reader036/viewer/2022070403/568139f3550346895da1aca0/html5/thumbnails/54.jpg)
Net Shell Command-Line Utility
• The Net Shell utility includes a number of options.
• Commands can be abbreviated to the shortest unambiguous string.
• Commands can be either global or context specific.
• Global commands can be issued in any context and are used for general netsh functions.
• Netsh has two command modes.
• You can run a script either by using the -f option or by typing the exec global command while in the Net Shell command window.
• To create a script of the current configuration, type the global dump command.
• The Net Shell command includes context-specific commands.
![Page 55: Overview of Routing and Remote Access Service (RRAS)](https://reader036.fdocuments.us/reader036/viewer/2022070403/568139f3550346895da1aca0/html5/thumbnails/55.jpg)
Authentication and Accounting Logging
• RRAS supports the logging of authentication and accounting information for PPP-based connection attempts when Windows authentication or accounting is enabled.
• The authentication and accounting information is stored in a configurable log file or files.
• You can configure the type of activity to log and log file settings.
![Page 56: Overview of Routing and Remote Access Service (RRAS)](https://reader036.fdocuments.us/reader036/viewer/2022070403/568139f3550346895da1aca0/html5/thumbnails/56.jpg)
Event Logging
• The Windows 2000 Router performs extensive error logging in the system event log.
• Four levels of logging are available.
• Take specific steps if an OSPF router is unable to establish an adjacency on an interface.
• The level of event logging can be set from various places with the Routing and Remote Access snap-in.
• Logging consumes system resources and should be used sparingly.