PowerPoint Slideshow about 'Chapter 10' - Gabriel


70-291: MCSE Guide to Managing a Microsoft Windows Server 2003 Network, Enhanced
Chapter 10: Remote Access


Objectives

  • Describe the purpose and features of Windows Server 2003 remote access capabilities

  • Enable and configure Routing and Remote Access Service as a dial-up server

  • Enable and configure Routing and Remote Access Service as a VPN

  • Configure a remote access server

  • Allow remote clients access to network resources

  • Create and configure remote access policies

  • Troubleshoot remote access

Guide to MCSE 70-291, Enhanced


Remote Access Overview

  • Allows mobile users to access resources on the internal network, including files, printers, databases, and e-mail

  • Windows Server 2003 has the ability to be a remote access server

Dial-up Remote Access

  • Oldest type of remote access

  • Allows two computers to connect and transfer information using modems and a phone line

  • The V.90 standard allows uploads at 33.6 Kbps, while V.92 allows uploads at 48 Kbps

  • Main advantage is availability

  • Main drawback is speed

VPN Remote Access

  • Uses a public network to transmit private information

  • Encryption is used

  • The public network most commonly used is the Internet

  • VPN is limited to the speed of the network access method

  • Advantage: high speed and reduced maintenance

  • Drawback: security risk presented by allowing access to network resources from the Internet

Enabling and Configuring a Dial-up Server

  • Windows Server 2003 uses Routing and Remote Access Service to act as a dial-up server

  • A modem must be installed

  • Windows Server 2003 attempts to find a modem through Plug and Play by default

  • A modem can be manually configured

Activity 10-1: Installing a Modem

  • Objective: Install a modem on your server

  • Use the Phone and Modem Options utility under Control Panel

  • You are only simulating the installation of a modem here

Enabling RRAS for Dial-up Connections

  • Management of RRAS is done with the Routing and Remote Access snap-in

  • A red arrow indicates that RRAS is not started

  • Routing and Remote Access Wizard is used to enable and configure RRAS for the first time

  • A green arrow indicates RRAS is started

Activity 10-2: Enabling RRAS as a Dial-up Server

  • Objective: Configure RRAS on your server to act as a remote access server

  • Use Routing and Remote Access utility

  • Right-click your server and choose the configuration option

  • Proceed as the wizard instructs

Dial-up Protocols

  • LAN protocols supported by RRAS for dial-up networking are: TCP/IP, IPX/SPX, and AppleTalk

  • Remote access protocols supported by RRAS for dial-up networking are: PPP and SLIP

  • The same protocols required by LAN clients are also required by dial-up clients

  • Remote access protocols are only for dial-up and not VPN connections

  • PPP has a number of advantages over SLIP including the ability to automatically configure IP information

Dial-up Protocols (continued)

  • PPP has several options that can be enabled to enhance performance:

    • Multilink Connections

    • Dynamic Bandwidth

    • LCP Extensions

    • Software Compression

Activity 10-3: Creating a Dial-up Connection

  • Objective: Configure your server with a dial-up connection

  • Start the New Connection Wizard

  • Configure a SLIP: Unix Connection

Enabling and Configuring a VPN Server

  • Windows Server 2003 uses RRAS as a VPN server

  • All connectivity is accomplished through a regular network card

  • Enabling VPN is accomplished using the Routing and Remote Access Server Setup Wizard

  • Enabling packet filters should only be chosen if the server has multiple network cards with the filtered card connected to the Internet and the unfiltered cards connected to VPN traffic

Activity 10-4: Enabling RRAS as a VPN Server

  • Objective: Enable RRAS as a VPN server

  • Ensure your IP address is x.0.0.1, where x is your student number, and the subnet mask is 255.0.0.0

  • Choose Disable Routing and Remote Access

  • Choose Configure and Enable Remote Access

  • Select VPN in the resulting wizard and proceed as instructed

VPN Protocols

  • PPTP and L2TP are supported for VPN connections by Windows Server 2003

  • By default, 128 PPTP ports and 128 L2TP ports are provided

  • You can increase the number of ports, or disable a protocol by setting its number of ports to zero

  • PPTP is the most popular and widely supported protocol, and can function through NAT

  • L2TP cannot provide a VPN connection alone

Activity 10-5: Modifying the Default Number of VPN Ports

  • Objective: Reduce the number of PPTP and L2TP ports to 10 each

  • Use Routing and Remote Access Utility

  • Set maximum ports for WAN miniport (PPTP) to ten

  • Set maximum ports for WAN miniport (L2TP) to ten

Configuring Remote Access Servers

  • Default configuration is generally sufficient for day-to-day operations

  • Can specify whether or not the server is a remote access server

  • Can control authentication and logging

  • Can specify whether or not the server is a router for IP, and if it allows IP-based remote access connections

  • Can enable broadcast name resolution

Authentication Methods

  • Windows Server 2003 can use a number of different authentication methods:

    • No Authentication

    • Password Authentication Protocol

    • Shiva Password Authentication Protocol

    • Challenge Handshake Authentication Protocol

    • Microsoft Challenge Handshake Authentication Protocol

    • Microsoft Challenge Handshake Authentication Protocol version 2

    • Extensible Authentication Protocol

IP Address Management

  • When dial-up and VPN clients connect to Windows Server 2003, they are assigned an IP address

  • Options for DNS and WINS server are taken from the configuration of a specified interface on the remote access server

  • Windows 2000 and newer clients can send a DHCPINFORM packet after a remote access connection has been established

Allowing Client Access

  • When remote access is first configured on Windows Server 2003, none of the users are granted remote access permission

  • A user's remote access permission is controlled by the user object

    • If RRAS does not participate in Active Directory, the user object is stored in the local user account database

    • If RRAS belongs to an Active Directory domain, the user object is stored in the Active Directory database located on the domain controller

Activity 10-6: Allowing a User Remote Access Permission

  • Objective: Create a new user and allow it remote access permission

  • Use the Computer Management tool

  • Add a new user

  • Allow the newly created user dial-in access

Creating a VPN Client Connection

  • VPN clients are usually configured on client operating systems such as Windows XP

  • Windows Server 2003 can be configured as a VPN client

  • VPN connections are created using the New Connection Wizard

Activity 10-7: Creating a Client VPN Connection

  • Objective: Create a client VPN connection and then test it

  • Use the New Connection Wizard

  • Select Virtual Private Network Connection

  • Allow all users to use this connection

  • Enter proper user name and password as instructed

Configuring a VPN Client Connection

  • Most configuration is done with the New Connection Wizard

  • You can:

    • Configure the IP address of the VPN server to which you are connecting

    • Configure whether or not an initial connection is created

    • Configure dialing and redialing options

    • Specify if password and data encryption are required

    • Configure the network configuration for VPN connection

    • Configure an Internet connection firewall and Internet connection sharing

Remote Access Policies

  • Critical in controlling and allowing remote access

  • How the policies are applied depends on whether the domain is in mixed or native mode

  • Policies applied to a user may vary depending on the machine the user is connecting to

  • To use remote access, you must understand:

    • Remote access policy components

    • Remote access policy evaluation

    • Default remote access policies

Remote Access Policy Components

  • Composed of conditions, remote access permissions, and a profile

  • Conditions are criteria that must be met in order for remote access policy to apply to a connection

  • Remote access permission set in a remote access policy has only two options: Deny or Grant remote access permission

  • The profile contains settings that are applied to a remote access connection if the conditions have been matched and permission has been allowed

Activity 10-8: Creating a Remote Access Policy

  • Objective: Create a new remote access policy on your server

  • Use the Computer Management utility

  • Add a new group

  • Start the New Remote Access Policy Wizard

  • Follow the instructions of the wizard

Remote Access Policy Evaluation

  • Evaluation of conditions follows the same process for mixed mode and native mode domains

  • After a condition match has been found, the permissions of the user attempting the connection must be evaluated

  • Even if remote access permission is granted, it does not guarantee that a remote connection will be successful as some profile settings may interfere

Activity 10-9: Testing Remote Policy Evaluation

  • Objective: Verify the process by which remote access permission is granted

  • Partner A tasks:

    • Verify that the existing VPN is functional

    • Verify the policy application

  • Partner B tasks:

    • Create a new low security policy and place it first in order

    • Verify remote access permission

    • Set the Ignore-User-Dialin-Properties attribute to true

    • Delete the LowSecurity remote access policy
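
The evaluation order described under Remote Access Policy Evaluation and exercised in Activity 10-9, as an added example that is not part of the original presentation: a simplified Python model that follows Microsoft's documented evaluation flow. The policy name Strict, the condition values and the profile authentication lists are constructed for illustration.

```python
from dataclasses import dataclass

# Dial-in permission on the user object. BY_POLICY ("Control access through
# Remote Access Policy") is only offered in a native mode domain.
ALLOW, DENY, BY_POLICY = "allow", "deny", "control-through-policy"

@dataclass
class Policy:
    name: str
    conditions: dict      # attribute -> set of accepted values; all must match
    grant: bool           # policy permission: Grant (True) or Deny (False)
    profile_auth: set     # profile setting: authentication methods accepted
    ignore_user_dialin: bool = False  # Ignore-User-Dialin-Properties

def matches(policy, attempt):
    """A policy applies only if every one of its conditions is met."""
    return all(attempt.get(attr) in accepted
               for attr, accepted in policy.conditions.items())

def evaluate(policies, user_dialin, attempt):
    """Return (accepted, policy_name, reason) for one connection attempt."""
    # Policies are checked in order; only the first match is used.
    policy = next((p for p in policies if matches(p, attempt)), None)
    if policy is None:
        return (False, None, "no policy conditions matched")
    use_user_setting = not policy.ignore_user_dialin
    if use_user_setting and user_dialin == DENY:
        return (False, policy.name, "user dial-in permission is Deny")
    # The policy's Grant/Deny decides unless the user object says Allow.
    if not (use_user_setting and user_dialin == ALLOW) and not policy.grant:
        return (False, policy.name, "policy permission is Deny")
    # Permission is granted, but the profile can still reject the connection.
    if attempt.get("auth") not in policy.profile_auth:
        return (False, policy.name, "profile rejects authentication method")
    return (True, policy.name, "accepted")

# Constructed sample data: "Strict" and all values below are hypothetical.
VPN = {"NAS-Port-Type": {"Virtual (VPN)"}}
STRICT = Policy("Strict", VPN, grant=False, profile_auth={"MS-CHAP v2", "EAP"})
LOW_SECURITY = Policy("LowSecurity", VPN, grant=True,
                      profile_auth={"PAP", "MS-CHAP v2"}, ignore_user_dialin=True)

def attempt(auth, port="Virtual (VPN)"):
    return {"NAS-Port-Type": port, "auth": auth}

if __name__ == "__main__":
    cases = [([STRICT], ALLOW, "MS-CHAP v2"), ([STRICT], ALLOW, "PAP"),
             ([STRICT], BY_POLICY, "MS-CHAP v2"),
             ([LOW_SECURITY, STRICT], DENY, "PAP")]
    for order, dialin, auth in cases:
        print([p.name for p in order], dialin, auth,
              evaluate(order, dialin, attempt(auth)))
```

With LowSecurity first and Ignore-User-Dialin-Properties set, a user whose account says Deny is still accepted, which is why policy order belongs in any review of a remote access server.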

Default Remote Access Policies

  • Default policies are created to make managing remote access easier

  • They reduce the amount of configuration required to have a functional remote access server

  • First default policy listed is named Connections to Microsoft Routing and Remote Access Server

  • Second default policy is named Connections to other access servers

Troubleshooting Remote Access

  • Providing remote access is very complex

  • Most problems are due to software configuration errors introduced by users and administrators

  • Best troubleshooting tools include:

    • Log files

    • Error messages

    • Network Monitor

    • Ipconfig

  • Hardware errors can also cause problems

Software Configuration Errors

  • The following are common software configuration errors:

    • Incorrect phone numbers and IP addresses

    • Incorrect authentication settings

    • Incorrectly configured remote access policies

    • Name resolution is not configured

    • Clients receive incorrect IP options

  • The fact that the remote access server leases 10 IP addresses from DHCP at startup is NOT an error

Hardware Errors

  • The following are common hardware troubleshooting tips:

    • Ensure hardware is on the Microsoft hardware compatibility list

    • Use ping to determine if the address is reachable

    • See if you can dial in to a different remote access server

    • Ensure there is a link light on the network card

Logging

  • Can be configured in many places

  • Check event log if RRAS is unable to start or is not performing as expected

  • Can configure detailed connection logs

Activity 10-10: Modem Logging

  • Objective: Enable modem logging

  • Enable the Record a Log option under the modem properties

Troubleshooting Tools

  • Ping utility is used to determine if a host is reachable

  • Ipconfig utility is used to confirm that the correct IP settings are being delivered to the remote access client

  • Network Monitor can be used to perform packet captures, which may provide further clues as to the cause of an error

Summary

  • RRAS in Windows Server 2003 can be configured as a remote access server for dial-up and VPN

  • RRAS supports several LAN protocols

  • A VPN server is easier to maintain than a dial-up server

  • VPN connections can use PPTP or L2TP/IPSec

  • L2TP does not perform encryption; IPSec is used to perform encryption

Summary (continued)

  • Many authentication methods are supported by RRAS

  • Windows 2000 and newer remote access clients can receive IP configuration options from a DHCP server rather than the interface of a remote access server

  • In a mixed mode Active Directory domain, remote access permission is controlled using the properties of the user object in Active Directory

  • Remote access policies are composed of conditions, remote access permissions, and a profile

Summary (continued)

  • The most common problem with remote access connections is improper software configuration

  • A variety of logs can be configured to help you troubleshoot remote access problems

  • The most common troubleshooting tools for remote access are ipconfig, ping, and Network Monitor
