Routing and Remote Access Services - PowerPoint PPT Presentation
PowerPoint Slideshow about 'Routing and Remote Access Services' - naeva

Presentation Transcript

Chapter 10

Routing and Remote Access Services

Overview of Routing and Remote Access Service (RRAS)
  • RRAS is fully integrated with Windows 2000 Server.
  • RRAS is extensible with application programming interfaces (APIs) that third-party developers can use to create custom networking solutions and that vendors can use to participate in internetworking.
  • The combined features of Windows 2000 RRAS allow a Windows 2000 Server computer to function as a multiprotocol router, a demand-dial router, and a remote access server.
Combining Routing and Remote Access Service
  • Routing services and remote access services have been combined because both rely on the Point-to-Point Protocol (PPP)
    • Used to negotiate point-to-point connections.
    • Used by Demand-dial routing connections
  • The PPP infrastructure of Windows 2000 Server supports several types of access.
    • Dial Up
    • VPN
    • On-demand or persistent dial-up/VPN demand-dial routing
Installation and Configuration
  • Enable
  • Disable
  • Refresh
  • netsh
  • Private Addresses
    • 10.0.0.0 – 10.255.255.255
    • 172.16.0.0 – 172.31.255.255
    • 192.168.0.0 – 192.168.255.255
Authentication and Authorization
  • Authentication – you are who you say you are
  • Authorization – verification of permission to make connection
  • Windows authentication
  • RADIUS server
    • Windows 2000 IAS
Unicast IP – Routing Support
  • Windows 2000 provides extensive support for unicast IP routing.
  • In unicasting, two computers establish a two-way, point-to-point connection.
  • Routing and Remote Access Service includes a number of features to support unicast IP routing.
Multicast IP Support
  • Windows 2000 supports the sending, receiving, and forwarding of IP multicast traffic.
  • Multicast traffic is sent to a single host but is processed by multiple hosts that listen for this type of traffic.
  • Routing and Remote Access Service includes a number of features to support multicast IP routing.
Other Features of (R)RAS
  • NAT
    • Network Address Translation
    • Internet Connection Sharing – an alternative
  • DHCP Relay
    • DHCP server can exist on another network
  • IP Packet Filtering
    • Source/destination IP Address
    • TCP/UDP port number
    • IP protocol codes
  • ICMP route discovery
    • Periodically advertise and respond to host router solicitations
  • Static Routing
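The IP packet filtering bullets above list the three things a RRAS filter can match on (source/destination address, TCP/UDP port, IP protocol code), and the private address ranges from the installation slide are exactly what an Internet-facing filter should never see as a source. The following is an added example, not code from the slides or from Microsoft: a small first-match, default-deny filter evaluator in Python whose rule set is a hypothetical one for the external interface of a VPN server at the documentation address 203.0.113.5. The protocol numbers (6 TCP, 17 UDP, 47 GRE, 50 ESP) and ports (TCP 1723 for PPTP control, UDP 500 for IKE) are standard assignments, not values from the slides; the sample packets are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# The three RFC 1918 private ranges listed on the installation slide.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr: str) -> bool:
    """True if addr falls in one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


@dataclass
class Packet:
    src: str
    dst: str
    proto: int                    # IP protocol code: 6 = TCP, 17 = UDP, 47 = GRE, 50 = ESP
    dport: Optional[int] = None   # destination port, only meaningful for TCP/UDP


@dataclass
class Rule:
    action: str                   # "permit" or "deny"
    src: Optional[str] = None     # CIDR, or None for any source
    dst: Optional[str] = None     # CIDR, or None for any destination
    proto: Optional[int] = None   # IP protocol code, or None for any
    dport: Optional[int] = None   # TCP/UDP destination port, or None for any

    def matches(self, p: Packet) -> bool:
        if self.src is not None and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst is not None and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        return True


def evaluate(rules: List[Rule], p: Packet) -> str:
    """First matching rule decides; a packet no rule matches is dropped (default deny)."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"


# Hypothetical inbound rule set for the Internet-facing interface of a VPN server
# at 203.0.113.5 (a documentation address, constructed for this example).
VPN_SERVER = "203.0.113.5/32"
INBOUND_RULES = [Rule("deny", src=str(net)) for net in PRIVATE_NETS] + [
    # Anti-spoofing above: nothing arriving from the Internet may claim a private source.
    Rule("permit", dst=VPN_SERVER, proto=6, dport=1723),   # PPTP tunnel maintenance (TCP 1723)
    Rule("permit", dst=VPN_SERVER, proto=47),              # PPTP data transfer (GRE)
    Rule("permit", dst=VPN_SERVER, proto=17, dport=500),   # IKE for L2TP/IPSec (UDP 500)
    Rule("permit", dst=VPN_SERVER, proto=50),              # IPSec ESP
]

# Constructed sample packets.
SAMPLES = {
    "spoofed_private_src": Packet("10.1.2.3", "203.0.113.5", 47),
    "pptp_control":        Packet("198.51.100.7", "203.0.113.5", 6, 1723),
    "pptp_gre":            Packet("198.51.100.7", "203.0.113.5", 47),
    "telnet_attempt":      Packet("198.51.100.7", "203.0.113.5", 6, 23),
}


def classify_samples() -> dict:
    """Run every sample packet through the inbound rule set."""
    return {name: evaluate(INBOUND_RULES, p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:22} -> {verdict}")
```

The ordering matters: the anti-spoofing deny rules sit before the permits, so a GRE packet that would otherwise be allowed is still dropped when it carries a private source address, and anything not explicitly permitted (here, a Telnet attempt) falls through to the default deny.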
Demand-Dial Routing
  • Windows 2000 provides support for demand-dial routing.
  • IP and IPX can be forwarded over demand-dial interfaces over persistent or on-demand wide area network (WAN) links.
Remote Access
  • RRAS enables a computer to be a remote access server.
  • RRAS accepts remote access connections from remote access clients that use traditional dial-up technologies.
    • Access to resources on RRAS server
    • Access to LAN resources
VPN Server
  • RRAS enables a computer to be a virtual private network (VPN) server.
  • RRAS supports
    • Point-to-Point Tunneling Protocol (PPTP)
    • Layer 2 Tunneling Protocol (L2TP)
    • IP Security (IPSec).
RADIUS Client-Server
  • Internet Authentication Service (IAS) is the Microsoft implementation of a Remote Authentication Dial-In User Service (RADIUS) server.
  • RADIUS is a client-server protocol that enables RADIUS clients to submit authentication and accounting requests.
  • The RADIUS server has access to user account information and can check remote access authentication credentials.
  • RADIUS supports remote access user authentication and authorization and allows accounting data to be maintained in a central location.
  • Authentication is performed either through the RADIUS database or through a Domain Controller
SNMP MIB Support
  • RRAS provides Simple Network Management Protocol (SNMP) agent functionality with support for Internet MIB II.
  • Routing and Remote Access Service includes support for additional MIB enhancements beyond Internet MIB II.
  • MIB support is also provided for Windows 2000 functions, legacy LAN Manager MIB functions, and the WINS, DHCP, and IIS services.
Dial-Up Equipment and WAN Infrastructure
  • Public Switched Telephone Network (PSTN)
  • Digital links and V.90
  • Integrated Services Digital Network (ISDN)
  • X.25
  • ATM over ADSL
Remote Access Protocols
  • Remote access protocols control the establishment of connections and the transmission of data over WAN links.
  • Windows 2000 remote access supports three types of remote access protocols:
    • PPP
    • SLIP
    • AsyBEUI.
LAN Protocols
  • LAN protocols are the protocols used by remote access clients to access resources on the network connected to the RAS server.
  • Windows 2000 remote access supports
    • TCP/IP
    • IPX
    • AppleTalk
    • NetBEUI.
Secure User Authentication
  • Secure user authentication is obtained through the encrypted exchange of user credentials.
  • Secure authentication is possible through the use of PPP and one of the supported authentication protocols.
Mutual Authentication
  • Mutual authentication is obtained by authenticating both ends of the connection through the encrypted exchange of user credentials.
  • It is possible for a RAS server not to request authentication from the remote access client.
Data Encryption
  • Data encryption encrypts the data sent between the remote access client and the RAS server.
  • Data encryption on a remote access connection is based on a secret encryption key known to the RAS server and remote access client.
  • Data encryption is possible over dial-up remote access links when using PPP along with
    • EAP-TLS – Extensible Authentication Protocol – Transport Layer Security
    • MS-CHAP
    • Microsoft Point-to-Point Encryption (MPPE).
More Security Options
  • Callback
  • Caller ID
  • Remote Access Lockout
    • Number of Failed Attempts
    • How often to reset the Failed Attempts counter
Managing Addresses
  • For PPP connections, IP, IPX, and AppleTalk addressing information must be allocated to remote access clients while the connection is being established.
  • The RAS server must be configured to allocate IP addresses, IPX network and node addresses, or AppleTalk network and node addresses.
Overview of Access Management
  • Remote access connections are accepted based on the dial-in properties of a user account and the remote access policies.
  • Different remote access conditions can be applied to different remote access clients or to the same remote access client based on the parameters of the connection attempt.
  • Multiple remote access policies can be used to meet various conditions.
  • RRAS and IAS use remote access policies to determine whether to accept or reject connection attempts.
Access Management
  • Policy created in
    • RRAS if Windows authentication
    • IAS if RADIUS authentication
  • Policies Applied
    • Checked in order
    • If no policies exist, reject the connection
    • Check all policies until a match
  • User Account Permissions
    • Match up user account and profile properties
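The two access-management slides give an evaluation order (no policies means reject; policies are checked in order until one matches; no match means reject; then the account's dial-in permission and the matched policy's profile are applied). The following added example, which is not code from the slides or from RRAS/IAS, models that order in Python with constructed policies, accounts and connection attempts. One rule is an assumption stated in the code: an account whose dial-in property is "allow" bypasses the matched policy's own grant/deny setting but is still subject to the policy's profile, while "policy" (control access through remote access policy) defers to that setting and "deny" always rejects.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class ConnectionAttempt:
    user: str
    groups: Set[str]
    auth_protocol: str       # e.g. "MS-CHAP", "EAP-TLS", "PAP"
    port_type: str           # "VPN" or "Dial-up"
    hour: int                # local hour of the attempt (0-23)


@dataclass
class UserAccount:
    # Dial-in property of the account: "allow", "deny", or "policy"
    # (the last meaning "Control access through Remote Access Policy").
    dial_in: str


@dataclass
class RemoteAccessPolicy:
    name: str
    conditions: List[Callable[[ConnectionAttempt], bool]]   # all must hold for a match
    grant: bool                                             # the policy's own permission setting
    profile: Dict[str, object] = field(default_factory=dict)

    def matches(self, attempt: ConnectionAttempt) -> bool:
        return all(cond(attempt) for cond in self.conditions)


def evaluate(policies: List[RemoteAccessPolicy], account: UserAccount,
             attempt: ConnectionAttempt) -> Tuple[str, str]:
    """Return ("accept" | "reject", reason) following the order on the slides."""
    if not policies:
        return "reject", "no remote access policies defined"
    matched: Optional[RemoteAccessPolicy] = None
    for policy in policies:                      # checked in order, first match wins
        if policy.matches(attempt):
            matched = policy
            break
    if matched is None:
        return "reject", "no policy matched the connection attempt"
    # Account dial-in permission is applied next (assumed semantics, see lead-in).
    if account.dial_in == "deny":
        return "reject", f"account dial-in permission is deny (matched {matched.name})"
    if account.dial_in == "policy" and not matched.grant:
        return "reject", f"policy {matched.name} denies access"
    # Finally the matched policy's profile properties must be satisfied.
    allowed = matched.profile.get("auth_protocols")
    if allowed and attempt.auth_protocol not in allowed:
        return "reject", f"{attempt.auth_protocol} not permitted by profile of {matched.name}"
    return "accept", f"matched {matched.name}"


# Constructed policy set; the last policy has no conditions and therefore always matches.
POLICIES = [
    RemoteAccessPolicy("VPN-Employees",
                       [lambda a: a.port_type == "VPN", lambda a: "Employees" in a.groups],
                       grant=True, profile={"auth_protocols": {"MS-CHAP", "EAP-TLS"}}),
    RemoteAccessPolicy("Dialup-BusinessHours",
                       [lambda a: a.port_type == "Dial-up", lambda a: 8 <= a.hour < 18],
                       grant=True, profile={"auth_protocols": {"MS-CHAP"}}),
    RemoteAccessPolicy("Deny-Everything-Else", [], grant=False),
]


def run_scenarios() -> Dict[str, str]:
    """Constructed attempts covering each branch of the evaluation order."""
    emp = {"Employees"}
    cases = {
        "employee_vpn_mschap": (UserAccount("policy"), ConnectionAttempt("alice", emp, "MS-CHAP", "VPN", 10)),
        "contractor_vpn":      (UserAccount("policy"), ConnectionAttempt("bob", {"Contractors"}, "MS-CHAP", "VPN", 10)),
        "account_denied":      (UserAccount("deny"),   ConnectionAttempt("carol", emp, "MS-CHAP", "VPN", 10)),
        "employee_vpn_pap":    (UserAccount("policy"), ConnectionAttempt("dave", emp, "PAP", "VPN", 10)),
        "dialup_after_hours":  (UserAccount("policy"), ConnectionAttempt("erin", emp, "MS-CHAP", "Dial-up", 23)),
    }
    results = {name: evaluate(POLICIES, acct, att)[0] for name, (acct, att) in cases.items()}
    results["no_policies_at_all"] = evaluate([], UserAccount("allow"), cases["employee_vpn_mschap"][1])[0]
    return results


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:22} -> {verdict}")
```

The catch-all deny policy at the end is what makes "check all policies until a match" safe to reason about: without it an unmatched attempt is still rejected, but with it the rejection reason is explicit and the policy order is visible in the log rather than implied by an absence.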
Overview of Virtual Private Networks (VPNs)
  • VPNs allow remote users to connect securely to a remote corporate server by using the routing infrastructure provided by a public internetwork, such as the Internet.
  • VPN is a point-to-point connection between the user’s computer and a corporate server.
  • VPN allows a corporation to connect with its branch offices or with other companies over a public internetwork.
  • The secure connection across the internetwork appears to the user as a virtual network interface.
VPN

[Diagram: VPN Server – Dedicated Dial Up – Separate intranet using VPN Server]

Overview of Tunneling
  • Tunneling is a method of using an internetwork infrastructure to transfer a payload.
  • Instead of sending the frame as produced by the originating node, the frame is encapsulated with an additional header, which provides routing information.
  • The process of encapsulation and transmission of packets is known as tunneling.
  • The logical path through which the encapsulated packets travel the transit internetwork is called a tunnel.
Tunnel Maintenance and Data Transfer
  • Tunnel maintenance protocol
    • Manage the tunnel
    • When PPTP
      • Generic Routing Encapsulation (GRE) – data transfer
      • TCP – tunnel maintenance
    • When L2TP
      • UDP
  • Tunnel data transfer protocol
    • Client appends data transfer header to the payload
    • Server accepts the packet and strips off the header
Tunnel Types
  • Voluntary tunnels
    • Created and configured by the user at client end
  • Compulsory tunnels
    • Created automatically
      • Access Concentrator
    • Static Compulsory
      • Automatic
        • Dial-in access concentrator
        • Dedicated equipment
      • Manual (realm based)
        • User name determines the tunnel
    • Dynamic Compulsory
      • Choice of tunnel is made when the user connects to the access server
[Diagram: PPTP and L2TP packet structure]

PPTP vs. L2TP
  • PPTP requires that the transit internetwork be an IP internetwork. L2TP requires only that the tunnel media provide packet-oriented point-to-point connectivity.
  • PPTP transport: IP network
  • L2TP transport: IP, X.25, Frame Relay, or ATM
  • When header compression is enabled, L2TP operates with 4 bytes of overhead, compared to 6 bytes for PPTP.
  • L2TP provides tunnel authentication, while PPTP does not.
  • PPTP uses PPP encryption and L2TP uses IPsec
IPSec
  • Overview of IPSec
    • Layer 3
    • Supports encapsulation and encryption of IP datagrams
  • ESP (Encapsulating Security Payload) tunnel mode
    • Entire Payload encrypted
    • Encryption removed at VPN Server
  • ESP transport mode
    • Only layer 4 and above encrypted
    • Encryption removed at destination host
IPSec ESP Tunnel Packet
  • ESP trailer added to the IP datagram, then both are encrypted
  • Encapsulated with an ESP header and an ESP authentication trailer
  • Encapsulated with new IP header
    • Source and Destination address of tunnel endpoints
  • Data link encapsulation
IP-IP
  • IP in IP is a simple OSI layer 3 tunneling technique.
  • A virtual network is created by encapsulating an IP packet with an additional IP header.
  • The primary use of IP-IP is for tunneling multicast traffic over sections of a network that do not support multicast routing.
  • The IP payload includes everything above IP.
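The tunneling overview, the ESP tunnel packet slide and the IP-IP slide all describe the same idea: an inner IP datagram becomes the payload of an outer header whose addresses are the tunnel endpoints. The following added example (not code from the slides, from Windows 2000 or from any IPSec implementation) builds the layers in Python with byte-exact IPv4 headers: IP-IP wraps the datagram in a plain outer header with protocol 4, while ESP tunnel mode follows the five steps of the ESP slide (trailer, encrypt, ESP header, authentication trailer, new outer header) and the decapsulation side verifies the ICV before it looks at the ciphertext. Two things are stand-ins and are labelled as such in the code: the cipher is an HMAC-SHA256 counter-mode keystream rather than a standard ESP transform, and the keys, IV, SPI and addresses are constructed values (a real security association gets them from IKE).

```python
import hashlib
import hmac
import socket
import struct

PROTO_IPIP = 4    # IP-in-IP
PROTO_ESP = 50    # IPSec ESP
ICV_LEN = 12      # truncated ICV, the length used by the common HMAC-xxx-96 transforms


def ipv4_checksum(hdr: bytes) -> int:
    """Standard ones'-complement IPv4 header checksum; a valid header sums to 0."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack(f"!{len(hdr) // 2}H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with the checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def ipip_encapsulate(inner: bytes, tun_src: str, tun_dst: str) -> bytes:
    """IP-IP: the whole inner datagram is the payload of a new header carrying protocol 4."""
    return ipv4_header(tun_src, tun_dst, PROTO_IPIP, len(inner)) + inner


def keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """Stand-in for the ESP cipher: HMAC-SHA256 in counter mode. Not a standard ESP transform."""
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, iv + struct.pack("!I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def esp_tunnel_encapsulate(inner: bytes, spi: int, seq: int, enc_key: bytes, auth_key: bytes,
                           iv: bytes, tun_src: str, tun_dst: str) -> bytes:
    # 1. ESP trailer: padding to a 4-byte boundary, Pad Length, Next Header (4 = a whole IP datagram).
    pad_len = (-(len(inner) + 2)) % 4
    plaintext = inner + bytes(range(1, pad_len + 1)) + bytes([pad_len, PROTO_IPIP])
    # 2. Encrypt the datagram together with its trailer.
    ciphertext = xor_bytes(plaintext, keystream(enc_key, iv, len(plaintext)))
    # 3. ESP header (SPI, sequence number) and the IV go in front of the ciphertext.
    esp_body = struct.pack("!II", spi, seq) + iv + ciphertext
    # 4. ESP authentication trailer: ICV over everything from the ESP header onward.
    icv = hmac.new(auth_key, esp_body, hashlib.sha256).digest()[:ICV_LEN]
    # 5. New outer IP header whose source and destination are the tunnel endpoints.
    return ipv4_header(tun_src, tun_dst, PROTO_ESP, len(esp_body) + ICV_LEN) + esp_body + icv


def esp_tunnel_decapsulate(pkt: bytes, spi: int, enc_key: bytes, auth_key: bytes) -> bytes:
    """Reverse the steps at the VPN server; the ICV is checked before anything is decrypted."""
    if pkt[9] != PROTO_ESP:                       # protocol byte of the outer header
        raise ValueError("outer header does not carry ESP")
    esp_body, icv = pkt[20:-ICV_LEN], pkt[-ICV_LEN:]
    expected = hmac.new(auth_key, esp_body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP ICV mismatch: packet modified or wrong key")
    got_spi, _seq = struct.unpack("!II", esp_body[:8])
    if got_spi != spi:
        raise ValueError("unknown SPI")
    iv, ciphertext = esp_body[8:24], esp_body[24:]
    plaintext = xor_bytes(ciphertext, keystream(enc_key, iv, len(ciphertext)))
    pad_len, next_hdr = plaintext[-2], plaintext[-1]
    if next_hdr != PROTO_IPIP:
        raise ValueError("unexpected Next Header")
    return plaintext[:len(plaintext) - 2 - pad_len]


# Constructed keys and IV for the example only.
ENC_KEY, AUTH_KEY, IV = b"\x11" * 32, b"\x22" * 32, bytes(range(16))


def demo() -> dict:
    payload = b"ping-ish"                                   # constructed 8-byte payload
    inner = ipv4_header("192.168.1.10", "192.168.2.20", 1, len(payload)) + payload  # private LAN hosts
    ipip = ipip_encapsulate(inner, "203.0.113.5", "198.51.100.9")
    esp = esp_tunnel_encapsulate(inner, 0x1234, 1, ENC_KEY, AUTH_KEY, IV, "203.0.113.5", "198.51.100.9")
    return {"inner_len": len(inner), "ipip_len": len(ipip), "esp_len": len(esp),
            "ipip_exposes_inner": inner in ipip, "esp_exposes_inner": inner in esp,
            "roundtrip_ok": esp_tunnel_decapsulate(esp, 0x1234, ENC_KEY, AUTH_KEY) == inner}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` makes the slides' distinction concrete: the IP-IP packet still contains the inner datagram byte for byte (it is a routing trick, not a security mechanism), while in the ESP packet the inner datagram, including its private source and destination addresses, is no longer visible, and only the tunnel endpoints appear in the outer header.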
Managing Addresses and Name Servers
  • The VPN server must have IP addresses available in order to assign them to the VPN server’s virtual interface and to VPN clients.
  • By default, the IP addresses assigned to VPN clients are obtained through DHCP.
Net Shell Command-Line Utility
  • The Net Shell utility includes a number of options.
  • Commands can be abbreviated to the shortest unambiguous string.
  • Commands can be either global or context specific.
  • Global commands can be issued in any context and are used for general netsh functions.
  • Netsh has two command modes.
    • Online
    • Offline
  • You can run a script either by using the -f option or by typing the exec global command while in the Net Shell command window.
  • To create a script of the current configuration, type the global dump command.
  • The Net Shell command includes context-specific commands.
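The rule that commands "can be abbreviated to the shortest unambiguous string", together with the split between global and context-specific commands, is a small algorithm worth seeing. This added example (not code from the slides or from netsh itself) resolves abbreviated tokens in Python against a constructed command table: a handful of real netsh global commands (help, exec, exit, dump, online, offline, quit, set, show) plus a few commands for hypothetical `ras` and `interface` contexts. The tables are deliberately incomplete; they exist only to show how a prefix is accepted, rejected as ambiguous, or rejected as unknown.

```python
from typing import Dict, Iterable, List

# Constructed subset of netsh command names. Global commands are available in every context;
# a context adds its own commands on top. Real netsh has many more entries than listed here.
GLOBAL_COMMANDS = ["help", "exec", "exit", "dump", "online", "offline", "quit", "set", "show"]
CONTEXT_COMMANDS: Dict[str, List[str]] = {
    "ras": ["add", "delete", "dump", "set", "show"],
    "interface": ["add", "delete", "set", "show"],
}


def resolve(token: str, candidates: Iterable[str]) -> str:
    """Expand an abbreviated command to its full name if the prefix matches exactly one command."""
    names = sorted(set(candidates))
    if token in names:
        return token                          # an exact name always wins
    matches = [name for name in names if name.startswith(token)]
    if len(matches) == 1:
        return matches[0]
    if not matches:
        raise KeyError(f"unknown command: {token!r}")
    raise ValueError(f"ambiguous command {token!r}: could be {matches}")


def resolve_in_context(token: str, context: str) -> str:
    """A context sees its own commands plus the global ones."""
    return resolve(token, GLOBAL_COMMANDS + CONTEXT_COMMANDS[context])


def try_all(tokens: List[str], context: str) -> Dict[str, str]:
    """Resolve each token; on failure record the error type instead of a command name."""
    out: Dict[str, str] = {}
    for token in tokens:
        try:
            out[token] = resolve_in_context(token, context)
        except (KeyError, ValueError) as err:
            out[token] = type(err).__name__
    return out


if __name__ == "__main__":
    for token, result in try_all(["sh", "du", "d", "on", "o", "ex", "set", "xyz"], "ras").items():
        print(f"{token:4} -> {result}")
```

Note that `du` resolves to `dump` in the `ras` context even though `dump` is also a global command: the two tables are merged before matching, so duplicates do not create false ambiguity, while `d` stays ambiguous because `delete` is also a candidate.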
Authentication and Accounting Logging
  • RRAS supports the logging of authentication and accounting information for PPP-based connection attempts when Windows authentication or accounting is enabled.
  • The authentication and accounting information is stored in a configurable log file or files.
    • %systemroot%\System32\LogFiles
  • You can configure the type of activity to log and log file settings.
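The authentication log described here is where the Remote Access Lockout settings from the security slide (number of failed attempts, how often the failed-attempts counter is reset) become observable. The following added example, which is not code from the slides or from RRAS, replays a constructed, simplified comma-delimited log through a lockout counter in Python. The line layout (timestamp, user, result, client address) is a stand-in and not the actual format of the files under `%systemroot%\System32\LogFiles`; the counter semantics are also a stated simplification: the counter clears on a successful logon or when the previous failure is older than the reset interval, and a lockout expires after that same interval.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample log: timestamp, user, result, client address (not the real RRAS/IAS layout).
LOG_LINES = """\
2000-05-01 08:00:05,CORP\\alice,AUTH_FAIL,203.0.113.10
2000-05-01 08:00:09,CORP\\alice,AUTH_FAIL,203.0.113.10
2000-05-01 08:00:14,CORP\\alice,AUTH_FAIL,203.0.113.10
2000-05-01 08:00:20,CORP\\alice,AUTH_FAIL,203.0.113.10
2000-05-01 08:01:02,CORP\\bob,AUTH_OK,198.51.100.7
2000-05-01 08:30:00,CORP\\carol,AUTH_FAIL,203.0.113.11
2000-05-01 09:45:00,CORP\\carol,AUTH_FAIL,203.0.113.11
2000-05-01 09:50:00,CORP\\carol,AUTH_OK,203.0.113.11
"""

MAX_FAILED = 3                        # "Number of Failed Attempts"
RESET_AFTER = timedelta(minutes=30)   # "How often to reset the Failed Attempts counter"


def parse(lines: str) -> List[Tuple[datetime, str, str, str]]:
    """Turn the comma-delimited text into (timestamp, user, result, client) records."""
    records = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, user, result, client = line.split(",")
        records.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user, result, client))
    return records


def evaluate_lockouts(lines: str, max_failed: int = MAX_FAILED,
                      reset_after: timedelta = RESET_AFTER) -> Dict[str, object]:
    """Replay the log through a per-user failed-attempts counter (simplified semantics, see lead-in)."""
    failures: Dict[str, List[datetime]] = defaultdict(list)   # user -> failure times in current window
    locked_at: Dict[str, datetime] = {}                        # user -> time the lockout started
    events: List[Tuple[datetime, str, str]] = []
    for ts, user, result, client in parse(lines):
        if user in locked_at and ts - locked_at[user] < reset_after:
            events.append((ts, user, "rejected: account locked out"))
            continue
        locked_at.pop(user, None)                 # lockout expired (or never existed)
        if result == "AUTH_OK":
            failures[user].clear()                # success resets the counter
            events.append((ts, user, "accepted"))
            continue
        window = failures[user]
        if window and ts - window[-1] > reset_after:
            window.clear()                        # reset interval elapsed since the last failure
        window.append(ts)
        if len(window) >= max_failed:
            locked_at[user] = ts
            window.clear()
            events.append((ts, user, f"locked out after {max_failed} failures from {client}"))
        else:
            events.append((ts, user, f"failed ({len(window)}/{max_failed})"))
    return {"events": events, "locked_users": sorted(locked_at)}


if __name__ == "__main__":
    summary = evaluate_lockouts(LOG_LINES)
    for ts, user, what in summary["events"]:
        print(ts, user, what)
    print("locked:", summary["locked_users"])
```

In the constructed data, `alice` trips the lockout on her third failure and her fourth attempt is rejected outright, whereas `carol` fails twice more than half an hour apart, so the reset interval keeps her at one failure each time and she logs on normally afterwards. That difference is what the reset setting controls, and it is also why a low-and-slow sequence of failures in these logs deserves attention even though it never produces a lockout event.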
Event Logging
  • The Windows 2000 Router performs extensive error logging in the system event log.
  • Four levels of logging are available.
    • Errors only
    • Errors and Warnings
    • Maximum amount of information
    • Disable
  • Logging consumes system resources and should be used sparingly.
Tracing
  • RRAS has an extensive tracing capability that you can use to troubleshoot complex network problems.
  • Tracing records internal component variables, function calls, and interactions.
  • You can enable tracing for each routing protocol by setting the appropriate registry values.
  • Tracing consumes system resources and should be used sparingly.
  • To enable file tracing for each component, you must set specific values within the registry.