Chapter 10
1 / 42

Chapter 10 - PowerPoint PPT Presentation

  • Uploaded on

Chapter 10. Routing and Remote Access Services. Overview of Routing and Remote Access Service (RRAS). RRAS is fully integrated with Windows 2000 Server.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Chapter 10' - naeva

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Chapter 10

Chapter 10

Routing and Remote Access Services

Overview of routing and remote access service rras
Overview of Routing and Remote Access Service (RRAS)

  • RRAS is fully integrated with Windows 2000 Server.

  • RRAS is extensible with application programming interfaces (APIs) that third-party developers can use to create custom networking solutions and that vendors can use to participate in internetworking.

  • The combined features of Windows 2000 RRAS allow a Windows 2000 Server computer to function as a multiprotocol router, a demand-dial router, and a remote access server.

Combining routing and remote access service
Combining Routing and Remote Access Service

  • Routing services and remote access services have been combined because of Point-to-Point Protocol (PPP)

    • Used to negotiate point-to-point connections.

    • Used by Demand-dial routing connections

  • The PPP infrastructure of Windows 2000 Server supports several types of access.

    • Dial Up

    • VPN

    • On Demand or persistent dial-up/ VPN demand routing

Installation and configuration
Installation and Configuration

  • Enable

  • Disable

  • Refresh

  • netsh

  • Private Addresses10.0.0.0 – – –

Authentication and authorization
Authentication and Authorization

  • Authentication – you are who you say you are

  • Authorization – verification of permission to make connection

  • Windows

  • RADIUS – server

    • Win2000 IAS

Unicast ip routing support
Unicast IP – Routing Support

  • Windows 2000 provides extensive support for unicast IP routing.

  • In unicasting, two computers establish a two-way, point-to-point connection.

  • Routing and Remote Access Service includes a number of features to support unicast IP routing.

Multicast ip support
Multicast IP Support

  • Windows 2000 supports the sending, receiving, and forwarding of IP multicast traffic.

  • Multicast traffic is sent to a single host but is processed by multiple hosts who listen for this type of traffic.

  • Routing and Remote Access Service includes a number of features to support multicast IP routing.

Other features of r ras
Other Features of (R)RAS

  • NAT

    • Network Address Translation

    • Internet Connection Sharing - alternative

  • DHCP Relay

    • DHCP server can exist on another netwrok

  • IP Packet Filtering

    • Source/destination IP Address

    • TCP/UDP port number

    • IP protocol codes

  • ICMP route discovery

    • Periodically advertise and respond to host router solicitations

  • Static Routing

Routing vs routable protocols

Routing – communications between routers





Apple Talk

Not NetBEui

Routing vs Routable Protocols

Demand dial routing
Demand-Dial Routing

  • Windows 2000 provides support for demand-dial routing.

  • IP and IPX can be forwarded over demand-dial interfaces over persistent or on-demand wide area network (WAN) links.

Remote access
Remote Access

  • RRAS enables a computer to be a remote access server.

  • RRAS accepts remote access connections from remote access clients that use traditional dial-up technologies.

    • Access to resources on RRAS server

    • Access to LAN resources

Vpn server
VPN Server

  • RRAS enables a computer to be a virtual private network (VPN) server.

  • RRAS supports

    • Point-to-Point Tunneling Protocol (PPTP)

    • Layer 2 Tunneling Protocol (L2TP)

    • IP Security (IPSec).

Radius client server
RADIUS Client-Server

  • Internet Authentication Service (IAS) is the Microsoft implementation of a Remote Authentication Dial-In User Service (RADIUS) server.

  • RADIUS is a client-server protocol that enables RADIUS clients to submit authentication and accounting requests.

  • The RADIUS server has access to user account information and can check remote access authentication credentials.

  • RADIUS supports remote access user authentication and authorization and allows accounting data to be maintained in a central location.

  • Authentication either thru RADIUS database or Domain Controller

Snmp mib support
SNMP MIB Support

  • RRAS provides Simple Network Management Protocol (SNMP) agent functionality with support for Internet MIB II.

  • Routing and Remote Access Service includes support for additional MIB enhancements beyond Internet MIB II.

  • MIB support is also provided for Windows 2000 functions, legacy LAN Manager MIB functions, and the WINS, DHCP, and IIS services.

Dial up equipment and wan infrastructure
Dial-Up Equipment and WAN Infrastructure

  • Public Switched Telephone Network (PSTN)

  • Digital links and V.90

  • Integrated Services Digital Network (ISDN)

  • X.25

  • ATM over ADSL

Remote access protocols
Remote Access Protocols

  • Remote access protocols control the establishment of connections and the transmission of data over WAN links.

  • Windows 2000 remote access supports three types of remote access protocols:

    • PPP

    • SLIP

    • AsyBEUI.

Lan protocols
LAN Protocols

  • LAN protocols are the protocols used by remote access clients to access resources on the network connected to the RAS server.

  • Windows 2000 remote access supports

    • TCP/IP

    • IPX

    • AppleTalk

    • NetBEUI.

Secure user authentication
Secure User Authentication

  • Secure user authentication is obtained through the encrypted exchange of user credentials.

  • Secure authentication is possible through the use of PPP and one of the supported authentication protocols.

Mutual authentication
Mutual Authentication

  • Mutual authentication is obtained by authenticating both ends of the connection through the encrypted exchange of user credentials.

  • It is possible for a RAS server not to request authentication from the remote access client.

Data encryption
Data Encryption

  • Data encryption encrypts the data sent between the remote access client and the RAS server.

  • Data encryption on a remote access connection is based on a secret encryption key known to the RAS server and remote access client.

  • Data encryption is possible over dial-up remote access links when using PPP along with

    • EAP-TLS – Extensible Authentication Protocol – Transport Level Sdecurity

    • MS‑CHAP

    • Microsoft Point-to-Point Encryption (MPPE).

More security options
More Security Options

  • Callback

  • Caller ID

  • Remote Access Lockout

    • Number of Failed Attempts

    • How often to reset the Failed Attempts counter

Managing addresses
Managing Addresses

  • For PPP connections, IP, IPX, and AppleTalk, addressing information must be allocated to remote access clients during the establishment of the connection.

  • The RAS server must be configured to allocate IP addresses, IPX network and node addresses, or AppleTalk network and node addresses.

Overview of access management
Overview of Access Management

  • Remote access connections are accepted based on the dial-in properties of a user account and the remote access policies.

  • Different remote access conditions can be applied to different remote access clients or to the same remote access client based on the parameters of the connection attempt.

  • Multiple remote access policies can be used to meet various conditions.

  • RRAS and IAS use remote access policies to determine whether to accept or reject connection attempts.

Access management
Access Management

  • Policy created in

    • RRAS if Windows authentication

    • IAS if RADIUS authentication

  • Policies Applied

    • Checked in order

    • If no policies Reject the connection

    • Check all policies until a match

  • User Account Permissions

    • Match up user account and profile properties

Overview of virtual private networks vpns
Overview of Virtual Private Networks (VPNs)

  • VPNs allow remote users to connect securely to a remote corporate server by using the routing infrastructure provided by a public internetwork, such as the Internet.

  • VPN is a point-to-point connection between the user’s computer and a corporate server.

  • VPN allows a corporation to connect with its branch offices or with other companies over a public internetwork.

  • The secure connection across the internetwork appears to the user as a virtual network interface.

Routing and remote access services 1336088

VPN ServerDedicated Dial UpSeparate intranet using VPN Server

Overview of tunneling
Overview of Tunneling

  • Tunneling is a method of using an internetwork infrastructure to transfer a payload.

  • Instead of sending the frame as produced by the originating node, the frame is encapsulated with an additional header, which provides routing information.

  • The process of encapsulation and transmission of packets is known as tunneling.

  • The logical path through which the encapsulated packets travel the transit internetwork is called a tunnel.

Tunnel maintenance and data transfer
Tunnel Maintenance and Data Transfer

  • Tunnel maintenance protocol

    • Manage the tunnel

    • When PPTP -

      • Generic Routing Encapsulation – DATA transfer

      • TCP – TUNNEL maintenance

    • When L2TP

      • UDP

  • Tunnel data transfer protocol

    • Client appends data transfer header to the payload

    • Server accepts the packet and strips of header

Tunnel types
Tunnel Types

  • Voluntary tunnels

    • Created and configured by the user at client end

  • Compulsory tunnels

    • Created automatically

      • Access Concentrator

    • Static Compulsory

      • Automatic

        • Dial in accesses concentrator

        • Dedicated equipment

      • Manual (realm Based)

        • User Name determines tunnel

    • Dynamic Compulsory

      • Choice of tunnel made when used connects to access server

Routing and remote access services 1336088


Pptp vs l2tp

  • PPTP requires that the transit internetwork be an IP internetwork. L2TP requires only that the tunnel media provide packet-oriented point-to-point connectivity.

  • PPTP transport IP networkL2TP transport IP, X.25, FRAME RELAY, or ATM

  • When header compression is enabled, L2TP operates with 4 bytes of overhead, compared to 6 bytes for PPTP.

  • L2TP provides tunnel authentication, while PPTP does not.

  • PPTP uses PPP encryption and L2TP uses IPsec


  • Overview of IPSec

    • Layer 3

    • Supports Encapsulation and Encryption of IP datagram

  • ESP (Encapsulated Security Payload) tunnel mode

    • Entire Payload encrypted

    • Encryption removed at VPN Server

  • ESP transport mode

    • Only layer 4 and above encrypted

    • Encryption removed at destination host

Ipsec esp tunnel packet
IPSec ESP Tunnel Packet

  • IP datagram EsP trailer added then encrypted

  • Encapsulated with an ESP header ESP authentication trailer

  • Encapsulated with new IP header

    • Source and Destination address of tunnel endpoints

  • Data link encapsulation

Ip ip

  • IP in IP is a simple OSI layer 3 tunneling technique.

  • A virtual network is created by encapsulating an IP packet with an additional IP header.

  • The primary use of IP-IP is for tunneling multicast traffic over sections of a network that does not support multicast routing

  • The IP payload includes everything above IP.

Managing addresses and name servers
Managing Addresses and Name Servers

  • The VPN server must have IP addresses available in order to assign them to the VPN server’s virtual interface and to VPN clients.

  • By default, the IP addresses assigned to VPN clients are obtained through DHCP.

Net shell command line utility
Net Shell Command-Line Utility

  • The Net Shell utility includes a number of options.

  • Commands can be abbreviated to the shortest unambiguous string.

  • Commands can be either global or context specific.

  • Global commands can be issued in any context and are used for general netsh functions.

  • Netsh has two command modes.

    • Online

    • Offline

  • You can run a script either by using the -f option or by typing the exec global command while in the Net Shell command window.

  • To create a script of the current configuration, type the global dump command.

  • The Net Shell command includes context-specific commands.

Authentication and accounting logging
Authentication and Accounting Logging

  • RRAS supports the logging of authentication and accounting information for PPP-based connection attempts when Windows authentication or accounting is enabled.

  • The authentication and accounting information is stored in a configurable log file or files.

    • %systemroot%\System32\LogFiles

  • You can configure the type of activity to log and log file settings.

Event logging
Event Logging

  • The Windows 2000 Router performs extensive error logging in the system event log.

  • Four levels of logging are available.

    • Errors only

    • Errors and Warnings

    • Maximum amount of information

    • Disable

  • Logging consumes system resources and should be used sparingly.


  • RRAS has an extensive tracing capability that you can use to troubleshoot complex network problems.

  • Tracing records internal component variables, function calls, and interactions.

  • You can enable tracing for each routing protocol by setting the appropriate registry values.

  • Tracing consumes system resources and should be used sparingly.

  • To enable file tracing for each component, you must set specific values within the registry.