Overview of Routing and Remote Access Service (RRAS) - PowerPoint PPT Presentation

Slides: 63
Provided by: MicrosoftC64

Transcript and Presenter's Notes

1
Overview of Routing and Remote Access Service
(RRAS)
  • When RRAS was implemented in Microsoft Windows NT
    4.0, it added support for a number of features.
  • Microsoft Windows 2000 builds on RRAS in
    Windows NT 4.0 and adds a number of new features.
  • RRAS is fully integrated with Windows 2000
    Server.
  • RRAS is extensible with application programming
    interfaces (APIs) that third-party developers can
    use to create custom networking solutions and
    that vendors can use to participate in
    internetworking.
  • The combined features of Windows 2000 RRAS allow
    a Windows 2000 Server computer to function as a
    multiprotocol router, a demand-dial router, and a
    remote access server.

2
Combining Routing and Remote Access Service
  • Routing services and remote access services have
    been combined because of Point-to-Point Protocol
    (PPP), which is the protocol suite that is
    commonly used to negotiate point-to-point
    connections.
  • Demand-dial routing connections also use PPP to
    provide the same kinds of services as remote
    access connections.
  • The PPP infrastructure of Windows 2000 Server
    supports several types of access.

3
Installation and Configuration
4
Disabling Routing and Remote Access Service
  • You can use the Routing and Remote Access snap-in
    to disable RRAS.
  • You can refresh the RRAS configuration by first
    disabling the service and then enabling it.

5
Authentication and Authorization
6
Unicast IP Support
  • Windows 2000 provides extensive support for
    unicast IP routing.
  • In unicasting, two computers establish a two-way,
    point-to-point connection.
  • Routing and Remote Access Service includes a
    number of features to support unicast IP routing.

7
Multicast IP Support
  • Windows 2000 supports the sending, receiving, and
    forwarding of IP multicast traffic.
  • Multicast traffic is sent to a single multicast
    group address but is processed by every host that
    listens for that group.
  • Routing and Remote Access Service includes a
    number of features to support multicast IP
    routing.

8
IPX Support
  • The Windows 2000 Server router is a fully
    functional IPX router.
  • Routing and Remote Access Service includes a
    number of features to support IPX routing.

9
AppleTalk
  • Windows 2000 RRAS can operate as an AppleTalk
    router by forwarding AppleTalk packets and
    supporting the use of RTMP.
  • Most large AppleTalk networks are AppleTalk
    internets that are connected by routers.
  • A Windows 2000-based server can provide routing
    and seed routing support.

10
Demand-Dial Routing
  • Windows 2000 provides support for demand-dial
    routing.
  • IP and IPX can be forwarded over demand-dial
    interfaces over persistent or on-demand wide area
    network (WAN) links.

11
Remote Access
  • RRAS enables a computer to be a remote access
    server.
  • RRAS accepts remote access connections from
    remote access clients that use traditional
    dial-up technologies.

12
VPN Server
  • RRAS enables a computer to be a virtual private
    network (VPN) server.
  • RRAS supports Point-to-Point Tunneling Protocol
    (PPTP) and Layer 2 Tunneling Protocol (L2TP) over
    IP Security (IPSec).

13
RADIUS Client-Server
  • Internet Authentication Service (IAS) is the
    Microsoft implementation of a Remote
    Authentication Dial-In User Service (RADIUS)
    server.
  • RADIUS is a client-server protocol that enables
    RADIUS clients to submit authentication and
    accounting requests.
  • The RADIUS server has access to user account
    information and can check remote access
    authentication credentials.
  • RADIUS supports remote access user authentication
    and authorization and allows accounting data to
    be maintained in a central location.
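The RADIUS exchange these bullets describe, as an added example that is not part of the original slides or of Microsoft's IAS code: the RAS server (the RADIUS client) builds an Access-Request carrying the user name and a User-Password hidden with the RFC 2865 MD5/shared-secret scheme, the server recovers the password, checks it against a constructed account store, and answers with an Access-Accept or Access-Reject whose Response Authenticator the client verifies. The account store, the shared secret and the fixed Request Authenticator used in the test are constructed values; real deployments must draw the Request Authenticator at random, since the hiding of the password rests on it and on the secret.

```python
import hashlib
import hmac
import os
import struct

# Packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password to a 16-byte multiple, then XOR
    each block with MD5(secret + previous ciphertext block), the first block
    being keyed with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side inverse of hide_password; the zero padding is stripped."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return bytes(out).rstrip(b"\x00")


def attribute(atype: int, value: bytes) -> bytes:
    """Type-Length-Value; the length byte counts the two header bytes too."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attributes(payload: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(payload):
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("malformed attribute")
        attrs[atype] = payload[i + 2:i + alen]
        i += alen
    return attrs


def build_access_request(ident, username, password, secret, nas_ip, authenticator=None):
    """RADIUS client (the RAS server) side. The Request Authenticator must be
    unpredictable, so a fresh random one is drawn unless the caller supplies one."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, username)
             + attribute(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
             + attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs


def build_response(code, ident, request_authenticator, secret, attrs=b""):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret),
    which ties the reply to the request and to the shared secret."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + auth + attrs


def verify_response(packet, request_authenticator, secret) -> bool:
    """Client side: a reply whose authenticator does not verify is discarded,
    so an Access-Accept from a host that lacks the secret is never honoured."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)


def server_handle(packet, secret, accounts: dict) -> bytes:
    """Constructed RADIUS server: recovers the password, checks it against a
    username -> password store, and answers Access-Accept or Access-Reject."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    req_auth = packet[4:20]
    attrs = parse_attributes(packet[20:])
    user = attrs.get(ATTR_USER_NAME, b"")
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
    ok = user in accounts and hmac.compare_digest(accounts[user], password)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, req_auth, secret)
```

The scheme hides the password only as well as the shared secret is kept and the Request Authenticator is unpredictable, which is why RADIUS traffic between a RAS server and IAS belongs on a trusted management segment rather than on a public network.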

14
SNMP MIB Support
  • RRAS provides Simple Network Management Protocol
    (SNMP) agent functionality with support for
    Internet MIB II.
  • Routing and Remote Access Service includes
    support for additional MIB enhancements beyond
    Internet MIB II.
  • MIB support is also provided for Windows 2000
    functions, legacy LAN Manager MIB functions, and
    the WINS, DHCP, and IIS services.

15
API Support for Third-Party Components
  • RRAS has fully published API sets for unicast and
    multicast routing protocol and administration
    utility support.
  • Developers can write additional routing protocols
    and interfaces directly into RRAS architecture.

16
Overview of Remote Access
  • Remote access clients are either connected to
    only the remote access server's resources, or
    they are connected to the RAS server's resources
    and beyond.
  • A Windows 2000 remote access server provides two
    remote access connection methods.

17
Dial-Up Remote Access Connections
18
Remote Access Client
  • A number of remote access clients can connect to
    Windows 2000 remote access server.
  • Almost any third-party PPP remote access clients
    can connect to a Windows 2000 remote access
    server.
  • The Microsoft remote access client can dial into
    a Serial Line Internet Protocol (SLIP) server.

19
Remote Access Service Server
  • The remote access server accepts dial-up
    connections.
  • The remote access server forwards packets between
    remote access clients and the network to which
    the remote access server is attached.

20
Dial-Up Equipment and WAN Infrastructure
  • Public Switched Telephone Network (PSTN)
  • Digital links and V.90
  • Integrated Services Digital Network (ISDN)
  • X.25
  • ATM over ADSL

21
Public Switched Telephone Network (PSTN)
22
Digital Links and V.90
23
Integrated Services Digital Network (ISDN)
24
X.25
25
Asynchronous Transfer Mode (ATM) over Asymmetric
Digital Subscriber Line (ADSL)
26
Remote Access Protocols
  • Remote access protocols control the establishment
    of connections and the transmission of data over
    WAN links.
  • Windows 2000 remote access supports three types
    of remote access protocols: PPP, SLIP, and
    AsyBEUI.

27
LAN Protocols
  • LAN protocols are the protocols used by remote
    access clients to access resources on the network
    connected to the RAS server.
  • Windows 2000 remote access supports TCP/IP, IPX,
    AppleTalk, and NetBEUI.

28
Secure User Authentication
  • Secure user authentication is obtained through
    the encrypted exchange of user credentials.
  • Secure authentication is possible through the use
    of PPP and one of the supported authentication
    protocols.

29
Mutual Authentication
  • Mutual authentication is obtained by
    authenticating both ends of the connection
    through the encrypted exchange of user
    credentials.
  • It is possible for a RAS server not to request
    authentication from the remote access client.

30
Data Encryption
  • Data encryption encrypts the data sent between
    the remote access client and the RAS server.
  • Data encryption on a remote access connection is
    based on a secret encryption key known to the RAS
    server and remote access client.
  • Data encryption is possible over dial-up remote
    access links when using PPP along with EAP-TLS or
    MS-CHAP.
  • Microsoft Windows 2000, Windows NT 4.0,
    Windows 98, and Windows 95 remote access clients
    and remote access servers support Microsoft
    Point-to-Point Encryption (MPPE).

31
Callback
  • The RAS server calls the remote access client
    after the user credentials have been verified.
  • Callback can be configured on the server to call
    the remote access client back at a number
    specified by the user of the remote access
    client.
  • Callback can be configured to always call back
    the remote access client at a specific number.

32
Caller ID
  • Caller ID can be used to verify that the incoming
    call is coming from a specified phone number.
  • Caller ID requires that the caller's telephone
    line, phone system, RAS server's telephone line,
    and the Windows 2000 driver for the dial-up
    equipment support caller ID.

33
Remote Access Account Lockout
  • The remote access account lockout feature is used
    to specify how many times a remote access
    authentication can fail against a valid user
    account before access is denied.
  • The feature does not distinguish malicious
    attempts from authentic users.
  • An administrator must decide on two remote access
    account lockout variables.

34
Managing Users
  • Set up a master account database in the Active
    Directory store or on a RADIUS server.
  • A master account database allows the RAS server
    to send the authentication credentials to a
    central authenticating device.

35
Managing Addresses
  • For PPP connections, IP, IPX, and AppleTalk,
    addressing information must be allocated to
    remote access clients during the establishment of
    the connection.
  • The RAS server must be configured to allocate IP
    addresses, IPX network and node addresses, or
    AppleTalk network and node addresses.

36
Overview of Access Management
  • Remote access connections are accepted based on
    the dial-in properties of a user account and the
    remote access policies.
  • Different remote access conditions can be applied
    to different remote access clients or to the same
    remote access client based on the parameters of
    the connection attempt.
  • Multiple remote access policies can be used to
    meet various conditions.
  • RRAS and IAS use remote access policies to
    determine whether to accept or reject connection
    attempts.

37
Access by User Account
38
Access by Policy
39
Accepting a Connection Attempt
  • When a user attempts a connection, the connection
    attempt is accepted or rejected based on a
    specific logic.
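The acceptance logic the two slides above describe, as an added example that is not part of the original slides or of RRAS itself: connection attributes are matched against an ordered policy list, then the account's dial-in permission, the matched policy's permission and its profile are applied in turn. The ordering (first matching policy, account permission, policy permission only when the account defers to policy, then profile) is an assumption modelled on the Windows 2000 behaviour; the policy names, profile constraints and attempt attributes are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Dial-in permission on the user account (the "Access by User Account" side).
ALLOW, DENY, CONTROL_BY_POLICY = "allow", "deny", "control-through-policy"


@dataclass
class RemoteAccessPolicy:
    name: str
    conditions: Dict[str, object]        # every condition must match the attempt
    grant: bool                          # policy permission: grant or deny
    profile: Dict[str, object] = field(default_factory=dict)  # constraints applied after permission


def conditions_match(conditions: Dict[str, object], attempt: Dict[str, object]) -> bool:
    """A set-valued attempt attribute (e.g. group memberships) matches when it
    contains the required value; scalar attributes must be equal."""
    for attr, required in conditions.items():
        actual = attempt.get(attr)
        if isinstance(actual, (set, frozenset)):
            if required not in actual:
                return False
        elif actual != required:
            return False
    return True


def profile_allows(profile: Dict[str, object], attempt: Dict[str, object]) -> bool:
    """Two constructed profile constraints: the authentication protocols that
    may be used and whether data encryption is required."""
    allowed = profile.get("auth_protocols")
    if allowed is not None and attempt.get("auth_protocol") not in allowed:
        return False
    if profile.get("encryption_required") and not attempt.get("encrypted"):
        return False
    return True


def evaluate(attempt: Dict[str, object], dial_in_permission: str,
             policies: List[RemoteAccessPolicy]) -> Tuple[str, str]:
    """Decide one connection attempt and say why. The profile of the matched
    policy applies even when the account's permission is Allow."""
    if not policies:
        return "reject", "no remote access policies exist"
    matched = next((p for p in policies if conditions_match(p.conditions, attempt)), None)
    if matched is None:
        return "reject", "no policy conditions match the attempt"
    if dial_in_permission == DENY:
        return "reject", "dial-in permission on the user account is Deny"
    if dial_in_permission == CONTROL_BY_POLICY and not matched.grant:
        return "reject", "policy '%s' denies access" % matched.name
    if not profile_allows(matched.profile, attempt):
        return "reject", "attempt does not satisfy the profile of '%s'" % matched.name
    return "accept", "policy '%s'" % matched.name


# Constructed policy list: VPN users in the Staff group get in with strong
# authentication and encryption; a final catch-all policy denies everything else.
EXAMPLE_POLICIES = [
    RemoteAccessPolicy("VPN staff", {"port_type": "VPN", "groups": "Staff"}, True,
                       {"auth_protocols": {"EAP-TLS", "MS-CHAPv2"}, "encryption_required": True}),
    RemoteAccessPolicy("Deny all other connections", {}, False),
]

# Constructed connection attempt as the RAS server would see it.
SAMPLE_ATTEMPT = {"port_type": "VPN", "groups": {"Staff"},
                  "auth_protocol": "MS-CHAPv2", "encrypted": True}
```

The catch-all policy is what makes "connection accepted when it should be rejected" tractable: with an account set to Allow rather than to control access through policy, the deny in the catch-all is skipped and only its (empty) profile is enforced, so dial-up attempts that the policy was meant to stop get through.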

40
Managing Account Lockout
  • Changing settings in the registry on the
    authenticating computer configures the account
    lockout feature.
  • If the RAS server is configured for Windows
    authentication, modify the registry on the RAS
    server computer.
  • If the RAS server is configured for RADIUS
    authentication and IAS is being used, modify the
    registry on the IAS server.
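A model of the account lockout behaviour described on this slide and on slide 33, added here as an example that is not code from the original slides or from Windows: the two administrator-chosen variables are the number of failed authentications a valid account may accumulate and the number of minutes after which that count is reset. The slides do not name the registry values that hold these settings, so the model takes them as constructor parameters; the assumption that the reset window is measured from the first failure, the account store and the timestamps are all constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class RemoteAccessLockout:
    """max_denials: failed authentications a valid account may accumulate.
    reset_minutes: minutes after the first failure at which the count resets
    (assumption: the window starts at the first failure).
    Timestamps are seconds supplied by the caller, so runs are deterministic."""
    max_denials: int
    reset_minutes: int
    accounts: dict                                   # constructed store: username -> password
    _failures: dict = field(default_factory=dict)    # username -> (count, window_start)

    def _state(self, username: str, now: float):
        count, since = self._failures.get(username, (0, now))
        if now - since >= self.reset_minutes * 60:   # reset window elapsed
            return 0, now
        return count, since

    def attempt(self, username: str, password: str, now: float) -> str:
        """Return 'accept', 'reject' or 'locked'. Only failures against valid
        accounts are counted; the counter cannot tell a deliberate flood of bad
        passwords from a user who mistyped, which is the slide's caveat."""
        if username not in self.accounts:
            return "reject"
        count, since = self._state(username, now)
        if count >= self.max_denials:
            return "locked"                          # denied even with the right password
        if password == self.accounts[username]:
            self._failures.pop(username, None)       # success clears the count
            return "accept"
        self._failures[username] = (count + 1, since)
        return "reject"

    def is_locked(self, username: str, now: float) -> bool:
        count, _ = self._state(username, now)
        return count >= self.max_denials
```

Because a lockout triggers on any failures against a valid account, the failed-attempt counts belong in the authentication and accounting log (slide 60): a burst of failures against many accounts from one caller is a pattern worth alerting on, and a single user locked out repeatedly is usually a stale saved password.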

41
Managing Authentication
  • Windows authentication
  • RADIUS authentication
  • Windows and RADIUS accounting

42
Overview of Virtual Private Networks (VPNs)
  • VPNs allow remote users to connect securely to a
    remote corporate server by using the routing
    infrastructure provided by a public internetwork,
    such as the Internet.
  • VPN is a point-to-point connection between the
    user's computer and a corporate server.
  • VPN allows a corporation to connect with its
    branch offices or with other companies over a
    public internetwork.
  • The secure connection across the internetwork
    appears to the user as a virtual network
    interface.

43
Connecting Networks over the Internet
  • Dedicated lines
  • Dial-up lines

44
Connecting Computers over an Intranet
  • VPNs allow a department's LAN to be physically
    connected to the corporate internetwork but
    separated by a VPN server.
  • The VPN server is not acting as a router between
    the corporate internetwork and the department LAN.

45
Overview of Tunneling
  • Tunneling is a method of using an internetwork
    infrastructure to transfer a payload.
  • Instead of sending the frame as produced by the
    originating node, the frame is encapsulated with
    an additional header, which provides routing
    information.
  • The process of encapsulation and transmission of
    packets is known as tunneling.
  • The logical path through which the encapsulated
    packets travel the transit internetwork is called
    a tunnel.

46
Tunnel Maintenance and Data Transfer
  • Tunnel maintenance protocol
  • Tunnel data transfer protocol

47
Tunnel Types
  • Voluntary tunnels
  • Compulsory tunnels

48
PPTP
49
L2TP
50
PPTP vs. L2TP
  • PPTP requires that the transit internetwork be an
    IP internetwork. L2TP requires only that the
    tunnel media provide packet-oriented
    point-to-point connectivity.
  • When header compression is enabled, L2TP operates
    with 4 bytes of overhead, compared to 6 bytes for
    PPTP.
  • L2TP provides tunnel authentication, while PPTP
    does not.
  • PPTP uses PPP encryption (MPPE); L2TP does not,
    and relies on IPSec for encryption instead.

51
IPSec
  • Overview of IPSec
  • ESP tunnel mode vs. ESP transport mode
  • IPSec ESP tunnel mode packet structure

52
IP-IP
  • IP-IP is a simple OSI layer 3 tunneling
    technique.
  • A virtual network is created by encapsulating an
    IP packet with an additional IP header.
  • The primary use of IP-IP is for tunneling
    multicast traffic over sections of a network that
    do not support multicast routing.
  • The IP payload includes everything above IP.
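The encapsulation described on the tunneling overview (slide 45) and on this IP-IP slide, as an added example that is not part of the original slides or of the RRAS implementation: a multicast packet produced by an originating node is wrapped, unchanged, in an outer IPv4 header with protocol number 4 that is addressed to the far tunnel endpoint, and the exit point strips that header again. The addresses, the UDP payload and the peer check are constructed; the header layout and checksum follow the IPv4 and RFC 2003 formats. IP-IP carries no authentication or encryption of its own, so the decapsulation side here at least refuses packets whose outer source is not the configured peer.

```python
import struct

IPPROTO_IPIP = 4     # outer-header protocol number for IP-in-IP (RFC 2003)
IPPROTO_UDP = 17


def ip_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def header_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words; a valid header (checksum field
    included) sums to 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(src: str, dst: str, proto: int, payload: bytes, ttl=64, ident=0) -> bytes:
    """Minimal IPv4 packet: a 20-byte header without options, then the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0,
                      ttl, proto, 0, ip_bytes(src), ip_bytes(dst))
    hdr = hdr[:10] + struct.pack("!H", header_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_header(packet: bytes) -> dict:
    """Validate version, header length, checksum and total length; return the
    fields a forwarder needs plus the payload (everything above IP)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad header length")
    if header_checksum(packet[:ihl]) != 0:
        raise ValueError("bad header checksum")
    total_len, = struct.unpack("!H", packet[2:4])
    if total_len < ihl or total_len > len(packet):
        raise ValueError("bad total length")
    return {"src": ip_str(packet[12:16]), "dst": ip_str(packet[16:20]),
            "proto": packet[9], "ttl": packet[8], "payload": packet[ihl:total_len]}


def encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str, ttl=64) -> bytes:
    """Tunnel entry: the original packet is left untouched and becomes the
    payload of a new outer header addressed to the far tunnel endpoint."""
    parse_header(inner)                      # refuse to tunnel a malformed packet
    return build_packet(tunnel_src, tunnel_dst, IPPROTO_IPIP, inner, ttl)


def decapsulate(outer: bytes, expected_peer: str = None) -> bytes:
    """Tunnel exit: strip the outer header and hand the inner packet back for
    normal forwarding, after checking protocol, peer and the inner header."""
    o = parse_header(outer)
    if o["proto"] != IPPROTO_IPIP:
        raise ValueError("outer protocol is not IP-IP")
    if expected_peer is not None and o["src"] != expected_peer:
        raise ValueError("outer source is not the configured tunnel peer")
    parse_header(o["payload"])               # the inner packet must itself be valid
    return o["payload"]
```

The exit point is the place to apply policy: the inner destination is a multicast group that the transit network never saw, so whatever the exit router forwards after decapsulation is only as trustworthy as its check on who the outer packet came from.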

53
Managing Users
  • A master account database is usually set up on a
    domain controller or on a RADIUS server.
  • The same user account is used for both dial-in
    remote access and VPN remote access.

54
Managing Addresses and Name Servers
  • The VPN server must have IP addresses available
    in order to assign them to the VPN server's
    virtual interface and to VPN clients.
  • By default, the IP addresses assigned to VPN
    clients are obtained through DHCP.

55
Managing Access
  • Configure the properties on the Dial-In tab of
    the user's properties and modify remote access
    policy as necessary.

56
Managing Authentication
  • The VPN server can be configured to use either
    Windows or RADIUS authentication.
  • If Windows is selected, the user credentials are
    authenticated by using Windows authentication and
    remote access policy.
  • If RADIUS is selected, user credentials and
    parameters are sent as a series of RADIUS request
    messages to the RADIUS server.

57
Troubleshooting
  • Connection attempt is rejected when it should be
    accepted.
  • Connection attempt is accepted when it should be
    rejected.
  • Unable to reach locations beyond the VPN server.
  • Unable to establish a tunnel.

58
Routing and Remote Access Snap-In
59
Net Shell Command-Line Utility
  • The Net Shell utility includes a number of
    options.
  • Commands can be abbreviated to the shortest
    unambiguous string.
  • Commands can be either global or context
    specific.
  • Global commands can be issued in any context and
    are used for general netsh functions.
  • Netsh has two command modes.
  • You can run a script either by using the -f
    option or by typing the exec global command while
    in the Net Shell command window.
  • To create a script of the current configuration,
    type the global dump command.
  • The Net Shell command includes context-specific
    commands.

60
Authentication and Accounting Logging
  • RRAS supports the logging of authentication and
    accounting information for PPP-based connection
    attempts when Windows authentication or
    accounting is enabled.
  • The authentication and accounting information is
    stored in a configurable log file or files.
  • You can configure the type of activity to log and
    log file settings.

61
Event Logging
  • The Windows 2000 Router performs extensive error
    logging in the system event log.
  • Four levels of logging are available.
  • Take specific steps if an OSPF router is unable
    to establish an adjacency on an interface.
  • The level of event logging can be set from
    various places with the Routing and Remote Access
    snap-in.
  • Logging consumes system resources and should be
    used sparingly.

62
Tracing
  • RRAS has an extensive tracing capability that you
    can use to troubleshoot complex network problems.
  • Tracing records internal component variables,
    function calls, and interactions.
  • You can enable tracing for each routing protocol
    by setting the appropriate registry values.
  • Tracing consumes system resources and should be
    used sparingly.
  • To enable file tracing for each component, you
    must set specific values within the registry.