Chapter 12: Remote Access and Virtual Private Networks - PowerPoint PPT Presentation

About This Presentation
Title:

Chapter 12: Remote Access and Virtual Private Networks

Description:

Configure remote access services, security, dial-up connectivity, and client access ... sure that the Remote Access Auto Connection Manager and Remote Access ... – PowerPoint PPT presentation

Slides: 71
Provided by: michae1308
Transcript and Presenter's Notes

1
Chapter 12: Remote Access and Virtual Private Networks
2
Learning Objectives
  • Explain how remote access and virtual private
    network (VPN) services work
  • Explain how to implement remote access
    communications devices and protocols
  • Configure remote access services, security,
    dial-up connectivity, and client access

3
Learning Objectives (continued)
  • Configure VPN services, security, dial-up
    connectivity, and client access
  • Troubleshoot remote access, VPN services, and
    client connectivity

4
Early Remote Access Methods
  • An early method for accessing a network, which is
    still used, is to connect to a workstation
    through remote access software such as Carbon
    Copy

5
Accessing a Workstation Remotely
Figure 12-1 Remotely accessing a workstation on
a network
6
Microsoft Remote Access
  • A modern way to access a network remotely is by
    using Microsoft Remote Access Services (RAS) in
    Windows 2000 Server

7
Using RAS
Figure 12-2 Remotely accessing a network
through Microsoft RAS
8
Virtual Private Network
  • Virtual private network: A private network that
    is like a tunnel through a larger network such
    as the Internet, an enterprise network, or both,
    and that is restricted only to designated member
    clients

9
Planning Tip
  • Use a VPN to save money on modems and telephone
    lines for remote access to a network

10
VPN Architecture
Figure 12-3 VPN network architecture
11
Operating Systems That Can Connect to RAS
  • MS-DOS
  • Windows 3.1 and 3.11
  • Windows NT (all versions)
  • Windows 95
  • Windows 98
  • Windows 2000 Server and Professional

12
Connection Types Supported by RAS
  • Asynchronous modems
  • Synchronous modems through an access server
  • Null modem connections
  • Regular dial-up telephone lines
  • Leased telecommunications lines, such as T-carrier

13
Connection Types Supported by RAS (continued)
  • ISDN lines (and digital modems)
  • X.25 lines
  • DSL lines
  • Frame relay lines

14
T-Carrier
  • T-carrier: A dedicated leased telephone line that
    can be used for data communications over multiple
    channels for speeds of up to 44.736 Mbps and
    beyond
  • Two common varieties of T-carrier are:
      • T-1 at 1.544 Mbps
      • T-3 at 44.736 Mbps

15
Frame Relay
  • Frame relay: A WAN communications technology that
    relies on packet switching and virtual connection
    techniques to transmit at rates from 56 Kbps to
    45 Mbps

16
ISDN
  • Integrated Services Digital Network (ISDN): A
    telecommunications standard for delivering data
    services over digital telephone lines with a
    current practical limit of 1.536 Mbps and a
    theoretical limit of 622 Mbps

17
X.25
  • An older packet-switching protocol for connecting
    remote networks at speeds up to 2.048 Mbps

18
DSL
  • Digital subscriber line (DSL): A technology that
    uses advanced modulation technologies on regular
    telephone lines for high-speed networking at
    speeds of up to 60 Mbps between subscribers and a
    telecommunications company

19
Telephony Interfaces
  • RAS supports telephony interfaces that include:
      • Universal Modem Driver: A modem driver standard
        used on recently developed modems
      • Telephony Application Programming Interface: An
        interface for communication line devices (such as
        modems) that provides line device functions, such
        as call holding, call receiving, call hang-up,
        and call forwarding

20
Transport and Remote Communication Protocols
  • RAS supports protocols such as:
      • TCP/IP
      • NWLink
      • NetBEUI
      • PPP
      • PPTP
      • L2TP

21
Using Modems
  • One of the most common ways to connect through
    RAS is by using modems either at the RAS server
    end, the client end, or both
  • Cable TV modems are another possibility, but
    verify that the end-to-end connections can be
    made secure

22
ISDN Connectivity
  • Digital modems can be used to connect a RAS
    server to ISDN, but these are really terminal
    adapters (TAs) and not modems, because ISDN is
    digital and does not use modulation/demodulation
  • A design advantage of ISDN is that you can
    aggregate multiple lines to appear as one super
    fast connection

23
Access Server
  • An effective way to connect different
    telecommunications and WAN media to RAS is
    through an access server
  • For example, an access server can provide the
    following types of connectivity:
      • Modems
      • ISDN
      • X.25
      • T-carrier

24
Access Server Architecture
Figure 12-4 Using an access server
25
Remote Access Protocols
  • Serial Line Internet Protocol (SLIP): An older
    remote communications protocol that is used by
    UNIX computers. The modern compressed SLIP
    (CSLIP) version uses header compression to reduce
    communications overhead.
  • Point-to-Point Protocol (PPP): A widely used
    remote communication protocol that supports
    IPX/SPX, NetBEUI, and TCP/IP for point-to-point
    communication.

26
SLIP and PPP Compared
Table 12-1 SLIP and PPP Compared
27
Remote Access Protocols (continued)
  • Point-to-Point Tunneling Protocol (PPTP): A
    remote communication protocol that enables
    connectivity to a network through the Internet
    and connectivity through intranets and VPNs

28
Remote Access Protocols (continued)
  • Layer Two Tunneling Protocol (L2TP): A protocol
    that transports PPP over a VPN, intranet, or the
    Internet. L2TP works similarly to PPTP, but
    unlike PPTP, L2TP uses an additional network
    communications standard, called Layer Two
    Forwarding, that enables forwarding on the basis
    of MAC addressing

29
General RAS Configuration Steps
  • Configure a Windows 2000 server with RAS,
    including the appropriate protocols
  • Configure a DHCP Relay Agent (if IP addresses are
    assigned via DHCP)
  • Configure RAS security
  • Configure a dial-up and remote connection
  • Configure RAS on client workstations

30
Configuring RAS
  • Use the Routing and Remote Access tool to install
    RAS

31
Installing RAS
Figure 12-5 Configuring routing and RAS
32
Installing RAS (continued)
Figure 12-6 Selecting the option to install RAS
33
Routing and Remote Access Options
34
Installing RAS (continued)
Figure 12-7 IP address assignment options
35
RAS Installation Tip
  • If you configure RAS for AppleTalk, then users
    access RAS through the Guest account, which
    cannot have a password

36
RAS Properties
  • You can configure RAS properties after RAS is
    installed by right-clicking the RAS server in the
    tree of the Routing and Remote Access tool and
    then clicking Properties

37
Viewing a RAS Server's Properties
Figure 12-8 RAS server properties
38
DHCP Relay Agent
  • If you configure RAS to use DHCP to assign IP
    addresses, then you must configure a DHCP Relay
    Agent:
      • Double-click the RAS server in the tree of the
        Routing and Remote Access tool
      • Click IP Routing in the tree
      • Right-click DHCP Relay Agent and click Properties
      • Enter the IP address of the RAS server, click
        Add, and then click OK

39
Multilink
  • If you plan to use an aggregated connection, such
    as for ISDN or multiple modems, configure
    Multilink and Bandwidth Allocation Protocol in
    the RAS Properties PPP tab

40
Multilink and BAP
  • Multilink: A capability of RAS to aggregate
    multiple data streams into one logical network
    connection for the purpose of using more than one
    modem, ISDN channel, or other communication line
    in a single logical connection
  • Bandwidth Allocation Protocol (BAP): A protocol
    that works with Multilink in Windows 2000 Server
    and enables the bandwidth or speed of a remote
    connection to be allocated on the basis of the
    needs of an application, with the maximum
    allocation equal to the maximum speed of all
    channels aggregated via Multilink

41
BACP
  • Bandwidth Allocation Control Protocol (BACP):
    Similar to BAP, but BACP is able to select a
    preferred client when two or more clients vie for
    the same bandwidth

42
Configuring Multilink and BAP/BACP
Figure 12-9 Configuring Multilink and BAP
43
Security Set at the Client
  • Set up security on the client's account
    properties via the Dial-in tab, including whether
    to use a remote access policy for security and
    callback security

44
Callback Options
  • No Callback: Access is allowed on the first
    dial-up attempt
  • Set By Caller: The server calls back a number
    provided by the remote computer
  • Always Callback to: The server calls back a
    number that has already been entered in the
    Dial-in tab

45
Configuring Dial-in Security
Figure 12-10 Configuring dial-in security for a
user account
46
Remote Access Policies
  • Configure remote access policies and a profile to
    secure the RAS server and to manage access,
    including:
      • Dial-in constraints
      • IP address assignment rules
      • Authentication
      • Encryption
      • Allowing Multilink connections

47
Configuring Remote Access Policies
Figure 12-11 Granting remote access as a RAS
policy
48
Authentication Options
  • There are several authentication options that can
    be set in a remote access policy's profile
  • Extensible Authentication Protocol (EAP): An
    authentication protocol employed by network
    clients that use special security devices such as
    smart cards, token cards, and others that use
    certificate authentication

49
Authentication Options (continued)
  • Challenge Handshake Authentication Protocol
    (CHAP): An encrypted handshake protocol designed
    for standard IP- or PPP-based exchange of
    passwords. It provides a reasonably secure,
    standard, cross-platform method for sender and
    receiver to negotiate a connection.
  • CHAP with Microsoft extensions (MS-CHAP): A
    Microsoft-enhanced version of CHAP that can
    negotiate encryption levels and that uses the
    highly secure RSA RC4 encryption algorithm to
    encrypt communications between client and host

50
Authentication Options (continued)
  • CHAP with Microsoft extensions version 2 (MS-CHAP
    v2): An enhancement of MS-CHAP that provides
    better authentication and data encryption and
    that is especially well suited for VPNs
  • Password Authentication Protocol (PAP): A
    non-encrypted plain-text password authentication
    protocol. This represents the lowest level of
    security for exchanging passwords via PPP or
    TCP/IP
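
The difference between the PAP and CHAP slides above is easiest to see from a packet capture, so here is an added example (not from the slides or from Windows 2000 itself) that models both exchanges over a list standing in for the PPP link; the message names, the `wire` list and the sample account are constructed, while the CHAP response hash is the real RFC 1994 computation (MD5 over identifier, secret and challenge). MS-CHAP and MS-CHAP v2 replace that hash step with Windows-specific variants and are not modelled here.

```python
import hashlib
import hmac
import os

# Constructed illustration: PAP (RFC 1334) and CHAP (RFC 1994) exchanges, with
# `wire` standing in for the PPP link so the two can be compared as a passive
# observer would see them. Field layouts are simplified; the CHAP hash is real.

def pap_exchange(wire: list, username: str, password: bytes, server_db: dict) -> bool:
    """PAP: the client sends its name and password in the clear; the server compares."""
    wire.append(("Authenticate-Request", username, password))
    ok = server_db.get(username) == password
    wire.append(("Authenticate-Ack" if ok else "Authenticate-Nak",))
    return ok

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: Response Value = MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def chap_exchange(wire: list, username: str, client_secret: bytes, server_db: dict,
                  identifier: int = 1) -> bool:
    """CHAP three-way handshake: Challenge, Response, then Success or Failure."""
    challenge = os.urandom(16)   # fresh per attempt, so a captured Response cannot be replayed
    wire.append(("Challenge", identifier, challenge))
    response = chap_response(identifier, client_secret, challenge)
    wire.append(("Response", identifier, username, response))
    # The server must hold the shared secret in recoverable form to recompute the hash;
    # that is the trade-off CHAP makes for keeping the secret off the link.
    expected = chap_response(identifier, server_db.get(username, b""), challenge)
    ok = username in server_db and hmac.compare_digest(expected, response)
    wire.append(("Success" if ok else "Failure", identifier))
    return ok

def secret_on_wire(wire: list, secret: bytes) -> bool:
    """Defender's check: does a passive capture of these frames contain the secret bytes?"""
    return any(isinstance(field, bytes) and secret in field
               for message in wire for field in message)

if __name__ == "__main__":
    db = {"alice": b"s3cret-pw"}            # constructed sample account
    pap_wire, chap_wire = [], []
    pap_exchange(pap_wire, "alice", b"s3cret-pw", db)
    chap_exchange(chap_wire, "alice", b"s3cret-pw", db)
    print("PAP leaks the password on the wire:", secret_on_wire(pap_wire, b"s3cret-pw"))    # True
    print("CHAP leaks the password on the wire:", secret_on_wire(chap_wire, b"s3cret-pw"))  # False
```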

51
Authentication Options (continued)
  • Shiva Password Authentication Protocol (SPAP):
    A version of PAP that is used for authenticating
    remote access devices and network equipment
    manufactured by Shiva (now Intel Network Systems,
    Inc.)

52
Configuring Authentication
Figure 12-12 Configuring authentication
53
Encryption Options
  • The RAS encryption options incorporate IPSec and
    Microsoft Point-to-Point Encryption (MPPE)
  • MPPE: A point-to-point encryption technique that
    uses encryption keys varying in length from 40 to
    128 bits

54
Encryption Selections
  • No Encryption: Clients do not employ data
    encryption
  • Basic: Intended for clients using 40-bit
    encryption key MPPE or IPSec
  • Strong: Intended for clients using 56-bit
    encryption key MPPE or IPSec

55
Encryption Note
  • Originally the beta version of Windows 2000
    Server included Strongest encryption for 128-bit
    key MPPE or IPSec encryption, but this option is
    omitted in the first release of Windows 2000
    Server. Expect Strongest encryption to be
    included later in an update.

56
Dial-in and VPN Remote Access Tabs
57
Configuring a Dial-up Connection for a RAS Server
  • Use the Network and Dial-up Connections tool to
    configure a new dial-up connection for a RAS
    server

58
Creating a New Connection
Figure 12-13 Creating a new connection
59
General Steps to Configure a VPN
  • Set up the network connectivity, such as through
    a WAN adapter, access server, or router
  • Install the Routing and Remote Access Service,
    configuring it as a VPN server
  • Establish the remote access policies and profile,
    including setting up EAP authentication
  • Configure the number of PPTP and L2TP ports

60
Design Tip
  • If you select to use a static pool of IP
    addresses when you install the VPN server, the
    upper limit of addresses that can be assigned is
    253

61
Static Address Setup
Figure 12-14 Providing a range of addresses for
a VPN server
62
Configuring VPN Server Remote Access Policies
  • Configure VPN remote access policies and a
    profile using the same steps as for configuring a
    RAS server

63
Configuring Ports
  • Configure the number of ports to equal those
    available through the WAN connection

64
Steps for Configuring Ports
  • To configure the number of ports:
      • Right-click Ports in the tree under the server in
        the Routing and Remote Access tool
      • Click Properties
      • Double-click WAN Miniport (PPTP) and set the
        number of ports
      • Double-click WAN Miniport (L2TP) and set the
        number of ports

65
Steps for Configuring Ports (continued)
Figure 12-15 Configuring the number of ports
66
Hardware Troubleshooting Tips for RAS and VPN Servers
  • Use the Add/Remove Hardware tool or the Device
    Manager to test modems and WAN adapters
  • Use the Network and Dial-up Connections tool to
    check dial-up and WAN connections
  • Make sure access servers are working
  • Make sure modem lines are properly connected and
    working

67
Software Troubleshooting Tips for RAS and VPN Servers
  • Make sure that the Remote Access Auto Connection
    Manager and Remote Access Connection Manager
    services are started
  • Make sure the RAS or VPN server is enabled
  • Use the Ports option to check the status of ports
  • Make sure all IP parameters are properly
    configured

68
RAS and VPN Client Troubleshooting Tips
  • Check the dial-up networking and RAS setup on the
    client
  • Make sure that clients are using the right
    protocols
  • Check the dial-in security on the client's user
    account
  • Check the client's modem to make sure it is
    working and set for compatible communications
    with the server

69
Chapter Summary
  • RAS and VPN servers enable clients, such as
    telecommuters, to remotely access Windows 2000
    Server
  • Remote access can be configured through many
    types of WAN connectivity, such as dial-up
    telephone lines, high-speed lines, Internet
    connections, and routers

70
Chapter Summary
  • RAS and VPN servers are compatible with remote
    access protocols such as PPP, PPTP, and L2TP
  • Manage RAS and VPN servers using remote access
    policies and profiles