CHAPTER 11
PROVIDING YOUR CLIENTS
REMOTE ACCESS SERVICE (RAS)
Lesson 1:
Introducing Remote Access Service
The remote access feature of Microsoft Windows 2000 Server enables remote or mobile workers
who use dial-up communication links to access corporate networks as if they were directly connected.
Remote access also provides VPN services so that users can access corporate networks over the
Internet.
CLASSROOM NOTES:
Overview of Remote Access Service
Windows 2000 Server remote access, part of the integrated Routing and Remote Access service,
connects remote or mobile workers to corporate
networks.
A remote access server running Windows 2000 provides two different types of remote access
connectivity:
Dial-up networking. Dial-up networking occurs when a remote access client makes a
nonpermanent, dial-up connection to a physical port on a remote access server by using a
service of a telecommunications provider such as analog phone, Integrated Services Digital
Network (ISDN), or X.25.
Virtual private networking. Virtual private networking is the creation of secured,
point-to-point connections across a private network or a public network such as the
Internet. The most practical example of a VPN is a dial-up user connecting across the
Internet to a server on the corporate network. The remote access server answers the
virtual call, authenticates the caller, and transfers data between the virtual private networking
client and the corporate network.
=====================================================================
wininf11.html PAGE 2 2002/04/06
Routing and Remote Access Features
The Windows Routing and Remote Access feature set provides network address translation (NAT),
multiprotocol routing, L2TP, IAS, and RAP.
Router Discovery
Windows 2000 has a new feature called router discovery, specified in Request for Comments
(RFC) 1256. When the default gateway is configured manually or through DHCP, a host has no
way to adjust to changes in the network's routers.
Router Solicitations. When a host that supports RFC 1256 needs to be configured with a
default gateway, it sends out a router solicitation using an Internet Control Message
Protocol (ICMP) message. The router solicitation can be sent to the all-routers Internet
Protocol (IP) multicast address of 224.0.0.2, the local IP broadcast address, or the limited
broadcast address (255.255.255.255).
Router Advertisements. Router advertisements are explicit notifications to the hosts on the
network that the router is still available. A router sends out a periodic router advertisement
using an ICMP message.
NOTE: Windows 2000 supports router discovery as a host and router.
Network Address Translator (NAT)
NAT is a standard defined in RFC 1631. A NAT is a router that translates the IP addresses of an
intranet or home LAN to valid Internet addresses. Not all firewall software supports NAT!
Small companies only.
Multicast Routing
The multicast proxy is best used to provide multicast for remote access users or a single LAN
network connected to the Internet.
Layer Two Tunneling Protocol (L2TP)
L2TP was inspired by PPTP. L2TP is an Open Systems Interconnection (OSI) layer 2
(Data-link layer) protocol used to create VPNs.
Internet Authentication Service
IAS is a Remote Authentication Dial-In User Service (RADIUS) server. A network access
server such as Windows Routing and Remote Access can be a RADIUS client or RADIUS
server.
NOTE: Microsoft released a limited version of RADIUS server in the Windows NT 4.0
Option pack. A RADIUS server (IAS) is now available in Windows 2000.
Remote Access Policies
Remote access must be enabled and the server configured.
RAPs are stored on the local computer and are shared between Windows 2000 Routing and
Remote Access and Windows 2000 IAS. RAP is configured from the Internet Authentication
Service Manager or from the Routing and Remote Access Manager.
Remote Access Versus Remote Control
Remote Access. A remote access server is a software-based multiprotocol router; the client
runs the software and its applications over the remote link.
Remote Control. Remote control solutions work by sharing the screen, keyboard and mouse over
the remote link. Users share the central processing unit (CPU) or multiple CPUs on the server,
and the applications are run on the server. Uses the RADIUS server.
The Effect of a Windows Upgrade on Routing and Remote Access
A system upgraded from Windows NT 4.0 Remote Access Service/Routing and Remote
Access Service to Windows 2000 has one minor problem. Windows NT 4.0 uses the Local
System account. When any service logs on a Local System, it logs on with NULL credentials,
meaning that the service does not provide a user name or password. (keep for dial-in).
NOTE: Using NULL credentials prevents the account from being able to access network
resources relying on Windows NT LAN Manager (NTLM) authentication (unless the remote
computer specifically allows NULL sessions). Passwords are also sent clear-text. If the service
runs under the NULL account, give it credentials.
Remote Access Server Upgrade Considerations
For a Windows NT 4.0 Remote Access Service/Routing and Remote Access Service server
to retrieve user properties from Active Directory, you must meet one of the following conditions:
You have a domain in mixed mode and the Windows NT 4.0 Remote Access Service/Routing
and Remote Access Service server is also a Windows NT 4.0 backup domain controller.
You have a domain in mixed mode and the Windows NT 4.0 Remote Access Service/Routing
and Remote Access Service server contacts a Windows NT 4.0 Backup domain controller to
determine user dial-in properties.
The domain is in mixed or native mode and Active Directory security has been loosened to
grant the built-in user Everyone permissions to read any property on any user object. This
is configured with the Active Directory Installation Wizard (DCPROMO.EXE) by selecting
Permissions Compatible With Pre-Windows 2000 Server.
Windows RAS server that they can dial into vs. Everyone = read all Active Directory
objects; don't forget that with read you can also copy and link to Dfs links.
NOTE: Unless Active Directory security has been loosened, or the Remote Access
Service/Routing and Remote Access Service server is installed on a backup domain
controller, dial-in connectivity success could be intermittent. Even if your domain runs in
mixed mode, it is impossible to configure the Remote Access Service/Routing and Remote
Access Service server to contact a Windows NT 4.0 backup domain controller only for
authentication. If a Windows 2000 domain controller authenticates the user, dial-in will fail.
NOTE: The Everyone group workaround should be used only after understanding its impact
on Active Directory security. If it conflicts with your security requirements, it is recommended
that you upgrade the Windows NT 4.0 Remote Access Service/Routing and Remote Access
Service server to Windows 2000 and make it a member of a Windows 2000 mixed or native
domain. This will help prevent inconsistent dial-in access while the domain is in mixed mode.
If you would like to loosen security to allow Windows NT 4.0 Remote Access Service/Routing
and Remote Access Service servers to function after running the Active Directory Installation
Wizard, you can add the Everyone group to the Pre-Windows 2000 Compatible Access
group by typing the command:
net localgroup "Pre-Windows 2000 Compatible Access" Everyone /add
Lesson Summary:
Lesson 2:
Configuring a Routing and Remote Access Server
Once Routing and Remote Access is installed, you can configure it for inbound connections,
lock it down with RAPs, add remote access profiles for security, and control access with BAP.
Allowing Inbound Connections
When Routing and Remote Access is started for the first time, Windows 2000 automatically
creates five PPTP and five L2TP ports.
Creating a Remote Access Policy (RAP)
A RAP is a named set of conditions used to define who has remote access to the
network and what the characteristics of that connection will be. Characteristics of the
connection could be configured, for example, as an ISDN connection that can last only 30
minutes and that will not allow HTTP packets. Similar to Proxy Server settings, you must
set up the policies.
From the IAS administration tool or the Routing and Remote Access Manager, RAPs can be
created, deleted, and reordered. Note that there is no Save option, so it is not possible to
save a copy to floppy disk. The order of policies is significant because the first matching
policy will be used to accept or reject the connection.
NOTE: Remote Access Policies are not stored in Active Directory, they are stored locally
in the IAS.MDB file. Policies need to be created on each server.
Conditions
Conditions added to a RAP specify what must match in order for the system to
grant or deny remote access permission.
NOTE: If no Remote Access Policy exists (if the default policy is deleted, for example) users
will not be able to access the network, regardless of their individual Routing and Remote
Access permission settings.
By using the flowchart on page 273 you can predict the outcome of a connection request for
any given situation.
Grant or Deny Access
Policies can be configured to either grant or deny access. This works in conjunction with the
user object's dial-in permission to decide whether or not a user is given access, as in the
example on page 274.
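The first-match rule from the policy ordering discussion above and the grant/deny interaction with the user's dial-in permission, as an added example that is not part of the original notes; the condition names ("group", "media", "hours") and the combination rule in evaluate() are this example's own model of the textbook flowchart, not RRAS identifiers or code.

```python
from datetime import datetime

# Constructed policies in the order an administrator arranged them.
POLICIES = [
    {"name": "Contractors: ISDN during business hours",
     "conditions": {"group": "Contractors", "media": "ISDN", "hours": (8, 18)},
     "grant": True},
    {"name": "Contractors: everything else",
     "conditions": {"group": "Contractors"},
     "grant": False},
    {"name": "Employees",
     "conditions": {"group": "Employees"},
     "grant": True},
]

def conditions_match(policy, request):
    """Every condition in the policy must hold for the connection request."""
    for key, want in policy["conditions"].items():
        if key == "group" and want not in request["groups"]:
            return False
        if key == "media" and request["media"] != want:
            return False
        if key == "hours" and not (want[0] <= request["time"].hour < want[1]):
            return False
    return True

def evaluate(request, dialin, policies=POLICIES):
    """Return (decision, policy name) for a connection request.

    dialin is the user object's dial-in permission: "allow", "deny", or
    "policy" (control access through remote access policy). Assumed model:
    only the first policy whose conditions match is consulted; a user-level
    "deny" always rejects; "allow" accepts through a matching policy;
    "policy" uses that policy's own grant/deny; no matching policy rejects,
    which is also what happens when no policy exists at all.
    """
    if dialin == "deny":
        return ("reject", None)
    for policy in policies:
        if conditions_match(policy, request):
            if dialin == "allow" or policy["grant"]:
                return ("accept", policy["name"])
            return ("reject", policy["name"])
    return ("reject", None)

# Constructed sample requests.
ISDN_10AM = {"groups": {"Contractors"}, "media": "ISDN",
             "time": datetime(2002, 4, 8, 10, 0)}
MODEM_10AM = {"groups": {"Contractors"}, "media": "Modem",
              "time": datetime(2002, 4, 8, 10, 0)}
EMPLOYEE = {"groups": {"Employees"}, "media": "Modem",
            "time": datetime(2002, 4, 8, 22, 0)}

if __name__ == "__main__":
    for name, req in (("ISDN_10AM", ISDN_10AM), ("MODEM_10AM", MODEM_10AM),
                      ("EMPLOYEE", EMPLOYEE)):
        print(name, evaluate(req, "policy"))
    # Reordering matters: with the catch-all policy first, the ISDN contractor
    # is rejected even though the ISDN policy further down would grant access.
    print("reordered", evaluate(ISDN_10AM, "policy", POLICIES[1:] + POLICIES[:1]))
```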
Caller ID
Caller ID verifies that the caller is calling from the phone number specified. If caller ID is
configured, support for the passing of caller ID information all the way from the caller to
Routing and Remote Access is required, or the connection attempt will be denied.
NOTE: For backwards compatibility with previous versions of Windows NT, RAP, Caller
ID, Apply Static Routes, and Assign A Static IP Address are not available in mixed mode.
Configuring a Remote Access Profile
Dial-in Tab. Possible settings include idle time disconnect, maximum session time, day and time,
phone number, and media type (ISDN, tunnel, async, and so on).
IP. Configuration for client IP address assignment and IP packet filtering is found here. Packet
filters can be set for either inbound or outbound and can be configured for protocol and port.
Multilink. Set Multilink and BAP options here. A line can be dropped if bandwidth drops
below a certain level for a given length of time.
Authentication. Password Authentication Protocol (PAP), Challenge Handshake Authentication
Protocol (CHAP), and Extensible Authentication Protocol (EAP) are set here.
Encryption. Encryption settings for Microsoft Routing and Remote Access servers are
configured here. Options are to prohibit encryption, allow it, or require it.
Advanced. The Advanced tab allows for the configuration of additional network parameters
that do not apply to Microsoft Routing and Remote Access server.
Configuring Bandwidth Allocation Protocol (BAP)
BAP and Bandwidth Allocation Control Protocol (BACP) enhance multilink by dynamically
adding or dropping links on demand.
BAP functionality is implemented through a new Link Control Protocol (LCP) option, BACP,
and the BAP protocol, as described below:
bundle.
BAP and BACP are encapsulated in PPP Data-Link layer frames with the following protocol
(in hex).
BAP Additional Phone Numbers
The server can provide the client with additional phone numbers to dial if extra bandwidth is
needed.
Lesson Summary:
lock it down with RAPs, add remote access profiles for security, and control access with
BAP.
Lesson 3:
Implementing IP Routing on a Remote Access Server
Installing IP Routing
It is similar to installing a remote access server. In fact, the same wizard is used for new installs,
Updating the Routing Tables
The routing decision is aided by knowing which network addresses (or network IDs) are
available in the internetwork.
Types of Routing Table Entries:
Network Route. A network route provides a route to a specific network ID in the
internetwork.
Host Route. A host route provides a route to an internetwork address (network ID and node
ID). A host route is equivalent to a network route with a netmask of 255.255.255.255.
Default route. A default route is used when no other routes in the routing table are found. For
example, if a router or host cannot find a network route or host route for the destination, the
default route is used.
Routing Table Structure
Destination. The network ID or an internetwork address for a host route.
Gateway. The address to which the packet is forwarded. The forwarding address is a
hardware address or an internetwork address.
Interface. The network interface that is used when packets are forwarded to the network ID.
This is a port number or other type of logical identifier.
Metric. A measurement of the preference of a route. Typically, the lowest metric is the most
preferred route. If multiple routes exist to a given destination network, the route with the
lowest metric is used.
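The route selection the three entry types and the Metric column describe, as an added example that is not part of the original notes; the table contents and interface names are constructed sample values, and the longest-prefix-then-lowest-metric ordering is the standard IP forwarding rule the text summarizes.

```python
import ipaddress

# Constructed routing table with the columns the notes describe
# (destination, netmask, gateway, interface, metric); sample values only.
ROUTES = [
    ("0.0.0.0",      "0.0.0.0",         "10.0.0.1",   "LAN", 20),  # default route
    ("10.0.0.0",     "255.255.255.0",   "0.0.0.0",    "LAN",  1),  # directly attached network
    ("192.168.5.0",  "255.255.255.0",   "10.0.0.254", "LAN", 10),  # network route via a gateway
    ("192.168.5.0",  "255.255.255.0",   "10.0.0.253", "LAN",  5),  # same network, lower metric
    ("192.168.5.77", "255.255.255.255", "10.0.0.9",   "DD1",  1),  # host route (netmask /32)
]

def lookup(dest, routes=ROUTES):
    """Return (gateway, interface, metric) for dest, or None when nothing matches.

    The most specific route wins (host route over network route over default),
    and among equally specific routes the lowest metric is preferred.
    """
    addr = ipaddress.IPv4Address(dest)
    best = None
    for network, mask, gateway, iface, metric in routes:
        net = ipaddress.IPv4Network(f"{network}/{mask}", strict=False)
        if addr not in net:
            continue
        rank = (net.prefixlen, -metric)   # longer prefix first, then lower metric
        if best is None or rank > best[0]:
            best = (rank, (gateway, iface, metric))
    return best[1] if best else None

def next_hop(dest, routes=ROUTES):
    """Forwarding address and interface for dest. A gateway of 0.0.0.0 means the
    destination network is directly attached, so the packet goes to dest itself."""
    route = lookup(dest, routes)
    if route is None:
        return None
    gateway, iface, _ = route
    return (dest if gateway == "0.0.0.0" else gateway, iface)

if __name__ == "__main__":
    for dest in ("192.168.5.77", "192.168.5.10", "10.0.0.42", "8.8.8.8"):
        print(dest, "->", next_hop(dest))
    # Without a default route, a destination outside every listed network is unroutable.
    print("8.8.8.8 (no default) ->", next_hop("8.8.8.8", ROUTES[1:]))
```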
Implementing Demand-Dial Routing
A demand-dial interface is a router interface that will be brought up on demand based on
network traffic.
The fields described in the following section for IP, TCP, and User Datagram Protocol (UDP)
headers can be used to configure demand-dial filters. Routing and Remote Access allows
filtering on the following fields:
IP Header
An IP datagram includes an IP header of 20 bytes.
IP protocol. An identifier of the IP client protocol. For example, TCP uses a protocol ID of
6, UDP uses a Protocol ID of 17, ICMP uses a protocol ID of 1. The Protocol field is used
to demultiplex an IP packet to the upper layer protocol.
Source IP address. The source IP address stores the IP address of the originating host.
Destination IP address. The destination IP address stores the IP address of the destination
host.
TCP Header
TCP uses byte-stream communications in which data contained by the TCP segment is
considered as a sequence of bytes with no record or field boundaries.
sending the TCP segment.
UDP Header
UDP is used by applications that do not require an acknowledgement of receipt of data and
that typically transmit small amounts of data at one time.
UDP source port. The UDP source port is used to identify the source process that is sending
the UDP message.
UDP destination port. The UDP destination port is used to identify the destination process for
the UDP message.
NOTE: A list of well-known ports can be found in %winroot%\system32\drivers\etc\services
or RFC 1700.
ICMP
ICMP messages are encapsulated within IP datagrams so that they can be routed throughout
an internetwork.
ICMP type. The ICMP type indicates the type of ICMP packet (Echo Request vs. Echo
Reply, and so on).
ICMP code. The ICMP code indicates one of possible multiple functions within a given
type.
Protocol
For each filter, various protocols can be used:
ANY means any protocol.
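Extracting the IP, TCP, UDP and ICMP header fields listed above and applying them as demand-dial filters, as an added example that is not part of the original notes; the packets are constructed inline, the filter dictionary layout is this example's own, and the "only"/"except" modes are an assumed reading of how a demand-dial interface decides whether traffic should bring the link up.

```python
import ipaddress
import socket
import struct

ANY = None   # the "ANY" value for a filter field

def parse_headers(packet):
    """Pull out the header fields a demand-dial filter can test from a raw IPv4 packet."""
    if len(packet) < 20:
        raise ValueError("truncated IP header")
    ver_ihl, _tos, _length, _ident, _flags, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    fields = {"protocol": proto, "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst)}
    payload = packet[(ver_ihl & 0x0F) * 4:]
    if proto in (6, 17) and len(payload) >= 4:        # TCP (6) or UDP (17): ports come first
        fields["sport"], fields["dport"] = struct.unpack("!HH", payload[:4])
    elif proto == 1 and len(payload) >= 2:            # ICMP (1): type and code come first
        fields["icmp_type"], fields["icmp_code"] = struct.unpack("!BB", payload[:2])
    return fields

def filter_matches(fields, flt):
    """A filter maps field -> required value; ANY or an absent field matches anything.
    src/dst are networks (address plus mask), as in the filter dialog."""
    for key, want in flt.items():
        if want is ANY:
            continue
        have = fields.get(key)
        if have is None:
            return False
        if key in ("src", "dst"):
            if ipaddress.IPv4Address(have) not in ipaddress.IPv4Network(want):
                return False
        elif have != want:
            return False
    return True

def should_dial(packet, filters, mode="only"):
    """Demand-dial decision (assumed semantics): mode "only" dials for traffic
    matching a filter; mode "except" dials for all traffic except what matches."""
    hit = any(filter_matches(parse_headers(packet), f) for f in filters)
    return hit if mode == "only" else not hit

def build_packet(proto, src, dst, upper):
    """Constructed IPv4 packet (header checksum left at zero; not needed for filtering)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(upper), 0, 0, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + upper

# Constructed samples: an HTTP request to the branch network, a ping, and a DNS query.
HTTP_PKT = build_packet(6, "10.0.0.5", "192.168.5.7", struct.pack("!HH", 40001, 80) + bytes(16))
PING_PKT = build_packet(1, "10.0.0.5", "192.168.5.7", struct.pack("!BBHHH", 8, 0, 0, 1, 1))
DNS_PKT = build_packet(17, "10.0.0.5", "192.168.5.53", struct.pack("!HHHH", 40002, 53, 8, 0))
WEB_ONLY = [{"protocol": 6, "dst": "192.168.5.0/24", "dport": 80}]   # dial only for web traffic

if __name__ == "__main__":
    for name, pkt in (("HTTP", HTTP_PKT), ("PING", PING_PKT), ("DNS", DNS_PKT)):
        print(name, parse_headers(pkt), "dial:", should_dial(pkt, WEB_ONLY))
```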
Lesson Summary:
The remote access server can be turned into an IP router by installing Routing and Remote
Access, updating its routing tables, and implementing demand-dial routing.
Lesson 4:
Supporting Virtual Private Networks
A VPN is defined as the ability to send data between two computers across an internetwork
in a manner that mimics the properties of a dedicated private network.
Implementing a VPN
A VPN is defined as the ability to send data between two computers across an internetwork
in a manner that mimics the properties of a dedicated private network. From the user’s
perspective, the VPN is a point-to-point connection between the user’s computer and a
corporate server.
VPN technology also allows a corporation to connect with its branch offices or with other
companies over a public internetwork (such as the Internet) while maintaining secure
communications. The VPN connection across the Internet logically operates as a dedicated
WAN link.
Tunneling Basics
Tunneling, or encapsulation, is a method of using an internetwork infrastructure to transfer a
payload.
The encapsulated packets are then routed between tunnel endpoints over the transit internetwork.
Once the encapsulating frames reach their destination on the transit internetwork, the frame is
decapsulated and forwarded to its final destination.
Examples of Tunneling
PPTP, Point-to-Point Tunneling Protocol. PPTP allows IP, Internetwork Packet Exchange
(IPX), or NetBIOS Extended User Interface (NetBEUI) traffic to be encrypted and then
encapsulated in an IP header to be sent across a corporate IP internetwork or a public
internetwork like the Internet.
L2TP. L2TP allows IP to be encrypted and sent over any medium that supports point-to-
point datagram delivery, such as IP, frame relay, or asynchronous transfer mode (ATM).
IP-in-IP Tunneling. Encapsulates an existing IP datagram with an additional IP header.
Integrating VPN in a Routed Environment
In some corporate internetworks the data of a department is so sensitive that the department's
LAN is physically disconnected from the rest of the corporate internetwork.
VPNs allow the department’s LAN to be physically connected to the corporate internetwork
but separated by a VPN server.
Integrating VPN Servers with the Internet
To connect a network over the Internet you have two options:
Branch Office using dedicated lines. These lines are always up and running 24 hours a day.
Branch Office using a dial-up line. Rather than having a router at the branch office make a long
distance call to a corporate or outsourced NAS, the router at the branch office calls its local
ISP.
NOTE: In both cases, the users are not charged based on the distance between the offices
because only local physical links are being used.
For VPN connections to be reliably available, the corporate hub router acting as a VPN
server must be connected to a local ISP using a dedicated line.
Lesson Summary:
A VPN is defined as the ability to send data between two computers across an internetwork
in a manner that mimics the properties of a dedicated private network.
Lesson 5:
Supporting Multilink Connections
Multilink was first introduced in Windows NT 4.0 Remote Access Service. It allows the
combining of multiple physical links into one logical link. Typically, two or more ISDN lines
or modem links are bundled together for greater bandwidth.
Point-to-Point Protocol (PPP)
PPP was designed to send data across dial-up or dedicated PPP connections. PPP
encapsulates IP, IPX and NetBEUI packets within PPP frames, and then transmits the PPP-
encapsulated packets across the PPP link. PPP can be used between routers over dedicated
links or by a Remote Access Service client and server over dial-up links.
Encapsulation. This allows the multiplexing of multiple transport protocols over the same link.
LCP. PPP defines an extensible LCP for establishing, configuring and testing the data-link
connection. Some examples of authentication protocols include PAP, CHAP, and EAP.
Network Control Protocol. Network Control Protocols (NCPs) provide specific configuration
for their respective transport protocols. For example, IPCP is the IP Control Protocol.
Multilink PPP
A new LCP option. The ability to support multilink is negotiated during PPP's LCP phase.
A new PPP network protocol. A new PPP network protocol was created called MP (multilink
PPP). MP appears as a normal PPP payload.
Lesson Summary:
Multilink was first introduced in Windows NT 4.0 Remote Access Service. It allows the
combining of multiple physical links into one logical link.
Lesson 6:
Using Routing and Remote Access with DHCP
When a Routing and Remote Access address pool is configured to use DHCP no DHCP
packets will go over the wire to the Routing and Remote Access clients.
Routing and Remote Access and DHCP
When a Routing and Remote Access address pool is configured to use DHCP, no DHCP
packets will go over the wire to the Routing and Remote Access clients. Routing and Remote
Access obtains the addresses from DHCP in blocks of 10 and stores them in the registry.
The number of addresses that Routing and Remote Access will lease at a time is configurable
in the registry under
\System\CurrentControlSet\Services\RemoteAccess\Parameters\Ip\InitialAddressPoolSize.
DHCP Relay Agent
The DHCP Relay Agent is a messenger for the DHCP server. Since the router does not
forward broadcasts and drops them, the DHCP server relies on the DHCP Relay Agent to
transfer the requests from the client to the server.
Lesson 7:
Managing and Monitoring Remote Access
Managing and monitoring a remote access server can be done with several tools.
Logging User Authentication and Accounting Requests
IAS can create log files based on the authentication and accounting requests received from the
NASs, collecting these packets in a centralized location.
**** See page 297 to see the logging possibilities ****
When you set up your server, specify whether new logs are started daily, weekly, monthly,
or when the log reaches a specific size. By default, the log files are located in the
%systemroot%\system32\LogFiles folder, but you have the option of specifying a different
location.
Log File Records
Attributes are recorded in Unicode Transformation Format-8 (UTF-8) encoding in a
comma-delimited format.
In IAS-formatted log files, each record starts with a fixed-format header, which has a NAS
IP address, user name, record date, record time, service name, and computer name, followed
by attribute-value pairs.
In database-import log files, each record contains attribute values in a consistent sequence,
starting with the computer name, service name, record date, and record time.
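A parser for the IAS-formatted records described above (fixed header followed by attribute-value pairs), as an added example that is not part of the original notes; the log lines are constructed, the pairs are read as RADIUS attribute number followed by value, and the small attribute-name table and packet-type values are assumptions for the sample rather than a complete IAS schema. The database-import format is not handled.

```python
import csv
from collections import Counter

HEADER = ("nas_ip", "user", "date", "time", "service", "computer")

# Assumed subset of attribute IDs for the sample: standard RADIUS numbers plus
# Microsoft's 41xx IDs for packet type and reason code.
ATTR_NAMES = {6: "Service-Type", 7: "Framed-Protocol", 8: "Framed-IP-Address",
              30: "Called-Station-Id", 31: "Calling-Station-Id",
              40: "Acct-Status-Type", 4136: "Packet-Type", 4142: "Reason-Code"}
PACKET_TYPES = {1: "Access-Request", 2: "Access-Accept",
                3: "Access-Reject", 4: "Accounting-Request"}

# Constructed sample log: header fields, then id,value pairs (values are sample data).
SAMPLE_LOG = """\
10.0.0.2,CORP\\alice,04/06/2002,09:15:01,IAS,RAS1,4136,1,31,5551234,6,2,7,1
10.0.0.2,CORP\\alice,04/06/2002,09:15:02,IAS,RAS1,4136,2,4142,0,8,10.0.0.201
10.0.0.2,CORP\\bob,04/06/2002,09:16:40,IAS,RAS1,4136,1,31,5559876
10.0.0.2,CORP\\bob,04/06/2002,09:16:41,IAS,RAS1,4136,3,4142,16
10.0.0.2,CORP\\alice,04/06/2002,09:15:05,IAS,RAS1,4136,4,40,1,8,10.0.0.201
"""

def parse_record(line):
    """Split one IAS-format record into a dict: the six fixed header fields,
    then one key per attribute (named if known, else attr-<id>)."""
    fields = next(csv.reader([line]))
    if len(fields) < len(HEADER) or (len(fields) - len(HEADER)) % 2:
        raise ValueError(f"malformed IAS record: {line!r}")
    record = dict(zip(HEADER, fields))
    rest = fields[len(HEADER):]
    for attr_id, value in zip(rest[::2], rest[1::2]):
        record[ATTR_NAMES.get(int(attr_id), f"attr-{attr_id}")] = value
    return record

def parse_log(text):
    return [parse_record(line) for line in text.splitlines() if line.strip()]

def summarize(records):
    """Count packet types per user and collect the reason code of each rejected user."""
    counts = Counter()
    rejected = {}
    for rec in records:
        ptype = PACKET_TYPES.get(int(rec.get("Packet-Type", 0)), "unknown")
        counts[(rec["user"], ptype)] += 1
        if ptype == "Access-Reject":
            rejected[rec["user"]] = rec.get("Reason-Code")
    return counts, rejected

if __name__ == "__main__":
    counts, rejected = summarize(parse_log(SAMPLE_LOG))
    for (user, ptype), n in sorted(counts.items()):
        print(f"{user:12} {ptype:20} {n}")
    print("rejected:", rejected)
```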
Accounting
Routing and Remote Access can be configured to log accounting information in the
following locations:
is an IAS server, the log files are stored on the IAS server. Windows 2000 uses the IAS server.
Netsh Command-Line Tool
Netsh is a command-line and scripting tool for Windows 2000 networking components
for local or remote computers. Netsh is supplied with Windows 2000. Netsh also provides
the ability to save a configuration script in a text file for archival purposes or for configuring
other servers.
***** Very complicated, look at home, lots of nested commands *****
"aaaa": Accounting, Authentication, Authorization, and Auditing
For Routing and Remote Access, Netsh has the following contexts, or prompts:
Ras. Configures remote access.
Aaaa. Configures the AAAA component used by both Routing and Remote Access and IAS.
Routing. Configures IP and IPX routing.
Interface. Configures demand-dial interfaces.
Network Monitor
Network Monitor enables you to detect and troubleshoot problems on the LAN and WAN,
including Routing and Remote Access links. With Network Monitor you can identify network
traffic patterns and network problems.
Resource Kit Utilities
The following are Resource Kit utilities that make the job of managing and monitoring
Routing and Remote Access easier.
RASLIST.EXE
The RASLIST.EXE command-line tool displays Routing and Remote Access server
announcements from a network. Raslist listens for Routing and Remote Access server
announcements on all active network cards in the computer from which it is run. Its
output shows which card received the announcement. Raslist is a monitoring tool.
RASSRVMON.EXE
Using the RASSRVMON.EXE tool, you can monitor the remote access server activities
on your server in greater detail than the standard Windows tools allow.
total calls, total bytes passed through server, peak connection.
connections to this port since server started, total bytes passed on this port, total errors.
connection count, average connect time, and total error count.
establishment time, duration, bytes transmitted, error count, and line speed.
RASUSERS.EXE
RASUSERS.EXE lets you list, for a domain or a server, all user accounts that have been
granted permission to dial in to the network via Routing and Remote Access.
TRACEENABLE.EXE
Graphical user interface-based tool that enables tracing and displays current tracing options.
You must enable the tracing function by changing settings in the Windows 2000 registry using
traceenable.exe.
To generate a log using TRACEENABLE.EXE for PPP:
Tracing is now enabled for this component. In most cases the log file is created in %windir%\tracing.