CHAPTER 10
ROUTING AND REMOTE ACCESS SERVICE
Lesson 1:
Introduction to the Routing and Remote Access Service
Multiprotocol routing support for the Windows NT family of operating systems began with
Windows NT 3.51 Service Pack 2, which included components for the Routing Information
Protocol (RIP) for IP, RIP for IPX, and the Service Advertising Protocol (SAP) for IPX.
Windows 2000 Routing and Remote Access Service
RRAS for Windows 2000 Server continues the evolution of multiprotocol routing and remote
access services for the Microsoft Windows platform.
When RRAS was implemented in Windows NT 4.0, it added support for the following
features:
RIP version 2 for IP (RIP for IP version 1 is still supported).
Open Shortest Path First (OSPF) routing protocol for IP
Demand-dial routing (routing over persistent or on-demand WAN links such as analog
phone lines)
Internet Control Message Protocol (ICMP) router discovery
Remote Authentication Dial-In User Service (RADIUS) client to benefit from the services
provided by a RADIUS Server.
RADIUS server for providing centralized authentication, authorization, accounting, and remote
access policy to dial-up and VPN remote access clients (included with the Windows NT 4.0 Option Pack)
IP and IPX packet filtering for protocol-level security.
A graphical user interface (GUI) administrative program called Routing and RAS Admin and a
command-line utility called Routemon.
Windows 2000 builds on RRAS in Windows NT 4.0 and adds the
following features:
connection of a small office/home office (
========================================================================
winser10.html PAGE 2 2002/02/19
RRAS is fully integrated with Windows 2000 Server operating system. RRAS works with a
wide variety of hardware platforms and hundreds of network adapters; the result is a lower
cost solution than many midrange dedicated router or remote access server products.
The combined features of Windows 2000 RRAS allow a Windows 2000 Server computer to
function as a multiprotocol router, a demand-dial router, and a remote access server.
Multiprotocol Router
The computer running RRAS can route IP, IPX and AppleTalk simultaneously.
All routable protocols and routing protocols are configured from the same administrative utility.
Demand-Dial Router
A computer running RRAS can route IP and IPX over on-demand or persistent WAN links, such
as analog telephone lines or Integrated Services Digital Network (ISDN), or over VPN connections
by using either PPTP or L2TP over IPSec.
Remote Access Server
A computer running RRAS can act as a remote access server providing remote access connectivity
to dial-up or VPN remote access clients that use IP, IPX, AppleTalk, or NetBEUI.
Combining Routing and Remote Access
Before RRAS was implemented in Windows NT, the routing services and remote access
services worked separately.
PPP provides link parameter negotiation, the exchange of authentication credentials, and network
layer protocol negotiation. For example, when you dial an Internet service provider (ISP) via PPP,
you agree to the size of the packets you are sending and how they are framed (link negotiation),
you log on by using a user name and password (authentication), and you obtain an IP address
(network layer negotiation).
Demand-dial routing connections also use PPP to provide the same kinds of services as remote
access connections.
The PPP infrastructure of Windows 2000 Server includes support for the following types of
access:
ISDN) as either the client or server
answering router.
answering router.
LAN and WAN Support
RRAS can run over any of the LAN and WAN network adapters supported by Windows 2000
Server, including cards from Eicon, Cisco, SysKonnect, Allied, and US Robotics.
Installation and Configuration
Unlike RRAS for Windows NT 4.0 and most network services in Windows 2000, RRAS is not
installed or uninstalled through Add/Remove Programs in Control Panel. Windows 2000 RRAS
is installed automatically, in a disabled state.
You can use the Routing and Remote Access snap-in to enable and configure RRAS. By
default, a local Windows 2000 Server is listed as a RRAS server as shown on page 544.
You can add additional computers by selecting either the root of the console tree or the Server
Status node and then selecting Add Server from the Action menu.
Once the server is added in the console tree, select the server that you want to enable and then
select Configure And Enable Routing And Remote Access from the Action menu.
NOTE: If you type ? after entering the netsh command mode, the help information may scroll
beyond the window size. If it does, you can scroll the command-prompt window, maximize
the window, or run in full-screen mode.
Note that each computer on the intranet served by the RRAS server should use a private IP
address in one of the following address blocks:
=========================================================================
Address Class   Network address block
=========================================================================
A               10.10.0.0-10.255.255.255
B               172.16.0.0-172.31.255.255
C               192.168.0.0-192.168.255.255
=========================================================================
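The check implied by the table above, as an added example that is not part of the original notes: it classifies intranet host addresses by the private block they fall in and flags any host behind the RRAS server that carries a publicly routable address. It assumes the RFC 1918 definitions of the three blocks (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16); the host list is constructed for the example.

```python
import ipaddress

# RFC 1918 private address blocks (assumption: the class A/B/C blocks on the page
# are read as 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16).
PRIVATE_BLOCKS = {
    "A": ipaddress.ip_network("10.0.0.0/8"),
    "B": ipaddress.ip_network("172.16.0.0/12"),
    "C": ipaddress.ip_network("192.168.0.0/16"),
}


def private_block(address: str):
    """Return the class letter of the private block containing address, or None."""
    ip = ipaddress.ip_address(address)
    for label, block in PRIVATE_BLOCKS.items():
        if ip in block:
            return label
    return None


def audit_intranet_hosts(addresses):
    """Split intranet host addresses into (private, not_private) lists.

    A host behind the RRAS server that uses a public address is flagged: it is
    routable from the Internet and should not sit on the private side.
    """
    private, flagged = [], []
    for addr in addresses:
        label = private_block(addr)
        (private if label else flagged).append((addr, label))
    return private, flagged


# Constructed sample of intranet hosts (not from the page). 172.32.0.1 sits just
# past the end of the class B block, a common off-by-one when the block is typed by hand.
SAMPLE_HOSTS = ["10.10.0.5", "172.31.255.254", "172.32.0.1", "192.168.1.20", "198.51.100.7"]

if __name__ == "__main__":
    good, bad = audit_intranet_hosts(SAMPLE_HOSTS)
    for addr, label in good:
        print(f"{addr:18} private (class {label} block)")
    for addr, _ in bad:
        print(f"{addr:18} NOT in a private block")
```

Running the block prints three private hosts and two flagged ones; the same logic can be pointed at a DHCP lease list or an exported routing table.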
Disabling RRAS
In the console tree, select the computer that you want to disable and then select Disable Routing and
Remote Access from the Action menu. Disabling the service removes all Routing and Remote
Access registry settings.
You can also refresh the configuration of RRAS by first disabling the server and then enabling it.
NOTE: If you disable RRAS, all current configurations for the service, including routing protocol
configuration and demand-dial interfaces, are removed and all currently connected clients are
disconnected.
Authentication and Authorization
There is a difference between the two, and it is important to know the distinction:
Authentication. Authentication is the verification of the credentials of the connection attempt.
This process consists of sending the credentials from the remote access client to the remote
access server in either a clear text or encrypted form that uses an authentication protocol.
Authorization. Authorization is the verification that the connection attempt is allowed.
Authorization occurs after successful authentication.
First you must be authenticated, then you are authorized; both conditions must be met.
If the remote access server is configured for Remote Authentication Dial-In User Service (RADIUS)
authentication, the credentials of the connection attempt are passed to the RADIUS server for
authentication and authorization.
Lesson Summary:
remote access services for the Microsoft Windows platform.
and network layer protocol negotiation.
and authorized.
Lesson 2:
Features of the Routing and Remote Access Service
RRAS for Windows 2000 includes a wide variety of features that support unicast and multicast IP
routing, IPX routing, AppleTalk routing, remote access, and VPN support.
Unicast IP Support
In unicasting, two computers establish a two-way, point-to-point connection in order to
exchange data. Unicast IP routing is where one or more routers forward packets along such a
two-way, point-to-point connection.
IP Multicast Support
Windows 2000 supports the sending, receiving, and forwarding of IP multicast traffic.
Multicast traffic is sent to a single destination address but is processed by every host that
listens for traffic to that address: one machine sends, and a group of hosts sees the packet.
IPX Support
RRAS supports IPX packet filtering (by node, socket number, and packet type), RIP for IPX, SAP for
IPX, and NetBIOS over IPX.
AppleTalk
Windows 2000 RRAS can operate as an AppleTalk router by forwarding AppleTalk packets
and supporting the use of the Routing Table Maintenance Protocol (RTMP).
Demand-Dial Routing
Demand-dial routing allows you to connect to the Internet, to connect branch offices, or to
implement router-to-router VPN connections.
Remote Access
RRAS enables a computer to be a remote access server, accepting remote access connections
(dial-in) from remote access clients that use traditional dial-up technologies such as analog
phone lines and ISDN.
VPN Server
RRAS enables a computer to be a VPN server, supporting both PPTP and L2TP over IPSec
and accepting both remote access and router-to-router demand-dial VPN connections
from remote access clients and calling routers.
RADIUS Client-Server
(AAAA)
IAS performs centralized authentication, authorization, auditing and accounting of connections
for dial-up and VPN remote access and demand-dial connections, and it can be used in
conjunction with Windows 2000 RRAS.
SNMP MIB Support (Men in Black)
The computer running RRAS must also be running the SNMP service, also called SNMP
agent, in order to be managed by an NMS.
NOTE: MIB support is also provided for Windows 2000 operating system functions, legacy
LAN Manager MIB functions, and the WINS, DHCP, IIS services. IPX is also supported
by the SNMP service; however, TCP/IP must be installed to allow for IPX SNMP support.
API Support for Third-Party Components
Routing protocol developers can write additional routing protocols and interfaces directly into
RRAS architecture.
Lesson Summary:
Lesson 3:
Remote Access
Windows 2000 remote access technology allows remote clients to connect to corporate
networks or the Internet.
In Windows 2000 RAS, remote access clients are either connected only to the remote
access server’s resources (PPP remote access connectivity), or they are connected to the
RAS server’s resources and the resources of the network to which the remote access
server is attached (point-to-LAN remote access connectivity).
Digital Links and V.90
The modern day analog telephone system is analog only on the local loop, the set of wires
that connect the customer to the central office PSTN switch.
The analog-to-digital conversion introduces noise on the connection known as quantization
noise.
Clients can send at 33.6 Kbps and receive at 56 Kbps, but the 56 Kbps receive rate is not
reached in practice, because there can be no analog segment at any of the switching connections.
X.25
Old, used in
NOTE: X.25 smart cards are adapters that use the X.25 protocol and can directly connect
to an X.25 public data network. X.25 smart cards are not related to smart cards used for
authentication and secure communications.
ATM over ADSL
ATM over ADSL is a new local loop technology for small business and residential customers. Although ADSL
provides higher bit rates than PSTN and ISDN connections, the bit rate is not the same in the
upstream and downstream directions. Typical ADSL connections offer 64 Kbps from the
customer and 12.544 Mbps to the customer.
Remote Access Protocols
There are three types of remote access protocols supported by Windows 2000 remote access:
multi-protocol support, and interoperability.
remote access protocol used by legacy remote access clients running Microsoft operating
systems, such as Windows NT 3.1, Windows for Workgroups, and LAN Manager.
LAN Protocol
LAN protocols are the protocols used by the remote access client to access resources on the
network connected to the RAS server. Windows 2000 remote access supports TCP/IP, IPX,
AppleTalk and NetBEUI.
Mutual Authentication
Mutual authentication is obtained by authenticating both ends of the connection through the
encrypted exchange of user credentials.
Data Encryption
Data encryption encrypts the data sent between the remote access client and the RAS server.
If end-to-end encryption is needed, use IPSec to create an encrypted end-to-end connection
after the remote access connection has been made.
Data encryption on a remote access connection is based on a secret encryption key known
to the RAS server and the remote access client.
Data encryption is possible over dial-up remote access links when using PPP along with
EAP-TLS or MS-CHAP. The RAS server can be configured to require data encryption.
Caller ID
Caller ID requires that the caller’s telephone line, the phone system, the RAS server’s
telephone line, and the Windows 2000 driver for the dial-up equipment all support caller
ID. If caller ID is configured for a user account and the caller ID is not being passed from
the caller to the RAS server, then the connection is denied.
The disadvantage of configuring caller ID is that the user must always dial up from the same
telephone line.
Managing Remote Access
Remote access policies can be used to impose connection parameters such as maximum
session time, idle disconnect time, required secure authentication methods, required
encryption, and so on. For example, multiple remote access policies can be used to
meet the following conditions:
MEMBERSHIP.
membership.
Remote Access Permission (Dial-in or VPN)
By default, the Administrator and Guest accounts on a stand-alone remote access server or in a
Windows 2000 native-mode domain are set to Control access through Remote Access
Policy; in a Windows 2000 mixed-mode domain they are set to Deny access.
Access by Policy
The Remote Access Policies node appears in the Routing and Remote Access snap-in when the
authentication provider is set to Windows Authentication. When the authentication provider is
set to RADIUS Authentication, the Remote Access Policies node does not appear in the Routing
and Remote Access snap-in.
Managing Local Lockout
To enable account lockout, set the MaxDenials entry in the registry under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout
to 1 or greater.
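The decision sequence described in Lesson 1 (authentication first, then authorization) together with the remote access policy, caller ID and account lockout behaviour described in this lesson, as an added example that is not part of the original notes. It models the server-side logic only: the user store, the policy list, the MAX_DENIALS constant standing in for the MaxDenials registry value, and the sample accounts and calling numbers are all constructed assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Stand-in for the MaxDenials registry value on the page: failed attempts
# before the account is locked out (0 disables lockout). Assumed value.
MAX_DENIALS = 3


@dataclass
class Account:
    name: str
    groups: set
    pw_salt: bytes
    pw_hash: bytes
    caller_id: Optional[str] = None   # calling number the account must dial from, if configured
    failed_attempts: int = 0
    locked: bool = False


@dataclass
class Policy:
    """One remote access policy: a group condition, an allow/deny verdict and a profile."""
    name: str
    required_group: str
    allow: bool
    require_encryption: bool = False


def make_account(name, password, groups, caller_id=None):
    """Constructed user store entry; the password is stored salted and hashed."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return Account(name, set(groups), salt, digest, caller_id)


def authenticate(account, password):
    """Step 1: verify the credentials, applying the MaxDenials lockout."""
    if account.locked:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), account.pw_salt, 100_000)
    if hmac.compare_digest(digest, account.pw_hash):
        account.failed_attempts = 0
        return True
    account.failed_attempts += 1
    if MAX_DENIALS and account.failed_attempts >= MAX_DENIALS:
        account.locked = True
    return False


def authorize(account, policies, presented_caller_id, encryption_on):
    """Step 2: decide whether an authenticated connection is allowed.

    Mirrors the page: a configured caller ID that is missing or different denies the
    call; otherwise the first policy whose condition matches decides, and no match denies.
    """
    if account.caller_id is not None and presented_caller_id != account.caller_id:
        return False, "caller ID mismatch"
    for policy in policies:
        if policy.required_group in account.groups:
            if not policy.allow:
                return False, f"denied by policy {policy.name}"
            if policy.require_encryption and not encryption_on:
                return False, f"policy {policy.name} requires encryption"
            return True, f"allowed by policy {policy.name}"
    return False, "no matching policy"


def connection_attempt(account, password, policies, caller_id=None, encryption_on=False):
    """Authentication first, then authorization; both must succeed."""
    if not authenticate(account, password):
        return False, "locked out" if account.locked else "authentication failed"
    return authorize(account, policies, caller_id, encryption_on)


if __name__ == "__main__":
    alice = make_account("alice", "s3cret", ["VPN Users"], caller_id="5551234")
    policies = [Policy("VPN", "VPN Users", allow=True, require_encryption=True)]
    print(connection_attempt(alice, "s3cret", policies, caller_id="5551234", encryption_on=True))
    print(connection_attempt(alice, "s3cret", policies, caller_id="5559999", encryption_on=True))
```

Note that a correct password resets the failure counter, and that once the account is locked even the right password is refused: the lockout is checked before the credentials, so a locked account cannot be used to confirm a guess.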
RADIUS Authentication
If RADIUS is selected and configured as the authentication provider on the remote access server,
user credentials and parameters of the connection request are sent as a series of RADIUS request
messages to a RADIUS server, such as a computer running Windows 2000 Server and IAS.
Lesson Summary:
remote access and VPN remote access.
and a WAN infrastructure.
authentication, mutual authentication, data encryption, callback, caller ID and remote access
account lockout.
Lesson 4:
Virtual Private Networks
A virtual private network (VPN) is an extension of the private network that encompasses
encapsulated, encrypted, and authenticated links across shared or public networks.
Introduction to Virtual Private Networks
From the user’s perspective, the VPN is a point-to-point connection between the user’s
computer and a corporate server.
The secure connection across the internetwork appears to the user as a virtual network
interface providing private network communication over a public internetwork.
Connecting Networks over the Internet
Rather than using an expensive long-haul dedicated circuit between the branch office
and the corporate hub, both the branch office and the corporate hub routers connect to
the Internet through the use of a local dedicated circuit and local ISP.
Tunneling Basics
Tunneling, also known as encapsulation, is a method of using an internetwork infrastructure
to transfer a payload.
Maintaining the Tunnel
For some tunneling technologies, such as PPTP and L2TP, once the tunnel has been created
it must be maintained. Both ends of the tunnel must be aware of the state of the other end in
case of a connection fault.
Tunnel Types
There are two basic types of tunnels: voluntary tunnels and compulsory tunnels.
action by the user at the tunnel client computer.
knowledge or intervention.
This is a functionality referred to as access concentrator.
PPTP
Point-to-Point Tunneling Protocol (PPTP) is an extension of PPP that encapsulates PPP frames
in IP datagrams for transmission over an IP internetwork such as the Internet.
PPTP uses a TCP connection for tunnel maintenance and uses modified GRE encapsulated
PPP frames for tunneled data. The payloads of the encapsulated PPP frames can be
encrypted and compressed.
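The tunneled-data encapsulation just described (a PPP frame carried inside a modified GRE header), as an added example that is not part of the original notes: it builds the GRE header PPTP uses per RFC 2637 (key field carrying payload length and call ID, optional sequence and acknowledgment numbers, version 1), and parses it back with the length checks a decoder fed from a capture needs. The TCP control connection for tunnel maintenance is not modelled, and the PPP frame is a constructed placeholder.

```python
import struct
from typing import Optional

GRE_PROTO_PPP = 0x880B   # protocol type for PPP inside PPTP's enhanced GRE (RFC 2637)

# Constructed PPP frame: protocol field 0x0021 (IP) followed by placeholder bytes.
SAMPLE_PPP = b"\x00\x21" + b"IP datagram payload (constructed)"


def gre_encapsulate(ppp_frame: bytes, call_id: int,
                    seq: Optional[int] = None, ack: Optional[int] = None) -> bytes:
    """Wrap one PPP frame in a PPTP-style GRE header.

    Byte 0: C R K S s Recur  -> K (key present) always set, S if a sequence number follows.
    Byte 1: A Flags Ver      -> A if an acknowledgment number follows, Ver = 1.
    Then protocol type, payload length and call ID (the 32-bit key), then seq/ack.
    """
    flags = 0x20                     # K bit
    if seq is not None:
        flags |= 0x10                # S bit
    ver = 0x01                       # version 1 (enhanced GRE)
    if ack is not None:
        ver |= 0x80                  # A bit
    header = struct.pack("!BBHHH", flags, ver, GRE_PROTO_PPP, len(ppp_frame), call_id)
    if seq is not None:
        header += struct.pack("!I", seq)
    if ack is not None:
        header += struct.pack("!I", ack)
    return header + ppp_frame


def gre_decapsulate(packet: bytes):
    """Parse a PPTP GRE packet into (call_id, seq, ack, ppp_frame).

    Every optional field is bounds-checked and the payload length field is
    verified against the bytes actually present, so a truncated or forged
    length cannot make the decoder read past the packet.
    """
    if len(packet) < 8:
        raise ValueError("too short for a GRE header")
    flags, ver, proto, length, call_id = struct.unpack("!BBHHH", packet[:8])
    if proto != GRE_PROTO_PPP or (ver & 0x07) != 1 or not (flags & 0x20):
        raise ValueError("not PPTP enhanced GRE carrying PPP")
    offset = 8
    seq = ack = None
    if flags & 0x10:
        if len(packet) < offset + 4:
            raise ValueError("truncated sequence number")
        (seq,) = struct.unpack_from("!I", packet, offset)
        offset += 4
    if ver & 0x80:
        if len(packet) < offset + 4:
            raise ValueError("truncated acknowledgment number")
        (ack,) = struct.unpack_from("!I", packet, offset)
        offset += 4
    payload = packet[offset:offset + length]
    if len(payload) != length:
        raise ValueError("payload length field exceeds packet")
    return call_id, seq, ack, payload


if __name__ == "__main__":
    pkt = gre_encapsulate(SAMPLE_PPP, call_id=0x1234, seq=7, ack=6)
    print(pkt[:16].hex())
    print(gre_decapsulate(pkt))
```

The first two header bytes of a data packet with both sequence and acknowledgment numbers come out as 30 81, which is the pattern to look for when picking PPTP data out of a capture of IP protocol 47 traffic.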
PPTP versus L2TP
Both PPTP and L2TP use PPP WAN connections to provide an initial envelope for the
data and then append additional headers for transport through the transit internetwork.
PPTP requires that the transit internetwork be an IP internetwork. L2TP requires that the
tunnel media provide packet-oriented point-to-point connectivity. L2TP can be run over IP.