Configuring, Managing, Monitoring, and Troubleshooting Remote Access in a Windows 2000 Network Infrastructure

Contents

1. [Figure 3.27: GONZOR (local) Properties dialog, IP tab, with the Enable IP routing, Allow IP-based remote access and demand-dial connections, and IP address assignment (DHCP / Static address pool) options]
   FIGURE 3.27 Configuring Routing and Remote Access to use DHCP is as easy as clicking an option.

   EXAM TIP: Don't Memorize All the Counters. Just be familiar with the general categories and how to use the Performance console.

   To configure Routing and Remote Access for DHCP integration, do the following:

   STEP BY STEP 3.5 Configure Routing and Remote Access for DHCP Integration
   1. Open the Routing and Remote Access console by going to Start, Programs, Administrative Tools, Routing and Remote Access.
   2. From the tree, right-click the server and select Properties from the Context menu. Click the IP tab (see Figure 3.27).
   3. In the IP address assignment section, click the Dynamic Host Configuration Protocol (DHCP) option.

   Your Routing and Remote Access server will now issue DHCP addresses to users connecting via dial-in or VPN.

   MANAGING AND MONITORING REMOTE ACCESS

   Manage and monitor remote access.

   Now you have a functional Routing and Remote Access server up and running. How do you manage and monitor it? Let's start by taking a look at what kinds of information the Performance console
2. FIGURE 3.5 You can select the users who should be able to connect. However, if their account is disabled or locked, they will not be able to connect.

   (continued)
   4. Select the device(s) that you want to receive the incoming calls and click Next. The Incoming Virtual Private Connection dialog box opens (see Figure 3.4). Because we will discuss creating a virtual private network (VPN) connection in the "Configuring a Virtual Private Network (VPN)" section of this chapter, select Do Not Allow Virtual Private Connections and click Next.

   The Allowed Users dialog box opens (see Figure 3.5). Select the users you want to have dial-in access.

   Click Properties to open the user properties. This allows you to configure callback if necessary. Click the Callback tab (see Figure 3.6). For the most secure access, select Always Use the Following Callback Number and enter the user's phone number. Click OK to return to the wizard and click Next to continue.

   The Networking Components dialog box opens (see Figure 3.7).

   [Figure 3.6: TsInternetUser Properties dialog, Callback tab, with the options Do not allow callback; Allow the caller to set the callback number; Always use the following callback number]
   FIGURE 3.6 In a highly secure environment, use of the callback options included with Windows 2000 is a necessity.

   06W2000 NITG 03 10/11/00 12:59 PM Page 139 | Chapter 3: CONFIGURING, MANAGING, MONITORING, AND TROUBLESHOOTING REMOTE ACCESS IN A WINDOWS 2000 NETWORK INFRASTRUCTURE
3. [Figure 3.28: Performance console, System Monitor view]
   FIGURE 3.28 The Performance console allows you to monitor various system and application metrics for evaluating the performance and health of the system.

   4. Select the RAS Port performance object. You will see the list of counters available for RAS displayed on the left and a list of RAS devices in the right pane (see Figure 3.29).
   5. Select the port you want to monitor. After you have decided on the counter you want to monitor, click Add. You can add multiple counters either by selecting each counter and clicking Add, or by using the standard Windows multiple-item select method of holding down the Ctrl key while you select all the counters you want to monitor and clicking Add.
   6. Click Close when you are done. You will see your counters being graphed, similar to those shown in Figure 3.30.

   [Figure 3.30: Performance console, System Monitor graphing the RAS Port counters for GONZOR]
4. OBJECTIVES

   If you have ever used a modem to connect your Windows computer to another server or network, you have used remote access. With Windows 2000, Microsoft has introduced many new remote access capabilities to its operating system. This chapter covers the "Configuring, Managing, Monitoring, and Troubleshooting Remote Access in a Windows 2000 Network Infrastructure" objectives for this exam. As today's workforce becomes more and more diverse, the ability to provide reliable and secure remote access is becoming critical in every environment.

   Microsoft defines the "Configuring, Managing, Monitoring, and Troubleshooting Remote Access in a Windows 2000 Network Infrastructure" objectives as:

   Configure and troubleshoot remote access.
   - Configure inbound connections
   - Create a remote access policy
   - Configure a remote access profile
   - Configure a virtual private network (VPN)
   - Configure multilink connections
   - Configure Routing and Remote Access for DHCP Integration

   > One of the functions that Windows servers have always had is as a remote access server. With Windows 2000, Microsoft enhances your remote access capabilities. This objective expects you to understand how to configure the different remote access features included with Windows 2000 Server.

   CHAPTER 3: Configuring, Managing, Monitoring, and Troubleshooting Remote Access in a Windows 2000 Network Infrastructure

   Manage and monitor remote access.

   > If you are going to use y
5. [Figure 3.21: Edit Dial-in Profile dialog, Encryption tab. "NOTE: These encryption settings apply only to the Windows 2000 Routing and Remote Access Service. Select the level(s) of encryption that should be allowed by this profile: No Encryption, Basic, Strong."]
   FIGURE 3.21 Routing and Remote Access supports three levels of encryption.

   The Bandwidth Allocation Protocol (BAP) Settings can be used to configure when to drop one of the multilink lines based on usage. If the usage drops below a configurable amount of bandwidth (50% is the default) for a specified amount of time (2 minutes is the default), one of the multilink lines is dropped. You can also enable the Require BAP for Dynamic Multilink Requests option.

   - Authentication. This tab (see Figure 3.20) allows you to configure the authentication methods supported by Windows 2000. The protocols listed in the figure are discussed later in this chapter.
   - Encryption. This tab (see Figure 3.21) allows you to set the level of encryption required with Routing and Remote Access authentication. You can set it to No Encryption, Basic, or Strong, or allow any combination of the three.
   - Advanced. The Advanced tab (see Figure 3.22) allows you to add connection attributes to be returned to the Remote Access Server. This is usually used in conjunction with RADIUS.

   [Figure 3.22: Edit Dial-in Profile dialog, Advanced tab]
6. STEP BY STEP 3.3 Configuring a Remote Access Profile
   1. Open the Routing and Remote Access console by going to Start, Programs, Administrative Tools, Routing and Remote Access.
   2. Right-click the remote access policy you want to configure the remote access profile for. Select Properties from the Context menu. The Policy Properties dialog box opens (see Figure 3.17). The name in the title bar reflects the name of the policy.
   3. Click the Edit Profile button. The Edit Dial-in Profile dialog box opens (refer to Figure 3.16).
   4. Make any modifications necessary and click OK to return to the Properties dialog box. Click OK again to commit the changes and return to the OS.

   [Figure 3.17: Policy Properties dialog with the options Grant remote access permission and Deny remote access permission. "Access will be denied. The profile you specify will be ignored unless access is overridden on a per-user basis."]
   FIGURE 3.17 The Policy Properties dialog box contains all the information regarding the policy.

   That's how you get to the parameters for the profile. Now let's take a look at some of the parameters you can configure before we move on to VPNs in the next section. The dial-in profile contains the following settings:

   - Dial-in Constraints. This tab (refer to Figure 3.16) allows you

   NOTE: What Is Dial-in Media? This is more applicable with a VPN connection than a dial-in
7. ...as defined in the Users and Groups console. Click Add to go to the Groups dialog box (see Figure 3.13). Then click Add to open the Select Groups dialog box.

   (continues)

   [Figure 3.12: Select Attribute dialog. "Select the type of attribute to add and then click the Add button." Attribute types and descriptions as listed:]
   - Called-Station-Id: Phone number dialed by user
   - Calling-Station-Id: Phone number from which call originated
   - Client-Friendly-Name: Friendly name for the RADIUS client (IAS only)
   - Client-IP-Address: IP address of RADIUS client (IAS only)
   - Client-Vendor: Manufacturer of RADIUS proxy or NAS (IAS only)
   - Day-And-Time-Restrictions: Time periods and days of week during which use...
   - Framed-Protocol: The protocol to be used
   - NAS-Identifier: String identifying the NAS originating the request
   - NAS-IP-Address: IP address of the NAS originating the request
   - NAS-Port-Type: Type of physical port used by the NAS originatin...
   - Service-Type: Type of service user has requested
   - T...: Tunneling protocols to be used
   - (name cut off): Windows groups that user belongs to
   FIGURE 3.12 Select the appropriate attributes for the policy you are trying to create.

   [Figure 3.11: Add Remote Access Policy dialog, Conditions page. "Determine the conditions to match. Specify the conditions to match. Conditions:"]
   FIGURE 3.11 The first step in creating a remote access policy is to set the conditions.

   [Figure 3.13: Groups dialog. "The following groups are currently in this condition: Groups"]
   FIGURE 3.1
8. ...2000 server to support an inbound connection.

   STEP BY STEP 3.1 Configuring Remote Access Inbound Connections
   1. Right-click the My Network Places icon on the desktop. From the Context menu, select Properties. The Network and Dial-up Connections window opens. You can also open this window by going to Start, Settings, Network and Dial-up Connections.
   2. Double-click the Make New Connection icon. The Network Connection Wizard starts. If you have not already configured your dialing location information (see Figure 3.1), you will be prompted to do so before continuing with the wizard. Fill in the information and click OK. You will see the new location entry in the Phone and Modem Options window. Click OK to close it and return to the wizard.
   3. Click Next to start the wizard process. The Network Connection Type dialog box opens (see Figure 3.2). Select the Accept Incoming Connections option and click Next. The Devices for Incoming Connections dialog box (see Figure 3.3) opens.

   (continues)

   [Figure 3.2: Network Connection Wizard, Network Connection Type page. "You can choose the type of network connection you want to create, based on your network configuration and your networking needs." First option: Dial-up to private network (Connect using my phone line, modem or ISDN)]
9. ...Access Policy. The Add Remote Access Policy window opens (see Figure 3.10).

   [Figure 3.9 and 3.10: Routing and Remote Access console tree for GONZOR (local) showing Remote Access Clients (0), IP Routing, Remote Access Policies, and Remote Access Logging; and the Add Remote Access Policy dialog, Policy Name page. "Specify a friendly name for the policy. A Remote Access Policy is a set of actions which can be applied to a group of users meeting certain conditions. Analogous to rules you can apply to incoming mail in an e-mail application, you can specify a set of conditions that must be matched for the Remote Access Policy to apply. You can then specify actions to be taken when the conditions are met. Policy friendly name: Test Policy"]

   Enter a user-friendly name and click Next to continue. The Add Remote Access Policy Conditions dialog box opens (see Figure 3.11).

   Click Add to add a condition. Select one attribute from the list of attributes shown in Figure 3.12. Each attribute will create a slightly different process, and you will need to configure the attribute appropriately. For this example, select Windows Groups. Using the Windows Groups attribute allows you to enable remote access by user groups
10. Configuring Multilink

   If you want to configure multilink, there are a couple of prerequisites. First, you must have at least two modems installed on the system. After all, it's tough to multilink a single modem. Second, you need to have an incoming remote access connection created. Use Step by Step 3.1 to complete this activity.

   EXAM TIP: Know Where Multilink Is Enabled. More important, you should understand what is needed for a multilink connection and what benefits multilink provides.

   [Figure 3.26: Incoming Connections Properties dialog, General tab. "Allow incoming connections on these devices": U.S. Robotics 56K FAX EXT, U.S. Robotics 56K FAX EXT PnP, Direct Parallel (LPT1); Enable multilink; Virtual private network: "Allow others to make private connections to my computer by tunneling through the Internet or other network"; Show icons on taskbar when connected]
   FIGURE 3.26 The Incoming Connections Properties dialog box allows you to configure all the parameters for dialing in, including the multilink configuration.

   Part: EXAM PREPARATION

   EXAM TIP: Know That Routing and Remote Access Service Requests Its DHCP Addresses 10 at a Time. When it exhausts its pool, it will go back to the DHCP server for an additional 10.
11. [Figure 3.2, continued: Network Connection Type options. Dial-up to the Internet (Connect to the Internet using my phone line, modem or ISDN); Connect to a private network through the Internet (Create a Virtual Private Network (VPN) connection or "tunnel" through the Internet); Accept incoming connections (Let other computers connect to mine by phone line, the Internet, or direct cable); Connect directly to another computer (Connect using my serial, parallel, or infrared port)]
   FIGURE 3.2 The Network Connection Type dialog box allows you to select from a variety of Routing and Remote Access connection options.

   [Figure 3.1: Location Information dialog. "Before you can make any phone or modem connections, Windows needs the following information about your current location": country/region (United States of America), area code or city code, outside-line prefix, and Tone dialing or Pulse dialing]
   FIGURE 3.1 The Location Information is needed so that the server knows whether a call is local or long distance. In the case of a dial-in server, this is needed for callbacks.

   [Figure 3.3: Network Connection Wizard, Devices for Incoming Connections page. "You can choose the devices your computer uses to accept incoming connections. Select the check box next to each device you want to use for incoming connections. Connection devices: U..."]
12. CHAPTER SUMMARY

   In this chapter we have covered in detail how to use the Windows 2000 Routing and Remote Access Service to provide remote access services. We started the chapter discussing how to configure Routing and Remote Access to support inbound connections, DHCP, VPNs, and modem multilink connections, and we also discussed the creation and use of a remote access policy. We have examined how to use and configure a remote access profile as well. We then discussed monitoring and managing the Routing and Remote Access Service and wrapped up the chapter by discussing the different security aspects of the service, including configuring remote access security, authentication protocols, and encryption.

   And that wraps up the chapter summary. Let's take a look at some exercises and questions.

   KEY TERMS
   - virtual private network (VPN)
   - multilink
   - encryption
   - Dynamic Host Configuration Protocol (DHCP)
   - authentication
   - Remote Access Service (RAS)
   - callback

   APPLY YOUR KNOWLEDGE

   Exercises

   3.1 Creating a Remote Access Policy
   In the follow

   [fragment of a later exercise:]
   2. Right-click the Exercise 1 remote access policy created in the last exercise. Select Properties from the Context menu.
   3. Click the Edit Profile button.
13. [Figure 3.3, continued: connection devices U.S. Robotics 56K FAX EXT PnP and Direct Parallel (LPT1)]
   FIGURE 3.3 This dialog box allows you to selectively enable the devices that will be accepting incoming calls.

   [Figure 3.4: Network Connection Wizard, Incoming Virtual Private Connection page. "Another computer can create a virtual private connection to your computer through the Internet or another public network. Virtual private connections to your computer through the Internet are possible only if your computer has a known name or IP address on the Internet. Choose whether to allow virtual private connections: Allow virtual private connections / Do not allow virtual private connections"]
   FIGURE 3.4 In addition to supporting inbound modem connections, Windows 2000 also has the capability to accept inbound virtual private connections.

   [Figure 3.5: Network Connection Wizard, Allowed Users page. "You can specify which users can connect to this computer. Select the check box next to the name of each user you want to allow to connect to this computer. Note that other factors, such as a disabled user account, may affect a user's ability to connect." Users listed: Guest; IUSR_GONZOR (Internet Guest Account); IWAM_GONZOR (Launch IIS Process Account); TsInternetUser; buttons Add, Delete, Properties]
14. [Figure 3.25: Configure Device dialog for WAN Miniport (PPTP). "You can use this device for remote access requests or demand-dial connections": Remote access connections (inbound only); Demand-dial routing connections (inbound and outbound); Phone number for this device; "You can set a maximum port limit for a device that supports multiple ports": Maximum ports]
   FIGURE 3.25 The Configure Device dialog box allows you to fine-tune the properties for the device, including the number of ports available.

   (continued)
   3. To configure the ports, select Ports in the left pane and right-click. From the Context menu, select Properties. The Ports Properties dialog box opens (see Figure 3.24). You can see each of the protocols listed.
   4. Select the protocol you want to modify and click Configure. The Configure Device dialog box (see Figure 3.25) opens. This screen allows you to set the direction of the interface (Inbound Only, or Inbound and Outbound) as well as the number of ports. You can also set the phone number of the device, although this is of limited use with a VPN implementation.

   That is all there is to configuring the VPN server bundled with Windows 2000.

   IN THE FIELD: YOUR VPN IS ONLY AS GOOD AS YOUR INTERNET CONNECTION

   Although VPNs are being used frequently to replace more traditional remote access methods such as dial-in, people overlook a couple of things when putting together a VPN. First, the assumption is that
15. ...a VPN will be faster than dialing a remote access server. This is not necessarily true. You can have a bottleneck at your ISP connection, congestion issues on the Internet, or even server capacity issues on the VPN server itself. Make sure you set realistic expectations for your users regarding the capabilities of your new VPN. Second, just putting up a VPN does not mean that all your remote access problems are solved. You'll find that a host of new issues can quickly arise. How end users get access to the Internet, the size and capacity of the VPN server, even the available Internet bandwidth can place a quick bottleneck on the performance of your VPN.

   Configuring Multilink Connections

   First introduced as part of Windows 98, Windows 2000 includes the capability of aggregating multiple modem lines to form a single higher-bandwidth connection to a remote access server. This is usually an Internet Service Provider connection, but it could also be to another Windows 2000 Server, perhaps at a different location. As part of this capability, you also have the ability to leverage the Bandwidth Allocation Protocol (BAP). BAP is a PPP control protocol that is used to dynamically add or remove additional links to a multilink connection. To set up a multilink connection, you
16. ...considered to be a 168-bit encryption key (3 × 56 = 168) and is used in high-security environments. Until recently, the U.S. government tightly controlled the export of applications using 3DES encryption. Although these restrictions have been relaxed, exporting 3DES applications still requires government approval.

   These are the encryption protocols available for remote access in Windows 2000. Windows 2000 does use other encryption, such as Kerberos for logging on to a domain, but it is not applicable to remote access. To configure these protocols, do the following:

   [Figure 3.35: Edit Dial-in Profile dialog, Encryption tab. "NOTE: These encryption settings apply only to the Windows 2000 Routing and Remote Access Service. Select the level(s) of encryption that should be allowed by this profile: No Encryption, Basic, Strong."]

   STEP BY STEP 3.10 Configuring Encryption Protocols
   1. Open the Routing and Remote Access console and select Remote Access Policies from the tree view. In the right pane, right-click the policy you want to set the encryption level for and select Properties.
   2. From the Policy Properties dialog box, click Edit Profile. The Edit Dial-in Profile dialog box opens.
   3. Click the Encryption tab, shown in Figure 3.35. You can set the encryption levels to No Encryption, Basic, Strong, or any combination of the three. Select the appropriate
17. ...follow the wizard to complete the installation, selecting Allow Virtual Private Connections to ensure that your VPN works. This solution:
   A. Is functional and meets the primary and secondary objectives.
   B. Is functional but meets only the primary objective.
   C. Is functional but meets only the secondary objective.
   D. Is not functional.

   You are the system administrator for Run to the Hills Travel. You have a Windows 2000 Routing and Remote Access server configured to use multilink. You would like to configure the server to automatically drop a connection when the lines are not being used. What protocol can you use to accomplish this?
   A. PPP
   B. BAP
   C. PPTP
   D. EAP

   You are the Internet administrator, and you are using Windows 2000 Server as a VPN server. You need to configure additional IPSec VPN ports. How do you accomplish this?
   A. Run the VPN wizard and configure the additional ports.
   B. Go to the Networking and Dial-up Connections window and double-click New Connection. When the New Connection wizard starts, select New Inbound VPN and follow the prompts.
   C. In the Routing and Remote Access console, edit the properties of the L2TP ports and add the additional connections.
   D. In the Routing and Remote Access console, edit the properties of the IPSec ports and add the additional connections.

   You are the security administrator for a small police force. Your network is based on Windows 2000 Se
18. ...grant or deny remote access permission.

   [Figure 3.15: Add Remote Access Policy dialog, Remote Access Policy page. "If a user matches the specified conditions: Grant remote access permission / Deny remote access permission. You can grant or deny permissions from this screen."]
   FIGURE 3.15 You can use a Remote Access Policy either to grant certain access privileges to a group of users or to act as a filter and deny access privileges to a group of users.

   ...profile for the users affected by this policy (see Figure 3.16). You can restrict a number of access parameters, which we discuss at the end of the section.
   7. Click OK to return to the User Profile screen.
   8. Click Finish to complete the creation of the profile.

   IN THE FIELD: DESIGN YOUR POLICIES WITH CARE

   One thing you will find if you work in a large remote access environment is the uses for group-based policies. A couple of places these types of groups can be very useful include creating a group for contractors who work for your company intermittently. You can create an allow-access and a deny-access group and then, depending on the status of any projects, you can control their access to remote access just by moving their account from one group to another. People on a leave of absence might be placed in an LOA group to block th
19. ...monitor these counters on either a port-by-port or an entire-server level. Select RAS Ports to look at a single port or RAS Total to see the stats for the entire server.

   - Errors: Serial Overrun Errors, Timeout Errors, Total Errors, and Total Errors/Sec. These objects handle all the error information for the Routing and Remote Access Service.
   - Percent Compression Out. Tells how well outbound traffic is being compressed.

   Now that we have looked at the counters for the service, let's take a look at some of the ways to monitor the service.

   To configure Routing and Remote Access Performance monitoring, do the following:

   STEP BY STEP 3.6 Monitor Routing and Remote Access
   1. Open the Performance console by going to Programs, Administrative Tools, Performance (see Figure 3.28).
   2. In Performance, select System Monitor.
   3. To create an entry in System Monitor, click the Add icon. The Add Counters window opens. By default, it opens to the Processor performance object.

   [Figure 3.28: Performance console with the Console Root tree (System Monitor; Performance Logs and Alerts: Counter Logs, Trace Logs, Alerts) and the Last/Average/Minimum/Maximum/Duration readout]
20. ...some ISPs authenticate users for an enterprise account by passing RADIUS authentication requests to a local RADIUS server, allowing the company to control who gets access to the Internet.

   Configuring a Virtual Private Network (VPN)

   Before we delve into configuring the Windows 2000 VPN, let's look at VPNs in general and some of the factors that led to the creation of them. If you have been around the industry for a while, you are probably aware that one of the most misused terms in the computer industry today is VPN. It seems as though every vendor has a VPN to sell you, and many times one vendor's VPN can seem to be the exact opposite of another's. For example, not too long ago one of the major telecommunications vendors offered a VPN service that consisted of a private frame relay network that users could dial in to and then, utilizing the frame relay network, connect to the business's network. This service involved no encryption, and the only true security provided by the solution was whatever mechanism the customer provided at the frame relay's point of entry to the corporate network. Another VPN vendor will try to sell you a dedicated hardware platform designed to provide strictly VPN services. Firewall vendors will try to sell you VPN in their firewall platform, and router vendors will try to convince you that the VPN services bundled with your
21. [Figure 3.29: Add Counters dialog. Use local computer counters / Select counters from computer: GONZOR; Performance object: RAS Port; All counters / Select counters from list (Alignment Errors, Buffer Overrun Errors, Bytes Received, Bytes Received/Sec); All instances / Select instances from list; Explain button]
   FIGURE 3.29 The counters associated with RAS are very similar to the errors offered for most LAN connections, including Ethernet.

   FIGURE 3.30 To find out what kinds of errors you may be experiencing in the field, keep an eye out for sudden jumps either up or down. The graph in this figure shows that no RAS errors exist at this time.

   [Figure 3.31: Port Status dialog showing Device; Condition: Authenticated; user Administrator; Line bps: 10,000,000; Duration: 00:00:25; Statistics: Bytes in 198,833, Bytes out 1,457; Errors: CRC 0, Framing 0, Time-out 0, Hardware overruns 0, Alignment 0, Buffer overruns 0; Network registration: IP address 169.254.144.168, IPX address, NetBEUI name, AppleTalk address; buttons Refresh, Reset, Disconnect, Close]
   FIGURE 3.31 You can get a fairly complete port status here.

   If you want to see statistics on a VPN connection, do the following:

   STEP BY STEP 3.7 Checking the Status of a Port
   1.
   2. O
22. ...00 Routing and Remote Access server. Which protocol(s) should you use?
   A. IPSec
   B. PAP
   C. EAP
   D. CHAP
   E. MS-CHAP

   You manage a Windows 2000 Routing and Remote Access server used for remote dial-in access. You have an end user who is trying to connect to the Routing and Remote Access server, but he keeps getting the message that he is not an authorized user. He is able to connect to the network and log in from his office across the LAN. What might be causing the problem?
   A. The user is not using the correct password.
   B. The user is not using an ID that is authorized to use the dial-in server.
   C. He is trying to use his LAN account instead of his dial-in account.
   D. One of the modems on the server is probably down.

   You manage a Windows 2000 Routing and Remote Access server used for remote dial-in access. You have an end user who is trying to connect to the Routing and Remote Access server but keeps getting the message that he is not an authorized user. He is able to connect to the network and log in from his office across the LAN. After doing some research, you find that the user ID was not authorized for remote access. How would you fix this situation?
   A. Using the Routing and Remote Access console, open the user's ID and, under the Remote Access tab, grant him access.
   B. Using the Routing and Remote Access console, create a remote access policy. Use the Windows Groups criteria and add the user to an auth
23. As a general rule, Windows Groups is an attribute that is used frequently with remote access policies because it allows you to intuitively group users by department, function, or access rights.

   (continued)

   [Figure 3.14: Select Groups dialog. Look in: urwrite.net. Groups listed: Domain Controllers, Schema Admins, Enterprise Admins, Cert Publishers, Domain Admins, Domain Guests, Domain Users; Add and Check Names buttons; "Type names separated by semicolons or choose from list"]
   FIGURE 3.14 Select the appropriate groups for remote access permissions.

   ...shown in Figure 3.14 and select the appropriate group(s) for the rule. Click OK to return to the Groups dialog box. Click OK to add the Windows Groups condition to the policy. If you were to add an additional condition, users would need to meet both conditions to have the policy applied (a logical AND operation).

   Click Next to open the Add Remote Access Policy permissions dialog box shown in Figure 3.15. You can either Grant or Deny Remote Access Permission by selecting the appropriate option. Select the Deny Remote Access Permission option and click Next.

   The Edit Dial-in Profile dialog box that opens allows you to access the dial-in

   [Figure 3.15: Add Remote Access Policy dialog, Remote Access Policy page. "Determine whether to..."]
24. ...level and then click OK twice, and you are back to the Routing and Remote Access console.

   FIGURE 3.35 Windows 2000 supports three levels of encryption.

   CASE STUDY: IMPLEMENTING ROUTING AND REMOTE ACCESS IN A COMPLEX ENVIRONMENT

   ESSENCE OF THE CASE

   The essence of the case is as follows:
   - The management of your company is reluctant to make a major investment in toll charges for a dial-based remote access solution.
   - Your company has three main populations of users, each with different remote access requirements.
   - Each team has the requisite level of security.

   SCENARIO

   You are the network administrator for NR Widgets Inc., a multinational conglomerate, and you are based in the conglomerate's corporate headquarters. NR Widgets Inc. has a mobile population of about 200 people who need access to the network for submitting expense reports. About 100 of the users live and work within your local area code, and the rest are scattered throughout the country. Your management does not want to pay for long distance calls for remote access.

   Your mobile users consist of three groups. The first group is the highly technical telecommuters who need access to everything. They are also very security conscious and want to make sure the
25. 8. Select the components you want the dial-in user to have access to after they connect. By default, all components are selected. Click Next to continue. The Completing the Network Connection Wizard dialog box opens (see Figure 3.8). 9. Enter an intuitive name for the new connection and click Finish to complete the installation. FIGURE 3.7: The Networking Connections dialog box determines which services are available to dial-in users. Now that you have a dial-up connection, let's take a look at creating a remote access policy to define what can be done with the new connections. Creating a Remote Access Policy. A remote access policy is a set of actions that can be applied to a group of users that meet a specified set of requirements. The exam
26. ...through the public phone network, bypassing the toll charges. C. Get each user a personal 800 number. D. Set the Routing and Remote Access server security to use callback. Exam Questions. 1. What portion of the Routing and Remote Access Service can be used to aggregate bandwidth across multiple modem connections? APPLY YOUR KNOWLEDGE. 4. You are the LAN Administrator for Little Faith Enterprises Meat Packing. As part of the troubleshooting of a support issue, you need to check to see whether a user is connected to the Routing and Remote Access server. How can you check to see if the user is logged on? A. Open Performance Manager. Click the Add Counter icon. Select the RAS object and choose the Connected Users counter. Click OK and check the resulting statistic. B. Open the Performance console. Click the Add Counter icon. Select the RAS object and choose the Connected Users counter. Click OK and check the resulting statistic. C. Open the Routing and Remote Access console. Right-click the RAS server and choose Connected Users. Check for the user in the Connected Users dialog box. D. Open the Routing and Remote Access console. Under the server in the tree view, select Remote Access Clients. Check for the user in the Remote Access Clients. You need to configure strong authentication for your Windows 20
27. (Add RADIUS Server dialog: Secret, Time-out (seconds), Initial score, Port 1812, Always use digital signatures.) FIGURE 3.33: Adding a RADIUS server looks pretty easy, but you need to be sure your information matches the RADIUS server configuration. NOTE: MS-CHAP Versus MS-CHAP v2 Protocol. When you are making a VPN connection, Windows 2000 Server attempts to authenticate using the MS-CHAP v2 protocol before offering the MS-CHAP protocol. If you are using an updated Windows client computer, you should be able to authenticate with the MS-CHAP v2 protocol. Windows NT 4 and Windows 98 based computers can use only MS-CHAP v2 authentication for VPN connections. Configuring Authentication Protocols. Windows 2000 supports a number of authentication protocols; therefore, almost any connection configuration is supported. The protocols include the following: Extensible Authentication Protocol (EAP). EAP-TLS is an extension to the PPTP. EAP provides a standard mechanism for support of additional authentication methods within PPP, such as smart cards, one-time passwords, and certificates. EAP is critical for secure Windows 2000 VPNs because it offers stronger authentication methods, such as X.509 certificates, instead of relying on the user ID and password schemes used traditionally. Challenge Handshake Authentication Prot
28. ...and they are complaining about performance. You are using the Routing and Remote Access Service with a modem bank for providing access, and they are running Windows 2000 Professional. You have used the performance monitoring capabilities of Windows 2000 to determine that no issues exist with Routing and Remote Access, so the issue appears to be bandwidth limitations. What should you do? 4. You have just installed Routing and Remote Access for providing VPN services to 100 of your end users. You are able to get the first five users connected, but then the server denies access. What is the problem and how do you fix it? 5. You're the LAN administrator for Think About IT Consulting Services company. You have just installed your first Routing and Remote Access server and your users are connecting without a problem. You want to see how much traffic is being added to the network by the additional users. ...access services as part of a VPN. What VPN protocols will the server support? A. PPTP. B. IPSec. C. PPP. D. EAP. E. L2TP. 3. You are the LAN Administrator for the OUI Find'em detective agency. You have people connecting to your Windows 2000 Routing and Remote Access from all over the country, most working from home. How can you minimize the users' toll charges using Routing and Remote Access? A. Configure the user's RAS client computer for Connect as Needed mode. B. Use IPSec to tunnel to the RAS server
29. ...any network configuration and reboot the machine" method of managing Windows networking. With Windows 2000, the number of times you need to reboot the server is dramatically lessened. Although you may still need to reboot occasionally, most activities can be done without impacting operations. Additional VPN services and simplified VPN management. The VPN interfaces (PPTP and L2TP) are installed and configured by default, requiring no additional configuration. There is also support for the IPSec protocol. EXAM TIP: Authentication Support. Only Windows 2000 Server supports EAP and RADIUS for authentication. Network Address Translation (NAT) has been added, as has Internet Connection Sharing (ICS). Additional authentication mechanisms have been added to Routing and Remote Access, including MS-CHAP v2, RADIUS, and EAP for smart card and certificate support. One other key point to remember when discussing Microsoft's Routing and Remote Access Service and the remote access capabilities is that in previous incarnations, the term RAS, or Remote Access Service, was used interchangeably to refer to the dial-in connections and the service that ran the dial-up server. With the new Routing and Remote Access Service, Microsoft is striving to clarify its use of terminology. So in Windows 2000 parlance, Routing and Remote Access refers only to the Routin
30. ...assword Authentication Protocol (SPAP) is used specifically to allow Shiva client computers to connect to a Windows 2000 Server and to allow Windows 2000 client computers to connect to Shiva servers. PAP. Password Authentication Protocol (PAP) uses unencrypted plain text passwords for authenticating users and is considered the least secure authentication protocol available. PAP is usually used as the authentication of last resort, used when a more secure form of authentication is not available. You might need to use this protocol when you are connecting to a non-Windows-based server. To configure these protocols, do the following. STEP BY STEP 3.9: Configuring Authentication Protocols. 1. Open the Routing and Remote Access console. 2. Right-click the server and select Properties. This opens the server properties. 3. Select the Security tab and click Authentication Methods (refer to Figure 3.32). (Figure 3.32 shows the Authentication Methods dialog box: the server authenticates remote systems by using the selected methods in the order shown, with check boxes for EAP, MS-CHAP v2, MS-CHAP, CHAP, SPAP, PAP, and Allow remote systems to connect without authentication.) The Authe
31. ...based management capabilities, and understanding the policies associated with remote access is important for this exam. > Be sure to complete the exercises at the end of the chapter. Microsoft is striving to make certification exams more rigorous. Familiarity not only with the theory but also with the hands-on portion of the configuration and troubleshooting of remote access is important for this exam. ...security in the industry today. Microsoft considers security to be one of the cornerstones of Windows 2000. > Review the different types of encryption available for authenticating and securing your information through remote access. CONFIGURING AND TROUBLESHOOTING REMOTE ACCESS. Configure and troubleshoot remote access. Before we begin discussing how to configure remote access with Windows 2000 Server, we should take a minute to review what exactly remote access is under Windows 2000. If you have worked with Windows NT 4, you are undoubtedly familiar with the Remote Access Service (RAS). RAS was an NT 4 add-on service which provided the capability to receive incoming modem calls and allowed the user to connect to the network. RAS was also used for the other direction: you needed RAS to connect your Windows NT server or workstation to another host, either NT or a generic dial-in server. This model has changed dramatically in Windows 2000. N
32. ...connection, but you have the ability to disallow specific network media from connecting to the server. For example, if you didn't want ADSL users to be able to connect, you can specifically deny it. (Margin note: ...to configure the restrictions on the dial-in users, including the idle disconnect timer, the maximum length of the session, the time and day access is permitted, the dial-in number allowed, and the dial-in media allowed.) IP. This tab, shown in Figure 3.18, is used to determine the IP Address Assignment Policy if necessary. The following are three possible settings for the IP Address Assignment Policy: Server Must Supply an IP Address. For this to work, the server must have a DHCP range configured for remote access. The client computer cannot connect without requesting an address. Client May Request an IP Address. This setting leaves the determination on whether to use a DHCP address to the client computer. If the client computer has a statically configured address, it will still be able to connect. Server Settings Define Policy. This setting defers the decision on IP address policy to the Routing and Remote Access Server's global policy. You can also apply IP Packet Filters from the IP tab. Packet filters can be configured for traffic sent to the client co
33. ...des mutual authentication, stronger initial data encryption keys, and different encryption keys for sending and receiving. APPLY YOUR KNOWLEDGE. SPAP. Shiva Password Authentication Protocol (SPAP) is used specifically to allow Shiva client computers to connect to a Windows 2000 Server and to allow Windows 2000 client computers to connect to Shiva servers. PAP. Password Authentication Protocol (PAP) uses unencrypted plain text passwords for authenticating users and is considered the least secure authentication protocol available. PAP is usually used as the authentication of last resort, used when a more secure form of authentication is not available. You might need to use this protocol when you are connecting to a non-Windows-based server. 2. Understanding the differences between IPSec and PPTP is important. These points should help you distinguish between the two: IPSec. IP Security Protocol (IPSec) is a suite of cryptography-based protection services and security protocols used to provide a secure VPN connection. IPSec provides machine-level authentication as well as data encryption for L2TP-based (Layer 2 Tunneling Protocol) VPN connections. Unlike some other IPSec-based VPNs, Microsoft's implementation uses the L2TP protocol for encrypti
34. ...e Access console to configure remote access on a domain controller. See "Configuring Inbound Connections." B. BAP (Bandwidth Access Protocol) is used to accomplish this function in conjunction with multilink. See "Configuring Multilink Connections." (Answers 18 through 21.) C. You can just edit the properties of the L2TP ports, which are installed and configured when Routing and Remote Access is installed. Because by default IPSec used L2TP as a transport under Windows 2000, the ports are L2TP ports, not IPSec ports. See "Configuring a Virtual Private Network (VPN)." D. The authentication protocols are configured in the dial-in profile. Although A is almost right, this is not configured as part of the policy but is instead part of the profile. See "Configuring a Remote Access Profile." D. 3DES, or Triple DES, is the strongest encryption protocol used by Windows 2000. See "Configuring Encryption Protocols." B. DES is used in conjunction with IPSec. Because IPSec is used with L2TP, B is the correct answer. See "Configuring Encryption Protocols."
35. ...e can provide. It is generally the best tool for monitoring specifics about Windows 2000 services. The Performance console offers the following counters for the RAS object: Alignment Errors. The size of the packet received is different from the size expected. Buffer Overrun Errors. The software is unable to handle the rate that data is being received. Bytes Received. Total amount of bytes received by the service. Bytes Received/Sec. Number of bytes received by the service in a second. Bytes Transmitted. Total amount of bytes transmitted by the service. Bytes Transmitted/Sec. Number of bytes transmitted by the service in a second. CRC Errors. A frame received contains erroneous data and the packet did not pass the Cyclic Redundancy Check (CRC). Frames Received. Total number of frames received by the service. Frames Received/Sec. Number of frames received by the service per second. Frames Transmitted. Total number of frames transmitted by the service. Frames Transmitted/Sec. Number of frames transmitted by the service per second. Percent Compression In. Tells how well inbound traffic is being compressed. TIP: What Are We Measuring, Aggregate or Port Level? The Performance console allows you to
36. ...e-time passwords, and certificates. EAP is critical for secure Windows 2000 VPNs because it offers stronger authentication methods, such as X.509 certificates, instead of relying on the user ID and password schemes used traditionally. CHAP. The Challenge Handshake Authentication Protocol (CHAP) negotiates an encrypted authentication using MD5 (Message Digest 5), an industry-standard hashing scheme. CHAP uses challenge-response with one-way MD5 hashing on the response. This allows you to authenticate to the server without actually sending your password over the network. Because this is an industry-standard authentication method, it allows Windows 2000 to securely connect to almost all third-party PPP servers. MS-CHAP. Microsoft created Microsoft Challenge Handshake Authentication Protocol (MS-CHAP), an extension of CHAP, to authenticate remote Windows workstations, increasing the protocol's functionality by integrating the encryption and hashing algorithms used on Windows networks. Like CHAP, MS-CHAP uses a challenge-response mechanism with one-way encryption on the response. Although MS-CHAP is consistent with standard CHAP as much as possible, the MS-CHAP response packet is in a format specifically designed for computers running a Windows operating system. A new version of the Microsoft Challenge Handshake Authentication Protocol, MS-CHAP v2, is also available. This new protocol provi
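As an added illustration that is not code from the book, the CHAP response computation from RFC 1994 is shown beside a PAP Authenticate-Request built per RFC 1334, so the distinction the text draws (CHAP never sends the password, PAP sends it in clear text) can be seen in the bytes that cross the link. The user names, secrets and packets are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

# Added example, not the book's own code: the CHAP computation from RFC 1994 next
# to the PAP Authenticate-Request from RFC 1334, to show in bytes why the text
# says CHAP never sends the password while PAP is the least secure method.
# The user names, secrets and packets below are constructed sample data.


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5: Response Value = MD5(Identifier || secret || Challenge Value).
    Only this digest crosses the link; the secret itself never does."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute from the stored secret and compare in constant time.
    Note that the server must hold the secret in a form it can feed to MD5."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def chap_authenticate(server_secret: bytes, client_secret: bytes, identifier: int = 1) -> dict:
    """One CHAP round: fresh random challenge, client response, server check."""
    challenge = os.urandom(16)                    # new for every attempt
    response = chap_response(identifier, client_secret, challenge)
    return {"challenge": challenge, "response": response,
            "ok": chap_verify(identifier, server_secret, challenge, response)}


def pap_authenticate_request(identifier: int, peer_id: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request: Code 1, Identifier, Length, Peer-ID-Length,
    Peer-ID, Passwd-Length, Password; nothing is hashed or encrypted."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", 1, identifier, 4 + len(body)) + body


def parse_pap_request(packet: bytes) -> dict:
    """Recover the fields of a PAP Authenticate-Request, which is all a monitoring
    point on the link has to do: the password is readable exactly as sent."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != 1 or length != len(packet):
        raise ValueError("not a well-formed PAP Authenticate-Request")
    pos = 4
    id_len = packet[pos]
    peer_id = packet[pos + 1:pos + 1 + id_len]
    pos += 1 + id_len
    pw_len = packet[pos]
    password = packet[pos + 1:pos + 1 + pw_len]
    if pos + 1 + pw_len != length:
        raise ValueError("PAP length fields do not add up")
    return {"identifier": identifier, "peer_id": peer_id.decode(),
            "password_on_wire": password.decode()}


if __name__ == "__main__":
    print("CHAP, correct secret:", chap_authenticate(b"s3cret", b"s3cret")["ok"])
    print("CHAP, wrong secret:  ", chap_authenticate(b"s3cret", b"guess")["ok"])
    print("PAP fields visible:  ",
          parse_pap_request(pap_authenticate_request(7, b"alice", b"hunter2")))
```

A captured CHAP response is useless against a later challenge because the digest covers the challenge value, which is why the server must issue a fresh one every time.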
37. ...em from remote access until they come back on the job. The variations are endless. The trick is to really put some thought into the policy design before you start creating users. If you just start creating users with the thought of going back and organizing later, you have probably created three times as much work for yourself. FIGURE 3.16: The Edit Dial-in Profile dialog box allows you access to the granular settings for the dial-in users (Dial-in Constraints tab: Disconnect if idle, Restrict maximum session, Restrict access to the following days and times, Restrict Dial-in to this number only, Restrict Dial-in media, including ADSL-DMT, ADSL-CAP, Ethernet, IDSL, and SDSL). Configuring a Remote Access Profile. Now that you understand how to create a remote access policy, we need to discuss the next phase of the process: configuring a remote access profile. To configure a remote access profile, follow the steps in Step by Step 3.3. STEP BY STEP
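To make the evaluation rules described above concrete (conditions are ANDed, the first matching policy grants or denies, and the profile's dial-in constraints still apply on a grant), here is an added Python model; it is not the book's code and not how Windows 2000 implements policy evaluation internally. The attribute names follow the conditions named in the text, while the sample policies, the requests, the 08:00 to 18:00 window and the media names are assumptions constructed for the example, and the user account's own dial-in permission setting is left out.

```python
from dataclasses import dataclass, field
from datetime import datetime

# Added example, not the book's own code: a simplified model of how Windows 2000
# evaluates remote access policies. Policy conditions are ANDed, policies are
# tried in order and the first match decides, a Deny policy refuses access, and a
# Grant policy still applies the dial-in constraints from its profile. Attribute
# names follow the conditions named in the text; the policies and requests are
# constructed sample data, and the user account's own dial-in setting is ignored.

DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]


@dataclass
class Policy:
    name: str
    conditions: dict                                  # attribute -> set of acceptable values
    grant: bool                                       # Grant or Deny Remote Access Permission
    profile: dict = field(default_factory=dict)       # Edit Dial-in Profile settings


def conditions_match(policy: Policy, request: dict) -> bool:
    """Every condition must hold; adding a condition is a logical AND."""
    for attr, allowed in policy.conditions.items():
        if attr == "Windows-Groups":
            # the user must be a member of at least one of the listed groups
            if not allowed & set(request.get("Windows-Groups", ())):
                return False
        elif request.get(attr) not in allowed:
            return False
    return True


def profile_allows(profile: dict, request: dict) -> tuple:
    """Dial-in constraints from the profile: days/times, media, dial-in number."""
    when: datetime = request["time"]
    days_times = profile.get("days_times")            # {"Mon": [(8, 18)], ...}, hours
    if days_times is not None:
        windows = days_times.get(DAYS[when.weekday()], [])
        if not any(start <= when.hour < end for start, end in windows):
            return False, "outside permitted days and times"
    media = profile.get("media")                      # allowed NAS-Port-Type values
    if media is not None and request.get("NAS-Port-Type") not in media:
        return False, "dial-in media not allowed"
    number = profile.get("dialin_number")             # Restrict Dial-in to this number only
    if number is not None and request.get("Called-Station-Id") != number:
        return False, "wrong dial-in number"
    return True, "ok"


def evaluate(policies: list, request: dict) -> dict:
    """Policies are checked in order; the first one whose conditions match decides."""
    for policy in policies:
        if not conditions_match(policy, request):
            continue
        if not policy.grant:
            return {"access": "deny", "policy": policy.name,
                    "reason": "remote access permission denied by policy"}
        ok, reason = profile_allows(policy.profile, request)
        if not ok:
            return {"access": "deny", "policy": policy.name, "reason": reason}
        return {"access": "grant", "policy": policy.name, "reason": reason,
                "idle_timeout_min": policy.profile.get("idle_timeout_min"),
                "max_session_min": policy.profile.get("max_session_min")}
    return {"access": "deny", "policy": None, "reason": "no policy matched"}


# Constructed sample policies: ADSL is refused outright; telecommuters dialing in
# over PPP are granted access on weekdays 08:00-18:00 with a 30-minute idle timeout.
POLICIES = [
    Policy("Deny ADSL", {"NAS-Port-Type": {"ADSL-DMT", "ADSL-CAP"}}, grant=False),
    Policy("Telecommuters",
           {"Windows-Groups": {"Telecommuters"}, "Framed-Protocol": {"PPP"}},
           grant=True,
           profile={"days_times": {d: [(8, 18)] for d in DAYS[:5]},
                    "media": {"Async", "ISDN"},
                    "idle_timeout_min": 30, "max_session_min": 480}),
]


def sample_request(overrides: dict = None, day: int = 11, hour: int = 12) -> dict:
    """Constructed connection attempt; 11 October 2000 is a Wednesday."""
    request = {"Windows-Groups": ["Domain Users", "Telecommuters"],
               "Framed-Protocol": "PPP", "NAS-Port-Type": "Async",
               "Called-Station-Id": "555-0100",
               "time": datetime(2000, 10, day, hour, 0)}
    request.update(overrides or {})
    return request


if __name__ == "__main__":
    for req in (sample_request(), sample_request({"NAS-Port-Type": "ADSL-DMT"}),
                sample_request(day=14), sample_request({"Windows-Groups": ["Domain Users"]})):
        print(evaluate(POLICIES, req))
```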
38. ...ems and PPP dialers. What is the most secure way to ensure that all your users have access? A. In the dial-in profile for those users, select Microsoft Encrypted Authentication (MS-CHAP) and Microsoft Encrypted Authentication version 2 (MS-CHAP v2). B. In the dial-in profile for those users, select Encrypted Authentication (CHAP). C. Use IPSec in conjunction with RAS. D. Allow remote PPP client computers, as well as all the other protocols, to connect without negotiating any authentication method. You are the network administrator for Go to Philly bus company, and you have a requirement for a Windows 2000 Routing and Remote Access server to replace a hardware solution. How do you install and configure the service? A. Using the Networking and Dial-up Connections Wizard, install the Routing and Remote Access Service. B. Using the Networking and Dial-up Connections Wizard, install the Remote Access Service. C. Use the Routing and Remote Access Service to configure the service. Configure it with Windows 2000 Administration. D. Use the Add/Remove Programs to add the Routing and Remote Access Service to the server. Configure the application using the Routing and Remote Access Service. APPLY YOUR KNOWLEDGE. (12, 13) You are the system administrator for Blue Cap Haberdashery, and you have a Windows 2000 Routing and Remote Access se
39. ...g and Remote Access application. The server is called either a dial-in or dial-up server, or in the case of VPN, a VPN server. The client computers are called dial-in or dial-up clients. It is important to keep in mind that Microsoft's Routing and Remote Access Service considers all connections to be LAN connections. What this means from a functionality perspective is that all the services that are available via LAN connection are also available via a modem connection. Understanding Remote Access Protocols. Microsoft's Routing and Remote Access Service supports two data link control protocols for asynchronous connections: Serial Line Interface Protocol (SLIP). The granddaddy of serial line protocols, SLIP is supported for legacy applications and is almost never used. Point-to-Point Protocol (PPP). PPP is the protocol most of us use when connecting via modem. PPP can automatically establish and re-establish connections, it uses error correction, and it can support multiple protocols. The Windows 2000 implementation for PPP is fully RFC 1661 (Point-to-Point Protocol) compliant. Windows 2000 can connect to any other RFC 1661-compliant dial-up server and can accept connections from any compliant client computers. The real strength of this protocol is the
40. ...ial-in server. You must be authorized in a remote access policy before you can connect via dial-in. See "Creating a Remote Access Policy." B. Using the Routing and Remote Access console, create a remote access policy. Use the Windows-Groups criteria and add the user to an authorized group. See "Creating a Remote Access Policy." C. With a third-party dialer, the best you will be able to manage for authentication is the CHAP protocol. CHAP is an industry-standard protocol supported by virtually all PPP dialers. PAP would also work but offers no security whatsoever. IPSec is not an authentication protocol. EAP is a protocol used for devices such as smart cards. See "Configuring Authentication Protocols." 9. B. When you are communicating between Windows PPP client computers, MS-CHAP is the most secure protocol listed. See "Configuring Authentication Protocols." (11, 12) D. The trick here is to understand that the "connect without negotiating any authentication method" configuration is the lowest common denominator for connections. That's the only way to ensure that all your users can get to the network using your RAS solution. Users can still connect using greater security. See "Configuring Authentication Protocols." C. The Routing and Remote Access Service is installed with the operating system. You will need the Routing and Remote Access console to make sure everything is configured cor
41. (Figure 3.23 residue: the Ports list shows WAN Miniport (PPTP) devices VPN3-0 through VPN3-4, WAN Miniport (L2TP) devices VPN2-0 through VPN2-4, and a U.S. Robotics 56K FAX EXT modem.) STEP BY STEP 3.4: Configuring a Virtual Private Network. 1. Open the Routing and Remote Access by going to Start, Programs, Administrative Tools, Routing and Remote Access. 2. Click the Ports entry under the server. Notice that the sample configuration in Figure 3.23 shows five PPTP ports and five L2TP/IPSec ports. This is because the server had five user licenses configured when the Routing and Remote Access Service was installed. FIGURE 3.23: All the configured VPN ports will be displayed in the right window. (continues) FIGURE 3.24: All the configured remote access connections appear here after they are installed (Ports Properties: Routing and Remote Access (RAS) uses the devices listed below: WAN Miniport (L2TP), RAS/L2TP, 5; Direct Parallel, None, Parallel, 1). Configure Device
42. ...ing exercise, you will use the Routing and Remote Access console to create a remote access policy. For this exercise you will create a policy for users connecting with PPP. Estimated Time: 10 minutes. 1. Open the Routing and Remote Access console. 2. Expand the application tree in the left pane by double-clicking the server. Right-click Remote Access Policies and select New Remote Access Policy. 3. Enter the name Exercise 1 and click Next. 4. Click Add to add a condition. Select the Framed-Protocol attribute from the list of attributes and click Add. 5. Select PPP from the list of protocols. Click Add. 6. Click OK to add the condition. Click Next. 7. Select the Grant Remote Access Permission option. Click Next. 8. Click Fi... (Exercise 3.2, continued) 4. Go to the Dial-in Constraints tab. Select the Disconnect If Idle option and set the timeout value to 30 minutes. 5. Click OK to commit the changes. Click OK to return to the Routing and Remote Access console. 3.3 Monitoring Routing and Remote Access Using the Performance Console. This exercise will walk you through adding a counter to the Performance console so that you can see how many errors the Routing and Remote Access ports are experiencing. Estimated Time: 15 minutes. 1. Open the Performance console. 2. In Performance, select System Monitor. 3. Click the Add icon to add the counter. 4. Select the RAS Total performance object. 5. Select the Total Errors counter and click Add.
43. ...ir information is as secure as possible. The second group is the local users who need access but are not too concerned about the security of the connection. The third group consists of about 35 users who work from home and have high-speed Internet connections. What is the best way to do this so that you can accomplish the following? Each group has access to the network. Each group of users has the information security it needs. Long-distance or toll-free numbers are not allowed. What should you do? (continues) CASE STUDY: IMPLEMENTING ROUTING AND REMOTE ACCESS IN A COMPLEX ENVIRONMENT (continued). ANALYSIS. As you have discovered in this chapter, you can meet these requirements by installing the Windows 2000 Routing and Remote Access Service. But by now you probably realize that it is a bit more complicated than just running the configuration wizard. First, you need to take a close look at each population of users. The technical telecommuters who have access to confidential information will need to have a configuration that leverages the robust security and encryption mechanisms of the Windows 2000 Routing and Remote Access Service. You may need their profile to configure callback, and may also need to use smart cards for authentication. For the second group of users, you will probably need to limit their access to sensitive information on
44. ...its offerings in the remote access and routing areas of networking. The Routing and Remote Access upgrade provided the first framework for integrating all network services into a single application. Routing and Remote Access introduced the following features to Windows NT networking: A unified service for Routing and Remote Access integrated with the operating system. A full set of routing protocols for IP and IPX, including the noteworthy addition of OSPF. APIs for third-party routing protocols, user interface, and management. Demand-dial routing. PPTP server-to-server for secure VPNs. Remote Authentication Dial-In User Service (RADIUS) client support. But enough history. Let's look at what the Routing and Remote Access Service included with Windows 2000 brings to the table. Routing and Remote Access includes the following capabilities: Full integration into the Windows 2000 operating system. This is not an add-on or a patch but a fully integrated service built from the ground up as part of Windows 2000. Consistent management interface for all routing-based activities, including remote access, VPN, and IP and IPX routing. Fewer reboots. If you worked with earlier versions of Windows, you are familiar with the "change
45. ...just need to open the Network and Dial-up Connections window, right-click the Incoming Connections icon, select Properties (see Figure 3.26), and then select Enable Multilink. Multilink is now configured. If a user dials in with two modems, the server will now aggregate the connections and allow the user to use the additional bandwidth as needed. Configuring Routing and Remote Access for DHCP Integration. If you have users that are connecting to your Routing and Remote Access server, you will probably want to dynamically assign them a TCP/IP address on the network. The best way to do this is with DHCP, which will need to be configured. DHCP and the Routing and Remote Access Service have an important relationship that you need to understand. When the remote access server is configured to use DHCP, the Routing and Remote Access Server uses the DHCP client component to obtain 10 IP addresses from a DHCP server. This could be on the network or on the same server as Routing and Remote Access Server. The remote access server uses the first IP address obtained from DHCP for the RAS interface, and subsequent addresses are allocated to TCP/IP-based remote access client computers as they connect. IP addresses freed because of remote access client computers disconnecting are reused. When all 10 addresses have been allocated, the process starts again with the DHCP client computer requesting an additional 10 addresses. Before You Begin
46. ...mputer or traffic received from the client computer. These filters are applied by network and can be used to filter a variety of IP-based protocols, including Any, Other, ICMP, UDP, TCP, and TCP (established). FIGURE 3.18: The IP tab can be used to set IP filters on a policy (IP Address Assignment Policy: Server must supply an IP address, Client may request an IP address, Server settings define policy; IP Packet Filters: From client, To client). Multilink. This tab (see Figure 3.19) allows you to configure Windows 2000's capability to aggregate multiple analog phone lines connected to multiple modems to provide greater bandwidth. The Multilink Settings section allows you to configure the following: Default to Server Settings. Defers the configuration to the Routing and Remote Access global settings. Disable Multilink (Restrict Client to a Single Port). This setting is self-explanatory. Allow Multilink. This configuration allows a client computer to connect using multiple ports and
47. ...ng the usernames, passwords, and data, whereas IPSec is used to negotiate the secure connection between your computer and its remote tunnel server. All authentication under the Microsoft IPSec VPN occurs through L2TP connections. These use all standard PPP-based authentication protocols to authenticate the user after the secure IPSec communication is established. PPTP. Point-to-Point Tunneling Protocol (PPTP) is Microsoft's legacy protocol for supporting VPNs. Developed jointly by Microsoft Corporation, U.S. Robotics, and several remote access vendor companies known collectively as the PPTP Forum, PPTP encountered some security issues in its original form. It has been revised by Microsoft, but it has never been widely accepted by the security community. Although still supported on a variety of vendors' VPN servers, PPTP is rapidly being overtaken by the more widely adopted IPSec protocol. The only way to provide additional bandwidth, short of a different access media, is to enable multilink and have the users add an additional modem and modem line on the remote end. This will allow the users to aggregate their bandwidth across two separate connections. By default, Routing and Remote Access is configured with five connections for the VPN. You need to open the Routing and Remote Access application and go into the Port properties. Add additional ports as needed. To find out the raw numbers on bandwidth thr
48. ...nish. 6. Click Close to complete the exercise. 3.2 Configuring an Idle Timeout for Routing and Remote Access Server. This exercise will walk you through modifying a profile to add an idle timeout for a remote access policy. Estimated Time: 13 minutes. 1. Open the Routing and Remote Access console. 2. ...the profile. Review Questions. 1. You are the network administrator for Exponent Mathematicians, and you have been asked to review the authentication protocols being used by your Routing and Remote Access server. What are the available protocols and how do they work? APPLY YOUR KNOWLEDGE. 2. You are the administrator of the Get Stuffed Taxidermists chain Routing and Remote Access server. You have users who are utilizing the Windows 2000 VPN with both IPSec and PPTP protocols. What are those protocols, and which is the industry standard? 3. You are the Windows 2000 administrator for Bug-B-Gone Exterminators. Your users are all connecting to your network using 56K modems ...A. Multinet. B. Multilink. C. X.25. D. VPN. 2. You are the system administrator for Phil's Phill-up Stations, a chain of gas stations. As part of the network, you maintain a Windows 2000 Routing and Remote Access server to provide remote
49. ...nnections. To create this connection and save it in the Network and Dial-up Connections folder, click Finish. To edit this connection in the Network and Dial-up Connections folder, select it, click File, and then click Properties. FIGURE 3.8 This dialog box allows you to enter a descriptive name for the new connection. ...ple Microsoft uses to illustrate this point is to think about email rules. In many email packages you can configure a rule that allows you to delete all messages from a specific user or group of users. A remote access policy is similar in that you can specify actions based on a number of criteria. To illustrate how this works, let's run through creating a remote access policy. FIGURE 3.9 The Routing and Remote Access console allows you to manage your remote access server, including creating remote access policies. FIGURE 3.10 This dialog box allows you to give your policy a user-friendly name.
STEP BY STEP 3.2 Creating a Remote Access Policy
1. Open the Routing and Remote Access console by going to Start, Programs, Administrative Tools, Routing and Remote Access (see Figure 3.9). Expand the application tree in the left pane by double-clicking the server. Right-click Remote Access Policies and select New Remote...
50. ...ntication Methods dialog box opens (see Figure 3.34). 4. Select the appropriate protocol for a connection and click OK. Click OK to return to the Routing and Remote Access console. FIGURE 3.34 Remote Access security is controlled from this dialog box. Configuring Encryption Protocols. The first thing you need to be aware of when discussing the encryption protocols available with Windows 2000 is that two main encryption protocols are used in a Windows 2000 VPN. We discussed PPTP and IPSec earlier in the chapter, but a couple of encryption protocols are used in conjunction with IPSec that we need to cover. Under the Microsoft model, IPSec encryption does not rely on any authentication methods for its initial encryption keys. The encryption method is determined by the IPSec SA (Security Association). An SA is a combination of a destination address, a security protocol, and a unique identification value called an SPI (Security Parameters Index). The available encryptions for IPSec include the following: Data Encryption Standard (DES): DES uses a 56-bit encryption key. This is considered barely adequate encryption for business use, and this level of encryption has been broken using specialized hardware. Triple DES (3DES): Like DES, 3DES uses a 56-bit key. But as the name implies, it encrypts the data using three 56-bit encryption keys. This is...
51. ...ocol (CHAP). CHAP negotiates an encrypted authentication using MD5 (Message Digest 5), an industry-standard hashing scheme. CHAP uses challenge-response with one-way MD5 hashing on the response. This allows you to authenticate to the server without actually sending your password over the network. Because this is an industry-standard authentication method, it allows Windows 2000 to securely connect to almost all third-party PPP servers. Microsoft-Created Microsoft Challenge Handshake Authentication Protocol (MS-CHAP): Microsoft created MS-CHAP, an extension of CHAP, to authenticate remote Windows workstations, increasing the protocol's functionality by integrating the encryption and hashing algorithms used on Windows networks. Like CHAP, MS-CHAP uses a challenge-response mechanism with one-way encryption on the response. Although MS-CHAP is consistent with standard CHAP as much as possible, the MS-CHAP response packet is in a format specifically designed for computers running a Windows operating system. A new version of the Microsoft Challenge Handshake Authentication Protocol, MS-CHAP v2, is also available. This new protocol provides mutual authentication, stronger initial data encryption keys, and different encryption keys for sending and receiving. SPAP (Shiva P...
52. ...orized group. C. Using the Routing and Remote Access, create a remote access profile. Use the Windows Groups criteria and add the user to an authorized group. D. Using the Routing and Remote Access, create a remote access profile. Configure that profile to Grant Remote Access Permission.
10. You are the network administrator for Runaway Travel and you have just installed a new Windows 2000 Routing and Remote Access server to replace a hardware RAS server. Your users are using a third-party PPP dialer that was used for the old system. What is the most secure authentication protocol that can be used for this connection?
A. PAP B. EAP C. CHAP D. IPSec
You are the network administrator for Runaway Travel and you have just installed a new Windows 2000 Routing and Remote Access server to replace a hardware RAS server. Your users are using the Windows 2000 Professional dialer. What is the most secure authentication protocol available?
A. CHAP B. MS-CHAP C. PPP D. IPSec
11. You are the network administrator for Runaway Travel and you have just installed a new Windows 2000 Routing and Remote Access server to replace a hardware RAS server. Your users are using a variety of client computer operating syst...
53. ...ot only is the Routing and Remote Access Service the next generation of the Remote Access Service, installed automatically with the operating system, it also bundles a number of features that used to be distributed through other services under Windows NT. For example, not only are RAS services available with Routing and Remote Access, but the Windows 2000 VPN service is included in Routing and Remote Access as well. But before you jump into configuring the Routing and Remote Access Service, let's discuss some of the reasons for deploying remote access and some of the specifics surrounding the Windows 2000 Routing and Remote Access. Microsoft has included remote access capabilities in all its operating systems since the introduction of Windows for Workgroups (a remote access client computer) and the Windows NT Advanced Server (a remote access server). If you have worked with earlier versions of Windows NT or Windows 9x, you are probably familiar with the term RAS, first used to discuss the NT Remote Access Server and later used as a generic description of most of the Windows operating system remote access applications. This changed in the midst of the Windows NT Server 4 operating system's life cycle with the introduction of an add-on service upgrade known as the Routing and Remote Access Service, which, you should note, carried over to the Windows 2000 operating system. The main reason for the change is that Microsoft needed to enhance...
54. ...ough the server, you need to use the Performance console. Go to the RAS Total object and add the Total Bytes Received and Total Bytes Transmitted counters. Add the two counters to get the total additional traffic.
Answers to Exam Questions
1. B. The correct term for this feature is multilink. See "Configuring Multilink Connections."
A, B, E. The Windows 2000 Routing and Remote Access will support the following VPN protocols: IPSec, PPTP, and L2TP. See "Configuring a Virtual Private Network (VPN)."
D. If you configure the Routing and Remote Access server to use callback, all the toll charges following the initial connection will be on the company's bill, not the end user's. This is an old trick for reducing costs by leveraging the company's generally more favorable long-distance rates. See "Configuring a Remote Access Profile."
D. You can see this information in the right pane of the Routing and Remote Access console by clicking the Remote Access Clients entry. See "Configuring Authentication Protocols."
C, D, E. IPSec is not an authentication protocol. PAP sends the authentication information as clear text. EAP, CHAP, and MS-CHAP are all secure authentication protocols. See "Creating a Remote Access Policy."
B. The user is not using an ID that is authorized to use the d...
55. ...our Windows 2000 server for remote access, you need to know how to manage... Monitoring and Troubleshooting Remote Access in a Windows 2000 Network Infrastructure
OBJECTIVES
Configure remote access security.
- Configure authentication protocols.
- Configure encryption protocols.
- Create a remote access policy.
Security is becoming more important in today's computing environment. This objective tests your understanding of the security capabilities of Windows 2000 Server and remote access.
OUTLINE
Configuring and Troubleshooting Remote Access 132
Understanding Remote Access Protocols 134
Configuring Inbound Connections 135
Creating a Remote Access Policy 139
Configuring a Remote Access Profile 143
Configuring a Virtual Private Network (VPN) 147
Configuring Multilink Connections 151
Configuring Routing and Remote Access for DHCP Integration 151
Managing and Monitoring Remote Access 152
Configuring Remote Access Security 156
Configuring Authentication Protocols 158
Configuring Encryption Protocols 159
Chapter Summary 163
Apply Your Knowledge 164
STUDY STRATEGIES
- Be sure you have a thorough understanding of the security capabilities of all the different remote access mechanisms. With the focus on...
- Pay close attention to the capabilities of remote access policies. Windows 2000 includes a number of policy...
56. ...pen the Routing and Remote Access utility. Select Ports in the left pane. A list of available ports appears in the right pane. Select the port you want to gather statistics from and right-click. From the Context menu, select Status. The Port Status dialog box opens (see Figure 3.31). You can see the port condition, the line speed, the call duration, network statistics, errors, and the network protocols being used, with addresses for the port. You can reset or refresh the statistics by clicking the appropriate button at the bottom of the dialog box, and in the event someone is connected to the port, you can disconnect that connection by clicking Disconnect. Now let's take a look at configuring remote access security. CONFIGURING REMOTE ACCESS SECURITY. Configure remote access security. The name of this section of the chapter is a bit of a misnomer. Most of what we have discussed in this chapter so far has to do with remote access security. But Microsoft has used the term Remote Access Security for one specific group of settings. To configure this group of settings, do the following:
STEP BY STEP 3.8 Configuring Remote Access Security
1. Open the Routing and Remote Access console.
2. Right-click the server and select Properties. This o...
57. ...pens the server properties. Select the Security tab (see Figure 3.32). By default, the Authentication provider is Windows Authentication. You can also set it for RADIUS authentication. Select RADIUS from the pull-down menu. Click Configure to configure the RADIUS server. The Edit RADIUS Server dialog box opens (see Figure 3.33). From here you can set the Name/Address of the RADIUS server, the shared secret, Timeout, Initial Score, and RADIUS Port. You can also require the use of digital signatures. Click OK to add the RADIUS server. Click OK to close the RADIUS Authentication dialog box. You will need to restart Routing and Remote Access to take advantage of the RADIUS authentication. Click OK to close the window. Now that you have looked at how to do the RADIUS and Windows authentication, let's look at the authentication protocols Windows 2000 uses. [Figure: server Properties dialog, Security tab. The authentication provider validates credentials for remote access clients and demand-dial routers (Authentication provider: Windows Authentication). The accounting provider maintains a log of connection requests and sessions (Accounting provider: Windows Accounting).] FIGURE 3.32 Remote Access security is controlled from this dialog box. [Figure: Edit RADIUS Server dialog box.]
58. ...r Phil Em Up gas stations. You have installed a Windows 2000 Routing and Remote Access server to provide access to the corporate network remotely. You want to see what kind of utilization the server is experiencing. What is the easiest way to find out?
A. Use Performance Manager to log the utilization. Check the performance logs for the information.
B. Use the Performance console to log the utilization. Check the performance logs for the information.
C. Go into the Registry and enable logging. Check the log file for the information.
D. Go to the Event Logging tab in the Routing and Remote Access Server properties. Check the application log using the Event Viewer application to view the statistics.
You are the network administrator for Ye of Little Faith advertising and you are running a Windows 2000 network made up of six Windows 2000 servers and 300 Windows 2000 Professional client computers. You have added 30 modems to the backup domain controller and need to install and configure the server for inbound connections. A secondary objective would be to install and configure VPN services. You do the following: Open the Networking and Dial-up Properties and double-click the Make New Connection icon. You...
59. ...rectly. See "Configuring Inbound Connections."
B. The Routing and Remote Access Service will request 10 addresses from the network DHCP server when it starts. When those 10 have been issued, RRAS will request an additional 10 addresses. If the DHCP server has gone down since the original 10 addresses were issued, the user would be able to connect but would not be able to get on the network because the Routing and Remote Access Service couldn't get additional IP addresses from the DHCP server. See "Configuring Routing and Remote Access for DHCP Integration."
C. Because the Routing and Remote Access server gets its DHCP information from the network DHCP server, a bad DNS configuration on the DHCP server could cause the issue described. See "Configuring Routing and Remote Access for DHCP Integration."
D. EAP is the protocol needed to support smart cards. See "Configuring Authentication Protocols."
D. In the latest version of Routing and Remote Access, logging is enabled in the server properties. The results of the logging can be found in the Event Viewer. See "Managing and Monitoring Remote Access."
D. This solution will not work because you must use the Routing and Remot...
60. ...router are the solution for you. Finally, there are the solutions that run on a network operating system, such as the VPN bundled with Windows 2000. For the sake of our discussion, a VPN is a private network that is constructed using a public network, such as the Internet, to connect its nodes. The first thing you need to be aware of when discussing the Windows 2000 VPN is the encryption protocols available. Windows 2000 has two main encryption protocols that are used in the VPN. They include: Point-to-Point Tunneling Protocol (PPTP): PPTP is Microsoft's legacy protocol for supporting VPNs. Developed jointly by Microsoft Corporation, U.S. Robotics, and several remote access vendor companies known collectively as the PPTP Forum, PPTP encountered some security issues in its original form. It has been revised by Microsoft but has never been widely accepted by the security community. Although still supported on a variety of vendors' VPN servers, PPTP is rapidly being overtaken by the more widely adopted IPSec protocol. IP Security Protocol (IPSec): IPSec is a suite of cryptography-based protection services and security protocols that are used for the first standards-based VPN protocol. In Windows 2000, IPSec is used to provide machine-level authentication as well as data encryption for L2TP-based (Layer 2 Tunneling Protocol) VPN connections. Unlike some other IPSec-based VPNs, Microsoft's implementation uses the L2TP protocol for encr...
61. ...rver and you have just purchased smart cards for the entire force. You would like to take advantage of these for remote access, but you are unsure how to configure Routing and Remote Access. You know you need the EAP protocol. Where do you configure this protocol?
A. In the remote access policy
B. In the modem pool properties
C. Under the Security tab of the Routing and Remote Access server properties
D. In the dial-in profile for the pertinent policy
20. What is the strongest encryption protocol supported by Windows 2000?
A. DES B. IPSec C. MS-CHAP v2 D. 3DES
21. You are the security administrator for Jolly Snowmen Ice Cream. You have been asked by your manager to explain the use of encryption on your Windows 2000 server. You know you are running DES. What service does DES provide to your installation?
A. DES encrypts dial-in traffic over the phone lines
B. DES encrypts L2TP VPN traffic
C. DES provides encrypted authentication
D. DES provides encrypted address information in conjunction with PPTP
Answers to Review Questions
1. The authentication protocols available include the following:
- EAP-TLS: The Extensible Authentication Protocol (EAP) is an extension to the Point-to-Point Protocol (PPP). EAP provides a standard mechanism for support of additional authentication methods within PPP, such as smart cards, on...
62. ...rver acting as a dial-in server. You have 15 modems on the server for users to dial in. Ten users have connected and are able to connect to the network. The eleventh user is able to connect but cannot reach anything on the network. What could the problem be?
A. The server is licensed for only 10 dial-in users
B. The DHCP server was down when the eleventh user tried to connect
C. The user has an incompatible modem
D. The user's IPSec password is incorrect
You are the system administrator for Blue Cap Haberdashery and you have a Windows 2000 Routing and Remote Access server acting as a dial-in server. You have 15 modems on the server for users to dial in. Users are able to connect without any problems, but they cannot reach any systems by DNS name. They are able to connect using the IP address of the system. What could the problem be?
A. The Routing and Remote Access server is not running the DNS service
B. The Routing and Remote Access server is not running the WINS service
C. The network DHCP server has a bad DNS configuration
D. The network WINS server has a bad DNS configuration
14. You are the security administrator for Barb's House of Pancakes. You have been asked to implement smart cards for remote access authentication using the Windows 2000 Routing and Remote Access Service. What protocol do you need?
A. IPSec B. PPTP C. MS-CHAP v2 D. EAP
15. You are the network administrator fo...
63. ...sole. Callback options were also configured on a per-user basis. In Windows 2000, authorization is granted based on the dial-in properties of a user account and remote access policies. Remote access policies are a set of conditions and connection settings that give network administrators more flexibility in authorizing connection attempts. The Windows 2000 Routing and Remote Access Service uses remote access policies to determine whether to accept or reject connection attempts. With remote access policies, you can grant remote access by individual user account or through the configuration of specific remote access policies. We look at setting up a policy in the "Creating a Remote Access Policy" section later in the chapter. Windows 2000 uses three types of policies to control remote access: Local Internet Authentication Services policies: These local policies are derived from RADIUS and can be used to define access permissions based on a number of client attributes. Central Internet Authentication Services policies: A dial-up server can be configured to use a central IAS (RADIUS) server to provide its policies. This allows multiple Routing and Remote Access dial-up servers to use the same policies without requiring the manual replication of policies and settings. Group Policies: More in line with the older versions of remote access, access can be controlled by group policies. Now let's look at how to configure a Windows...
64. ...support for multiple network protocols, such as IPX, IP, and AppleTalk; SLIP was restricted to IP only. PPP also uses a number of authentication protocols, discussed later in the chapter. We will discuss many of these features as we move through this chapter. For now, let's take a look at the simplest use for the Routing and Remote Access Service. Configuring Inbound Connections. If you have mobile users, it is a safe bet that you have dealt with requests for access to the network. This could be for access to mail, the company intranet, or even to file shares or applications. Windows 2000 includes, as part of Routing and Remote Access, the capability to permit inbound connections via attached modems. [Sidebar: Support for Inbound Dial-In Connections. Windows 2000 Server supports multiple inbound dial-in connections; Windows 2000 Professional supports 1.] IN THE FIELD: ISSUES TO CONSIDER IN CONFIGURING SYSTEMS FOR MOBILE USERS. If you deploy Windows 2000 as your remote access solution for mobile users, you will need to keep a couple of things in mind. First, because any server has only a limited number of communication ports, you will probably need a multiport modem card. Various manufacturers offer these types of products, but be sure to check the Microsoft Hardware Compatibility List before making any purchases. You should also avoid installing this capability on any domain controllers or application servers. Altho...
65. ...the network, since they are using a less secure, more user-friendly authentication policy. Finally, while it is easy to configure a network (for example, an Internet-based VPN), you still need to make decisions. You need to examine the amount of bandwidth you have to the Internet to support these users. You need to consider where the server is placed. Should it be behind a firewall or directly on the Internet? You need to consider which VPN protocol is best suited for your environment. You may even find that your remote users who are not in the local area code want to utilize a local ISP in conjunction with the VPN solution, allowing you to further save on toll charges. All this is very dependent on the environment and the circumstances and requires effective planning. You need to install the following: One server running Windows 2000 Server and the Routing and Remote Access Service. The server needs to have modems installed and configured for dial-in users. Users who do not have the ability to dial locally to the server need to leverage the Windows 2000 VPN service; therefore, the server needs an Internet connection. The server needs remote access profiles to control the session security for each group. This should be fairly straightforward after you have read the chapter. Let's do a quick chapter recap and then move on to some exercises.
66. [Figure: Edit Dial-in Profile dialog, Advanced tab. Specify additional connection attributes to be returned to the Remote Access Server. Parameters: Service-Type (RADIUS Standard) = Framed; Framed-Protocol (RADIUS Standard) = PPP.] FIGURE 3.22 If you need to configure RADIUS attributes, use this tab. IN THE FIELD: PUTTING RADIUS TO WORK. If you have worked in a large remote access environment, you might have run across RADIUS already. But for those of you who haven't, we will discuss it a bit here. RADIUS (Remote Authentication Dial-in User Service) is an authentication and accounting system used by many Internet Service Providers (ISPs) and enterprise networks. When you dial in to the ISP, you must enter your username and password. This information is passed to a RADIUS server, which checks that the information is correct and then authorizes access to the ISP system. Though not an official standard, the RADIUS specification is maintained by a working group of the IETF. Another place you see RADIUS used is to leverage the account information in a Windows 2000 domain. The built-in RADIUS server can be used not only to authenticate Routing and Remote Access client computers, but it can also be used by third-party dial-in servers as an authentication method. In fact...
67. ...ugh the overhead associated with supporting dial-in users is fairly low, the security ramifications of connecting a modem or modems to a production application server, or even worse a domain controller, are significant. You should try to avoid that architecture if at all possible. In the latest version of Routing and Remote Access, Microsoft has added some new features as part of the management. One of the features that has the most impact on the discussion of remote access is the addition of remote access policies. Remote access policies are a radical departure from the Windows NT 3.5x and 4 models, in which user authorization was based on a simple Grant Dial-In Permission to User option in User Manager or the Remote Access Admin con... EXAM TIP: Be Familiar with IAS. Internet Authentication Services (IAS) are the new RADIUS authentication capabilities included with Windows 2000. They are used heavily in conjunction with Routing and Remote Access policies. EXAM TIP: Know Where Remote Access Group Policies Are Stored. They're stored in the file system in the default WINNT\SYSVOL\SYSVOL\<domain name> directory. EXAM TIP: Remember to Use the Snap-in. If you are configuring Routing and Remote Access for dial-up access on a domain controller, you must use the Routing and Remote Access snap-in.
68. ...you can configure the number of ports they can use. [Figure: Edit Dial-in Profile dialog, Multilink tab. Options: Default to server settings; Disable multilink (restrict client to single port); Allow Multilink; Limit maximum ports. Bandwidth Allocation Protocol (BAP) Settings: Reduce a multilink connection by one line if the lines fall below 50% of capacity for a period of 2 min; Require BAP for dynamic Multilink requests.] FIGURE 3.19 The multilink capabilities of Windows 2000 allow you to maximize bandwidth across multiple analog phone systems. [Figure: Edit Dial-in Profile dialog, Authentication tab. Check the authentication methods which are allowed for this connection: Extensible Authentication Protocol (select the EAP type which is acceptable for this policy); Microsoft Encrypted Authentication version 2 (MS-CHAP v2); Microsoft Encrypted Authentication (MS-CHAP); Encrypted Authentication (CHAP); Unencrypted Authentication (PAP, SPAP). Unauthenticated Access: Allow remote PPP clients to connect without negotiating any authentication method.] FIGURE 3.20 To take advantage of the multilink capabilities of Windows 2000, you need to enable it here for the appropriate group.
69. ...ypting the usernames, passwords, and data, whereas IPSec is used to negotiate the secure connection between your computer and its remote tunnel server.
EXAM TIP: Know the Differences Between L2TP and PPTP. Because Microsoft uses a custom configuration for its IPSec VPN implementation, you should be sure that you understand the differences between IPSec and PPTP as well as how Microsoft implemented its version of IPSec. Table 3.1 can help you keep them straight.
TABLE 3.1 THE DIFFERENCES BETWEEN L2TP/IPSEC AND PPTP
L2TP/IPSec | PPTP
Standards-based | Microsoft proprietary
Windows, Linux, Macintosh, Solaris, and other platforms | Windows OS and Linux platforms
DES/3DES encryption | Microsoft proprietary encryption
Requires only that the tunnel media provide packet-oriented point-to-point connectivity | Requires an IP-based transit internetwork
Supports header compression | No header compression
Now that you know what a VPN is and how it works, let's set up one. The good news is that installing Routing and Remote Access automatically makes a VPN connection available. What you need to understand at this point is how to configure the VPN that is installed. To configure the VPN service, do the following: [Figure: Ports pane, columns Name, Dev...]
