The Best Damn Windows Server 2003 Book Period- P83 doc


3. Right-click your server’s icon and choose Configure and Enable Routing and Remote Access to start the Setup Wizard. Click Next to continue.

4. Select the Remote Access (dial-up or VPN) option, as shown in Figure 22.15, and then click the Next button.

5. Check the VPN check box, and then click the Next button.

6. In the VPN Connection window, shown in Figure 22.16, select the network interface that is connected to the Internet, and then click the Next button.

7. In the IP Address Assignment window, you have two choices:

Automatically: Choose this option if you have a DHCP server you can use to automatically assign IP addresses to the remote clients. This setup will be easier to administer than assigning addresses manually. (However, if you do not have a DHCP server, you must specify a range of static addresses.) Click Next to continue.

Figure 22.15 Choose Remote Access

Figure 22.16 Choose the Interface Connected to the Internet


From a specified range of addresses: Choose this option if the remote clients can only be given an address from a specified pool of addresses. Click Next to continue. In the Address Range Assignment window, click the New button. In the Start IP address box, type the first IP address in the range of addresses you want to use. Then type in the last IP address in the range you’ve chosen. Windows Server 2003 will automatically calculate the number of addresses for you. Click the OK button to return to the Address Range Assignment window, and then click the Next button to continue.

8. In the next window, accept the default value of No, use Routing and Remote Access to authenticate connection requests, and click the Next button to continue.

9. Click Finish to turn on RRAS and to configure the server as a remote-access server.

Once you have your server set up to provide VPN service, you can allow client machines to connect to it over the Internet.

Using your new VPN connection is simple: click Start | Connect To and choose your new connection. If you don’t already have a current connection to the Internet, you’ll be offered the opportunity to connect. When the connection is made, the VPN server will prompt you for your name and password. Enter the necessary information and click the Connect button. All of the same resources available when you are directly connected to the network are available now. When you’re ready to disconnect, simply right-click the connection and choose Disconnect.

Now that you know how to create and use a client VPN connection, what are the differences in setting up a router-to-router VPN? There are actually not very many differences. The following steps will walk you through the process of setting up a router-to-router VPN server.

Set Up Windows Server 2003 As Router-to-Router VPN Server

1. Select Start | Administrative Tools | Routing and Remote Access.

2. Right-click your server’s icon and choose Configure and Enable Routing and Remote Access to start the Setup Wizard. Click Next to continue.

3. Select the Secure connection between two private networks option, as shown in Figure 22.17, and then click the Next button.


4. Choose the No option when you are asked if you want to use demand-dial connections, unless you need to use them, and then click the Next button again. If you choose Yes to use demand-dial connections, you’ll have the opportunity to set up the demand-dial connections when this Wizard is finished. If you are using a full-time connection, you don’t need the demand-dial connection.

5. Click Finish to turn on RRAS and to configure the server as a router-to-router VPN server.

Make sure you have addresses assigned to all the installed interfaces and that you’ve installed and set up your routing protocols on each interface. Then you should be able to use this router

Packet Filtering and Firewalls

One of the best features available in RRAS is the ability to filter TCP/IP packets traveling in either direction. For all practical purposes, enabling packet filtering creates a firewall on your server. You can build filters that either allow or deny packet traffic into or out of your network. You do this by specifying rules that designate source and destination addresses and ports.

Normally, you set up these filters to block information that the machines in your network should not receive. The filters are set up on a specific interface. This means that the filters on one interface are completely independent of the filters on another. Incoming and outgoing filters are independent of one another also.

Simply put, you have two choices with input filters: accept all traffic over the interface except the traffic you specify, or drop all traffic except the traffic you specify. Output filters are configured in the same manner. Which choice you should make most often depends on the context and purpose of the filter. The second option is the most secure. If you are attempting to keep all but very specific traffic out of your network, this would be the correct choice. The first choice is appropriate if you are just trying to stop specific traffic.

Figure 22.17 Choose Secure Connection between Two Private Networks

For instance, say you have a Web server and the only traffic you want to allow on this server is traffic traveling to and from the Web server service. All you need to do is configure an input filter for the destination IP address of the Web server and the TCP destination port 80. At the same time, you will want to configure an output filter for the source IP address of the Web server and the TCP source port 80. If these two filters are the only two filters operational on this server, the only traffic that will be allowed across the interface is TCP traffic to and from the Web server service on your Windows Server 2003 machine.

You need to be careful about how you implement these filters, so that you don’t make them too restrictive, which would impair the functionality of the other protocols operating on the server. For instance, given our example of a Web server, we can’t use PING or any other basic IP troubleshooting tool on that computer now, because we’ve restricted it to only Web traffic on port 80. We’ll talk more about troubleshooting shortly.

It’s a good idea to use packet filtering to block unwanted traffic from your VPN servers. There are two basic sets of rules for this process: PPTP packet filters and L2TP packet filters.

For PPTP, there are at least two filters that are required to block non-PPTP traffic. You need to allow Generic Routing Encapsulation (GRE) packets to pass. You also need to allow inbound traffic on TCP port 1723. If the PPTP server is also acting as a PPTP client, you can add a third filter to allow outbound traffic on TCP port 1723 also. After these filters are established, choose the Drop All Packets Except Those That Meet The Criteria Below radio button. Then close the dialog box. Repeat the process on the output side.

For L2TP packet filters, you will need four filters: two for input and two for output, as follows:

■ An input filter with a destination of the VPN interface address and a network mask of 255.255.255.255, filtering User Datagram Protocol (UDP) traffic with a source and destination port of 500.

■ An input filter with a destination of the VPN interface address and a network mask of 255.255.255.255, filtering UDP traffic with a source and destination port of 1701.

■ An output filter with a source of the VPN interface address and a network mask of 255.255.255.255, filtering UDP traffic with a source and destination port of 500.

■ An output filter with a source of the VPN interface address and a network mask of 255.255.255.255, filtering UDP traffic with a source and destination port of 1701.
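As an added illustration (not code from the book or from RRAS), the following Python model applies the per-interface, per-direction filter semantics described above to the Web-server example and to the four L2TP filters; the addresses are constructed, and the "ping_in" check shows the troubleshooting caveat mentioned earlier.

```python
# Added model of the RRAS per-interface packet filters described above.
# Illustration only, not RRAS code; all addresses below are constructed.
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                     # "tcp", "udp", "icmp" or "gre"
    sport: Optional[int] = None
    dport: Optional[int] = None

@dataclass(frozen=True)
class Filter:
    """A None field means 'any' (mask 0.0.0.0 / any port); a host
    address stands for a 255.255.255.255 mask."""
    proto: str
    src: Optional[str] = None
    dst: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.proto == p.proto
                and self.src in (None, p.src) and self.dst in (None, p.dst)
                and self.sport in (None, p.sport) and self.dport in (None, p.dport))

class FilterList:
    """One direction of one interface. drop_all_except=True is the 'drop all
    packets except those that meet the criteria' mode; False is 'accept all
    except'. Filters on other interfaces and directions are independent."""
    def __init__(self, filters: List[Filter], drop_all_except: bool):
        self.filters, self.drop_all_except = list(filters), drop_all_except

    def allows(self, p: Packet) -> bool:
        hit = any(f.matches(p) for f in self.filters)
        return hit if self.drop_all_except else not hit

WEB, VPN, CLIENT = "192.0.2.10", "198.51.100.1", "203.0.113.5"  # constructed

# Web-server example: only TCP/80 to and from the server crosses the interface.
web_in = FilterList([Filter("tcp", dst=WEB, dport=80)], drop_all_except=True)
web_out = FilterList([Filter("tcp", src=WEB, sport=80)], drop_all_except=True)
# The four L2TP filters: UDP 500 (IKE) and UDP 1701 (L2TP), input and output.
l2tp_in = FilterList([Filter("udp", dst=VPN, sport=500, dport=500),
                      Filter("udp", dst=VPN, sport=1701, dport=1701)], True)
l2tp_out = FilterList([Filter("udp", src=VPN, sport=500, dport=500),
                       Filter("udp", src=VPN, sport=1701, dport=1701)], True)

def web_server_checks() -> dict:
    return {"http_in": web_in.allows(Packet(CLIENT, WEB, "tcp", 40000, 80)),
            "http_out": web_out.allows(Packet(WEB, CLIENT, "tcp", 80, 40000)),
            "ping_in": web_in.allows(Packet(CLIENT, WEB, "icmp")),  # the caveat
            "telnet_in": web_in.allows(Packet(CLIENT, WEB, "tcp", 40001, 23))}

def l2tp_checks() -> dict:
    return {"ike_in": l2tp_in.allows(Packet(CLIENT, VPN, "udp", 500, 500)),
            "l2tp_out": l2tp_out.allows(Packet(VPN, CLIENT, "udp", 1701, 1701)),
            "dns_in": l2tp_in.allows(Packet(CLIENT, VPN, "udp", 53, 53))}
```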

Logging Level

Coming up with a good logging strategy is important to the proper maintenance of your network and the devices that are used on it. What to log is probably one of the most important questions you will consider. If you have too much logging, the performance of your server and the network will decline sharply. If you have too little logging, when you have a problem, you won’t have the information you need to determine the source and cause. The best choice is to log only those options you really need, and when you don’t need a particular type of log data anymore, stop recording it.

In order to set the logging levels, open the RRAS module, right-click the server you wish to administer, choose Properties, and then click the Logging tab. As shown in Figure 22.18, the Logging tab contains several options for the various types of events that you can log. The default is to log all errors and warnings. You can also check the Log additional Routing and Remote Access information (used for debugging) check box, which, as its name implies, will assist you in debugging.

Troubleshooting IP Routing

Here, we will look at the two main tools you might use in troubleshooting IP routing and the common problems that occur with IP routing, which is critical to maintaining a network.

Identifying Troubleshooting Tools

Your best troubleshooting tools are those tools you should be using on a daily basis for network management and monitoring. Windows Server 2003 ships with the Network Monitor tool (NETMON.exe), which is an excellent protocol analyzer you can use to monitor your network. This tool captures and displays information about the IP packets moving in your network and can tell you about the traffic patterns, the broadcast rates, how the network is being used, what kinds of errors you might be experiencing, and many other aspects concerning the behavior of your network.

The Routing and Remote Access console is another excellent troubleshooting tool. Using this tool, you can show your network’s TCP/IP information, your IP routing table, the router’s RIP neighbors, its OSPF area, the LSDB, the router’s OSPF neighbors, and the OSPF virtual interface. Other familiar tools that you can use for troubleshooting include PING, pathping, Tracert, mrinfo, and Netsh. Let’s take a look at how you can use these tools to verify and troubleshoot your connections.

Another useful troubleshooting tool is the pathping command. This command combines aspects of PING and Tracert, and adds in some additional features that make it an excellent troubleshooting tool. This tool works by measuring the packet loss across each router between the source machine and the destination. This information can help you determine where your network reliability problems may be coming from. The syntax for the pathping command is as follows:

pathping [-n] [-h maximum_hops value] [-g host-list] [-p value]

Figure 22.18 Set the Logging Level


-n Tells pathping not to resolve addresses to host names.

-h maximum_hops value Sets the maximum number of hops you want the command to search for the target. The default is 30 hops.

-g host-list Provides a loose source route along the host list.

-p period Sets the wait period in milliseconds between pings. The default is 250 milliseconds.

-q num_queries Sets the number of queries per hop. The default is 100 queries.

-w timeout Sets the time length in milliseconds for each reply before the command times out on that hop. The default is 3000 milliseconds.

-T Tests the connectivity to each hop with Layer-2 priority tags.

-R Tests to see if each hop is RSVP-aware.

final_destination The host name or IP address of the network, domain, or machine that you are testing the route to.

The tool will first trace the route to the destination, and then analyze the traffic running through each hop. Keep in mind that one test is not sufficient to give you a good idea about what is going on. There is no specific number of lost packets that signifies that a link is causing you problems. If the number is in double digits, though, you should probably examine that route carefully. To get a realistic picture of what is going on in your network, test a router over time and test in both peak and off-peak usage.

If you’re using multicast routing, another useful troubleshooting command is mrinfo. This command displays multicast router configuration information. The syntax is as follows:

mrinfo [-n] [-?] [-i address] [-t secs] [-r retries] destination

Where:

-n Displays the IP addresses in numeric format.

-? Prints usage information.

-i Specifies the IP address of the local interface from which the query was sent.

-r Specifies how many times an SNMP query is to be resent. The default value is 0.

-t Specifies how long to wait for an IGMP neighbor query reply. The default is three seconds.

The mrinfo command displays the interfaces for both the multicast router and its neighbors on each interface. It also provides the names of the neighboring domains, the multicast routing metric, and the TTL.


Also, the Netsh utility, discussed in the “Using Netsh Commands” section earlier in this chapter, can display the configurations of protocols, filters, and routes. It also allows you to reconfigure interfaces. Don’t overlook this valuable tool as an option for troubleshooting IP routing.

Common Routing Problems

If you suspect that your RRAS server isn’t functioning properly, start by making sure the RRAS server is running. You might be surprised how many times the problem turns out to be RRAS not being turned on.

Most TCP/IP administrators spend much of their time troubleshooting the hardware. Connectors go bad, NICs die, and cables break or are cut. You need to troubleshoot and repair these elements before you start looking at the software. Consider these potential trouble spots first:

■ Check for basic communication between systems first. Broken cables, loose connections, and so on can cause what might look like much more complex problems.

■ Make sure that your systems are in compliance with the standards you’ve chosen. This means you need to verify that all devices on your Ethernet are broadcasting Ethernet and not something else. Make sure you have the correct types of cables. An example of this is the common mistake beginners sometimes make of using RG59A/U cable instead of RG58A/U. The former cable type is used in broadcasting, specifically with video; the latter is used with IEEE 802.3 10Base2 networks.

■ Carefully isolate your problem to a single LAN, MAN, or WAN segment by going through each individually. Keep in mind it is extremely rare for two segments to go down at the same time.

Interface Configuration Problems

Make sure that the RRAS server is configured to perform as an IP router. Open the RRAS Microsoft Management Console (MMC) and verify all your settings. Make sure that you have enabled RRAS on the Windows Server 2003 machine you are expecting to perform as a router. It could be that you have the wrong server configured. Also, keep in mind that the system must first make the physical connection to the network. After that, it must make the logical connections. The router also might not be receiving routed data from other routers. Take a look at the routing table to see that the router is receiving routes from the other routers. If there is anything there other than Local in the Protocol column, the router is receiving routes via the routing protocols. If not, double-check the rest of the settings in this section and pay particular attention to the appropriate protocol.

RRAS Configuration Problems

Routing for the correct LAN protocol may not be enabled. If you’re using IP routing, make sure that IP routing is enabled on the IP tab of the server’s property sheet. Also, make sure that you have IP routing protocols attached to each of the interfaces where they are needed.


The wrong protocol could be installed, or the right protocol could have been installed on the wrong interface. The correct protocol must be installed on the appropriate interface for this to work correctly.

Routing Protocol Problems

One of the most common problems you’ll face with RIP for IP is incorrect routing table entries. If you’re seeing wrong or inconsistent routes in the routing tables, or if routes are totally missing, you should look at the following possibilities:

■ The wrong version of RIP could be in use.

■ Silent RIP hosts might not be receiving hosts.

■ The subnetting scheme on your network could be incompatible with your routing infrastructure.

■ A router might be using the wrong password.

■ Routing filters might be too restrictive.

■ Packet filters might be too restrictive.

■ Neighbors might be incorrectly configured.

■ Default routes might not be being propagated.

If your router is using OSPF, make sure that the Enable OSPF on this interface check box is selected. This option is in the interface’s OSPF Properties dialog box.

Also make sure that your router is receiving routing information from the other routers on the network. Do this by opening the routing table and looking at the Protocol column. One of the following might be the problem with OSPF:

■ OSPF might not be enabled on the desired interface.

■ The neighboring router might be unreachable.

■ The OSPF settings may not match on each of the neighboring routers.

■ The stub area configuration or area ID on neighboring routers may not match.

■ Interfaces may not be configured with OSPF neighbor IP addresses.

■ There may not be a designated router (DR) for the network.

■ Packet filtering may be too restrictive.

■ Summarized routes may be configured improperly.

■ ASBR source or route filtering may be too restrictive.

■ Virtual links may be incorrectly configured.


If a routing table entry is marked as being either OSPF or RIP, then information from some of the other routers on your network is getting through. If you do not see any OSPF or RIP entries in the table, you have a problem.

TCP/IP Configuration Problems

Verifying first that the router’s TCP/IP configuration is correct may save you a lot of time. You must use the correct IP address and subnet mask.

Routing Table Configuration Problems

You’ll need to have a static default route defined and enabled so that your router will forward any packets when there is no specific route designated for them. If the default route is incorrect or missing, you will have problems. If you’re using default routing, the default route must be learned through the routing protocols or statically configured on the router over the correct interface.

Planning, Implementing, and Maintaining Internet Protocol Security

In this chapter:

■ Understanding IP Security (IPSec)

■ Deploying IPSec

■ Managing IPSec

■ Addressing IPSec Security Considerations

■ Using RSoP for IPSec Planning

Introduction

Securing sensitive or mission-critical data is an important part of the network administrator’s job. Data is especially vulnerable to interception as it travels across the network. Windows Server 2003 includes Microsoft’s implementation of the Internet standard IP Security (IPSec) protocol, for the purpose of protecting data in transit. This chapter deals with how to work with Windows Server 2003’s IPSec. We start by introducing IPSec terminology and concepts and explaining how IPSec works “under the hood” to secure data in transit over the network. We discuss the purposes of IPSec encryption: authentication, integrity, and confidentiality. You’ll learn about how IPSec operates in either of two modes: tunnel or transport.

Although we refer to IPSec as a protocol, it is actually a framework, or a collection of protocols and standards designed to protect IP data in transit. In this chapter, you’ll learn about the protocols used by IPSec. These include the two primary protocols: the Authentication Header (AH) protocol and the Encapsulating Security Payload (ESP) protocol. We’ll also discuss the roles of additional protocols used by IPSec, including the Internet Security Association and Key Management Protocol (ISAKMP), Internet Key Exchange (IKE), the Oakley key-determination protocol, and the Diffie-Hellman key-agreement protocol. You’ll learn about Windows Server 2003’s IPSec components—the IPSec

Chapter 23


Posted: 05/07/2014, 00:20