7 Click Finish to complete the basic NAT configuration. Now we will modify the configuration to pass inbound public requests through to our private Web server.
8 Click NAT/Basic Firewall in the left pane of the management console and right-click the WAN interface in the right pane of the management console. Select Properties.
9 From the WAN Properties dialog box, select the Services and Ports tab as shown in Figure 25.11.
10 Select the Web Server (HTTP) check box. In the Private address box, enter 192.168.1.100 as shown in Figure 25.12 to direct inbound Web traffic to the Web server located at 192.168.1.100.
Figure 25.10 Specifying the LAN Interface as the Private NAT Interface
Figure 25.11 Specifying Services Available through NAT
11 Click OK. Click OK again to complete the configuration.
ICMP Router Discovery
RFC 1256 describes a method for IP hosts to detect a router's availability by using Internet Control Message Protocol (ICMP). ICMP Router Discovery, the name for this process, works in two ways:
■ Hosts send router solicitations using ICMP to discover available routers on the network.
■ Routers send ICMP advertisements in response to the IP host solicitations, as well as periodic ICMP updates to notify the hosts that the router is still available.
Although Windows Server 2003 supports ICMP Router Discovery, it is disabled by default. You can use the following procedure to configure ICMP Router Discovery.
Configure ICMP Router Discovery
1 Open Routing and Remote Access (Start | Programs | Administrative Tools | Routing and Remote Access).
2 In the left pane of the RRAS console, click General.
3 In the right pane, right-click the interface on which you want to enable router discovery, and then click Properties.
4 On the General tab, select the Enable router discovery advertisements check box.
5 In Advertisement lifetime (minutes), type or select the time after which a router is considered down if no further router advertisement has been heard from it.
6 In Minimum time (minutes), type or select the minimum rate at which the router periodically sends ICMP router advertisements.
Figure 25.12 Specifying the Private Network Web Server Address
7 In Maximum time (minutes), type or select the maximum rate at which the router periodically sends ICMP router advertisements.
8 In Level of preference, type or select the level of preference for this router to be a default gateway for hosts.
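As an added example (not code from the chapter or from RRAS), the following Python builds and validates the RFC 1256 Router Advertisement that the settings above control: each router address carries the Level of preference as a signed 32-bit field, and the Advertisement lifetime, entered in minutes in RRAS, is carried in seconds on the wire. The addresses and values used are constructed for illustration.

```python
import ipaddress
import struct

ICMP_ROUTER_ADVERTISEMENT = 9      # RFC 1256 message type sent by routers
ICMP_ROUTER_SOLICITATION = 10      # RFC 1256 message type sent by hosts
PREF_NOT_A_DEFAULT_ROUTER = -0x80000000   # lowest preference: never a default gateway


def icmp_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 1071); 0 for a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_router_advertisement(routers, lifetime_minutes):
    """routers: list of (address, preference) pairs; preference is the signed
    'Level of preference' value. The lifetime is entered in minutes in RRAS
    but the 16-bit wire field holds seconds."""
    lifetime = lifetime_minutes * 60
    if not 0 <= lifetime <= 0xFFFF:
        raise ValueError("lifetime does not fit the 16-bit field")
    header = struct.pack("!BBHBBH", ICMP_ROUTER_ADVERTISEMENT, 0, 0,
                         len(routers), 2, lifetime)
    body = b"".join(ipaddress.IPv4Address(addr).packed + struct.pack("!i", pref)
                    for addr, pref in routers)
    msg = header + body
    return msg[:2] + struct.pack("!H", icmp_checksum(msg)) + msg[4:]


def parse_router_advertisement(msg: bytes):
    """Decode an advertisement the way a listening host should, discarding it
    on a bad checksum, wrong type/code, entry size below 2 or a truncated
    address list (the validity rules of RFC 1256)."""
    if len(msg) < 8 or icmp_checksum(msg) != 0:
        raise ValueError("bad length or checksum")
    mtype, code, _, count, entry_size, lifetime = struct.unpack("!BBHBBH", msg[:8])
    if mtype != ICMP_ROUTER_ADVERTISEMENT or code != 0:
        raise ValueError("not a router advertisement")
    if entry_size < 2 or len(msg) < 8 + count * entry_size * 4:
        raise ValueError("malformed address list")
    routers = []
    for i in range(count):
        off = 8 + i * entry_size * 4
        addr = str(ipaddress.IPv4Address(msg[off:off + 4]))
        (pref,) = struct.unpack("!i", msg[off + 4:off + 8])
        routers.append((addr, pref))
    return lifetime, routers
```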
Creating Remote Access Policies
You can manage the security of your remote access server by creating one or more remote access policies. Depending on your configuration, you will need to create policies in one of these two places:
■ If you are using Windows authentication, use the Remote Access Policies item under each RRAS server in the Routing and Remote Access MMC snap-in.
■ If you are using RADIUS authentication, use the Remote Access Policies item under the IAS server in the Internet Authentication Service MMC snap-in.
Regardless of the type of authentication you are using, the policies you create will work the same way, and the dialog boxes for creating and modifying policies are the same.
Policies and Profiles
Remote access security includes two key components:
■ Remote Access Policies: Determine which users can connect remotely and the connection methods they can use. You can have any number of remote access policies.
■ Remote Access Profiles: Provide further restrictions after the connection is established. Each policy contains exactly one profile.
Each remote access policy has an order number, or priority. You can define the order by using the Move Up and Move Down actions in the policy window. The list of policies in a default Windows Server 2003 RRAS installation is shown in Figure 25.13. Each policy can have various criteria against which connection attempts are checked. The policy can be set to either Grant or Deny access for users who match these criteria.
When a user attempts to connect, his or her connection criteria are compared to each policy's conditions in order until a policy matches. The Grant or Deny setting of that policy then determines whether the user is allowed access. If a policy grants access, its associated profile is used to further restrict the connection.
In the following sections, you will learn how to make practical use of remote access policies and profiles to authorize or restrict remote access and to control aspects of the connections using remote access profiles.
Authorizing Remote Access
The simplest use for a remote access policy is to authorize remote access for a particular user or group. Windows Server 2003 includes a wizard that you can use to quickly create these types of policies. After you have created a policy, you can modify the properties of the policy to make more specific settings or restrictions. You can launch the wizard through Start | Administrative Tools | Routing and Remote Access. In the left pane, select Remote Access Policies, then from the menu select Action | New Remote Access Policy. The wizard will step you through the process to authorize remote access by user. A similar process is used to authorize remote access by group.
Authorizing Access By Group
Unlike user accounts, security groups do not include dial-in properties. If you wish to enable access for a group, you can use the wizard to create a remote access policy that includes a condition to check the user's group membership. You can use the following steps to authorize remote access by group.
1 Select Programs | Administrative Tools | Routing and Remote Access from the Start menu. If you are using RADIUS authentication, select Internet Authentication Service instead.
Figure 25.13 Remote Access Policies
2 Click Remote Access Policies in the left-hand column. A list of the current policies is displayed in the window.
3 From the menu, select Action | New Remote Access Policy.
4 The wizard displays a welcome message. Click Next to continue.
5 The Policy Configuration Method screen is displayed. Select the Use the wizard to set up a typical policy option and enter Allow Admin Access in the Policy name field. Click Next to continue.
6 The Access Method screen is displayed. You can select whether this policy will apply to Dial-up, VPN, Wireless, or Ethernet access. Select the Dial-up option and click Next to continue.
7 The User or Group Access dialog box is displayed. Select the Group option and click the Add button to add a group name.
8 The Select Groups dialog box is displayed. Enter Domain Admins in the Enter the object names to select field and click OK.
9 You are returned to the User or Group Access dialog box. Click Next to continue.
10 The Authentication Methods dialog box is displayed. Click Next to continue.
11 The Policy Encryption Level dialog box is displayed. Click Next to continue.
12 The wizard displays the completion dialog box. Click Finish to create the policy.
Restricting Remote Access
You can add any number of conditions to a remote access policy to restrict the users, connection types, and other criteria that can match the policy. Each policy can be configured to either allow access or deny access based on those criteria.
To restrict access, you can create a policy that denies access based on a set of criteria. Because each connection will use the first policy that it matches, be sure your policies for denying access are placed early in the list, before any other policy that might match the same users.
The current conditions for a policy are listed in its Properties dialog box. You can use the Add button to add a condition. There are a variety of attributes you can test to create a condition.
Restricting by User/Group Membership
You already used the wizard to create a simple policy to restrict by group membership earlier in this section. You can also add this condition manually to any policy using its properties. The attribute for group membership is Windows-Groups. You can specify one or more group memberships to match and set the policy to either grant or deny access.
Restricting by Type of Connection
You can use the NAS-Port-Type attribute to restrict a remote access policy to a particular type of connection. Connection types include modem, ISDN, wireless, VPN, and other network connections that can be used for remote access. For example, suppose you were discontinuing the use of dial-in remote access and want to add a policy to prevent dial-in access. You would create a policy to deny access when the NAS-Port-Type attribute indicates a modem connection and place it at the top of the list to override other policies.
Restricting by Time
You can use the Day-and-Time-Restrictions attribute to control the day of the week and times of day that a policy will be effective. You can use this feature to deny access at a specific time or day or to explicitly grant access at a certain time. To use this feature, use the Add button in the Properties dialog box to add a condition to a policy, and then select Day-and-Time-Restrictions. The Time of day Constraints dialog box enables you to allow or deny access for each hour of the day and each day of the week.
Restricting by Client Configuration
You can use the Network Access Quarantine Control (NAQC) feature to restrict connections based on aspects of a client's configuration: the operating system, file system, and even details of which security updates have been installed. You need to create a custom script or program to check the client's configuration to implement this feature.
NAQC is included with the Windows Server 2003 Resource Kit. It includes several components:
■ The Remote Access Quarantine Agent service (RQS.EXE), which runs on the RRAS servers.
■ A custom script to check the configuration. The script can use RQC.EXE, included in the resource kit, to notify the quarantine agent whether the client passed its tests.
■ Connection Manager, using a custom profile and a post-connect action to run the script.
■ A RADIUS (IAS) server to manage authentication.
■ A remote access policy that uses the quarantine attributes, installed with the quarantine agent, to determine whether the connection has been authorized by the script.
NAQC is supported by Windows 98 SE and later clients that support Connection Manager. For details on implementing a quarantine script, consult Microsoft's TechNet site.
Restricting Authentication Methods
You can use the Authentication-Type attribute to restrict a policy to certain authentication types. When you add this attribute, you can use the Authentication-Type dialog box to add one or more of the possible authentication types, as shown in Figure 25.14.
Restricting by Phone Number or MAC Address
You can use the following two attributes to add a phone number condition to a remote access policy:
■ Called-Station-ID: The phone number the user called
■ Calling-Station-ID: The phone number the call originated from (Caller ID)
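The first-match evaluation described under Policies and Profiles, combined with the Windows-Groups, NAS-Port-Type and Day-and-Time-Restrictions conditions covered above, as an added Python simulation (not code from the chapter or from RRAS): it shows why the deny policy for modem connections must be ordered above the wizard's Allow Admin Access policy. The policy names, group names, attribute values and profile settings are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class Policy:
    name: str
    conditions: dict        # attribute name -> set of acceptable values
    grant: bool             # True = Grant remote access permission
    profile: dict = field(default_factory=dict)   # applied only on Grant


def condition_matches(attribute, allowed, request):
    """Windows-Groups matches if the user is in any listed group; Day-and-Time-
    Restrictions matches if the attempt's (weekday, hour) is in the allowed set;
    other attributes (NAS-Port-Type, Authentication-Type, Called-Station-ID,
    Calling-Station-ID) are a plain membership test on the request's value."""
    if attribute == "Windows-Groups":
        return bool(set(allowed) & set(request.get("Windows-Groups", ())))
    if attribute == "Day-and-Time-Restrictions":
        when = request["time"]
        return (when.weekday(), when.hour) in allowed
    return request.get(attribute) in allowed


def evaluate(policies, request):
    """First match wins: policies are checked in priority order, the first whose
    conditions all match decides Grant/Deny, and only a granting policy's profile
    is applied. An attempt that matches no policy is rejected."""
    for policy in policies:
        if all(condition_matches(a, v, request) for a, v in policy.conditions.items()):
            return policy.name, policy.grant, (policy.profile if policy.grant else {})
    return None, False, {}


# Constructed policies. NAS-Port-Type uses the RADIUS names: "Async" is a modem
# connection, "Virtual" is a VPN connection. Profile values stand in for the
# Dial-in Constraints tab settings.
DENY_DIALUP = Policy("Deny Dial-in", {"NAS-Port-Type": {"Async"}}, grant=False)
ALLOW_ADMINS = Policy("Allow Admin Access", {"Windows-Groups": {"Domain Admins"}},
                      grant=True, profile={"idle_timeout_min": 10, "max_session_min": 480})
BUSINESS_HOURS = {(day, hour) for day in range(5) for hour in range(8, 18)}
ALLOW_STAFF = Policy("Allow Staff VPN", {"Windows-Groups": {"Staff"},
                     "NAS-Port-Type": {"Virtual"},
                     "Day-and-Time-Restrictions": BUSINESS_HOURS},
                     grant=True, profile={"idle_timeout_min": 20})


def admin_modem_attempt(deny_first):
    """The same modem attempt by a Domain Admin is denied only when Deny Dial-in
    is ordered above Allow Admin Access; otherwise the grant matches first."""
    request = {"Windows-Groups": ["Domain Admins", "Staff"], "NAS-Port-Type": "Async",
               "time": datetime(2004, 3, 1, 9)}
    order = [DENY_DIALUP, ALLOW_ADMINS] if deny_first else [ALLOW_ADMINS, DENY_DIALUP]
    return evaluate(order + [ALLOW_STAFF], request)


def staff_vpn_attempt(year, month, day, hour):
    """A Staff VPN attempt is granted in business hours and rejected otherwise."""
    request = {"Windows-Groups": ["Staff"], "NAS-Port-Type": "Virtual",
               "time": datetime(year, month, day, hour)}
    return evaluate([DENY_DIALUP, ALLOW_ADMINS, ALLOW_STAFF], request)
```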
Controlling Remote Connections
After a connection is established by matching a remote access policy, the profile associated with the policy is used to control what the user can do with the connection. Some of the most useful profile settings include the following:
■ The amount of time the user is allowed to remain connected or remain idle
■ The encryption methods that will be allowed
■ Which traffic will be filtered using packet filters
■ The client IP address
Controlling Idle Timeout
The idle timeout is the amount of time the RRAS server will keep a session connected when there has not been any traffic to or from the remote access server. You can use this setting to ensure that clients who finish using their remote connection but fail to disconnect are disconnected automatically.
The idle timeout is part of a remote access profile. You can change the timeout on the Dial-in Constraints tab of the Edit Dial-in Profile dialog box.
Figure 25.14 Restricting by Authentication Method
Controlling Maximum Session Time
Along with the idle timeout, you can define a maximum amount of time a client can remain connected to the server whether they use the connection or not. When your supply of incoming ports is limited, this is one way to ensure that ports are opened up to enable other users to connect. The maximum session time is also defined in the Dial-in Constraints tab of a profile.
Controlling Encryption Strength
You can use the settings in the Encryption tab of a remote access profile's Properties dialog box to allow or disallow particular types of encryption for a VPN connection. Encryption types include the following:
■ Basic encryption (MPPE 40-bit)
■ Strong encryption (MPPE 56-bit)
■ Strongest encryption (MPPE 128-bit)
Any of these three encryption settings can be used, depending on what the server and the client support, to prevent unauthorized access.
Controlling IP Packet Filters
You can use IP packet filters to filter incoming or outgoing traffic for connections that match a particular remote access profile. You might find this useful for denying access to a VPN from particular locations or only allowing access from a particular address. You can manage outgoing and incoming packet filters from the IP settings tab of the Profile Properties dialog box, as shown in Figure 25.15.
Figure 25.15 IP Settings
Controlling IP Address for PPP Connections
You can also use the IP settings to control IP address assignment for PPP (dial-in) connections.
The following options are available:
■ Server must supply an IP address
■ Client may request an IP address
■ Server settings determine IP address assignment
■ Assign a static IP address
The last option enables you to specify a single IP address to be assigned to clients that match this profile. If you use this feature, be sure only one client at a time will match the profile, because the IP address can only be assigned to one client.
Troubleshooting Remote Access Client Connections
Remote access client connections are often the most difficult connection problems to troubleshoot.
In many cases, the system you are troubleshooting is not physically in front of you or even remotely accessible via remote control software, which makes it an added challenge. The best practice to follow when troubleshooting any type of connectivity problem is to start with the simpler areas and work your way up. The Open Systems Interconnect (OSI) reference model proves to be a handy guide for troubleshooting. Troubleshoot by starting at the lowest layers first, as seen in Table 25.1.
Table 25.1 The OSI Reference Model
Layer  Name                Examples
1      Physical Layer      Cabling, connectors
2      Data Link Layer     Network card, hardware address (ARP, MAC, LLC)
3      Network Layer       Logical addressing (IP address, IPX address)
4      Transport Layer     Segment and assemble upper layer information (TCP ports, UDP ports)
5      Session Layer       Connection control (RPC, SQL, NFS)
6      Presentation Layer  Data formatting (ASCII, MPEG, JPEG)
7      Application Layer   Applications (e-mail client, Web browser, word processor)
Most, if not all, networking problems will be solved within the first three or four layers. Begin the troubleshooting process with cabling. Work your way up the OSI reference model to test hardware settings and drivers next. At layer 3, the network layer, verify connectivity based on logical addressing like phone numbers or IP addresses. At the transport layer, verify available port numbers for your applications. Usually, transport layer problems will occur at a firewall or NAT system. This should be one of the first things to check if you have made it to layer 4 in the troubleshooting process. Session layer troubleshooting would entail verifying that services are started and running properly on your systems. Presentation and application layer problems do not generally affect network and/or remote access connectivity. Let's take a closer look at the different types of remote access to see how our methodology applies.
If the client is connecting through a modem, check the phone cable connectors to make sure they are securely connected to the wall and the modem. Ensure the modem is getting power and displays proper diagnostic indicators if you are working with an external modem. You might try shutting off and restarting an external modem. Check the Windows Device Manager to verify operation and driver information. If necessary, update the drivers. Working our way toward the network layer, test full operation of the modem by dialing a phone number with the phone dialer. Test the modem itself by dialing a different number with the phone dialer. If possible, ensure that the Routing and Remote Access service is operational on the remote access server. Make sure you are using the correct authentication algorithm.
If you are connecting through VPN using an Internet connection, first verify Internet connectivity. If you are using a dial-up Internet connection to provide a transport for the VPN, follow the steps in the previous paragraph to ensure dial-up connectivity to your ISP and the Internet. If you are able to reach Internet servers, verify connectivity to the VPN server by issuing a ping command to the VPN server's FQDN or IP address. Make sure that there are a sufficient number of L2TP or PPTP ports available on the VPN server. Make sure you are using the proper authentication algorithms and the proper encryption strength. Finally, verify that the remote access policy settings will allow connectivity. If any one of the remote access policy rules matches your client computer or your user account, rule processing ends at that step and the requested action is processed.
If you are able to connect to the remote access server but you are unable to connect to resources within the remote LAN, you have already ruled out the first two layers of the OSI reference model. Typical problems in this scenario include IP connectivity problems, name resolution problems, and incorrect upper layer protocol selection. An approach here would be to check the IP address assigned to the PPP adaptor. Verify IP connectivity to the inside interface of the remote access server. This is the LAN interface on the RRAS server. Next, in a Windows 2000 or Windows Server 2003 Active Directory environment, issue an nslookup command to test DNS resolution for the client. If IP connectivity fails, name resolution will fail. When testing IP connectivity, verify that the address assigned to the PPP adaptor is a valid address for one of your LANs. If the address is in the range of 169.254.0.1 to 169.254.255.254, this is an Automatic Private IP Addressing (APIPA) assignment. This signifies a problem in the address request process with the DHCP server. This problem could be between the client and the RRAS server or between the RRAS server and the DHCP server.
Some utilities for troubleshooting Windows Server 2003 connectivity include:
■ Ipconfig
■ Netsh
■ Nslookup
■ Ping
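An added Python helper (not from the chapter) that applies the PPP adaptor check described above to a constructed sample of ipconfig output: it flags an APIPA address (169.254.0.1 to 169.254.255.254) as a failed DHCP address request and an address outside your LAN ranges as misconfigured. The adapter name, addresses and LAN range are constructed for illustration.

```python
import ipaddress
import re

# APIPA range as given in the troubleshooting text above.
APIPA_FIRST = ipaddress.IPv4Address("169.254.0.1")
APIPA_LAST = ipaddress.IPv4Address("169.254.255.254")

# Constructed sample of Windows XP "ipconfig" output for a client whose
# dial-in PPP adapter received an APIPA address instead of a LAN address.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : home.example
        IP Address. . . . . . . . . . . . : 10.0.0.5
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 10.0.0.1

PPP adapter Corporate Dial-in:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 169.254.37.12
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . : 169.254.37.12
"""


def adapter_addresses(ipconfig_text):
    """Map each adapter heading in ipconfig output to its IP Address value."""
    result, current = {}, None
    for line in ipconfig_text.splitlines():
        heading = re.match(r"^(\S.* adapter .+):$", line)
        if heading:
            current = heading.group(1)
        elif current and line.strip().startswith("IP Address"):
            result[current] = line.split(":")[-1].strip()
    return result


def diagnose_ppp_address(ipconfig_text, lan_networks):
    """Classify the PPP adapter's address: 'apipa' means the DHCP address
    request failed somewhere between client, RRAS server and DHCP server;
    'not-in-lan' means the address is not valid for any of your LANs;
    'ok' means move on to testing the RRAS LAN interface and DNS."""
    lans = [ipaddress.ip_network(net) for net in lan_networks]
    for name, addr in adapter_addresses(ipconfig_text).items():
        if not name.startswith("PPP adapter"):
            continue
        ip = ipaddress.ip_address(addr)
        if APIPA_FIRST <= ip <= APIPA_LAST:
            return name, "apipa"
        if not any(ip in lan for lan in lans):
            return name, "not-in-lan"
        return name, "ok"
    return None, "no-ppp-adapter"
```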