Chapter 5 MCSE 70-293

Planning, Implementing, and Maintaining an Internet Connectivity Strategy

Exam Objectives in this chapter:
2 Planning, Implementing, and Maintaining a Network Infrastructure
2.3 Plan an Internet connectivity strategy
2.5 Troubleshoot connectivity to the Internet
2.5.1 Diagnose and resolve issues related to Network Address Translation (NAT)

Summary of Exam Objectives
Exam Objectives Fast Track
Exam Objectives Frequently Asked Questions
Self Test
Self Test Quick Answer Key
Internet connectivity is no longer a luxury for most businesses; it is a necessity. Employees use the Internet to exchange e-mail with clients, suppliers, and co-workers in other physical locations; to conduct research via the Web; and to remotely access the local area network (LAN) from home or when on the road. Creating an effective policy for implementing and managing the organization’s Internet connections is an important part of the Windows Server 2003 network administrator’s job.
This chapter is about how to develop the best strategy for connecting your company’s Windows Server 2003 network to the Internet. We’ll discuss connecting the LAN to the Internet using routed connections or translated connections (via Internet Connection Sharing or the Routing and Remote Access Service’s Network Address Translation component). You’ll learn how to use both Internet-based virtual private networks (VPNs) and router-to-router VPNs to provide connectivity to the company’s LAN from remote locations or to connect two branch offices. We’ll discuss the intricacies of demand-dial/on-demand connections and persistent connections, and explain the difference between one-way and two-way initiation. We’ll also show you how to use Remote Access Policies to control VPN connections, and we’ll discuss VPN protocols supported by Windows Server 2003 and how to make VPN connections using either the Point-to-Point Tunneling Protocol (PPTP) or the Layer 2 Tunneling Protocol (L2TP). You’ll learn about VPN security and the authentication and encryption protocols that make your virtual network private.

Next, we’ll take a look at the Internet Authentication Service (IAS) and how it can provide centralized user authentication and authorization, centralized auditing and accounting, and extensibility and scalability. You’ll learn about IAS integration with the Windows Server 2003 Routing and Remote Access Service (RRAS), and how to control authentication via Remote Access Policies. We’ll show you how to use the IAS Microsoft Management Console (MMC) snap-in and how to implement monitoring of IAS, and we’ll discuss the use of the IAS Software Development Kit (SDK). Then we’ll delve a little deeper into the IAS authentication methods and discuss Remote Authentication Dial-In User Service (RADIUS) access server support, wireless access points (WAPs), and authenticating switches.

In the next section, we’ll walk you through the process of using the Connection Manager Administration Kit (CMAK) to create service profiles, custom actions, and custom help files, as well as VPN support, to make it easier for nontechnical users to connect remotely without needing to do complex configuration. We’ll talk about security issues pertaining to Connection Manager, and show you how to prevent editing of service profile files, how to prevent users from saving their passwords, and how to distribute service profiles securely.
Connecting the LAN to the Internet
You can connect a Windows Server 2003 network to the Internet in two basic ways:
■ Using a router to directly route traffic to and from the Internet
■ Using a translation service to convert traffic from an internal network to Internet traffic
The following sections discuss the advantages and disadvantages of these methods.
Routed Connections
The traditional method of connecting a network to the Internet is to use a router to route traffic between the external network and your local network. The advantages of this approach are that it is easy to configure, requiring only simple hardware setup, and that it allows full Internet access for all machines on the local network segment. It also allows all machines on the network to provide services to the Internet.
Routed connections have two chief disadvantages. First, every machine on the local network is reachable from anywhere on the Internet. This is rarely necessary and creates a large number of potential security problems. Second, a separate Internet IP address is required for each machine that can access the Internet. Since IP addresses are scarce and are issued only to networks that can prove a need for them, this is not the most efficient approach.
Advantages of Routed Connections
Although translated connections are becoming increasingly popular, routed connections do have a number of advantages:
■ Since each client is connected to the Internet through the router, clients can connect even if the local network servers are not working.
■ Some Internet clients, such as multimedia applications and games, do not work correctly over a translated connection.
■ Each machine has a dedicated Internet IP address and can be used for services such as File Transfer Protocol (FTP) and Domain Name System (DNS) that require a unique IP address per host.
Hardware and Software Routers
A routed connection uses a router, a device that transmits data between the internal network and the Internet. There are two types of routers:
■ A hardware router is a dedicated device. Hardware routers provide a simple “out-of-the-box” solution for Internet connections.
■ A software router runs as a service on one of the computers on the network. The Routing and Remote Access Service (RRAS) in Windows Server 2003 allows a computer to act as a router.
In order to use a computer as a software router, it must have two network connections: one to the internal network (LAN) and one to the external network (the Internet). Microsoft sometimes refers to a computer with two network connections as a multihomed computer.
IP Addressing for Routed Connections
When you are using a routed connection to the Internet, each machine on the internal network will need a valid Internet IP address. IP addresses are managed by a central authority, the American Registry for Internet Numbers (ARIN). You will typically obtain IP addresses from an Internet Service Provider (ISP), which has obtained a block of addresses from ARIN for use by its clients.
Once you have been issued one or more IP addresses, you can assign them to the computers in the network. There are two basic ways to accomplish this:
■ By manually configuring an IP address in each computer’s network connection properties
■ By using the Dynamic Host Configuration Protocol (DHCP) to assign addresses
Using DHCP, you can define the IP addresses you have been issued in the DHCP server, and clients are automatically assigned, or leased, an address when they are booted. If a client disconnects from the network, its lease is terminated after a timeout period and the address becomes available to other computers.
TEST DAY TIP
Any Windows Server 2003 (or Windows 2000 Server) computer can act as a DHCP server. To configure DHCP, select Start | Administrative Tools | Configure Your Server Wizard and enable the DHCP Server role.
Translated Connections
The second strategy is to use a service that translates between internal IP addresses and external addresses used on the Internet. By using this technique, you can enable Internet access for many computers using a single Internet IP address. Along with conserving address space, address translation ensures that your computers are not accessible directly from the Internet, effectively preventing many types of network attacks.
Network Address Translation (NAT) is an Internet standard defined in RFC 1631 for systems that translate between internal and external network addresses. Windows networks support two types of NAT service:
■ Network address translation (NAT) is a full-featured NAT implementation supported by Windows 2000 Server and Windows Server 2003.
■ Internet Connection Sharing (ICS) is a simplified NAT implementation for small networks, and is supported by Windows 98 Second Edition, Windows Me, Windows XP, and Windows 2000 Professional.
When you configure the NAT or ICS service, the computer that acts as the NAT server must have at least two network connections: a connection to the Internet (typically a modem or broadband connection) and a connection to the LAN containing the computers that will share the Internet connection.
Network Address Translation (NAT)
NAT is Microsoft’s full-featured address translation feature. When you access the Internet on a network that uses a NAT server, outgoing packets are sent to the NAT server, which changes their originating address and forwards them to the Internet. The returned packets are delivered to the NAT server. The server then translates the packets to internal IP addressing and sends them to the machine that made the original request.
The Windows Server 2003 NAT server actually supports three separate services:
■ NAT, the address translation service
■ DHCP for assigning IP addresses to clients that are sharing the Internet connection
■ DNS for name resolution
Depending on your network configuration, you might not need the NAT server to handle address assignment or name resolution. You can choose whether to use these components when you configure the NAT server. If you have dedicated DHCP or DNS servers on the network, you can continue to use them with NAT. (The DNS service forwards requests to an Internet DNS server and returns the results to the appropriate client within the private network.)
Installing the NAT Service
NAT is part of the RRAS component of Windows Server 2003. RRAS is installed with Windows Server 2003 but is not enabled by default. You can enable this service using the Manage Your Server application that is launched when you install the operating system or by using the Routing and Remote Access MMC snap-in. Windows Server 2003 includes a wizard that can enable RRAS and set up a NAT server. Exercise 5.01 shows how to configure NAT using the wizard.
EXAM 70-293 OBJECTIVE 2.5
TEST DAY TIP
Remember that you need at least two network interfaces on the NAT server: one connected to the private network, usually a LAN adapter, and one connected to the Internet. You can configure a demand-dial Internet connection (if you’re using a modem or ISDN dial-up instead of an “always-on” connection to the Internet) during the NAT server setup process.
You can also configure NAT manually using the Routing and Remote Access MMC snap-in. This is the only way to configure a NAT server on a machine that already has RRAS enabled. RRAS can perform NAT along with its other functions, which include acting as a network router or accepting dial-up network connections.
EXERCISE 5.01
INSTALLING NAT USING THE WIZARD
You can install NAT on a Windows Server 2003 server that does not yet have RRAS enabled using the Routing and Remote Access Server Setup Wizard. This exercise guides you through the process of setting up a basic NAT server using the Wizard.
1. Select Start | Administrative Tools | Routing and Remote Access to start the RRAS MMC snap-in.
2. Click the RRAS server name (usually the current machine) in the left column to highlight it.
3. From the menu, select Action | Configure and Enable Routing and Remote Access.
4. The Wizard displays a Welcome window. Click Next to continue.
5. The Configuration window appears. Select the Network address translation (NAT) option, as shown in Figure 5.1, and click Next.
6. The NAT Internet Connection window is displayed. Here, you can choose how the NAT server will connect to the Internet. Choose either Use this public interface to connect to the Internet or Create a new demand-dial interface to the Internet.
7. You can optionally choose to enable basic security for the Internet interface by checking the Enable security on the selected interface by setting up Basic Firewall option. This option is enabled by default.
8. Click Next to continue.
9. The Ready to Apply Selections window is displayed. Click Next to start the RRAS service.
If you chose to create a new demand-dial interface in Step 6, the Demand-Dial Interface Wizard will guide you through this process. This Wizard is described in Exercise 5.04, later in this chapter. Otherwise, you are returned to the Routing and Remote Access MMC snap-in, and you can now manage the NAT service as described in the next section.
Figure 5.1 Select NAT from the RRAS Wizard
Managing NAT
After you have enabled RRAS and set up a NAT server, you can manage the server from the Routing and Remote Access MMC snap-in. Select the server and select Action | Properties to display the Properties dialog box. Select the IP tab within this dialog to display the IP properties, shown in Figure 5.2. This page allows you to manage the address assignment feature of NAT. The NAT server can assign IP addresses in one of two ways:
■ Select Dynamic Host Configuration Protocol (DHCP) to use an existing DHCP server to handle addressing.
■ Select Static address pool to explicitly list the IP addresses this server can assign to clients. Once you have selected this option, you can use the Add, Edit, and Remove options to create a list of one or more IP address ranges for the address pool.
The IP properties tab also includes an option to manage the name resolution feature of NAT. Select the Enable broadcast name resolution option if you do not have a DNS or Windows Internet Name Service (WINS) server on the network to handle name resolution. If this option is selected, the RRAS server uses network broadcasts to resolve names. This eliminates the need for a dedicated name server on single-subnet Windows-based networks.
Figure 5.2 The IP Properties for an RRAS Server
TEST DAY TIP
If you are not using broadcast name resolution, the NAT server needs to know the IP address of a DNS or WINS server to complete resolution requests. These server addresses are not part of the RRAS configuration. You must specify them using the Properties dialog box for the network interface.
Configuring a NAT Connection
You can also manage the settings for a NAT interface from the Routing and Remote Access console. To access these settings, select the NAT/Basic Firewall entry under IP Routing in the left column, and then select Action | Properties from the menu. The Properties dialog box is divided into four tabbed sections:
■ NAT / Basic Firewall On this tab, shown in Figure 5.3, you can enable or disable NAT for the connection. You can also enable a basic firewall, which prevents unauthorized traffic from the Internet from reaching the internal network. You can also use the Inbound Filters and Outbound Filters buttons to define IP filters to further secure the connection.
■ Address Pool Allows you to define the Internet addresses that will be used by the NAT server. Don’t confuse this with the pool of private addresses the server can assign to clients. At least one Internet address must be included here. You can also use the Reservations button to define an external address that always reaches the same internal client machine. This is useful if you need to run a Web server or other service and make it accessible over the Internet.
■ Services and Ports Allows you to enable various services, such as FTP and Simple Mail Transfer Protocol (SMTP), that will be accessible to Internet users, and define the internal machines these packets will be routed to.
■ ICMP Allows you to enable various types of diagnostic packets. These may be needed if you wish the NAT server to respond to PING or Traceroute diagnostics.
How NAT Works
NAT transparently handles translation, so clients do not need to be aware that NAT is in use. Instead, they are configured with the NAT server’s address as their default gateway. When a client sends an outgoing packet, it is sent to the NAT server. The NAT server receives the packet and performs the following tasks:
■ The packet’s destination address and port are stored in an entry in the NAT table, along with the internal address from which the packet originated.
■ The packet’s source address is changed to the NAT server’s address, and a random port number is assigned.
■ The packet is sent over the Internet.
■ When the remote server responds, the response is sent to the NAT server at the port number previously assigned. The NAT server consults the NAT table to determine which client requested the response, edits the packet to use the client’s internal IP address as its destination, and sends it to the internal network.
Figure 5.3 NAT Properties
Some Internet protocols, such as FTP, store addressing information within the packet itself, which would not normally work with NAT. The NAT server uses a NAT editor to modify the addresses for these protocols. Windows Server 2003 includes editors for several protocols. Keep in mind that some protocols may not be supported across the NAT server.
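The translation sequence from the “How NAT Works” list, the static Services and Ports / Reservations mappings described under “Configuring a NAT Connection”, and a NAT editor for the FTP PORT command, as an added Python model. This is example code, not code from the book or from Windows RRAS. The `NatServer` class with its `outbound`, `inbound`, `add_service` and `_edit_ftp_port` methods, the `parse_port_command` helper, and every address and port (public 203.0.113.5, Internet hosts in 198.51.100.0/24, private clients in 192.168.0.0/24) are assumptions constructed for the example. The external-port-to-internal-host mapping that `add_service` models is the same thing the ICS Services dialog in Exercise 5.02 configures.

```python
"""Simulation of the translation steps in "How NAT Works", of the static
Services and Ports / Reservations mappings, and of a NAT editor for the FTP
PORT command.  Added example, not code from the book or from Windows RRAS;
every address, port and host name below is constructed."""
import random
from collections import namedtuple
from dataclasses import dataclass, replace


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str = ""


# One NAT table entry.  peer = (ip, port) the client contacted, or None when any
# Internet host may connect (a published service or an FTP data port).
Mapping = namedtuple("Mapping", "client_ip client_port peer")


class NatServer:
    def __init__(self, public_ip, seed=None):
        self.public_ip = public_ip
        self.table = {}                  # NAT table, keyed by public port
        self._rng = random.Random(seed)  # seeded only so the demo is repeatable

    def _new_public_port(self):
        # "a random port number is assigned": pick an unused ephemeral port
        while True:
            port = self._rng.randint(1024, 65535)
            if port not in self.table:
                return port

    def add_service(self, public_port, host, port):
        """Services and Ports / Reservations: forward an external port to one
        fixed internal machine.  Nothing inbound is forwarded unless added here."""
        self.table[public_port] = Mapping(host, port, None)

    def outbound(self, pkt):
        """Client -> Internet: store origin and destination, rewrite the source."""
        port = self._new_public_port()
        self.table[port] = Mapping(pkt.src_ip, pkt.src_port, (pkt.dst_ip, pkt.dst_port))
        out = replace(pkt, src_ip=self.public_ip, src_port=port)
        if pkt.dst_port == 21:  # FTP control channel: the NAT editor runs here
            out.payload = self._edit_ftp_port(out.payload, pkt.src_ip)
        return out

    def inbound(self, pkt):
        """Internet -> client: consult the table; None means the packet is dropped."""
        m = self.table.get(pkt.dst_port)
        if m is None:
            return None  # no entry: internal hosts are unreachable unsolicited
        if m.peer is not None and m.peer != (pkt.src_ip, pkt.src_port):
            return None  # reply from a host the client never contacted
        return replace(pkt, dst_ip=m.client_ip, dst_port=m.client_port)

    def _edit_ftp_port(self, payload, client_ip):
        """Active-mode FTP puts the client's private address and data port inside
        the PORT command; rewrite it to the public address and a mapped port."""
        if not payload.startswith("PORT "):
            return payload
        _, data_port = parse_port_command(payload)
        pub_port = self._new_public_port()
        self.table[pub_port] = Mapping(client_ip, data_port, None)
        o = self.public_ip.split(".")
        return f"PORT {o[0]},{o[1]},{o[2]},{o[3]},{pub_port // 256},{pub_port % 256}"


def parse_port_command(payload):
    """Decode 'PORT h1,h2,h3,h4,p1,p2' into (ip, port)."""
    h1, h2, h3, h4, p1, p2 = (int(x) for x in payload[5:].strip().split(","))
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def demo(seed=1):
    """Constructed traffic through a NAT server whose public address is 203.0.113.5."""
    nat = NatServer("203.0.113.5", seed)
    nat.add_service(119, "192.168.0.20", 119)  # NNTP server published to the Internet
    # 1. Client 192.168.0.10 opens a web connection; its source is rewritten.
    out = nat.outbound(Packet("192.168.0.10", 3456, "198.51.100.7", 80, "GET /"))
    # 2. The web server replies to the public port; NAT restores the client.
    back = nat.inbound(Packet("198.51.100.7", 80, "203.0.113.5", out.src_port, "200 OK"))
    # 3. A probe from elsewhere to an unmapped port is dropped.
    probe = nat.inbound(Packet("198.51.100.99", 4444, "203.0.113.5", 1))
    # 4. An unsolicited NNTP connection reaches the published server only.
    nntp = nat.inbound(Packet("198.51.100.50", 40000, "203.0.113.5", 119))
    # 5. FTP PORT command announcing private data port 5000 (19 * 256 + 136).
    ftp = nat.outbound(Packet("192.168.0.10", 3457, "198.51.100.8", 21,
                              "PORT 192,168,0,10,19,136"))
    ftp_port = parse_port_command(ftp.payload)[1]
    data = nat.inbound(Packet("198.51.100.8", 20, "203.0.113.5", ftp_port))
    return {"out": out, "back": back, "probe": probe, "nntp": nntp,
            "ftp": ftp, "ftp_data": data}
```

Calling `demo()` walks one packet through each path. The probe to an unmapped public port coming back as `None` is the “not accessible directly from the Internet” property the Translated Connections section describes, and the published NNTP port is the one deliberate exception, which is why every entry added under Services and Ports deserves the same scrutiny as a firewall rule. The editor here rewrites only the PORT command; a complete FTP editor would also have to handle the EPRT command and the server’s PASV reply, which is the kind of per-protocol work that makes some protocols unsupported across a NAT server.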
Internet Connection Sharing (ICS)
Internet Connection Sharing (ICS) is a simple implementation of a NAT server and is included with all versions of Windows 2000, Windows XP, and Windows Server 2003, as well as Windows 98 Second Edition and Windows Me. It is much easier to configure and use than the full NAT service. Although ICS supports the basic translation features of NAT, it has a couple of limitations:
■ ICS supports only a single Internet IP address and a single LAN connection. The full NAT service can connect any number of public IP addresses to multiple LANs.
■ ICS cannot be used on networks that have a DHCP or DNS server implemented.
TEST DAY TIP
You should use ICS only when you are not using the NAT feature on the server, or when you are using an operating system for the NAT host, such as Windows XP, that supports ICS but not the full NAT service.
Activating the ICS Service
ICS is included and installed automatically with all versions of Windows Server 2003 and Windows 98 Second Edition and later. This feature is disabled by default, but enabling it is a simple process.
To enable ICS, open the Properties dialog box for the network adapter that connects to the Internet and select the Advanced tab. The Advanced properties are displayed, as shown in Figure 5.4. To enable ICS, simply check the Allow other network users to connect through this computer’s Internet connection option. You can also optionally check the Establish a dial-up connection whenever a computer on the network attempts to access the Internet option for a dial-up Internet connection.
TEST DAY TIP
The ICS options are included only in the Advanced tab of the Properties dialog box for Internet connections. LAN connections, such as the default Local Area Connection, do not include this option, since they connect only to the local network. You will, however, find the Connection Sharing option in the Properties dialog box for VPN connections.
Configuring Services
ICS is primarily a way for computers on your network to access Internet services, but it also allows you to configure services that are provided by a machine on your network and available via the Internet. When you use this option, incoming requests from the Internet are received by the ICS server and forwarded to whichever local machine is providing the service.
When ICS is enabled, you can click the Settings button in the Advanced tab of the Properties dialog box to configure the services available on your network and specify which client machines provide them. No services are enabled by default. The Services dialog box, shown in Figure 5.5, lists a number of common services and allows you to configure them or add additional services.
Figure 5.4 The Advanced Internet Provider Properties
Whether you use one of the predefined services, such as an FTP server or a Telnet server, or configure a custom service, you need to specify which computer on the local network will provide the service. Exercise 5.02 demonstrates the process of adding a new service.
EXERCISE 5.02
ADDING A CUSTOM SERVICE
You need to add an entry for any service on your network that should be accessible from outside the network. For example, the Network News Transfer Protocol (NNTP) service is not included as one of the default options, so you can add an entry for it. Follow these steps to add a custom service:
1. From the Network Connections window, right-click the Internet connection you are sharing and click Properties.
2. Select the Advanced tab.
3. Ensure that the Allow other network users to connect through this computer’s Internet connection option is enabled and click Settings.
4. The Services dialog box is displayed. Click Add.
5. The Service Settings dialog is displayed. In the Description of service text box, enter Net News Transfer Protocol, as shown in Figure 5.6.
6. In the Name or IP address text box, enter the machine name or IP address for the local machine providing the service.
7. In the External port number for this service text box, enter 119.
8. In the Internal port number for this service text box, also enter 119.
Figure 5.5 The Network Services That Internet Users Can Access
Figure 5.6 Service Settings
tions, it is also relatively expensive. A VPN eliminates the need for dedicated WAN links by taking advantage of readily available connections to the public Internet.
A VPN is defined as a private network that uses virtual links through a public network rather than dedicated WAN links. These virtual connections use a technology called tunneling to encrypt private data and encapsulate it in packets to be transmitted over the public network.
Windows Server 2003 includes VPN functionality as part of RRAS. You can configure a Windows Server 2003 machine to act as a VPN server, which manages the VPN connections between clients or networks.
TEST DAY TIP
One advantage of using a VPN connection, rather than a dedicated leased line, is that the VPN connection is flexible. For example, if you move a location, all that is required to reconnect to the VPN is an Internet connection of any type.
Internet-based VPNs
One common use for a VPN server is to allow clients to remotely access the network. For example, you might have employees who work from home or who need network access from their laptops while on the road. Traditionally, this would require a pool of modems and a dial-up RRAS server, or a dedicated WAN link. With a VPN, since remote clients often have Internet connectivity, you can configure a VPN server to accept connections from these clients over the Internet. This provides them with a secure connection to the network without the need for modems or phone lines, and it often saves money, since a client can use a low-cost ISP with a local phone number rather than making a long-distance call.
Microsoft refers to a VPN connection used for remote access as an Internet-based VPN. This is also known as a client-server VPN connection. The other type is a router-to-router connection. Although both types use the Internet for connectivity, Internet-based VPN refers to client-server connections.
How Internet-based VPNs Work
Figure 5.7 shows how a typical Internet-based VPN works. The remote client connects to the public Internet and uses VPN client software to initiate a connection with the VPN server. Communications for the VPN are encrypted and encapsulated into packets sent over the Internet.
Configuring Internet-based VPNs
RRAS supports the protocols needed for a VPN. You can configure these individually or use the RRAS Setup Wizard to configure a VPN server. Exercise 5.03 guides you through the process of configuring a VPN server using the Wizard.
EXERCISE 5.03
CONFIGURING A VPN SERVER USING THE WIZARD
If you have not yet configured RRAS on a server, you can use the Routing and Remote Access Server Setup Wizard to configure the server with the basic options for a VPN server.
NOTE
If you have previously configured the server to use RRAS, in order to perform this exercise you will need to first disable it. To do so, right-click the RRAS server name in the left console panel of the Routing and Remote Access MMC and select Disable Routing and Remote Access.
Follow these steps to configure the VPN server:
1. Select Start | Programs | Administrative Tools | Routing and Remote Access to start the Routing and Remote Access MMC snap-in.
2. Click the RRAS server name (usually the current machine) in the left column to highlight it.
3. From the menu, select Action | Configure and Enable Routing and Remote Access.
4. The Routing and Remote Access Server Setup Wizard displays a Welcome window. Click Next to continue.
Figure 5.7 Communications in an Internet-based VPN
5. The Configuration window appears (see Figure 5.1, earlier in the chapter). Select Virtual Private Network (VPN) access and NAT from the list and click Next.
6. The Wizard displays a final confirmation window, as shown in Figure 5.8. Click Finish to enable the RRAS and VPN features.
7. A dialog box asks whether you wish to start the RRAS service at this time. Click Yes.
Windows Server 2003 next starts the RRAS service and can accept VPN connections. You are returned to the Routing and Remote Access MMC snap-in, where you can customize the settings for the VPN server.
Router-to-Router VPNs
While an Internet-based VPN provides easy remote access for individual clients, you can also configure a larger-scale VPN to connect two geographically separated LANs. A router-to-router VPN requires an Internet connection for each LAN, and it encapsulates traffic on the Internet to create a virtual WAN between the locations.
A router-to-router VPN can either use demand-dial connections, creating the VPN only when it is required for traffic between the networks, or persistent connections for an always-on VPN. In either case, it can save money, since Internet connectivity is usually available at a lower cost than a dedicated WAN link between geographically separated sites. The longer the distance, the more money you are likely to save.
Figure 5.8 Completing the Routing and Remote Access Server Setup Wizard
On Demand/Demand-Dial Connections
A demand-dial connection is often the most practical choice for small remote sites that only occasionally require VPN connectivity. RRAS supports one or more demand-dial connections. You can configure a connection using the Network Interfaces node in the RRAS MMC snap-in. Exercise 5.04 demonstrates how to add a new demand-dial interface.
EXERCISE 5.04
CONFIGURING A DEMAND-DIAL INTERFACE
You can add a new demand-dial interface on any RRAS computer that has RRAS configured. If you have not yet configured and enabled RRAS, see the instructions earlier in this chapter. Follow these steps to create a new demand-dial interface:
1. From the Routing and Remote Access MMC snap-in, right-click the Network Interfaces item in the left column and select New Demand-dial Interface.
2. The Demand-Dial Interface Wizard displays an introductory message. Click Next to continue.
3. You are prompted for a name for the new interface, as shown in Figure 5.9. Enter the name and click Next.
Figure 5.9 Enter a Name for the Demand-Dial Interface
4. The Connection Type window appears. Select Connect using virtual private networking (VPN) and click Next.
5. The VPN Type window is displayed. You can choose one of the VPN protocols (described in the “VPN Protocols” section later in this chapter). Select Automatic selection and click Next.
6. You are prompted for the host name or IP address of the remote router. Enter an address or name and click Next.
7. The Protocols and Security window is displayed, as shown in Figure 5.10. Enable the Route IP packets on this interface option and click Next.
8. The Static Routes for Remote Networks window is displayed. Click Add to add a static route. Specify a destination address and subnet mask, and then click OK.
9. Click Next to continue.
10. The Dial Out Credentials window is displayed. Enter a username, domain name, and password to connect to the remote network, and then click Next.
11. The Wizard displays a completion message. Click Finish to complete the configuration of the demand-dial interface.
Figure 5.10 Choose Protocols and Security Options
After you have completed this process, the new interface you created is listed in the Network Interfaces section of the Routing and Remote Access MMC snap-in. You can select this entry and open its Properties dialog box to change the configuration.
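The behaviour that Exercise 5.04 configures, a static route to the remote network (Step 8) pointing at a VPN interface that is dialed only when matching traffic appears and dropped again when idle, as an added Python model. This is example code, not the book’s or RRAS’s own logic. The `Router` and `DemandDialInterface` classes, the interface name HQ-VPN, the remote router name vpn.example.test, the 10.2.0.0/16 remote LAN, and the 300-second idle timeout are all constructed assumptions; the real RRAS idle-time and routing implementation is not reproduced here.

```python
"""Model of a demand-dial interface as configured in Exercise 5.04: a static
route to the remote LAN points at a VPN interface that is only brought up when
traffic matches it.  Added example, not code from the book or from RRAS; the
networks, interface names and idle timeout are constructed."""
import ipaddress


class DemandDialInterface:
    """A router-to-router VPN link that connects on demand and hangs up when idle."""

    def __init__(self, name, remote_router, idle_timeout):
        self.name = name
        self.remote_router = remote_router  # host name or IP of the far router
        self.idle_timeout = idle_timeout    # seconds of silence before hanging up
        self.connected = False
        self.last_used = None
        self.dial_count = 0

    def send(self, now):
        """Forward traffic; dial first if the tunnel is down (one-way initiation)."""
        if not self.connected:
            self.connected = True
            self.dial_count += 1
        self.last_used = now

    def tick(self, now):
        """Tear the tunnel down once it has been idle for the timeout."""
        if self.connected and now - self.last_used >= self.idle_timeout:
            self.connected = False


class Router:
    def __init__(self):
        self.routes = []  # (network, interface); longest prefix wins

    def add_static_route(self, network, interface):
        self.routes.append((ipaddress.ip_network(network), interface))
        self.routes.sort(key=lambda r: r[0].prefixlen, reverse=True)

    def forward(self, dst_ip, now):
        """Return the interface chosen for dst_ip, dialing it if it is demand-dial."""
        addr = ipaddress.ip_address(dst_ip)
        for network, iface in self.routes:
            if addr in network:
                if isinstance(iface, DemandDialInterface):
                    iface.send(now)
                return iface
        return None  # no route at all


def demo():
    """Branch router: 10.2.0.0/16 is the remote LAN behind a demand-dial VPN;
    everything else goes straight out the Internet interface."""
    vpn = DemandDialInterface("HQ-VPN", "vpn.example.test", idle_timeout=300)
    r = Router()
    r.add_static_route("0.0.0.0/0", "Internet")   # default route: plain Internet
    r.add_static_route("10.2.0.0/16", vpn)        # Step 8 of Exercise 5.04
    log = []
    log.append(r.forward("198.51.100.7", now=0))  # web traffic: no dial
    log.append(r.forward("10.2.5.9", now=10))     # HQ file server: dials
    log.append(r.forward("10.2.5.9", now=100))    # reuses the open tunnel
    vpn.tick(now=500)                             # idle 400 s > 300 s: hang up
    log.append(r.forward("10.2.7.1", now=600))    # dials a second time
    return vpn, log
```

The model makes visible why the static route in Step 8 matters: without a route that points at the demand-dial interface, traffic for the remote LAN follows the default route to the Internet and the tunnel is never dialed. It also shows the trade-off of an idle timeout, each reconnection costs a new dial and a new authentication against the credentials entered in Step 10.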
One-Way versus Two-Way Initiation
You can configure a demand-dial VPN with either one-way or two-way initiation:
■ In one-way initiation, one VPN server is configured to accept demand-dial connections, and the other initiates the connection.
■ In two-way initiation, both VPN servers are configured to accept connections. Whenever a client of one server requires access to the VPN, it initiates a connection to the other server.
Persistent Connections
Instead of using a demand-dial connection, a VPN server can use a persistent (always-on) connection to the Internet, such as an existing Digital Subscriber Line (DSL) connection. If the computer you are using as the VPN server is configured to use this type of Internet connection, it can be made available to VPN clients. To create a new persistent connection, select Start | Control Panel | Network Connections | New Connection Wizard.
Remote-Access Policies
You can secure a demand-dial connection in the same way that you secure a connection for a remote user. The calling router requires a user account on the VPN server. You can configure this user account’s properties with the Allow Access option in the Dial-in properties section to explicitly allow access, or if access is controlled through a Remote Access Policy, the policy should grant the appropriate user remote access permissions. If you are using RADIUS authentication (explained in the “Using Internet Authentication Service (IAS)” section later in this chapter), the policy is configured on the RADIUS server rather than on the RRAS server.
Each remote-access policy is associated with a dial-in profile, which allows you to configure how the connection can be used. You can use the policy and profile settings to configure the authentication methods allowed, the hours in which dialing out is allowed, and other settings. These options are explained in detail in Chapter 7.
VPN Protocols
A VPN is created using a tunneling protocol. This is a standard communication protocol that creates a tunnel through the public network and transmits private data in encrypted form. This is accomplished using encapsulation, a process that encrypts each VPN packet, combines it with a header to form a standard IP datagram, and sends it over the public network.
Windows Server 2003 supports two standard tunneling protocols: the Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP).
PPTP
PPTP is the oldest and most common VPN protocol. PPTP is based on the Point-to-Point Protocol (PPP), which is typically used for dial-up connections. PPTP encapsulates PPP frames into IP packets, encrypts the data, and transmits them over the Internet.
PPTP in Windows Server 2003 is based on the existing PPP infrastructure and supports the same authentication methods as PPP, such as the Password Authentication Protocol (PAP) and Microsoft Challenge Handshake Authentication Protocol (MS-CHAP). When a higher-level authentication method is used, PPTP supports Microsoft Point-to-Point Encryption (MPPE), a strong method of encrypting VPN traffic before allowing it to traverse the public network.
L2TP
L2TP is a more recent tunneling protocol that offers additional features over PPTP. L2TP is a generic tunneling protocol that can encapsulate packets of many types for transmission over a network. Unlike PPTP, L2TP does not include encryption. Windows 2003 VPNs use the IP Security protocol (IPSec) to encrypt data sent over an L2TP tunnel. This provides end-to-end encryption and greater security than the MPPE encryption used with PPTP.
Refer to Chapter 7 for more details on tunneling protocols.
MPPE is used with VPNs created by PPTP MPPE provides encryption for the tunnel only;
it does not provide end-to-end encryption from the client to the VPN server MPPErequires that the client and server support either the MS-CHAP or ExtensibleAuthentication Protocol-Transport Layer Security (EAP-TLS) authentication method
These methods are described in detail in the “Authentication Methods” section later in thischapter
IPSec

IPSec is an Internet standard for authenticating and encrypting IP traffic. Since the L2TP tunneling protocol does not include encryption by itself, IPSec is used to protect the L2TP packets before they cross the public network. Unlike MPPE, IPSec is not tied to the VPN: because it works at the IP layer between any two hosts, you can also apply IPSec between a client and an internal server across an established PPTP or L2TP link to add genuine end-to-end protection inside the tunnel.

TEST DAY TIP

IPSec also supports tunnel mode, a built-in ability to create a VPN tunnel without the use of L2TP. In Windows Server 2003 this mode works only with router-to-router VPNs, not for remote access clients. It is an advanced feature and is only necessary to interoperate with certain hardware that does not support the standard PPTP or L2TP tunneling protocols.
Using Internet Authentication Service (IAS)

While basic RRAS security is sufficient for small networks, a larger enterprise often needs a dedicated infrastructure for authentication. RADIUS (Remote Authentication Dial-In User Service) is a standard for dedicated authentication servers. A RADIUS server provides centralized authentication and access control, and it can also provide detailed accounting for the use of its services. RADIUS services can be scaled to handle any enterprise's authentication needs and extended with multiple authentication servers.

Windows Server 2003 includes Microsoft Internet Authentication Service (IAS), an implementation of a RADIUS server. IAS accepts requests from Windows-based access servers (RRAS) as well as from third-party access servers that adhere to the RADIUS standard. IAS validates credentials against Active Directory (AD), or against the local account database on a stand-alone server, and you manage it with Remote Access Policies.
Centralized User Authentication and Authorization

In the RADIUS standard, remote users do not connect directly to the RADIUS server. Instead, they connect to a network access server (typically an RRAS server), which acts as a RADIUS client and forwards the user's credentials to the IAS server for centralized authentication. Any number of RRAS servers can connect to the same IAS server for authentication.
Centralized Auditing and Accounting

Along with authentication, IAS supports auditing features (tracking when the system is used, when errors occur, and so on) and can keep a centralized record of usage of the remote access or VPN servers. This record is stored in a log file, which you can import into a database or analyze to determine traffic patterns or potential problems. Granted and rejected authentication attempts are also written to the System event log, which is the first place to look when an RRAS server reports that IAS rejected a user.
RRAS Integration

IAS supports the same Remote Access Policy settings as RRAS. You can use these settings on a simple RRAS server in a small network, and later add an IAS server, move the policies to the IAS server, and configure one or more RRAS servers to authenticate using IAS. When using IAS for authentication, RRAS servers no longer apply their own Remote Access Policies, since the IAS server manages a centralized policy.
Control via Remote-Access Policies

As with basic RRAS security, you can define remote-access policies to configure access security with IAS. You can define a single set of remote-access policies on the IAS server, and they will be used by every RRAS server that uses IAS for authentication. This centralized authentication allows you to quickly define policies for the entire enterprise without the need to manage individual policies for each RRAS server. Policies are evaluated in the order shown in the console: the first policy whose conditions all match decides the request, and a request that matches no policy is rejected.
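As an added illustration that is not from the book or from Microsoft's own code, the following Python model shows the decision rule a remote access policy set applies, whether the policies live on an RRAS server or centrally on IAS: policies are tried in the order listed, the first one whose conditions all match decides, the account's explicit Allow or Deny dial-in setting overrides that policy's grant or deny, and a request that matches no policy is rejected. The policies, group names, user and times are constructed for the example; real IAS conditions cover many more RADIUS attributes than the three modelled here.

```python
"""Model of RRAS/IAS remote access policy evaluation (constructed example)."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# Values of the Remote Access Permission setting on a user account's Dial-in tab.
ALLOW, DENY, CONTROL_VIA_POLICY = "allow", "deny", "control-via-policy"


@dataclass
class Attempt:
    user: str
    groups: frozenset
    nas_port_type: str          # RADIUS NAS-Port-Type, e.g. "Virtual (VPN)", "Async (Modem)"
    when: datetime
    dialin: str = CONTROL_VIA_POLICY


@dataclass
class Policy:
    name: str
    grant: bool                                  # Grant vs. Deny remote access permission
    groups: Optional[frozenset] = None           # Windows-Groups condition (any one matches)
    port_types: Optional[frozenset] = None       # NAS-Port-Type condition
    hours: Optional[tuple] = None                # Day-And-Time window as (start_hour, end_hour)
    profile: dict = field(default_factory=dict)  # dial-in profile applied when access is granted

    def matches(self, a: Attempt) -> bool:
        """Every configured condition must hold; a condition left unset is ignored."""
        if self.groups is not None and not (self.groups & a.groups):
            return False
        if self.port_types is not None and a.nas_port_type not in self.port_types:
            return False
        if self.hours is not None and not (self.hours[0] <= a.when.hour < self.hours[1]):
            return False
        return True


def evaluate(policies, a: Attempt):
    """Return (allowed, policy_name, profile).

    Policies are tried in order and the first whose conditions all match decides.
    An explicit Allow/Deny on the account overrides the policy's own grant/deny.
    If no policy matches at all, the connection is rejected.
    """
    for p in policies:
        if p.matches(a):
            if a.dialin == ALLOW:
                allowed = True
            elif a.dialin == DENY:
                allowed = False
            else:
                allowed = p.grant
            return allowed, p.name, (p.profile if allowed else {})
    return False, None, {}


# Constructed policy list; the deny policy is deliberately listed first.
POLICIES = [
    Policy("Deny contractors", grant=False, groups=frozenset({"Contractors"})),
    Policy("Staff VPN during business hours", grant=True,
           groups=frozenset({"Staff"}), port_types=frozenset({"Virtual (VPN)"}),
           hours=(8, 18),
           profile={"auth": ["MS-CHAP v2", "EAP-TLS"], "encryption": "Strongest (128-bit MPPE)"}),
]


def staff_vpn_at(hour, groups=("Staff",), dialin=CONTROL_VIA_POLICY):
    """Evaluate a VPN attempt by a constructed user at the given hour (a Monday in 2003)."""
    attempt = Attempt("alice", frozenset(groups), "Virtual (VPN)",
                      datetime(2003, 6, 2, hour, 0), dialin)
    return evaluate(POLICIES, attempt)


if __name__ == "__main__":
    print(staff_vpn_at(10))                            # granted by the staff policy
    print(staff_vpn_at(22))                            # matches nothing: rejected
    print(staff_vpn_at(10, ("Staff", "Contractors")))  # first matching policy is the deny
    print(staff_vpn_at(10, ("Contractors",), ALLOW))   # account Allow overrides the policy
```

The third call is the case that catches people in practice: a user who is in both groups is denied because the deny policy is listed first, and moving the staff policy above it would silently reverse the outcome. The last call shows why "Control access through Remote Access Policy" is the right account setting when you want the policy list to be authoritative.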
Extensibility and Scalability

IAS provides an extensible architecture for authentication. While it provides only a small advantage over traditional Windows authentication methods when used on a small network, IAS excels in large enterprises because it provides centralized authentication. You can scale from a single IAS server to multiple IAS servers interacting with multiple RRAS servers in a global network. When you add a new RRAS server, you don't need to configure its security separately; simply configure it to use the existing IAS server for authentication.

IAS Management
To support IAS, you will need one or more IAS servers. You can install IAS on a domain controller or member server. The server can be used for other components, such as RRAS, but if the IAS server will be heavily used, you may wish to dedicate a server for this purpose. You can use a single server or configure a second server to act as a backup. RRAS servers that authenticate using IAS can contact the backup server if they are unable to reach the primary server. Keep the two servers' RADIUS client lists, shared secrets and remote access policies identical, or a failover will silently change who is allowed in.

The IAS component is included with all editions of Windows Server 2003 except the Web Edition (Standard Edition limits IAS to 50 RADIUS clients and two remote RADIUS server groups). You can install IAS on a Windows Server 2003 computer using the Add/Remove Programs option in Control Panel. Exercise 5.05 demonstrates how to add this component to a server.
EXERCISE 5.05

INSTALLING IAS

Follow these steps to install IAS on a computer running Windows Server 2003:

1 Select Start | Control Panel | Add/Remove Programs.
2 Select the Add or Remove Windows Components option.
3 Select Networking Services from the list and click Details.
4 Check the box next to Internet Authentication Service and click OK.
5 Click Next to complete the installation.
Activating IAS Authentication

When you have a working IAS server on the network, you can configure the RRAS server to use IAS authentication. This will disable the normal Remote Access Policies in the Routing and Remote Access MMC snap-in and forward all authentication to the IAS server. You can then configure security settings for all RRAS servers centrally at the IAS server. Before you switch the RRAS server over, add it to the IAS server's RADIUS Clients list with its IP address and the shared secret; IAS silently discards requests from addresses it does not know, and the RRAS server will then reject every connection. Exercise 5.06 guides you through the process of enabling IAS authentication for an RRAS server.
EXERCISE 5.06

SELECTING IAS AUTHENTICATION

To select IAS authentication, you must have already configured and enabled RRAS services on the computer. Follow these steps to enable IAS authentication:

1 Select Start | Administrative Tools | Routing and Remote Access.
2 Click the RRAS server name in the left column to highlight it. Select Action | Properties from the menu, or right-click the RRAS server name and select Properties from the context menu.
3 The Properties dialog box is displayed. Click the Security tab. The Security properties are displayed, as shown in Figure 5.11.
4 In the Authentication provider drop-down list, select RADIUS Authentication.
5 Click the Configure button to display the RADIUS server options.
6 Click Add to add a RADIUS server to the list.
7 The Add RADIUS Server dialog box is displayed, as shown in Figure 5.12. Enter the name of the RADIUS server. You can optionally specify a shared secret using the Change button. Click OK.

Figure 5.11 Security Properties

Figure 5.12 Add a RADIUS Server

8 Click OK to exit the Properties dialog box.
9 A dialog box reminds you to restart RRAS to enable the new authentication method. Click OK to continue.
10 You are returned to the Routing and Remote Access MMC snap-in. Select the RRAS server in the left column and select Action | All Tasks | Restart from the menu, or right-click the server name and select All Tasks | Restart from the context menu.

RRAS is now restarted, and RADIUS authentication is enabled using the IAS server. If you also want accounting records sent to IAS, set the Accounting provider on the same Security tab to RADIUS Accounting and point it at the same server.
EXAM WARNING

If you enter a shared secret (password) in the RADIUS Authentication settings of RRAS, it must be the same one you specified for that RRAS server in the RADIUS Clients list of the IAS server. The shared secret is what authenticates the two ends to each other: IAS uses it to recover the User-Password attribute from a request, and every reply carries a Response Authenticator (an MD5 hash over the reply and the secret) that the RRAS server checks before it trusts an Access-Accept or Access-Reject. Its primary purpose is therefore to ensure that an unauthorized RADIUS server cannot be inserted into the network and used to provide incorrect authentication information, and that an unregistered access server cannot submit requests. The secret is the only protection RADIUS has, so make it long and random, use a different secret for each RADIUS client, and protect the RRAS-to-IAS traffic with IPSec wherever it crosses an untrusted network, because every other attribute (user name, NAS address, assigned IP address) travels in clear text.
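The mechanics behind that warning, as an added Python example that is not from the book or from Microsoft's IAS: both ends of a RADIUS exchange, the RRAS server building an Access-Request and the IAS server answering it, implemented from RFC 2865. The user name, password, addresses and secrets are constructed. It shows the three jobs the shared secret does: hiding the User-Password attribute, making a request from a server with a different secret decode to garbage (so IAS rejects it), and stamping every reply with a Response Authenticator so that a reply from a server holding the wrong secret (the "rogue" in the last call) is caught by the RRAS side.

```python
"""RADIUS Access-Request / Access-Accept exchange with a shared secret (constructed example)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3            # RFC 2865 packet codes
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT_TYPE = 1, 2, 4, 61
NAS_PORT_TYPE_VIRTUAL = 5                                         # a VPN ("virtual") port


def md5(*parts: bytes) -> bytes:
    return hashlib.md5(b"".join(parts)).digest()


def encode_attrs(attrs):
    """Attributes are Type (1 byte), Length (1 byte, includes the header), Value."""
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)


def decode_attrs(data: bytes):
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block),
    seeded with the Request Authenticator. Without the secret the value cannot be read."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], md5(secret, prev)))
        out, prev = out + block, block
    return out


def unhide_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], md5(secret, prev)))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")          # removes the padding (and any real trailing NULs)


def packet(code: int, ident: int, authenticator: bytes, attrs_bytes: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs_bytes)) + authenticator + attrs_bytes


def parse_packet(pkt: bytes):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("bad RADIUS length")
    return code, ident, pkt[4:20], pkt[20:]


def response_authenticator(code, ident, req_auth, attrs_bytes, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret): ties the reply to this
    request and to a server that knows the secret."""
    return md5(struct.pack("!BBH", code, ident, 20 + len(attrs_bytes)), req_auth, attrs_bytes, secret)


def rras_access_request(ident, user, password, nas_ip, secret):
    """RRAS side (the RADIUS client): build an Access-Request for a VPN logon."""
    req_auth = os.urandom(16)                     # fresh, unpredictable Request Authenticator
    attrs = encode_attrs([
        (USER_NAME, user.encode()),               # travels in clear text
        (USER_PASSWORD, hide_password(password.encode(), secret, req_auth)),
        (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
        (NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_VIRTUAL)),
    ])
    return packet(ACCESS_REQUEST, ident, req_auth, attrs)


def ias_server(pkt, secret, accounts):
    """IAS side: recover the password with its own copy of the secret, check it, and answer."""
    code, ident, req_auth, attrs_bytes = parse_packet(pkt)
    attrs = dict(decode_attrs(attrs_bytes))
    if code != ACCESS_REQUEST or USER_NAME not in attrs or USER_PASSWORD not in attrs:
        raise ValueError("not a usable Access-Request")
    password = unhide_password(attrs[USER_PASSWORD], secret, req_auth)
    reply = ACCESS_ACCEPT if accounts.get(attrs[USER_NAME].decode()) == password else ACCESS_REJECT
    return packet(reply, ident, response_authenticator(reply, ident, req_auth, b"", secret), b"")


def rras_verify_reply(reply, request, secret):
    """Back at RRAS: recompute the Response Authenticator before trusting the verdict."""
    code, ident, resp_auth, attrs_bytes = parse_packet(reply)
    expected = response_authenticator(code, ident, request[4:20], attrs_bytes, secret)
    return hmac.compare_digest(expected, resp_auth), code


ACCOUNTS = {"alice": b"correct horse battery"}     # constructed user database (plaintext for PAP)


def vpn_logon(user, password, rras_secret, ias_secret):
    """One round trip; returns (reply_is_authentic, reply_code)."""
    request = rras_access_request(42, user, password, "192.0.2.10", rras_secret)
    reply = ias_server(request, ias_secret, ACCOUNTS)
    return rras_verify_reply(reply, request, rras_secret)


if __name__ == "__main__":
    s = b"a-long-random-shared-secret"
    print(vpn_logon("alice", "correct horse battery", s, s), vpn_logon("alice", "wrong", s, s))
    print(vpn_logon("alice", "correct horse battery", s, b"rogue"))   # reply fails verification
```

Note that nothing in the protocol lets IAS confirm who sent an Access-Request other than the source address check and the fact that the User-Password only decodes correctly under the right secret, which is why the RADIUS Clients list and the per-client secret matter; and that an Access-Reject is just as authenticated as an Access-Accept, so a forged reject from a rogue server is detected by the same check.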
Using the IAS MMC Snap-in

You can manage the configuration of an IAS server using its MMC snap-in. To launch the IAS management console, select Start | Programs | Administrative Tools | Internet Authentication Service. The IAS console is shown in Figure 5.13. The left column of the window displays several components of the IAS server that you can manage, including the following:

■ RADIUS Clients Lists the clients (RRAS servers and other access servers) currently configured, with their addresses and shared secrets, and allows you to add new clients.

■ Remote Access Logging Lists log files and allows you to configure additional logging options.

■ Remote Access Policies Lists current policies and allows you to add policies. IAS policies are identical to those used on RRAS servers.

■ Connection Request Processing Includes options for forwarding authentication requests to another IAS or RADIUS server for processing.
IAS Monitoring

You can monitor the status of the IAS server using Windows Server 2003's standard monitoring facilities, including Event Viewer and System Monitor. IAS also supports Simple Network Management Protocol (SNMP) for centralized monitoring of IAS, along with other devices and services.

IAS also adds a number of objects to the System Monitor utility when you install it. You can use the counters within these objects to monitor the performance of the IAS server. To use System Monitor, select Start | Administrative Tools | Performance, click the Add Counters (+) button, and select one of the IAS objects to view a list of the available counters.
IAS SDK

Microsoft also makes an IAS Software Development Kit (SDK) available. You can use this to create customized behaviors for IAS, control the number of network sessions available to users, and create customized methods of authorization and authentication. The SDK also includes development tools for the Extensible Authentication Protocol (EAP) to allow you to create new types of authentication. EAP is described in the next section.

Figure 5.13 The IAS Management Console

Authentication Methods
The Windows Server 2003 IAS server supports a number of different authentication methods. These range from basic, unencrypted authentication to highly secure methods. Windows Server 2003 also supports an infrastructure that allows external methods of authentication, such as smart cards. In the following sections, we will discuss the authentication methods supported by IAS.

PPP-based Protocols

IAS supports several simple authentication methods based on the authentication used with PPP. These are the same basic methods supported by native RRAS authentication. The following are the basic authentication methods you can select:

■ Unencrypted password (PAP) This option uses PAP, a basic unencrypted authentication method. Since PAP transmits passwords as plaintext, it provides very little security: anyone who can capture the PPP link reads the password directly.

■ Shiva Password Authentication Protocol (SPAP) SPAP is Shiva's extended version of PAP. It is only slightly more secure, because the password is encoded reversibly rather than hashed. This protocol is included for use with legacy devices and systems that require it.

■ Encrypted authentication (CHAP) CHAP is a standard challenge-response protocol (RFC 1994) that never sends the password itself. The server sends a random challenge; the client replies with an MD5 hash of the CHAP identifier byte, the password and the challenge; and the server recomputes the hash from its own copy of the password and compares. Because the server must recompute the hash, CHAP requires the user's password to be stored with reversible encryption in Active Directory (the "Store password using reversible encryption" account option), and a captured challenge/response pair can be attacked offline with a dictionary.

■ Microsoft encrypted authentication (MS-CHAP) MS-CHAP is Microsoft's extension of CHAP. It works with the password hashes Windows already stores, so reversible encryption is not needed, and it integrates with Windows authentication. Version 1 of MS-CHAP is included to support older operating systems; it has known cryptographic weaknesses and should be enabled only while such clients still exist.

■ Microsoft encrypted authentication version 2 (MS-CHAP v2) MS-CHAP version 2 is an improved version that adds mutual authentication (the client also verifies the server's response) and separate send and receive encryption keys. Since version 2 is supported by all current versions of Windows, you should choose it over version 1, unless you are supporting older clients.
EAP

Another choice for Windows Server 2003 and IAS authentication is EAP. EAP is not strictly an authentication protocol; it is a framework that allows numerous plug-in authentication methods. EAP also lets the client and server negotiate a method they both support: the authenticator proposes a type, and the client can refuse it and name another.

The EAP Infrastructure

Authentication protocols that fit into EAP are called EAP types. Each of these types is handled by a plug-in module. When a client connects to the server and both support EAP, they negotiate an EAP type for authentication, depending on which types each of them supports. A server that responds to authentication requests is called an authenticator. The authenticator can make any number of requests for information from the client, depending on the authentication type.
Enabling EAP-based Authentication

To enable EAP authentication on an IAS server, you create a Remote Access Policy that allows EAP authentication, or you modify an existing policy. Exercise 5.07 demonstrates how to modify a policy to allow the use of MD5 CHAP authentication through EAP.
EXERCISE 5.07

ENABLING EAP-BASED AUTHENTICATION

You can enable EAP authentication for any Remote Access Policy and specify the EAP types that can be used. Follow these steps to enable EAP authentication:

1 Select Start | Administrative Tools | Internet Authentication Service.
2 The IAS management console is displayed. Click to highlight Remote Access Policies in the left column.
3 In the right column, select Connections to Microsoft Routing and Remote Access Server.
4 Select Action | Properties from the menu, or right-click and select Properties from the context menu.
5 The Properties dialog box is displayed. Click the Edit Profile button.
6 The Edit Dial-in Profile dialog box is displayed. Select the Authentication tab.
7 The authentication methods supported by IAS are displayed, as shown in Figure 5.14. You can enable or disable the non-EAP authentication methods here. You can also change the order in which the selected EAP types are negotiated by moving them up or down in the list, using the Move Up and Move Down buttons.
8 Click the EAP Methods button. A list of the currently enabled EAP types is displayed.
9 Click Add and select MD5-Challenge from the list.
10 Click OK, then click OK in the EAP types list.
11 Click OK to exit the Edit Profile dialog box.
12 Click OK to exit the Properties dialog box.

EAP authentication is enabled as long as one or more EAP types appears in the list during this procedure. You can also remove available types from the list to disable EAP types or remove support for EAP altogether.
EAP-MD5 CHAP

EAP-MD5 CHAP is an implementation of the same challenge-response system as CHAP within the EAP infrastructure (EAP type 4, MD5-Challenge). It provides the same level of security as CHAP, not MS-CHAP v2: the server must hold reversibly encrypted passwords, the client does not authenticate the server, and the exchange produces no keying material, so it cannot drive MPPE and is unsuitable for wireless (802.1X) connections. Clients must support EAP in order to authenticate with this method; clients that support CHAP but not EAP must use the plain CHAP method instead. Its main use is to test an EAP deployment before the certificates needed for EAP-TLS are in place.
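To make that comparison concrete, here is an added Python example (mine, not the book's or Microsoft's) that covers both the CHAP bullet in the previous section and EAP-MD5: the MD5 challenge/response arithmetic of RFC 1994, the EAP Request/Response framing of RFC 3748 that is the only thing EAP-MD5 adds on top of it, a server that needs the plaintext password and refuses a replayed challenge, and the offline dictionary guess an eavesdropper can run against a captured pair. The user, password, identifier and wordlist are constructed.

```python
"""CHAP and EAP-MD5 challenge/response, and why a captured pair is dangerous (constructed)."""
import hashlib
import hmac
import os
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_TYPE_MD5 = 1, 2, 4   # RFC 3748 codes; type 4 = MD5-Challenge


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 (and identically EAP-MD5): MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


class ChapServer:
    """Authenticator side. Needs the plaintext (reversibly stored) password to verify."""

    def __init__(self, accounts):
        self.accounts = accounts          # user -> plaintext password
        self.outstanding = {}             # user -> (identifier, challenge), single use

    def challenge(self, user):
        ident, chal = os.urandom(1)[0], os.urandom(16)
        self.outstanding[user] = (ident, chal)
        return ident, chal

    def verify(self, user, ident, response) -> bool:
        issued = self.outstanding.pop(user, None)   # a challenge may be answered only once
        if issued is None or issued[0] != ident or user not in self.accounts:
            return False
        expected = chap_response(ident, self.accounts[user], issued[1])
        return hmac.compare_digest(expected, response)


# EAP framing: Code, Identifier, Length, then Type 4, Value-Size, Value, Name.
def eap_md5_packet(code, ident, value, name=b""):
    data = bytes([EAP_TYPE_MD5, len(value)]) + value + name
    return struct.pack("!BBH", code, ident, 4 + len(data)) + data


def parse_eap_md5(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 6 or pkt[4] != EAP_TYPE_MD5:
        raise ValueError("not an EAP MD5-Challenge packet")
    size = pkt[5]
    return code, ident, pkt[6:6 + size], pkt[6 + size:]


def eap_md5_exchange(server, user, password):
    """Same arithmetic as CHAP, only wrapped in EAP Request/Response packets.
    Returns (accepted, captured), where captured is what an eavesdropper sees."""
    ident, chal = server.challenge(user)
    request = eap_md5_packet(EAP_REQUEST, ident, chal, b"ias")
    _, rid, rchal, _ = parse_eap_md5(request)                 # client parses the Request
    response = eap_md5_packet(EAP_RESPONSE, rid, chap_response(rid, password, rchal), user.encode())
    _, sid, digest, name = parse_eap_md5(response)            # server parses the Response
    return server.verify(name.decode(), sid, digest), (rid, rchal, digest)


def offline_guess(ident, challenge, response, wordlist):
    """Nothing on the wire stops an eavesdropper from trying candidate passwords
    against the captured challenge/response at leisure."""
    for candidate in wordlist:
        if chap_response(ident, candidate, challenge) == response:
            return candidate
    return None


if __name__ == "__main__":
    srv = ChapServer({"bob": b"Winter2003"})
    ok, captured = eap_md5_exchange(srv, "bob", b"Winter2003")
    print(ok, offline_guess(*captured, [b"password", b"Winter2003", b"letmein"]))
```

Two things follow directly from the code: the server must be able to call `chap_response` with the real password, which is the reversible-encryption requirement, and the client never checks anything from the server, so a rogue authenticator can issue a challenge of its choosing and collect a response to attack offline. MS-CHAP v2 closes the second gap with its authenticator response; EAP-TLS closes both.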
EAP-TLS

Transport Layer Security (TLS) is an authentication protocol that uses public-key encryption. EAP-TLS performs a TLS handshake inside EAP: the IAS server proves its identity with a computer certificate and the client proves its identity with a user certificate (or a smart card), so authentication is mutual and no password ever crosses the link. All messages between the client and server are securely encrypted, and the handshake also yields the keys that MPPE uses. The encryption is similar to that used with the Internet Secure Sockets Layer (SSL) protocol. This is the highest level of security provided by Windows Server 2003's authentication methods, but it requires a public key infrastructure (PKI): a certificate on the IAS server that clients trust, and a certificate for each user.

Figure 5.14 Authentication Methods
TEST DAY TIP

EAP-TLS also supports smart cards. These are hardware devices that implement public-key encryption. Smart cards answer challenges within the hardware and do not transmit the private key, so they provide higher security than simple password authentication. For more information about smart card authentication, see Chapter 7.
EAP-RADIUS

EAP-RADIUS is not a true authentication method. This option, selected on an RRAS server, is an interface between EAP and RADIUS. When you select EAP-RADIUS, you specify an external RADIUS server, and the RRAS server becomes a pass-through: each EAP message from the client is forwarded unchanged inside a RADIUS EAP-Message attribute, and the RADIUS server (IAS) runs the EAP conversation and makes the decision. This lets an RRAS server accept EAP clients without holding any certificates or EAP configuration of its own.
Authorization Methods

IAS supports a variety of methods of authorization, to determine whether a connection is allowed and what tasks it can perform. Custom authorization methods are also supported. The following sections discuss different types of authorization in IAS.

Dialed Number Identification Service (DNIS)

DNIS is a phone company service that identifies the number being called and allows you to authorize the connection based on that number. It is usually used with 800 and 900 numbers, where there are several different numbers that go into the same private branch exchange (PBX) system. In dial-up modem pools where several phone numbers can reach the same group of modems, you can use DNIS authorization to ensure that users are calling a valid number. In a remote access policy this is the Called-Station-Id condition.

Automatic Number Identification (ANI) and Calling Line Identification (CLI)

You are probably familiar with caller ID, which works on consumer phone lines to provide the number from which a call originated. ANI and CLI are the business-line equivalent services. IAS can authorize connections based on ANI or CLI (the Calling-Station-Id condition) to allow access only from valid incoming numbers. Treat this as a convenience check rather than proof of identity: the number is supplied by the telephone network, not by the caller's credentials, so it should accompany authentication, not replace it.

Guest Authorization

Windows Server 2003's IAS service can optionally allow guest access for unauthenticated users using the Guest user account. Because this access is unauthenticated, its use is not recommended in most cases, and it is disabled by default.
Access Server Support

In the RADIUS standard, the RADIUS server works with one or more network access servers (NASs) that provide access to the network. In Windows terminology, this usually means RRAS servers. IAS also supports the following alternate types of access servers:

■ RADIUS access server support IAS supports RADIUS-standard access servers, whether they are Microsoft servers running RRAS or those from other vendors. The RADIUS protocol and RADIUS accounting are defined in RFCs 2865 and 2866.

■ Wireless access points IAS can also provide authentication for wireless access points using the 802.11 family of wireless protocols. The access point passes the client's EAP exchange to IAS using IEEE 802.1X, so the access point hardware must support 802.1X with RADIUS authentication against an external server, and the policy must use an EAP type that produces keying material (EAP-TLS, for example), not EAP-MD5.

■ Authenticating switches Some Ethernet switches support RADIUS authentication to authorize nodes attached to the switch. IAS includes the Ethernet port type (the NAS-Port-Type condition), which allows you to manage authentication for these switches.

Outsourced Dialing

IAS supports outsourced dialing (sometimes called wholesale dialing), a standard for the use of ISP modem pools. In this system, you contract with an ISP to provide your employees remote network access using the ISP's existing modems. Users connect to a modem at the ISP, and a server at the ISP creates a VPN tunnel (compulsory tunneling) to connect them to the LAN. A RADIUS server at the ISP can forward requests and accounting records to your organization's IAS server, which allows you to manage access to the modems and obtain auditing and accounting information for their use.

Outsourced dialing has a number of advantages. The ISP already maintains pools of modems, and you may be able to obtain access to them at a lower price than the cost of configuring your own modems. The ISP may also have a physical presence in areas where you have no facility, providing local call numbers, and it relieves you of the burden of managing modem pools. Because the ISP's RADIUS proxy sits between your users and your IAS server, the shared secret and, where possible, an IPSec or VPN link between the two RADIUS servers become especially important.
Using Connection Manager

Connection Manager is a Windows application that enables a client to initiate a dial-up or VPN connection to a server running RRAS. To set up a connection, you need to know whether you are using dial-up, VPN, or another connection type; the phone number or VPN server to connect to; and other information.

Fortunately, if you frequently have clients or employees that need to create a connection to the RRAS server, you can distribute a customized version of Connection Manager that already contains most of the required information to connect to the server. Microsoft distributes the Connection Manager Administration Kit (CMAK), which guides you through the process of customizing Connection Manager and creating a distribution package.

TEST DAY TIP

Along with employees who wish to remotely access a company network, CMAK is often used by ISPs to provide a simple way to set up connections for their customers.
Using CMAK

CMAK works as a Wizard that presents a series of questions about the connection you are using, and then creates a custom service profile that can be used with Connection Manager to easily initiate the connection.

Installing and Running CMAK

CMAK is included with Windows Server 2003. To install CMAK, follow these steps:

1 Select Start | Control Panel | Add or Remove Programs.
2 Select the Add/Remove Windows Components option.
3 Select Management and Monitoring Tools from the list and click Details.
4 Check the box next to Connection Manager Administration Kit, as shown in Figure 5.15.

Figure 5.15 Installing CMAK

5 Click OK, and then click Next to complete the installation. You will need the Windows Server 2003 CD-ROM.

After CMAK is installed, select Start | Programs | Administrative Tools | Connection Manager Administration Kit to launch the Wizard. Exercise 5.08 guides you through the process of using CMAK to create a simple service profile.
EXERCISE 5.08

USING THE CONNECTION MANAGER ADMINISTRATION KIT

The CMAK prompts you for several items of information. Follow these steps to use CMAK:

1 Select Start | Programs | Administrative Tools | Connection Manager Administration Kit.
2 An introductory window is displayed. Click Next to continue.
3 The next window asks whether you wish to create a new service profile or edit an existing one. Select the New profile option and click Next.
4 You are now prompted for a service name. Enter Test Connection in the Service name text box and test in the File name text box, as shown in Figure 5.16. Then click Next.

Figure 5.16 Specify a Service Name and Filename

5 The next window asks whether you will be using a realm name. This allows you to add a standard prefix or suffix to usernames. Select Do not add a realm name to the user name and click Next to continue.
6 The Merge Profiles window is displayed. This allows you to merge phone numbers or other information from other profiles into the new profile. Click Next to continue.
7 The VPN Support window is displayed. This allows you to specify that a VPN connection will be created. Check the box next to Phone book from this profile and enter server1 in the VPN Server name or IP Address text box, as shown in Figure 5.17. Then click Next.
8 The VPN Entries window is displayed. Here, you can choose an existing VPN connection for the profile to support or create a new entry. Click Next to continue.
9 The Phone Book window is displayed. You can select a phone book file to provide access numbers to clients. Disable the Automatically download phone book updates option and click Next.
10 The Dial-up Networking Entries window is displayed. You can choose a current dial-up networking entry to use with the profile or create a new one. Click Next to continue.
11 The Routing Table Update window is displayed. This page lets you supply a routes file that Connection Manager applies to the client's routing table after it connects; review it carefully, because it determines which destinations are reached through the tunnel and which stay on the client's local Internet connection. Click Next to continue.

Figure 5.17 Specify VPN Support

12 The Automatic Proxy Configuration window is displayed. Here, you can specify settings for a proxy server to be used with the connection. Click Next to continue.
13 The Custom Actions window is displayed. Custom actions are described later in this section. Click Next to continue.
14 The Logon Bitmap window is displayed. You can choose a default graphic or your own 330-by-140 pixel graphic to be displayed in the Connection Manager dialog box. Click Next to continue.
15 The Phone Book Bitmap window is displayed. You can choose a default graphic to be displayed in the phone book dialog box or specify a custom 114-by-309 pixel graphic. Click Next to continue.
16 The Icons window is displayed. You can choose custom icons for the connection or use the defaults. Click Next.
17 The Notification Area Shortcut Menu window is displayed. You can choose items to be included in a menu available from the icon in the notification area. This is useful to provide a default list of Internet applications, such as Web browsers or e-mail programs. Click Next to continue.
18 The Help File window is displayed. You can use a custom help file, as described later in this section. Click Next to continue.
19 The Support Information window is displayed. Enter a single line of text that will be displayed in the Connection Manager dialog box and click Next to continue.
20 You can choose whether to include the installation files for Connection Manager with your service profile. Select Install Connection Manager and click Next to continue.
21 In the next window, you can specify an optional text file to be displayed as a license agreement. Click Next to continue.
22 The Additional Files window is displayed. You can specify any files you wish to be included with the distribution. Click Next to continue.
23 The Ready to Build the Service Profile window is displayed, as shown in Figure 5.18. Click Next to begin building the service profile.
24 A final window is displayed after your profile is created. Click Finish to exit the Wizard.
Service Profiles

When you complete the CMAK Wizard, your connection profile is stored as a self-extracting executable file. Any additional files you specified are also included in the distribution directory. CMAK creates a directory for your profile, typically under C:\Program Files\CMAK\Profiles. If you are distributing your customized version of Connection Manager to customers or employees, copy the files in this directory to a floppy disk or CD-ROM, or share the folder and provide them with the network path. Users will run this executable, so distribute it through a channel they can trust (a read-only share or a signed package) rather than as an e-mail attachment, and keep the share read-only so the profile cannot be altered after you publish it.
Custom Actions

CMAK supports custom actions, to run programs automatically during the Connection Manager process. This allows you to incorporate any custom software you wish into Connection Manager. CMAK supports a variety of different actions that execute at different times:

■ Pre-init actions Execute when Connection Manager starts.

■ Pre-connect actions, pre-dial actions, and pre-tunnel actions Execute before starting a connection, depending on the type of connection in use.

■ Post-connect actions Execute after a successful connection.

■ On cancel actions Processed when the user cancels the connection.

■ On error actions Used when an error occurs while connecting.

Because a custom action is simply a program path stored in the profile, anyone who can edit the profile can make Connection Manager run a program of their choosing; keep the action executables in a location users cannot write to.

Figure 5.18 Ready to Build the Service Profile
Custom Help

You can specify a custom help file for use with Connection Manager from the Help File window in the CMAK Wizard. You can use the default Connection Manager help file as a basis for your custom version. When you install CMAK, the source files for this help file are stored in the C:\Program Files\CMAK\Support\CMHelp folder. You can use any standard help file development tool, such as Microsoft's Help Workshop, to modify these files and compile the new help file.
VPN Support

CMAK supports VPN connections as well as dial-up connections. You can specify a VPN server, or a list of servers, and the protocols that will be enabled by default in Connection Manager. This makes it easy for clients with existing Internet connections to connect as VPN clients.
Connection Manager Security Issues

Although customizing Connection Manager with CMA K allows you to simplify the process of connecting to your network, it can also create several potential security issues. The following sections discuss some common security concerns when using CMAK and how you can address them.

Preventing Editing of Service Profile Files

You can edit service profiles using the CMAK Wizard, as explained earlier in this chapter. Only administrators can install this tool on other computers, and users must be members of the Power Users group to run an existing installation of CMAK. However, because the profiles created by CMAK are stored as simple text files (the .cms and .cmp files are in INI format), anyone who has access to the text files can modify any of their settings with a text editor.

To minimize the risk of users editing the text files, store them in a secure location. However, once you distribute the files to users, keep in mind that savvy users can edit the text files on their own computers. This does not by itself compromise your network security, provided every control that matters (allowed authentication methods, required encryption, allowed hours, idle timeouts) is enforced by the remote access policy on the RRAS or IAS server; the constraints you created using CMAK are client-side conveniences and might not always be followed.

Client Operating System, File System, and Configuration

CMAK can create Connection Manager profiles for a wide variety of Windows operating systems, which vary greatly in the levels of security they provide. Some features of