Contents
Overview 1
Introducing Routing and Remote Access 2
Designing a Functional Remote Access Solution 10
Securing a Remote Access Solution 26
Enhancing a Remote Access Design for
to represent any real individual, company, product, or event, unless otherwise noted. Complying with all applicable copyright laws is the responsibility of the user. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Microsoft Corporation. If, however, your only means of access is electronic, permission to print one copy is hereby granted.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
© 2000 Microsoft Corporation. All rights reserved.
Microsoft, Active Directory, ActiveX, BackOffice, FrontPage, JScript, MS-DOS, NetMeeting, PowerPoint, Visual Basic, Visual C++, Visual Studio, Win32, Windows, Windows Media, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries/regions.
Project Lead: Don Thompson (Volt Technical)
Instructional Designers: Patrice Lewis (S&T OnSite), Renu Bhatt (NIIT (USA) Inc.)
Instructional Design Consultants: Paul Howard, Susan Greenberg
Program Managers: Jack Creasey, Doug Steen (Independent Contractor)
Technical Contributors: Thomas Lee, Bernie Kilshaw, Joe Davies
Graphic Artist: Kirsten Larson (S&T OnSite)
Editing Manager: Lynette Skinner
Editor: Kristen Heller (Wasser)
Copy Editor: Kaarin Dolliver (S&T Consulting)
Online Program Manager: Debbi Conger
Online Publications Manager: Arlo Emerson (Aditi)
Online Support: Eric Brandt (S&T Consulting)
Multimedia Development: Kelly Renner (Entex)
Test Leads: Sid Benevente, Keith Cotton
Test Developer: Greg Stemp (S&T OnSite)
Production Support: Lori Walker (S&T Consulting)
Manufacturing Manager: Rick Terek (S&T OnSite)
Manufacturing Support: Laura King (S&T OnSite)
Lead Product Manager, Development Services: Bo Galford
Lead Product Manager: Ken Rosen
Group Product Manager: Robert Stewart
Other product and company names mentioned herein may be the trademarks of their respective owners.
Instructor Notes
This module provides students with the information and decision-making experiences needed to design a remote access solution by using Routing and Remote Access. Students will make remote access technology decisions for a Microsoft® Windows® 2000 networking infrastructure based on the needs of the organization.
At the end of this module, students will be able to:
Recognize Routing and Remote Access as a solution for remote access
Identify the design decisions that influence a functional remote access solution
Select appropriate strategies to secure remote access connections
Select appropriate strategies to enhance remote access availability
Select appropriate strategies to improve remote access performance
Upon completion of the design lab, students will be able to design a remote access solution by using Routing and Remote Access in a Windows 2000 environment.
Course Materials and Preparation
This section provides you with the required materials and preparation tasks that are needed to teach this module.
Required Materials
To teach this module, you need the following materials:
Microsoft PowerPoint® file 1562B_09.ppt
Preparation Tasks
To prepare for this module:
Review the contents of this module
Read any relevant information in the Windows 2000 Help files, the Windows 2000 Resource Kit, or in documents provided on the Instructor CD
Read the relevant RFCs in the Windows 2000 Help files
Review discussion material and be prepared to lead class discussions on the topics
Complete the lab and be prepared to elaborate beyond the solutions found there
Read the review questions and be prepared to elaborate beyond the answers provided in the text
Presentation: 90 minutes
Lab: 30 minutes
Module Strategy
Use the following strategy to present this module:
Introducing Routing and Remote Access
Routing and Remote Access supports dial-up connections for remote users connecting to a private network. Providing a Routing and Remote Access solution can reduce the dependence on service infrastructures and the performance variability of the Internet.
In this section:
• Emphasize that identifying the number of dial-up clients, connection technologies, client authentication and security requirements, and client connection protocols is the first step in designing a Routing and Remote Access solution.
• Introduce virtual private network (VPN) and explain how it enhances the security of a Routing and Remote Access solution.
• Explain dial-up access and server interoperability as the main features of Routing and Remote Access.
• Explain the benefits of integrating Routing and Remote Access with DHCP, WINS, DNS, Remote Authentication Dial-In User Service (RADIUS), and the Active Directory™ directory service.
Designing a Functional Remote Access Solution
To design a remote access solution based on Routing and Remote Access, you must consider the network access requirements, the protocols required, and server placement issues.
In this section:
• Explain that, to integrate remote access solutions into a local area network (LAN) environment, security policies for dial-up clients, concurrent sessions and multilinks, the aggregate throughput for clients, and client configuration must be identified.
• Emphasize that selecting dial-up solutions, enabling supported protocols, providing client-to-server connections, and providing demand-dial router-to-router connections are the necessary tasks for integrating remote access solutions into a routed environment.
• Emphasize that selecting dial-up or VPN-based servers, and providing remote access client and router-to-router connections, are the necessary tasks for integrating VPN into a routed environment.
• Point out that Point-to-Point Tunneling Protocol (PPTP) and Layer Two Tunneling Protocol (L2TP) are the two tunneling protocols supported by Routing and Remote Access in Windows 2000 that provide authentication and data encryption for creating VPN connections.
• Point out that the placement of VPN servers must be determined to integrate VPN servers with the Internet.
• Describe the issues pertaining to the placement of remote access servers on a network.
• Ensure that students understand the scenario description and directions for the Discussion. Direct them to read through the scenario and answer the questions. Be prepared to clarify if necessary. Lead a class discussion on the students’ responses.
Securing a Remote Access Solution
The security of a network is compromised if remote users are provided access to intranet-based resources. An effective security configuration confirms the identity of the clients attempting to access the resources on the network, protects resources from unauthorized users, and provides an efficient way to set up and maintain security on the network.
In this section:
• Explain that Microsoft Challenge Handshake Authentication Protocol (MS-CHAP), Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2), Extensible Authentication Protocol-Transport Level Security (EAP-TLS), CHAP, Shiva Password Authentication Protocol (SPAP), and Password Authentication Protocol (PAP) are the authentication protocols supported by Routing and Remote Access.
• Explain that Microsoft Point-to-Point Encryption (MPPE) and L2TP/Internet Protocol Security (IPSec) are the appropriate encryption methods supported by Routing and Remote Access.
• Explain access restricted by user, access restricted by a policy in a Windows 2000 native-mode domain, and access restricted by a policy in a Windows 2000 mixed-mode domain as the methods of ensuring security with remote access policies.
• Describe how to secure the network resources by limiting access to the remote access or VPN server.
• Describe how integration of Routing and Remote Access with RADIUS can be used for authentication and accounting.
Enhancing a Remote Access Design for Availability
The availability of a remote access implementation design is measured by the percentage of time users are able to obtain remote access to intranet-based resources.
In this section:
• Point out that any design that requires high availability must include more than one Routing and Remote Access or VPN server. Explain that adding redundant remote access servers can create highly available remote access services.
• Explain how RADIUS centralizes the administration of remote access policies by configuring all remote access and VPN servers to share a common policy.
• Make sure that students understand the scenario description and directions for the Discussion. Direct them to read through the scenario and answer the questions. Be prepared to clarify if necessary. Lead a class discussion on the students’ responses.
Optimizing a Remote Access Design for Performance
In a remote access or VPN solution, you must improve the performance of individual servers, or share the load of servers by including additional servers in the network design, as the number of remote access clients increases.
In this section:
• Explain that factors such as changes in client application usage, wide area network (WAN) usage, and number of clients can affect the performance of a remote access server. Emphasize that a possible solution for performance degradation is to use multiple remote access servers and distribute the client load across the servers.
• Explain that improving server performance, dedicating a server to remote access and VPN servers, upgrading existing remote access and VPN servers, and improving WAN and LAN connection performance are the various methods of improving the performance of an individual remote access server.
Lab Strategy
Use the following strategy to present this lab.
Lab A: Designing a Routing and Remote Access Solution
In the design lab, students will design a remote access solution based on specific requirements outlined in the given scenario.
Students will review the scenario and the design requirements and read any supporting materials. They will use this information, and the knowledge gained from the module, to develop a detailed design by using Routing and Remote Access as a solution.
To conduct the lab:
Read through the lab carefully, paying close attention to the instructions and to the details of the scenario.
Consider dividing the class into teams of two or more students.
Present the lab and make sure students understand the instructions and the purpose of the lab.
Direct students to use the planning worksheet to record their solutions.
Remind students to consider any functionality, security, availability, and performance criteria provided in the scenario, and how they will incorporate strategies to meet these criteria in their design.
Allow some time to discuss the solutions after the lab is completed. A solution is provided in your materials to assist you in reviewing the lab results. Encourage students to critique each other’s solutions and to discuss any ideas for improving their designs.
Overview
Introducing Routing and Remote Access
Designing a Functional Remote Access Solution
Securing a Remote Access Solution
Enhancing a Remote Access Design for Availability
Optimizing a Remote Access Design for Performance
An organization might allow dial-up clients and remote office locations to access its private network resources. The remote access features of Routing and Remote Access in Microsoft® Windows® 2000 provide secure, dial-up access to a network for remote access clients. The remote access clients connect remotely by using various protocols and connection types.
At the end of this module, you will be able to:
Recognize Routing and Remote Access as a solution for remote access
Identify the design decisions that influence a functional remote access solution
Select appropriate strategies to secure remote access connections
Select appropriate strategies to enhance remote access availability
Select appropriate strategies to improve remote access performance
In this module, you will develop a strategy for designing a remote access solution.
Introducing Routing and Remote Access
Design Decisions for a Remote Access Solution
VPN with Remote Access Solutions
Routing and Remote Access Features
Integration Benefits
Routing and Remote Access enables remote access clients to access corporate networks as if they were directly connected to the corporate network. The remote access clients connect to the network by using dial-up communication links.
To design a remote access solution, you need to:
Identify the decisions influencing a remote access solution
Describe the architectural elements of a virtual private network (VPN) in a remote access networking strategy
Identify the features offered by Routing and Remote Access so that you can apply them successfully in the network design
Identify the benefits of integrating Routing and Remote Access with other Windows 2000 services
To design a remote access solution, you must identify the client requirements and how Routing and Remote Access meets these requirements.
Design Decisions for a Remote Access Solution
[Slide: Number of dial-up clients? Local or network-wide resources? Connection technologies? Client authentication, security, and encryption? Client connection protocols? Graphic: a remote access client (network adapter or modem) connecting across a provider network (PSTN, X.25, ISDN) to a remote access server on the intranet.]
Routing and Remote Access supports dial-up connections for remote users connecting to a private network. Users can access resources on the remote access server or on attached networks, provided they meet the network security requirements defined for the network design.
Providing a Routing and Remote Access solution can reduce the dependence on service infrastructures (such as Internet service providers (ISPs)), and the performance variability of the Internet.
In designing a Routing and Remote Access solution, you need to consider the:
Maximum number of simultaneous user connections required
Types of resources that the clients would require to access (local, remote, or both)
Connection technologies and throughput requirements, for example, connections that use modems over Public Switched Telephone Network (PSTN), Integrated Services Digital Network (ISDN), or X.25
Client authentication, security, and encryption requirements
Client connection protocols
Slide Objective: To identify the decisions that influence the design of a remote access solution.
Lead-in: To develop a remote access solution, you must identify the number of dial-up users, and assess the requirements of these users.
Discuss the bulleted points with students. Tell them that these are the questions they need to answer before designing a remote access solution. Explain the relevance of these decisions with reference to the graphic.
VPN with Remote Access Solutions
[Slide: VPN connection types; account-based authentication and encryption; compatibility with other operating systems. Graphic: a dial-up VPN client reaching a VPN server through a point of presence (POP) / network access server (NAS) over PSTN or ISDN, shown as a compulsory tunnel and as a voluntary tunnel.]
Many organizations are transitioning from a centralized in-house dial-up remote access infrastructure to an Internet-based infrastructure for clients accessing a corporate intranet. Organizations requiring support for dial-up clients can reduce costs by outsourcing the remote access dial-up points to an ISP. In addition, VPN maintains a high level of security for client connections to the private network.
A VPN supports secure point-to-point communications over a private or public IP-based network. VPN connections are Transmission Control Protocol (TCP)-based and require no intermediate router support.
VPN Connection Types
VPN supports Internet Protocol (IP) layer tunneling that creates a secure connection between a VPN-based remote access client and a remote access server on the private network. The computers participating in a VPN connection authenticate one another and encrypt the data flowing through the VPN.
It is possible to create a tunnel and send the data through the tunnel without encryption. However, it will not be a VPN connection because the private data is sent across a shared or public network in an unencrypted form.
VPN connections can be designed as compulsory or voluntary tunnels.
Compulsory tunnels are pre-configured device-initiated connections for which:
The remote access server initiates tunnel connections
The remote access server supports the tunnel protocol
Client authentication is per user based and optionally uses Remote Authentication Dial-In User Service (RADIUS)
Client support for tunneling is not required
communications link across a network and can secure data from end-to-end or from the network access server to the private network. Use this slide to point out the three types of connections. Explain how
Voluntary tunnels are ad-hoc connections for which:
The dial-up user initiates tunnel connections
Client support for tunneling protocols is required
No intermediate remote access server support for tunneling is required
Account-based Authentication and Encryption
VPN enhances data security for a connection by:
Authenticating remote users prior to data exchange
Encrypting authentication credentials
Encrypting exchanged data
Both Point-to-Point Tunneling Protocol (PPTP) and Layer Two Tunneling Protocol (L2TP) support encrypted and plain text authentication. When using L2TP and Internet Protocol Security (IPSec) transport mode, VPN authentication is based on an exchange of certificates that prevents unauthorized access to resources and data. Authentication certificates also provide a means of sharing data encryption keys.
Compatibility with Other Operating Systems
The VPN technology is supported by a number of vendors and operating systems, and is supported on a number of remote access servers.
Although only Windows 2000 supports a VPN configured for L2TP, any Windows 32-bit operating system supports a VPN configured for PPTP.
Routing and Remote Access Features
[Slide: Provides dial-up access (supports various transport protocols, various WAN technologies, and standard security protocols); provides server interoperability. Graphic: a dial-up client running NetBEUI, TCP/IP, or NWLink over PPP connecting through the Internet to a remote access server, and to a non-Microsoft communications server running NetBEUI, NWLink, or TCP/IP over SLIP or PPP.]
A Routing and Remote Access-based server supports dial-up connectivity to a network. In addition to providing access to directories and files, a remote access server also handles authentication and encryption for remote access clients.
Provides Dial-Up Access
Routing and Remote Access provides dial-up access for remote user connections by using Point-to-Point Protocol (PPP) or the Microsoft RAS protocol.
Supports various transport protocols
Over the communication channel, PPP allows negotiation of the following protocols:
Transmission Control Protocol/Internet Protocol (TCP/IP)
NetWare IPX/SPX/NetBIOS Compatible Transport Protocol (NWLink)
NetBIOS Enhanced User Interface (NetBEUI)
AppleTalk protocol
The Microsoft RAS protocol is a proprietary protocol supporting dial-up clients by using the NetBEUI local area network (LAN) protocol. The Microsoft RAS protocol is supported in all previous versions of Microsoft remote access and is used on Microsoft Windows NT® version 3.1, Windows for Workgroups, MS-DOS®, and LAN Manager clients. The remote access server acts as a network basic input/output system (NetBIOS) gateway for these remote clients.
Slide Objective: To describe the features of Routing and Remote Access.
Lead-in: The remote access server provides client access to an organization’s resources when using dial-up connections.
The NetBIOS gateway provides client access to resources over:
NetBEUI
NetBIOS over TCP/IP (NetBT) protocol
NetBIOS over Internetwork Packet Exchange (IPX) protocol
Note: Routing and Remote Access does not support Serial Line Internet Protocol (SLIP) clients, whereas the Microsoft remote access client software does support SLIP connections.
Supports various WAN technologies
Dial-up remote access clients can connect to wide area networks (WANs) by using the following methods:
Standard telephone lines with a modem (PSTN)
ISDN
X.25 direct connection or X.25 packet assembler/disassembler (PAD)
Supports standard security protocols
Routing and Remote Access supports secured authentication and data encryption. The remote access server automatically negotiates authentication and encryption levels with PPP-based remote access clients.
For authentication, Routing and Remote Access supports:
Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)
Microsoft Challenge Handshake Authentication Protocol, version 2 (MS-CHAP v2)
Challenge Handshake Authentication Protocol (CHAP)
Extensible Authentication Protocol-Transport Level Security (EAP-TLS)
Shiva Password Authentication Protocol (SPAP)
Password Authentication Protocol (PAP)
Provides Server Interoperability
Remote access clients can access any PPP-based remote access servers. These servers include:
Shiva LAN Rover
NetWare Connect
UNIX-based SLIP or PPP
Other PPP-based communications servers
Integration Benefits
[Slide: Routing and Remote Access integrating with Active Directory, a DNS server, a WINS server, a DHCP server (IP address), name resolution, and a RADIUS server.]
Routing and Remote Access integrates with other Windows 2000 networking services to extend these services to remote access clients and reduce network management.
DHCP Integration
Integration with DHCP allows dynamic allocation of IP address and configuration information to remote access clients. This reduces configuration errors by eliminating manual client configuration.
Routing and Remote Access leases blocks of 10 IP addresses from DHCP for remote access clients. When clients disconnect, the IP address is returned to the pool.
If the remote access server is configured to use the DHCP Relay Agent, all DHCP configuration information is provided to the remote access clients through the DHCP Relay Agent. If the DHCP Relay Agent is not configured on the server, clients only receive the IP address and subnet mask provided by the remote access server.
Note: The TCP/IP options in DHCP can include specific configuration information for remote access clients by using the predefined user class RRAS.Microsoft to define the required client options.
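The leasing behaviour described above, modelled as an added example (not code from the module or from Microsoft): a server-side pool that draws blocks of 10 addresses from a constructed DHCP scope and returns an address to the block when its client disconnects. Handing out an APIPA address when DHCP cannot supply a block is an assumption of this example; it is worth alerting on, because such clients are connected without an address that the intranet can route to.

```python
"""Simulation of a Routing and Remote Access server drawing client addresses
from DHCP in blocks of 10. Added example, not Microsoft code: the DHCP scope
is a constructed stand-in and the APIPA fallback is an assumption."""
import ipaddress

BLOCK_SIZE = 10                                    # block size stated on the page
APIPA_NET = ipaddress.ip_network("169.254.0.0/16")  # 169.254.0.1 .. 169.254.255.254


class DhcpScope:
    """Constructed stand-in for a DHCP scope; not a real DHCP client."""

    def __init__(self, first: str, last: str) -> None:
        lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
        self._free = [ipaddress.ip_address(n) for n in range(lo, hi + 1)]
        self.available = True                      # False simulates an unreachable server

    def lease(self, count: int) -> list:
        """Return up to `count` addresses (fewer if the scope is nearly exhausted)."""
        if not self.available:
            return []
        block, self._free = self._free[:count], self._free[count:]
        return block

    def remaining(self) -> int:
        return len(self._free)


class RrasAddressPool:
    """Per-server pool of DHCP-leased addresses, refilled one block at a time."""

    def __init__(self, dhcp: DhcpScope) -> None:
        self._dhcp = dhcp
        self._free = []          # leased from DHCP, not currently assigned
        self._assigned = {}      # client name -> address
        self._apipa_host = 0     # counter for the constructed APIPA fallback

    def _next_apipa(self) -> ipaddress.IPv4Address:
        self._apipa_host += 1
        return ipaddress.ip_address(int(APIPA_NET.network_address) + self._apipa_host)

    def connect(self, client: str) -> ipaddress.IPv4Address:
        if client in self._assigned:
            raise ValueError(f"{client} is already connected")
        if not self._free:                         # block exhausted: lease another
            self._free = self._dhcp.lease(BLOCK_SIZE)
        addr = self._free.pop() if self._free else self._next_apipa()
        self._assigned[client] = addr
        return addr

    def disconnect(self, client: str) -> ipaddress.IPv4Address:
        addr = self._assigned.pop(client)          # KeyError if the client is unknown
        if addr not in APIPA_NET:
            self._free.append(addr)                # back into the leased block
        return addr

    def leased_from_dhcp(self) -> int:
        """Addresses this server currently holds from DHCP (assigned or spare)."""
        held = [a for a in self._assigned.values() if a not in APIPA_NET]
        return len(held) + len(self._free)

    def apipa_clients(self) -> list:
        """Clients holding an APIPA address: a sign that DHCP was unreachable."""
        return sorted(c for c, a in self._assigned.items() if a in APIPA_NET)


def demo():
    """Walk through block leasing, address reuse and the DHCP-down case."""
    scope = DhcpScope("10.0.5.100", "10.0.5.130")   # constructed 31-address scope
    pool = RrasAddressPool(scope)
    for i in range(11):                             # the 11th client forces a 2nd block
        pool.connect(f"client{i:02d}")
    pool.disconnect("client03")                     # its address goes back to the block
    reused = pool.connect("client99")               # and is handed out again
    scope.available = False                         # DHCP goes down
    for i in range(12, 32):                         # drain the blocks, then APIPA
        pool.connect(f"client{i:02d}")
    return pool, scope, reused
```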
DNS Integration
DNS integration allows clients with dynamically allocated IP addresses and configuration information to update their name records in a Windows 2000–based DNS server. This integration allows dial-up client DNS names to be resolved in the same manner as clients directly connected to the network.
Slide Objective: To identify the benefits of integrating Routing and Remote Access with other Windows 2000 services.
Lead-in: Routing and Remote Access integrates with other Windows 2000 services, such as DHCP, DNS, and WINS.
WINS Integration
WINS integration allows dial-up clients with dynamically allocated IP addresses and configuration information to update their NetBIOS names in WINS. This integration allows the NetBIOS resource names that are registered by the dial-up client to be resolved in the same manner as clients directly connected to the network.
RADIUS Integration
RADIUS integration centralizes the management of multiple remote access servers. This integration allows:
Centralized administration of remote access policies
Logging of client authentication success or failure from multiple remote access servers
Distributed authentication for clients in a heterogeneous network
Active Directory Integration
Integration of Routing and Remote Access with a Windows 2000 native-mode domain allows the remote access policies to be administered through the Active Directory™ directory service. This integration provides:
Unified administration by using the Active Directory management consoles
Mapping of Windows 2000 users and groups to remote access policies, which control dial-up connection permissions
Note: On a Windows 2000 remote access server that is a member of a Windows 2000 mixed-mode or Microsoft Windows NT version 4.0 domain, a remote access policy cannot be specified for a user account.
Designing a Functional Remote Access Solution
Integrating Remote Access Solutions into a LAN Environment
Integrating Remote Access Solutions into a Routed Environment
Integrating VPN into a Routed Environment
Selecting a Tunneling Protocol
Integrating VPN Servers with the Internet
Placing Remote Access Servers Within a Private Network
Discussion: Evaluating Routing and Remote Access Functional Requirements
The components of a Windows 2000–based dial-up solution include Routing and Remote Access-based servers, dial-up clients, LAN and remote access protocols, WAN options, and security options. Routing and Remote Access in Windows 2000 provides the server-side components to support a dial-up solution.
To design a remote access solution based on Routing and Remote Access, you must consider the network access requirements, the protocols required, and the server placement issues.
Slide Objective: To introduce the decisions required to evaluate and design a functional solution for remote access.
Lead-in: You can set the foundation for your remote access solution by establishing the essential requirements for Routing and Remote Access.
Integrating Remote Access Solutions into a LAN Environment
[Slide: dial-up clients (NetBEUI, TCP/IP, NWLink over PPP) connecting to a remote access server on the LAN. Design items: security policies for dial-up clients (policies, groups, and users); concurrent sessions and Multilink; aggregate throughput for clients; client configuration.]
A remote access solution for a nonrouted LAN can provide a centralized dial-up facility for remote access clients. Clients connecting to the remote access server can be authenticated, provided with TCP/IP configuration information, and allowed access to resources on the network by using the permitted protocols. While designing a remote access solution for a nonrouted LAN, you need to identify solutions for the following:
The security model for administering remote access permissions and connection settings in the remote access server
You can control access by individual user names, or by Windows 2000 native-mode or mixed-mode domain policies.
The number of concurrent sessions required to service the dial-up clients. This allows definition of the number of inbound ports required. If PPP (Point-to-Point Protocol) Multilink Protocol and Bandwidth Allocation Protocol (BAP) are enabled, it may be necessary to provide more than one connection point per client.
The aggregate throughput requirements for the clients
The peak aggregate bandwidth required by the clients must be equal to or less than the bandwidth available to the LAN interface in the remote access server.
The TCP/IP configuration for the dial-up clients
The allocation of IP addresses and a subnet mask can be configured by the remote access server through pre-allocation to the client (allowing a fixed IP address), from a fixed pool of addresses, from DHCP, and from the Automatic Private IP Addressing (APIPA) addresses (169.254.0.1 through 169.254.255.254).
Slide Objective: To describe how to integrate a remote access server in a nonrouted LAN network.
Lead-in: A remote access dial-up solution for a LAN enables dial-up clients to access LAN resources.
The TCP/IP configuration for the dial-up clients with fixed IP addresses. The remote access server can configure the allocation of IP addresses and a subnet mask through pre-allocation to the client, thereby allowing a fixed IP address.
Note: Remote access policies must be defined to permit users to request a fixed IP address, and you must configure the dial-up properties of the user account with a static IP address.
The TCP/IP configuration for the dial-up clients with dynamic IP addresses. The allocation of IP addresses and a subnet mask can be configured by the remote access server from a fixed pool of addresses, from DHCP, and from APIPA addresses.
Note: If a DHCP Relay Agent is configured on the remote access server, the client can request TCP/IP options that are defined in the DHCP scope for the subnet. If the DHCP Relay Agent is not configured, the clients only receive the IP address and subnet mask provided by the DHCP server.
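To show how the account's dial-in setting and a remote access policy combine to admit or refuse a dial-up client, here is an added example (not code from the module or from Microsoft) that checks constructed connection attempts against constructed policies: the account setting, the first policy whose group condition matches, and that policy's profile (the weakest acceptable protocol from the authentication list Routing and Remote Access supports, and whether data encryption is required). The evaluation order is a simplification of the real server's logic, and the policy-controlled account setting being unavailable outside a native-mode domain follows the note in the Active Directory integration topic.

```python
"""Model of a connection attempt checked against a Windows 2000 remote access
policy. Added example, not Microsoft code: accounts and policies below are
constructed, and the check order is a simplification of the real server."""
from dataclasses import dataclass
from enum import Enum

# Protocols supported by Routing and Remote Access, ranked by strength:
# PAP and SPAP transmit reusable credentials, CHAP/MS-CHAP use a challenge,
# MS-CHAP v2 adds mutual authentication, EAP-TLS authenticates with certificates.
AUTH_RANK = {"PAP": 0, "SPAP": 0, "CHAP": 1, "MS-CHAP": 1, "MS-CHAP v2": 2, "EAP-TLS": 3}


class DialIn(Enum):
    """Dial-in permission on the user account."""
    ALLOW = "allow access"
    DENY = "deny access"
    POLICY = "control access through remote access policy"  # native-mode domains only


@dataclass(frozen=True)
class Account:
    name: str
    groups: frozenset
    dial_in: DialIn


@dataclass(frozen=True)
class Policy:
    name: str
    groups: frozenset            # condition: member of any of these groups
    grant: bool                  # policy permission (used when the account defers)
    min_auth: str                # profile: weakest acceptable authentication protocol
    require_encryption: bool     # profile: MPPE or L2TP/IPSec must be in use


@dataclass(frozen=True)
class Attempt:
    account: Account
    auth: str                    # protocol negotiated with the client
    encrypted: bool


def evaluate(attempt: Attempt, policies: list, native_mode: bool) -> tuple:
    """Return (accepted, reason) for one connection attempt."""
    acct = attempt.account
    if acct.dial_in is DialIn.POLICY and not native_mode:
        # A mixed-mode or Windows NT 4.0 domain cannot hold a per-user policy setting
        return False, "policy-controlled access is unavailable in mixed mode"
    if acct.dial_in is DialIn.DENY:
        return False, "dial-in permission denied on the account"
    # First policy whose group condition matches the account wins
    policy = next((p for p in policies if acct.groups & p.groups), None)
    if policy is None:
        return False, "no remote access policy matches"
    if acct.dial_in is DialIn.POLICY and not policy.grant:
        return False, f"policy '{policy.name}' denies access"
    # The profile applies even when the account setting is an explicit allow
    if AUTH_RANK.get(attempt.auth, -1) < AUTH_RANK[policy.min_auth]:
        return False, f"{attempt.auth} is weaker than {policy.min_auth} required by '{policy.name}'"
    if policy.require_encryption and not attempt.encrypted:
        return False, f"policy '{policy.name}' requires data encryption"
    return True, f"accepted under policy '{policy.name}'"


# Constructed sample configuration: contractors are refused by policy unless an
# administrator overrides on the account; staff must use MS-CHAP v2 or better.
POLICIES = [
    Policy("Contractors", frozenset({"Contractors"}), grant=False,
           min_auth="MS-CHAP v2", require_encryption=True),
    Policy("Staff dial-up", frozenset({"Staff"}), grant=True,
           min_auth="MS-CHAP v2", require_encryption=True),
]
ALICE = Account("alice", frozenset({"Staff"}), DialIn.POLICY)
BOB = Account("bob", frozenset({"Contractors"}), DialIn.POLICY)
BOB_OVERRIDE = Account("bob", frozenset({"Contractors"}), DialIn.ALLOW)
GUEST = Account("guest", frozenset({"Guests"}), DialIn.ALLOW)
```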
Integrating Remote Access Solutions into a Routed Environment
Selecting Dial-Up Solutions
Enabling Supported Protocols
Providing Client-to-Server Connections
Providing Demand-Dial Router-to-Router Connections
Before integrating a remote access solution into a routed environment, you must consider the access connection speed and connection type of the dial-up users. You can constrain the functionality of any dial-up remote access design by the access connection speed and connection type.
Bandwidth limitations of LANs and WAN links, and the dial-up connection speed, can place practical constraints on the remote access implementation design.
Selecting Dial-Up Solutions
Remote access servers can provide access to intranet-based resources by using dial-up connections. Dial-up connections are used when the remote access clients dial directly into modems attached to the organization’s remote access servers.
Consider implementing Routing and Remote Access dial-up solutions if the:
Use of the Internet as a mechanism for accessing intranet-based resources is considered an unacceptable risk
Variability of the data throughput rate for an Internet connection is insufficient to support client needs
Logical connections consist of multiple physical connections, or the connections are increased in response to client bandwidth requirements
Security aspects of the network design require additional security features such as caller identification (ID) verification or callback support
Cost of providing phone lines, modems, and multiport communication adapters is not prohibitive
Slide Objective: To describe how to integrate a remote access solution in an IP-routed network.
Lead-in: Before integrating a remote access solution into a routed environment, you must consider the access connection speed and connection type of the dial-up users.
Enabling Supported Protocols
Remote access servers support connectivity to remote access clients by using multiple protocols. Certain protocols may be required to access particular intranet-based resources or applications.
The following table lists the Routing and Remote Access–based protocols and their features.
Choose      To provide
TCP/IP      Access to Web-based applications, File Transfer Protocol (FTP) servers, or other applications that are based on the TCP/IP protocol
NWLink      Access to NetWare-based file and print servers by using Internetwork Packet Exchange/Sequenced Packet Exchange (IPX/SPX)
AppleTalk   Access to Apple Macintosh remote access clients by using the AppleTalk Remote Access Protocol
NetBEUI     Access to file and print resources in a small, nonrouted LAN by using NetBIOS naming conventions
Providing Client-to-Server Connections
Dial-up remote access solutions provide access to intranet-based resources for remote access clients. A dial-up remote access design must specify the:
Number of telephone lines, modems, adapters, or asynchronous ports required to support the maximum number of simultaneous client connections
User accounts that will be granted remote access
Remote access policy restrictions that apply to a user or a group of users
Providing Demand-Dial Router-to-Router Connections
To support connectivity between remote locations, a multiple remote access design must specify the:
Telephone lines, modems, and asynchronous ports required for connecting the remote locations
Routing capabilities found in the Routing and Remote Access–based servers
Demand-dial interfaces found in Routing and Remote Access–based servers used to automate the initiation of the connection between the locations
User accounts used by the Routing and Remote Access–based servers to authenticate each other
Remote access policy restrictions
Integrating VPN into a Routed Environment
A VPN implementation can support hundreds of VPN remote access clients. However, the local network and WAN links can place practical constraints on the VPN design. Before selecting a VPN protocol and connection type, evaluate your organizational needs and environmental constraints. The VPN protocols provided by Windows 2000 support a variety of operating systems, security needs, and network designs.
Selecting Dial-Up or VPN-based Servers
Routing and Remote Access–based servers provide access to intranet-based resources by using VPN or dial-up connections. VPN connections are used when remote access clients dial into an ISP and then establish a virtual connection to the remote access servers of an organization. Dial-up connections are used when the remote access clients dial directly in to modems attached to the remote access servers of the organization.
Consider implementing VPN remote access servers if:
Using the Internet to access intranet-based resources is an acceptable risk
The organization’s connection to the Internet supports the aggregate throughput required for the maximum number of concurrent remote access clients
The variability of Internet bandwidth does not adversely impact client response times
Slide Objective: To describe the guidelines for integrating VPN into a routed environment.
Lead-in: Before implementing a VPN service, you need to evaluate your networking environment to properly integrate VPN into a routed network.
Providing Remote Access Client Connections
Implementation designs that incorporate VPN servers provide access to intranet-based resources by using remote access clients. A VPN server design must specify:
The number of PPTP or L2TP ports necessary to support the maximum number of simultaneous clients
The user accounts that are granted remote access
Remote access policy restrictions
Selecting a Tunneling Protocol
[Slide diagram: a client reaches a remote resource server on the private network through a remote access server, over a secure tunnel across the existing network. Two frame layouts are shown. PPTP: IP Header | GRE Header | PPP Header | Encrypted PPP Payload (IP Datagram, IPX Datagram). L2TP/IPSec: IP Header | IPSec ESP Header | UDP Header | L2TP Header | PPP Header | PPP Payload (IP Datagram, IPX Datagram) | IPSec ESP Trailer | IPSec Auth Trailer, with labels marking the portion that is encrypted by IPSec and the portion that is signed.]
Dial-up clients may require secure connections to a remote location, or to resources on a private network. Routing and Remote Access in Windows 2000 supports two tunneling protocols that provide authentication and data encryption for creating VPN connections:
PPTP
L2TP
PPTP
PPTP is a de facto industry standard tunneling protocol that was first supported in Windows NT 4.0. PPTP is an extension of PPP and improves upon the authentication, compression, and encryption mechanisms of PPP. Microsoft Point-to-Point Encryption (MPPE) is used to encrypt PPP frames.
A PPTP frame consists of a PPP frame carrying the encrypted payload with a Generic Routing Encapsulation (GRE) header. The encrypted payload can be an IP datagram, an IPX datagram, or a NetBEUI frame.
By default, Routing and Remote Access is configured for five PPTP ports. If your design requires more ports, then you must plan for the creation of these ports.
To describe the tunneling protocols used to secure data and authenticate.
Explain how PPTP and L2TP frames are secured over a tunnel.
In an L2TP-based virtual private networking connection, the sender and receiver must support both L2TP and IPSec. The routers between the peer endpoints are required to support only IP.
L2TP encapsulates the original payload inside a PPP frame and performs compression whenever possible. This compressed frame is then encrypted by IPSec and transported inside a User Datagram Protocol (UDP) packet.
By default, Routing and Remote Access is configured for five L2TP ports. If your design requires more ports, then you must plan for the creation of these ports.
IPSec can be used in tunnel mode without L2TP. IPSec tunnel mode is not supported for clients in remote access VPN scenarios. In this mode, IPSec is used for interoperability with other routers, gateways, or end systems.
Select compulsory VPN tunnels if the client cannot support tunnel protocols directly. If clients can support the VPN protocols, select voluntary end-to-end VPN tunnels to provide the highest level of data protection.
Integrating VPN Servers with the Internet
The placement of a VPN server can significantly affect network security for a network that contains a firewall or a network address translation (NAT) device. A correctly placed VPN server must be accessible without compromising network security.
Integrating VPN Servers and Firewalls
Firewalls filter IP traffic based on the IP address and port number of the packet. Proper placement of the VPN server relative to the firewall will achieve the functionality, availability, and performance goals of the design without compromising the security aspects of the design.
Outside the firewall
Place the VPN server outside the firewall if:
Exposing the Routing and Remote Access–based VPN server directly to the Internet does not compromise the security aspects of the design
The security risks associated with allowing access to the entire VPN IP address range through the firewall are unacceptable
All sensitive data is placed behind the firewall, and all remote access through the firewall is limited to the VPN server
positioned in one of several ways to operate with the Internet
If the VPN server resides outside the firewall, consider:
Providing an IPSec tunnel between the unprotected VPN server and the Routing and Remote Access–based router that is placed inside the firewall, to reduce the number and complexity of the firewall filters
Configuring the firewall to allow communication between the unprotected VPN server and the Routing and Remote Access–based router inside the firewall
Encrypting all data between the unprotected VPN server and the internal Routing and Remote Access–based router by using the strongest encryption possible
Configuring the unprotected VPN server as a stand-alone server in Microsoft Windows 2000 Active Directory to reduce the exposure of the Active Directory database
Inside the firewall
Place the VPN server inside the firewall if:
The added security risk of exposing the Routing and Remote Access–based VPN server directly to the Internet compromises the security aspects of the design
The potential security problems associated with allowing access to the entire VPN IP address range through the firewall are acceptable
If the VPN server resides inside the firewall, you must configure the firewall filters to allow all PPTP-based and L2TP-based traffic across the entire VPN IP address range
Integrating VPN Servers and NAT Devices
NAT devices, such as a proxy server, translate private IP addresses into public IP addresses and vice versa. Some application servers directly record the IP address and port number of the remote access client. These applications require a translation table on the NAT device to operate correctly. The NAT device modifies the header of the IP packet in both directions to allow the application to perform normally.
Using PPTP tunnels with a NAT device
When configuring NAT devices for PPTP tunnels, remember that:
PPTP does not encrypt the IP header, so it operates with any NAT device
The NAT device requires the appropriate application translation tables
Using L2TP tunnels with a NAT device
When configuring NAT devices for L2TP tunnels, remember that:
When using IPSec with Encapsulating Security Payload (ESP) to encrypt data, the IP headers are encrypted
The NAT device cannot perform the modifications to the IP header
L2TP with IPSec ESP encryption does not work with applications that require NAT translation tables
Placing Remote Access Servers Within a Private Network
[Slide diagram: a remote access server and a multimedia server connected through routers, a firewall, a screened subnet, the Internet, and a WAN link. Placement options shown: placing in a subnet, placing in a screened subnet, placing in a single segment LAN.]
In designing a remote access solution, you must consider the position of the remote access server. The placement of a remote access server in a network can affect the delivery of data to remote access clients. It can also affect the data traffic flowing to other users on the network.
Placing the Remote Access Server in a Subnet
The server must be positioned in a subnet or on the segment with the most client-accessible resources if:
There is a switched nonrouted LAN with multiple physical segments. This position minimizes unicast traffic flowing across segments, as the switch does not reflect traffic onto all segments.
There is a routed network with multiple routers. Position the remote access server to minimize cross-subnet traffic. This position minimizes the effect of client data on the bandwidth available to other network users.
Aggregate bandwidth considerations
The data for all dial-up clients passes through the remote access server interface to the private network. Even when the client data speeds are moderate, the aggregate throughput required because of this concentration can be significant.
In any design, wherever possible, you must minimize the routed path to resources that are used by the dial-up clients. Minimizing the routed path reduces both the client traffic delays and the interaction of dial-up client traffic with normal network user traffic.
Slide Objective: To describe the issues pertaining to the placement of remote access servers in a network.
Lead-in: The position of a remote access server in a network can affect the bandwidth available to the network and remote access clients.
For example, consider a remote access server with 128 V.90 modems at 56 kilobits per second (Kbps). If you assume the following conditions:
1. At peak times all lines will be used
2. A multimedia training application is running on the remote access clients, requiring sustained throughput of 38 Kbps from server to client
The aggregate bandwidth required will be:
38 Kbps * 128 = 4.864 megabits per second (Mbps). The simplified throughput calculation shows that the remote access server would use 49 percent of the available bandwidth on a 10 Mbps Ethernet segment. The LAN traffic of other network users would increase this usage further and might make it impossible to service the dial-up clients’ multimedia needs. A possible solution in this example is to move the multimedia files onto the remote access server so that network access is not required.
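The simplified throughput calculation above, carried through as an added example (not code from the course material) that also accounts for the existing LAN load the text mentions; the 70 percent ceiling and the `placement_advice` rule are assumptions, not figures from the course.

```python
"""Aggregate bandwidth check for remote access server placement (added example)."""
from dataclasses import dataclass


@dataclass
class AggregateLoad:
    aggregate_kbps: float    # all busy clients' traffic concentrated on the RAS LAN interface
    utilization_pct: float   # share of the segment consumed by dial-up traffic alone
    headroom_kbps: float     # what remains for other network users on that segment


def aggregate_load(modems: int, per_client_kbps: float, segment_mbps: float,
                   peak_fraction: float = 1.0) -> AggregateLoad:
    """Assume `peak_fraction` of the lines are busy at peak and each busy client
    needs `per_client_kbps` sustained throughput (the course assumes all lines busy)."""
    if modems < 0 or per_client_kbps < 0 or segment_mbps <= 0 or not 0 <= peak_fraction <= 1:
        raise ValueError("invalid sizing inputs")
    aggregate = modems * peak_fraction * per_client_kbps
    segment_kbps = segment_mbps * 1000
    return AggregateLoad(aggregate, 100 * aggregate / segment_kbps, segment_kbps - aggregate)


def placement_advice(load: AggregateLoad, other_lan_pct: float, max_pct: float = 70.0) -> str:
    """Assumed design rule (hypothetical, not stated in the course): dial-up load plus
    the existing LAN load must stay under `max_pct` of the segment; otherwise move the
    client resources onto the remote access server or place the server on the subnet
    that holds most client-accessible resources, as the course recommends."""
    total = load.utilization_pct + other_lan_pct
    if total <= max_pct:
        return "ok: %.1f%% of segment used" % total
    return ("move client resources onto the remote access server or place it on the "
            "subnet with most client resources: %.1f%% of segment used" % total)


if __name__ == "__main__":
    # Course example: 128 V.90 lines, 38 Kbps multimedia stream each, 10 Mbps Ethernet.
    course = aggregate_load(128, 38, 10)
    print(f"{course.aggregate_kbps / 1000:.3f} Mbps, {course.utilization_pct:.0f}% of segment")
    # 30% existing LAN load is a constructed figure for illustration.
    print(placement_advice(course, other_lan_pct=30))
```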
Placing the Remote Access Server in a Screened Subnet
The server must be positioned in a screened subnet if:
Corporate policies exist with a mandate that client access be processed by a firewall or filter
Clients use a VPN tunnel to connect to the private network
The remote access server contains other data made available to the public networks
The majority of client resources exist in the screened subnet
Placing the Server in a Single Segment LAN
The remote access server can be positioned solely based on physical network requirements if:
There is a single segment, non-switched LAN
Clients are allowed to access only the remote access server resources
Discussion: Evaluating Routing and Remote Access Functional Requirements
[Slide diagram: a remote access server, a Windows 2000–based router, a file and print server, a Windows multimedia server, WINS clients and non-WINS clients on Subnet 4 and Subnet 5, connected through Router A1, Router A2 and a further router.]
To provide a functional remote access solution for an organization, you must decide on the number and placement of servers based on the throughput and access requirements of dial-up clients.
The following scenario describes an organization’s current network configuration. Read through the scenario, and then answer the questions. Be prepared to discuss your answers with the class.
Scenario
An organization has decided to restructure an existing remote access solution to give access to a larger number of employees. You are assigned the task of evaluating the currently available configuration and providing a viable solution for the new requirements.
The current network configuration provides:
Intranet access to all shared folders and Web-based applications
Access for 16 concurrent clients by using 56 Kbps modems
Network architecture as shown in the preceding diagram, with the routed network based on 10 Mbps Ethernet
Support for a mission-critical Web-based application that requires 24-hours-a-day, 7-days-a-week operation
The organization requires the following new facilities:
Intranet access to all shared folders and Web-based applications for remote access clients
Access for a total of 160 concurrent clients by using 56 Kbps modems. This requires average throughput of 7.5 Kbps per client.
Routing and Remote Access solution, you must decide on the number of dial-up clients, connection technologies, client authority and security requirements, and client connection protocols
Delivery Tip: Read the scenario to the students and review the questions as a group. Give the students time to consider their answers and then lead a discussion based on their responses. Remind the students that there can be more than one possible solution to the scenario.