Document: Remote Access (pptx)

DOCUMENT INFORMATION

Basic information

Title: Remote Access
Institution: Vietnam Academy of Science and Technology
Field: Networking and Communications Services
Category: Textbook
Year published: 2000
City: Hanoi
Pages: 50
Size: 444.41 KB

Contents


Remote Access

This chapter covers the remote access services provided with Windows 2000 to enable dial-up access (client and server) for remote connectivity, including dial-up connections. RAS and RRAS are integrated into a single service in Windows 2000. This chapter examines the features in RRAS for dial-up networking that enable a Windows 2000 computer to function as both a dial-up server and dial-up client.

Cross-Reference: You’ll find a detailed explanation of the Routing and Remote Access Service and how to use it for routing in Chapter 12.

The following sections provide an overview of these RAS features. Later sections explain protocol, security, and configuration issues.

Overview of Windows 2000 RRAS

Remote access enables a client computer to connect to a remote computer or network and access the resources of the remote computer or network as if they were local. For example, users who are frequently on the road can access the company file server(s), printers, mail system, and other resources from remote locations. Clients also can use remote access services to connect to public networks such as the Internet.

Figure 15-1 illustrates one implementation of remote access.

Figure 15-1: RRAS enables remote users to connect to the local computer or network, and also supports dial-out connections from Windows 2000 clients. (Figure labels: Connecting to the Internet; RRAS Server; Remote user accesses network shares and printers.)

The Routing and Remote Access Service in Windows 2000 provides three primary functions:

✦ Dial-up client: You can use the RRAS service to create and establish dial-up connections to remote networks, including the Internet, through a variety of media, including modem, ISDN, infrared, parallel ports, serial connection, X.25, and ATM. Windows 2000 dial-up clients support a wide range of authentication protocols and other connectivity options, which are discussed in depth in later sections of this chapter. Support for tunneling protocols enables clients to establish secure connections to remote networks through public networks such as the Internet.

✦ Dial-up server: A Windows 2000 server can function as a dial-up server, allowing remote clients to connect to the local server and optionally to the local network through the same types of media supported for dial-out connections (see previous). You can also use RAS to support terminal service client sessions because RAS issues an IP address to the connecting clients and binds the necessary protocols to the RAS connection.


Windows 2000 supports several authentication protocols and can authenticate users against local or domain user accounts, or it can use RADIUS (Remote Authentication Dial In User Service), an industry standard authentication mechanism. Once connected, a remote user can browse, print, map drives, and perform essentially all other functions possible from either the local server or local area network.

✦ Routing services: The routing components of RRAS enable a Windows 2000 server to function as a unicast and multicast router. Windows 2000 provides for routing, packet filtering, connection sharing, demand-dial routing, and several other features that make it an excellent choice for LAN and WAN routing.

RRAS in Windows 2000 integrates the remote access and routing services that formerly were separate services in Windows NT Server. RRAS in Windows 2000 is an extension and improvement upon Windows NT’s Routing and Remote Access Service, which was issued as an add-on for Windows NT Server. Although Windows 2000 RRAS integrates dial-up networking and routing into a single service, they are treated as separate issues in this book because of the different focus for each.

One of the key benefits of Windows 2000 RRAS is its integration with the Windows 2000 operating system. On the client side, integration means that once a remote connection is established, the client can access resources on the server transparently as if they were local resources. The client can map remote shares to local drive letters, map and print to remote printers, and so on. Except in very rare circumstances, applications can use remote resources seamlessly without modification to make them RAS- or network-aware.

On the server side, integration means that Windows 2000 can use a single authentication mechanism to authenticate users both locally and from remote locations. RRAS can authenticate against the local computer’s user accounts or accounts in the domain, or it can use an external authentication mechanism such as RADIUS. Through its support for RADIUS, Windows 2000 RRAS enables a Windows 2000 server to function as a gateway of sorts to the network while offloading authentication to another server, which could be any RADIUS platform including a UNIX server.

Note: RADIUS stands for Remote Authentication Dial-In User Service. RADIUS is a standard, cross-platform protocol for authentication commonly used for dial-in authentication.

Windows 2000 RRAS also provides close integration with the Active Directory (AD). This AD integration provides for replication of users’ remote access settings, including access permissions, callback options, and security policies, among others. AD integration also means simplified administration with other AD-related services and properties.


As you’ll learn later in the section “RAS Connection Types and Protocols,” Windows 2000 RRAS supports a wide range of connection protocols, including PPP, SLIP, and Microsoft RAS Protocol. Windows 2000 RRAS supports authentication methods including MS-CHAP, EAP, CHAP, SPAP, and PAP. Network protocols supported include TCP/IP, IPX/SPX, NetBEUI, and AppleTalk to support Microsoft, UNIX, NetWare, and Macintosh resources and clients.

New Features of Windows 2000 RRAS

If you’re familiar with RAS or RRAS in Windows NT, you’ll find all of those same features in Windows 2000 RRAS. You’ll also find several enhancements to existing features along with many new features, including those discussed in the following sections.

AD integration

As mentioned previously, Windows 2000 RRAS integrates with the Active Directory. AD integration enables client settings to be replicated throughout the organization to provide expanded access by clients and easier administration. Integration with the AD also can simplify administration by enabling you to browse and manage multiple RRAS servers through the AD-aware RRAS management console snap-in, providing a single point of management for RRAS services in an organization.

Bandwidth Allocation Protocol and Bandwidth Allocation Control Protocol

The Bandwidth Allocation Protocol (BAP) and Bandwidth Allocation Control Protocol (BACP) enable Windows 2000 RAS to dynamically add or remove links in a multilink PPP connection as bandwidth requirements for the connection change. When bandwidth utilization becomes heavy, RAS can add links to accommodate the increased load and enhance performance. When bandwidth utilization decreases, RAS can remove links to make the connection more cost efficient. You configure BAP policies through a remote access policy that you can apply to individual users, groups, or an entire organization.

MS-CHAP version 2

Previous versions of RAS supported Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) to authenticate remote clients. MS-CHAP v2 provides stronger security and is designed specifically to support Virtual Private Network (VPN) connections, which enable remote clients to establish secure connections to a private network through a public network such as the Internet. MS-CHAP v2 provides several security enhancements:

✦ LAN Manager encoding of responses, formerly supported for backward compatibility with older remote access clients, is no longer supported for improved security. MS-CHAP v2 no longer supports LAN Manager encoding of password changes for the same reason.

✦ MS-CHAP v2 supports mutual authentication, which provides bi-directional authentication between the remote client and the RAS server. Previously, MS-CHAP only provided one-way authentication and did not provide a mechanism for the remote client to determine if the remote server actually had access to its authentication password for verification. Version 2 not only enables the server to authenticate the client’s request, but also allows the client to verify the server’s ability to authenticate its account.

✦ MS-CHAP v2 also provides stronger encryption. The 40-bit encryption used in previous versions operated on the user’s password and resulted in the same cryptographic key being generated for each session. Version 2 uses the remote client’s password, along with an arbitrary challenge string, to create a unique cryptographic key for each session, even when the client password remains the same.

✦ Version 2 provides better security for data transmission, using separate cryptographic keys for data sent in each direction.
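The exchange these bullets describe, as an added example that is not part of the book: a Python simulation of MS-CHAP v2 mutual authentication and per-session key derivation. RFC 2759 builds the real responses from MD4 and DES, which the Python standard library does not provide, so HMAC-SHA256 stands in for those primitives (an assumption: the message flow is the protocol's, the byte values are not). The RasServer and RogueServer classes, the account name and the password are constructed for the demonstration.

```python
"""Simulation of the MS-CHAP v2 exchange: mutual authentication plus a per-session key.
Added example, not code from the book. HMAC-SHA256 stands in for the MD4/DES primitives of
RFC 2759 (assumption); the message flow follows the protocol, the byte values do not."""
import hashlib
import hmac
import os


def password_hash(password: str) -> bytes:
    # Stand-in for NtPasswordHash (the real one is MD4 over the UTF-16LE password).
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def client_response(pw_hash: bytes, auth_challenge: bytes, peer_challenge: bytes, username: str) -> bytes:
    # Stand-in for GenerateNTResponse: the response binds both challenges and the user
    # name, so a response captured in one session is useless in another.
    msg = auth_challenge + peer_challenge + username.encode("utf-8")
    return hmac.new(pw_hash, msg, hashlib.sha256).digest()


def authenticator_response(pw_hash: bytes, nt_response: bytes, auth_challenge: bytes, peer_challenge: bytes) -> bytes:
    # Stand-in for GenerateAuthenticatorResponse: only a server holding the password
    # hash can produce it, which is what gives the client mutual authentication.
    msg = b"authenticator" + nt_response + auth_challenge + peer_challenge
    return hmac.new(pw_hash, msg, hashlib.sha256).digest()


def session_key(pw_hash: bytes, nt_response: bytes, direction: bytes) -> bytes:
    # The key depends on this session's response (hence on its challenges), so it differs
    # every session even with an unchanged password, and differs per direction.
    return hmac.new(pw_hash, b"session-key" + direction + nt_response, hashlib.sha256).digest()[:16]


def legacy_key(pw_hash: bytes) -> bytes:
    # Illustrates the weakness the text describes for the older 40-bit key:
    # derived from the password alone, so identical in every session.
    return pw_hash[:5]


class RasServer:
    """RAS server holding password hashes for its accounts (constructed)."""

    def __init__(self, accounts: dict):
        self.accounts = accounts  # username -> password_hash

    def challenge(self) -> bytes:
        return os.urandom(16)

    def verify(self, username, auth_challenge, peer_challenge, response):
        pw_hash = self.accounts.get(username)
        if pw_hash is None:
            return None
        expected = client_response(pw_hash, auth_challenge, peer_challenge, username)
        if not hmac.compare_digest(expected, response):
            return None  # client failed authentication
        return authenticator_response(pw_hash, response, auth_challenge, peer_challenge)


class RogueServer(RasServer):
    """A server that does not know the password: accepts anything, guesses the authenticator."""

    def __init__(self):
        super().__init__({})

    def verify(self, username, auth_challenge, peer_challenge, response):
        return os.urandom(32)


def run_exchange(server, username: str, password: str):
    """One authentication seen from the client.
    Returns (client_accepts_server, send_key, receive_key)."""
    pw_hash = password_hash(password)
    auth_challenge = server.challenge()            # 1. server -> client: authenticator challenge
    peer_challenge = os.urandom(16)                # 2. client picks its own challenge
    response = client_response(pw_hash, auth_challenge, peer_challenge, username)
    auth_resp = server.verify(username, auth_challenge, peer_challenge, response)  # 3. client -> server
    if auth_resp is None:
        return (False, None, None)                 # server rejected the client
    expected = authenticator_response(pw_hash, response, auth_challenge, peer_challenge)
    if not hmac.compare_digest(expected, auth_resp):
        return (False, None, None)                 # 4. client rejects a server that cannot prove it knows the password
    return (True, session_key(pw_hash, response, b"send"), session_key(pw_hash, response, b"recv"))


if __name__ == "__main__":
    server = RasServer({"alice": password_hash("correct horse")})
    ok, k_send, k_recv = run_exchange(server, "alice", "correct horse")
    print("client accepted server:", ok, "send key:", k_send.hex(), "recv key:", k_recv.hex())
    print("rogue server accepted:", run_exchange(RogueServer(), "alice", "correct horse")[0])
```

Running it shows the client rejecting the rogue server, whose authenticator response cannot be produced without the password hash, and two successful logons with the same password yielding different send and receive keys, which is the property the third and fourth bullets describe; legacy_key() shows the single value the older scheme would derive from the password alone.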

Extensible Authentication Protocol

The Extensible Authentication Protocol (EAP) enables authentication methods to be added to RAS without redesigning the underlying RAS software base, much like new features in NTFS 5.0 enable new functionality to be added to the file system without redesigning the file system (see Chapter 21 for a complete discussion).

EAP enables the client and server to negotiate the mechanism to be used to authenticate the client. Currently, EAP in Windows 2000 supports EAP-MD5 CHAP (Challenge Handshake Authentication Protocol), EAP-TLS (Transport Level Security), and redirection to a RADIUS server. Each of these topics is covered in more detail later in this chapter.

RADIUS support

Windows 2000 RRAS can function as a RADIUS client, funneling logon requests to a RADIUS server, which can include the Internet Authentication Service, also included with Windows 2000, running on the same or a different server. The RADIUS server doesn’t have to be a Windows 2000 system, however, which enables RRAS to also use UNIX-based RADIUS servers or third-party RADIUS services you might already have in place. One of the advantages to using RADIUS is its capability for accounting, and several third-party utilities have been developed to provide integration with database back-ends such as SQL Server to track and control client access.

Cross-Reference: See the section “Using RADIUS” later in this chapter for detailed information on configuring and using RADIUS.

Remote access policies

Windows 2000 improves considerably on the flexibility you have as an administrator to control a user’s remote access and dial-up settings. Windows NT RAS gave you control only over callback options, and settings were assigned on a user-by-user basis. Although Windows 2000 still lets you assign remote access permissions through a user’s account, you also can use a remote access policy to define the remote access settings for one or several users. Remote access policies give you a fine degree of control over users’ settings, controlling options such as allowed access time, maximum session time, authentication, security, BAP policies, and more.

Cross-Reference: See the section “Remote Access Policy” later in this chapter for additional information on configuring and using RAS policies.

Support for Macintosh clients

Windows 2000 adds remote access support for Macintosh clients by supporting AppleTalk over PPP for Macintosh clients. This enables Macintosh clients to connect to a Windows 2000 RAS server using the standard PPP and AppleTalk protocols.

Account lockout

Windows 2000 RAS enhances security by supporting account lockout, which locks a RAS account after a specified number of bad logon attempts. This feature helps guard against dictionary attacks, in which a hacker attempts to gain remote access by repeatedly attempting logon using a dictionary of passwords against a valid account. You can configure two settings that control lockout: the number of bad logon attempts before the account is locked out, and how long the account remains locked before the lockout counter is reset.
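A lockout counter with the two settings just described, as an added example (not code from the book or from Windows 2000): the threshold of bad attempts and the lockout duration after which the counter resets. The verify_password callback, the account names and the constructed logon log are assumptions for the demonstration.

```python
"""Account-lockout counter modelling the two settings the text names: bad attempts
before lockout, and how long the account stays locked before the counter resets.
Added example, not code from the book or from Windows 2000 RAS. Password checking
is a caller-supplied callback (assumption); times are plain seconds for reproducibility."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class LockoutPolicy:
    threshold: int = 5           # bad attempts before the account is locked
    lockout_seconds: int = 600   # how long it stays locked before the counter resets


@dataclass
class AccountState:
    bad_attempts: int = 0
    locked_until: Optional[float] = None


class LockoutTracker:
    def __init__(self, policy: LockoutPolicy, verify_password: Callable[[str, str], bool]):
        self.policy = policy
        self.verify_password = verify_password
        self.state: Dict[str, AccountState] = {}
        self.events = []  # audit trail: (time, user, outcome)

    def _state(self, username: str) -> AccountState:
        return self.state.setdefault(username, AccountState())

    def is_locked(self, username: str, now: float) -> bool:
        st = self._state(username)
        if st.locked_until is None:
            return False
        if now >= st.locked_until:
            # Lockout period expired: clear the lock and reset the counter.
            st.locked_until = None
            st.bad_attempts = 0
            return False
        return True

    def attempt(self, username: str, password: str, now: float) -> str:
        """Returns "locked", "ok" or "bad". A locked account refuses even the correct
        password, which is what stops a dictionary run from continuing."""
        if self.is_locked(username, now):
            outcome = "locked"
        elif self.verify_password(username, password):
            self._state(username).bad_attempts = 0   # a good logon clears the counter
            outcome = "ok"
        else:
            st = self._state(username)
            st.bad_attempts += 1
            if st.bad_attempts >= self.policy.threshold:
                st.locked_until = now + self.policy.lockout_seconds
            outcome = "bad"
        self.events.append((now, username, outcome))
        return outcome


def replay_logon_log(lines, tracker: LockoutTracker):
    """Feeds constructed logon records of the form 'time user password' through the tracker."""
    results = []
    for line in lines:
        t, user, pw = line.split()
        results.append(tracker.attempt(user, pw, float(t)))
    return results


if __name__ == "__main__":
    # Constructed sample: three guesses, then the real password while locked, then after expiry.
    sample_log = ["0 bob password", "1 bob letmein", "2 bob qwerty",
                  "3 bob s3cret", "62 bob s3cret", "63 bob 123456"]
    tracker = LockoutTracker(LockoutPolicy(threshold=3, lockout_seconds=60),
                             lambda u, p: u == "bob" and p == "s3cret")
    print(replay_logon_log(sample_log, tracker))
```

In the sample run the locked account refuses the correct password at t=3, and at t=62 the lock has expired and the counter is reset before the attempt is evaluated; a real implementation would take now from the clock rather than from the log line.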

The Routing and Remote Access Management Console

Microsoft has integrated most administration and management functions into Microsoft Management Console (MMC) snap-ins, and RRAS is no exception. The Routing and Remote Access console snap-in enables you to configure and manage an RRAS server. Figure 15-2 shows the Routing and Remote Access console.

Figure 15-2: The Routing and Remote Access console


The RRAS console serves as a central control center for managing most RRAS properties. In addition to configuring ports and interfaces, you can configure protocols, global options and properties, and RRAS policies through the RRAS console. Later sections of this chapter explain how to use the RRAS console to perform specific configuration and administration tasks. Open the console by choosing Start ➪ Programs ➪ Administrative Tools ➪ Routing and Remote Access.

RAS Connection Types and Protocols

Windows 2000 supports several connection types and network protocols for remote access. The following sections explore these connection types and network protocols.

Serial Line Internet Protocol

The Serial Line Internet Protocol (SLIP) is a connection protocol that originated in the UNIX realm. SLIP offers limited functionality in that it does not support error detection or correction. Windows 2000 clients can use SLIP to connect to UNIX servers (or other servers requiring SLIP), but Windows 2000 Server does not support SLIP for dial-in connections.

Point-to-Point Protocol

The Point-to-Point Protocol (PPP) was developed as a standardized alternative to SLIP that offered better performance and reliability. Unlike SLIP, PPP is designed around industry-designed standards and enables essentially any PPP-compliant client to connect to a PPP server. Windows 2000 supports PPP for both dial-in and dial-out connections. On a Windows 2000 RAS server, PPP enables remote clients to use IPX, TCP/IP, NetBEUI, AppleTalk, or a combination thereof. Windows-based clients including Windows 2000, Windows NT, Windows 9x, and Windows 3.x can use any combination of IPX, TCP/IP, or NetBEUI, but AppleTalk is not supported for these clients. Macintosh clients can use either TCP/IP or AppleTalk. PPP supports several authentication protocols, including MS-CHAP, EAP, CHAP, SPAP, and PAP.

Microsoft RAS Protocol

The Microsoft RAS Protocol is a proprietary protocol developed by Microsoft to support NetBIOS and is used for Windows NT 3.1, Windows for Workgroups, MS-DOS, and LAN Manager remote access. Clients must use the NetBEUI protocol, and the remote access server acts as a NetBIOS gateway for the client, supporting NetBEUI, NetBIOS over TCP/IP, and NetBIOS over IPX. The Microsoft RAS Protocol is provided for backward compatibility with older Microsoft operating platforms. Unless you are connecting to one of these older systems, choose PPP as your connection protocol.

Point-to-Point Multilink Protocol and BAP

The Point-to-Point Multilink Protocol (PPMP, or simply Multilink) enables multiple PPP lines to be combined to provide an aggregate bandwidth. For example, you might use Multilink to combine two analog 56Kbps modems to give you an aggregate bandwidth roughly equivalent to 112Kbps. Or, you might combine both B channels of an ISDN Basic Rate Interface (BRI) connection to provide double the bandwidth you would otherwise get from a single channel.

The Bandwidth Allocation Protocol (BAP) works in conjunction with Multilink to provide adaptive bandwidth. As bandwidth utilization increases, BAP enables the client to aggregate additional connections to increase bandwidth and improve performance. As bandwidth utilization decreases, BAP enables the client to drop connections from the aggregate link to reduce connection costs (in cases where multiple connections incur their own charges).

Cross-Reference: See the section “Using Multilink and BAP” later in this chapter to configure and use multilink connections.

Point-to-Point Tunneling Protocol

The TCP/IP protocol suite by itself does not provide for encryption or data security, an obvious concern for users who need to transmit data securely across a public network such as the Internet. The Point-to-Point Tunneling Protocol (PPTP) provides a means for encapsulating and encrypting IP and IPX for secure transmission. PPTP is an extension of PPP that enables you to create a Virtual Private Network (VPN) connection between a client and server.

PPP frames in a PPTP session are encrypted using Microsoft Point-to-Point Encryption (MPPE) with encryption keys generated using the MS-CHAP or EAP-TLS authentication process. PPTP by itself does not provide encryption, but rather encapsulates the already encrypted PPP frames. In order to provide a secure connection, the client must use either MS-CHAP or EAP-TLS authentication. Otherwise, the PPP frames are encapsulated unencrypted (plain text). Figure 15-3 illustrates how PPTP encapsulates data. PPTP is installed by default when you install Windows 2000 RRAS.

Tip: PPTP is a good choice for creating secure connections to a private network through a public network such as the Internet when the remote network isn’t configured to support IPSec.

Layer Two Tunneling Protocol

Layer Two Tunneling Protocol (L2TP) is a draft protocol that combines the features of PPTP with support for IP Security (IPSec) to provide enhanced security. Unlike PPTP, which relies on MPPE for encryption, L2TP relies on IPSec to provide encryption. Therefore, the source and destination routers must support both L2TP and IPSec. Figure 15-3 illustrates how L2TP encapsulates data. L2TP is installed by default when you install Windows 2000 RRAS.

Figure 15-3: PPTP and L2TP use different methods for encapsulation and encryption.

Tip: L2TP provides better security than PPTP by supporting IPSec and is a better choice for creating VPN connections than PPTP when the remote network is configured to support IPSec. See Chapter 3 for a discussion of Windows 2000 security and IPSec.
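To see the two encapsulations concretely, here is an added example (not code from the book) that parses constructed PPTP and L2TP packets down to the PPP protocol field and reports whether the PPP payload is encrypted, which is the distinction the PPTP section draws: PPTP carries plain-text PPP unless MPPE is in use, while L2TP depends on IPSec ESP around the UDP datagram. The GRE and L2TP field layouts follow RFC 2637 and RFC 2661; the addresses, call IDs and tunnel IDs are made up.

```python
"""Inspector for PPTP (IP/GRE/PPP) and L2TP (IP/UDP/L2TP/PPP) encapsulation as drawn in
Figure 15-3. Added example, not code from the book. For PPTP the payload is encrypted only
when the PPP protocol is 0x00FD (MPPE/MPPC compressed datagram); for L2TP encryption comes
from IPSec ESP (IP protocol 50), so bare UDP/1701 L2TP is plain text. Samples are constructed."""
import struct

GRE_PROTO_PPP = 0x880B       # PPP carried in enhanced GRE (PPTP)
IPPROTO_GRE, IPPROTO_UDP, IPPROTO_ESP = 47, 17, 50
L2TP_PORT = 1701
PPP_ENCRYPTED = 0x00FD       # compressed/encrypted datagram (MPPE)
PPP_NAMES = {0x0021: "IPv4", 0x002B: "IPX", 0x003F: "NetBEUI", PPP_ENCRYPTED: "MPPE/MPPC",
             0xC021: "LCP", 0xC023: "PAP", 0xC223: "CHAP", 0xC227: "EAP", 0x80FD: "CCP", 0x8021: "IPCP"}


def parse_ipv4(pkt: bytes):
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[9], pkt[ihl:]                      # (protocol, payload)


def parse_ppp_protocol(ppp: bytes):
    if ppp[:2] == b"\xff\x03":                    # optional HDLC address/control
        ppp = ppp[2:]
    if ppp[0] & 1:                                # protocol-field compression: one odd byte
        return ppp[0], ppp[1:]
    return struct.unpack("!H", ppp[:2])[0], ppp[2:]


def parse_gre(payload: bytes):
    """Enhanced GRE (RFC 2637): flags, protocol, then optional key/seq/ack fields."""
    flags, proto = struct.unpack("!HH", payload[:4])
    if proto != GRE_PROTO_PPP or (flags & 0x7) != 1:
        raise ValueError("not enhanced GRE carrying PPP")
    info, off = {}, 4
    if flags & 0x2000:                            # K: payload length + call ID
        info["payload_len"], info["call_id"] = struct.unpack("!HH", payload[off:off + 4]); off += 4
    if flags & 0x1000:                            # S: sequence number
        info["seq"] = struct.unpack("!I", payload[off:off + 4])[0]; off += 4
    if flags & 0x0080:                            # A: acknowledgment number
        info["ack"] = struct.unpack("!I", payload[off:off + 4])[0]; off += 4
    return info, payload[off:]


def parse_l2tp(udp: bytes):
    """UDP header then L2TPv2 (RFC 2661) header; ppp is empty for control messages."""
    sport, dport = struct.unpack("!HH", udp[:4])
    if L2TP_PORT not in (sport, dport):
        raise ValueError("not L2TP")
    body = udp[8:]
    flags = struct.unpack("!H", body[:2])[0]
    if (flags & 0x000F) != 2:
        raise ValueError("not L2TPv2")
    off = 2
    if flags & 0x4000:                            # L: length field present
        off += 2
    tunnel_id, session_id = struct.unpack("!HH", body[off:off + 4]); off += 4
    if flags & 0x0800:                            # S: Ns/Nr present
        off += 4
    if flags & 0x0200:                            # O: offset size + padding
        off += 2 + struct.unpack("!H", body[off:off + 2])[0]
    info = {"tunnel_id": tunnel_id, "session_id": session_id, "control": bool(flags & 0x8000)}
    return info, (b"" if info["control"] else body[off:])


def inspect(pkt: bytes) -> dict:
    proto, inner = parse_ipv4(pkt)
    if proto == IPPROTO_ESP:
        return {"tunnel": "ipsec-esp", "encrypted": True}   # L2TP/IPSec: nothing inside is visible
    if proto == IPPROTO_GRE:
        info, ppp = parse_gre(inner); tunnel = "pptp"
    elif proto == IPPROTO_UDP:
        info, ppp = parse_l2tp(inner); tunnel = "l2tp"
    else:
        return {"tunnel": None, "encrypted": False}
    result = {"tunnel": tunnel, "encrypted": False, **info}
    if ppp:
        ppp_proto, _ = parse_ppp_protocol(ppp)
        result.update(ppp_protocol=ppp_proto, ppp_name=PPP_NAMES.get(ppp_proto, "other"),
                      encrypted=(ppp_proto == PPP_ENCRYPTED))
    return result


# --- constructed sample packets (addresses and IDs are made up) ---
def ipv4(proto: int, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload


def pptp_packet(ppp_proto: int, body: bytes, call_id: int = 1, seq: int = 7) -> bytes:
    ppp = struct.pack("!H", ppp_proto) + body
    gre = struct.pack("!HHHHI", 0x3001, GRE_PROTO_PPP, len(ppp), call_id, seq)  # K+S set, version 1
    return ipv4(IPPROTO_GRE, gre + ppp)


def l2tp_packet(ppp_proto: int, body: bytes, tunnel_id: int = 5, session_id: int = 9) -> bytes:
    ppp = b"\xff\x03" + struct.pack("!H", ppp_proto) + body
    l2tp = struct.pack("!HHHH", 0x4002, 8 + len(ppp), tunnel_id, session_id) + ppp  # L set, version 2
    udp = struct.pack("!HHHH", L2TP_PORT, L2TP_PORT, 8 + len(l2tp), 0) + l2tp
    return ipv4(IPPROTO_UDP, udp)
```

For a defender the useful field is encrypted: a PPTP tunnel whose PPP protocol is 0x0021 rather than 0x00FD means MPPE was not negotiated and the user's traffic crosses the public network in the clear, which is the failure case the PPTP section warns about; an L2TP packet that arrives as bare UDP/1701 rather than inside ESP tells the same story for L2TP.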

Figure 15-3 layout: PPTP frame: IP Header | GRE Header | PPP Header | PPP Payload (IP datagram, IPX datagram, or NetBEUI frame). L2TP frame: IP Header | UDP Header | L2TP Header | PPP Header | PPP Payload (IP datagram, IPX datagram, or NetBEUI frame) | IPSec ESP Trailer | IPSec Auth. Trailer.

Transport Protocols

As mentioned previously in this chapter, RRAS supports four network protocols: TCP/IP, IPX, NetBEUI, and AppleTalk. A Windows 2000 RAS server supports all four protocols for incoming connections. Windows 2000 RAS clients support all except AppleTalk. When you install RRAS, Windows 2000 enables all currently installed protocols for incoming and outgoing RAS connections. As you’ll learn later in the section “Configuring RAS for Incoming Connections,” you can configure the supported protocols to enable clients to access only the RAS server or access the LAN. You configure access on a protocol-by-protocol basis.

TCP/IP

As a dial-out protocol, TCP/IP enables you to connect a Windows 2000 client to nearly any TCP/IP-based network including the Internet. You can statically assign the IP address, subnet mask, default gateway, and other settings for the dial-out connection or allow the remote server to assign the connection properties. As a protocol for incoming connections, TCP/IP enables essentially any client that supports TCP/IP and PPP to connect to a Windows 2000 RAS server. As you’ll learn later in the section “Configuring RAS for Incoming Connections,” you can allocate addresses from a static pool or use DHCP to allocate addresses and other connection properties to remote clients. In addition, clients can request a predefined IP address (defined at the client side through the connection properties).

IPX

The IPX protocol is used primarily in environments where Novell NetWare clients or servers are used. Support for IPX enables a Windows 2000 RAS server to coexist with NetWare servers and enables clients to access NetWare resources through the RAS connection. A Windows 2000 RAS server hosting IPX also serves as an IPX router, handling RIP, SAP, and NetBIOS traffic between the local network and the remote client. In addition to using the IPX protocol, the remote client must run a NetWare redirector. The server must be running the IPX/SPX/NetBIOS-compatible protocol.

Note: The Windows 2000 Professional NetWare redirector is Client Service for NetWare. In Windows 2000 Server, the redirector is Gateway Service for NetWare.

A Windows 2000 RAS server allocates IPX network numbers and node numbers to connecting clients. The server can generate the IPX network number automatically or, as it can for TCP/IP, allocate numbers from a static pool assigned by an administrator. If assigning a number dynamically, the server first verifies that the number is not already in use on the network. The server then allocates that number to all remote access clients. Assigning the same network number to all clients reduces RIP announcements from the RAS server.

NetBEUI

NetBEUI is a good protocol choice for small, non-routed networks (NetBEUI is not a routable protocol). Because it is non-routable, NetBEUI can offer some measure of security for a private network that is connected to the Internet. Internal systems that don’t require Internet access can use NetBEUI and be invisible to computers on the Internet. Supporting NetBEUI for Windows 2000 RAS enables NetBEUI clients to dial into the RAS server and gain access to resources shared on the server or on the network by other NetBEUI clients. However, NetBEUI clients will need access to a WINS server on the network where they connect to resolve IP-addressed resources.

AppleTalk

The AppleTalk protocol is used by Macintosh network clients. Windows 2000 RAS supports AppleTalk to enable remote Macintosh clients to connect to the server and access resources shared by the server or other AppleTalk clients on the network. In order to use AppleTalk for RAS dial-in, you must install the AppleTalk protocol on the RAS server.


Configuring RAS for Inbound Connections

RRAS in Windows 2000 really takes three distinct directions: routing, inbound connections (RAS server), and outbound connections (RAS client). This section explains how to configure a Windows 2000 server as a RAS server. When you install Windows 2000, Setup by default installs RRAS, so you don’t need to install it separately. You do, however, need to configure it. The following sections explain how to configure modems, ports, protocols, encryption, and other properties to set up and manage a RAS server.

Enabling RRAS

Although Windows 2000 installs RRAS by default, you still need to enable the service to begin configuring and using it. To do so, choose Start ➪ Programs ➪ Administrative Tools ➪ Routing and Remote Access to open the RRAS console. Right-click the server in the left pane and choose Configure and Enable Routing and Remote Access to start the RRAS Setup Wizard. You can use the wizard to automatically configure RRAS for specific applications, or you can configure the service manually. The following sections explain the options offered by the wizard.

Tip: If you enable RRAS and choose to configure it manually, then later decide you’d like to run the wizard, you can do so but will lose the current configuration settings. To reconfigure the service through the wizard, open the RRAS console, right-click the server, and choose Disable Routing and Remote Access. After the service stops, right-click the server again and choose Configure and Enable Routing and Remote Access.

Internet connection server

Select this option to configure the RRAS server to enable local network clients to connect to the Internet. As such, the RRAS server functions as an Internet gateway.

Cross-Reference: See the section on network address translation in Chapter 12 for detailed information on configuring RRAS to function as an Internet connection gateway. Optionally, you can configure the server to use Internet Connection Sharing (ICS) to allow shared access by local clients to an existing Internet connection on the server. The previously mentioned section of Chapter 12 also covers ICS.

Remote access server

Select this option to configure the RRAS server to enable remote access clients to connect through the server to access resources on the server or on the local network. The wizard prompts for the following:

✦ Protocols: Specify the protocols to be supported, which must already be installed on the RRAS server. All installed protocols are enabled for RRAS by default. You can, however, disable specific protocols after the wizard finishes.


✦ Network interface: The wizard prompts for the network interface to which to assign remote clients, which determines where the addresses and other access properties come from. In a multi-homed server, select the network interface where the DHCP server is located, if allocating addresses through DHCP.

✦ IP address assignment: You can choose to assign addresses through DHCP (see previous option) or from a static address pool. If you choose to use a static pool, the wizard prompts you for the range of addresses to use. See the section “Configuring Protocols” later in this chapter for detailed information regarding address assignment.

You can allow remote clients to request a pre-assigned IP address configured at the client side. See the section “Configuring Protocols” later in this chapter for a detailed explanation.

✦ RADIUS: You can configure the RRAS server to use RADIUS for authentication and accounting. You specify the IP address or host name for the primary and alternate RADIUS servers, along with the RADIUS shared secret, which essentially is a password the RRAS server uses to authenticate its right to access the RADIUS servers. Windows 2000 includes a RADIUS server called Internet Authentication Service (IAS) that you can use for RRAS and other applications requiring RADIUS authentication, or you can use any RADIUS server. See the section “Using RADIUS” later in this chapter for more information.
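The shared secret described in this bullet, and the RADIUS client role from the “RADIUS support” section earlier, in working form as an added example (not code from the book, from RRAS or from IAS): an Access-Request built the way RFC 2865 specifies, with the User-Password hidden under MD5(secret + authenticator) and the server's reply carrying a Response Authenticator that the RAS client checks with the same secret. The RadiusServer class stands in for IAS; the user name, password, secret, NAS address and Called-Station-Id value are constructed.

```python
"""Minimal RADIUS Access-Request / Access-Accept exchange (RFC 2865) showing what the
shared secret does. Added example, not code from the book, RRAS or IAS. The RadiusServer
class stands in for IAS; names, secret, password and addresses are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, CALLED_STATION_ID = 1, 2, 4, 30


def encode_attrs(attrs) -> bytes:
    # Each attribute: Type(1) Length(1, including this header) Value.
    return b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)


def decode_attrs(data: bytes):
    out, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        out.append((t, data[i + 2:i + length]))
        i += length
    return out


def _pad16(password: bytes) -> bytes:
    target = max(16, ((len(password) + 15) // 16) * 16)  # at least one 16-byte block
    return password.ljust(target, b"\x00")


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: c_i = p_i XOR MD5(secret + c_{i-1}), with c_0 = Request Authenticator."""
    out, prev = b"", request_auth
    padded = _pad16(password)
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def pack(code: int, ident: int, authenticator: bytes, attrs) -> bytes:
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def unpack(pkt: bytes):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    return code, ident, length, pkt[4:20], pkt[20:length]


def response_authenticator(code, ident, length, request_auth, attrs_bytes, secret) -> bytes:
    # MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3.
    return hashlib.md5(struct.pack("!BBH", code, ident, length) + request_auth + attrs_bytes + secret).digest()


def build_access_request(ident, username, password, secret, called_station):
    request_auth = os.urandom(16)
    attrs = [(USER_NAME, username), (USER_PASSWORD, hide_password(password, secret, request_auth)),
             (NAS_IP_ADDRESS, bytes([10, 0, 0, 1])), (CALLED_STATION_ID, called_station)]
    return pack(ACCESS_REQUEST, ident, request_auth, attrs), request_auth


class RadiusServer:
    """Stands in for IAS: knows this RAS client's shared secret and a user table."""

    def __init__(self, secret: bytes, users: dict):
        self.secret, self.users = secret, users

    def handle(self, pkt: bytes) -> bytes:
        code, ident, length, request_auth, attr_bytes = unpack(pkt)
        attrs = dict(decode_attrs(attr_bytes))
        password = reveal_password(attrs.get(USER_PASSWORD, b""), self.secret, request_auth)
        ok = code == ACCESS_REQUEST and self.users.get(attrs.get(USER_NAME)) == password
        resp_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
        auth = response_authenticator(resp_code, ident, 20, request_auth, b"", self.secret)
        return struct.pack("!BBH", resp_code, ident, 20) + auth   # reply carries no attributes


def verify_response(resp: bytes, request_auth: bytes, secret: bytes):
    """RAS client side: returns (authenticator_valid, code)."""
    code, ident, length, auth, attr_bytes = unpack(resp)
    expected = response_authenticator(code, ident, length, request_auth, attr_bytes, secret)
    return hmac.compare_digest(auth, expected), code


def run_exchange(client_secret: bytes, server: RadiusServer, username: bytes, password: bytes):
    req, request_auth = build_access_request(0x2A, username, password, client_secret, b"5551234")
    return verify_response(server.handle(req), request_auth, client_secret)
```

run_exchange() returns (authenticator_valid, code). With matching secrets a correct password yields (True, 2) and a wrong one (True, 3); with a mismatched secret the server cannot recover the password and rejects, and the client cannot validate the reply either, so the result is (False, 3), which is why a secret mismatch shows up as every logon failing rather than as an obvious configuration error.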

Virtual private network server

Select this option to configure RRAS as a VPN server, enabling clients to use PPTP or L2TP to dial in from a public network such as the Internet (or direct dial-up) and establish a secure connection to the local network. By default, RRAS configures five ports each for PPTP and L2TP, but you can add or remove ports as desired. The wizard prompts for the same information described in the previous section and also prompts for the network interface through which the RRAS server connects to the Internet. The VPN server must have a second network interface for the internal LAN.

Network router

Select this option to configure the RRAS server to function as a router. The wizard prompts you to verify that the required protocols are installed (listing them for you), then prompts you to choose whether or not you want to use demand-dial connections to access remote networks. If you choose No, the wizard completes the configuration and terminates. If you answer Yes, the wizard asks if you want to assign IP addresses through DHCP or a static address pool (if IP is installed on the server). Choosing Yes does not cause the wizard to configure any demand-dial connections; you configure those through the RRAS console after the wizard finishes.


Manually configured server

Select this option if you want to manually configure all RRAS server settings. Windows 2000 configures the server as a RAS server and router with default settings. You can run the wizard again if desired to automatically configure the server, although you’ll lose the current configuration settings. See the previous section, “Enabling RRAS,” to learn how to restart the wizard.

Note: The following sections assume you are configuring the server manually rather than using the wizard, or fine-tuning settings after running the wizard.

Configuring Modems and Ports

One of the first steps to take in setting up a Windows 2000 RAS server is to install and configure the hardware and ports that will handle the incoming calls. You configure a standard modem through the Control Panel. If the modem is not already installed, open the Control Panel and double-click the Phone and Modem Options object. Click the Modems tab, then click Add to start the Add/Remove Hardware wizard. You have the option of selecting the modem manually or letting Windows 2000 search for it. Repeat the process for any additional modems you are installing on the system.

Cross-Reference: For additional help installing hardware, refer to Chapter 6.

Other types of dial-up equipment require different installation and configuration steps that vary from one item to the next. It isn’t practical to cover all types in this chapter, so you might have to refer to the manufacturer’s documentation to learn how to properly install the hardware. If you’re setting up a server connected to the Internet to act as a VPN server for your local network, install the network hardware, connect the system to the Internet, and verify that the server has connectivity to both the LAN and Internet.

You configure ports for incoming access through the RRAS console. If you click on the Ports node, the console displays the installed RAS ports. Windows 2000 by default installs both the PPTP and L2TP protocols for VPN support and adds five ports for each protocol (to support up to five incoming connections of each type). You can view the status of a given port by double-clicking the port in the list or right-clicking the port and choosing Status. Windows 2000 displays a Port Status dialog box for the port that shows line speed, errors, and protocol-specific data such as IP address, IPX address, and so on.

To configure ports, right-click Ports in the right pane of the RRAS console and choose Properties. Windows 2000 displays a Ports Properties dialog box listing each of the port types. For example, all PPTP ports appear under a single item in the list, as do all L2TP ports and individual modems. Select the port type you want to configure and click Configure. Windows 2000 displays the Configure Device dialog box shown in Figure 15-4.


Figure 15-4: The Configure Device dialog box

The following list explains the options in the Configure Device dialog box:

✦ Remote access connections (inbound only): Select this option to allow the selected port to handle incoming connections only and not function as a demand-dial router for outgoing connections.

✦ Demand-dial routing connections (inbound and outbound): Select this option to allow the port to handle incoming calls and function as a demand-dial router to service local clients for outgoing calls.

✦ Phone number for this device: This option is used for Called-Station-ID and BAP-enabled connections and to identify the IP address for PPTP and L2TP ports. Some devices support automatic recognition of the device’s phone number for Called-Station-ID, so you only need to add the number manually if the device doesn’t support automatic recognition. The number must match the number defined in the Called-Station-ID attribute of the remote access policy that is in effect, or the call is rejected. For BAP, this property is passed to the client when it requests an additional connection so it knows what number to dial for the new connection. For PPTP and L2TP ports, enter the IP address in dotted decimal format to assign to the VPN interface of the server.

✦ Maximum ports: Use this control to specify the maximum number of ports enabled on a multiport device or protocol (such as PPTP or L2TP).

Configuring Protocols

In addition to configuring the ports used by the RRAS server, you also need to configure the protocols to be used by remote access clients. You should verify that you have the necessary protocols installed prior to attempting to configure the protocols for RRAS. The following sections explain the options you have for each of the supported RRAS protocols.

TCP/IP

You can assign IP addresses to remote access clients using one of three methods: DHCP, a static address pool, or by allowing the client to request a pre-assigned IP address.


Assigning addresses through DHCP

When the RRAS service starts, it checks for the availability of a DHCP server (if configured to use DHCP for address assignment) and obtains ten leases from the DHCP server. The RRAS server uses the first lease for itself and assigns the remaining addresses to RAS clients as they connect, recovering and reusing addresses as clients disconnect. When the pool of ten addresses is exhausted, the RRAS server obtains ten more, and the process repeats as needed. When the RRAS service stops, it releases all addresses, making them available for other DHCP clients on the network.

The RRAS service falls back to Automatic Private IP Addressing (APIPA) if it is unable to locate a DHCP server at startup. APIPA assigns addresses from the reserved class B range 169.254.0.1 through 169.254.255.254 (subnet mask 255.255.0.0). APIPA is designed to allow automatic IP configuration when no DHCP server is available. Because APIPA is intended for use in internal, single-segment networks, it does not allocate settings for default gateway, DNS servers, or WINS servers, so remote clients that end up with APIPA addresses can reach little more than the RRAS server itself. If remote clients unexpectedly receive 169.254.x.x addresses, check that a DHCP server was reachable on the adapter RRAS uses when the service started.

RRAS by default selects a network interface at random from which to obtain the DHCP leases for RAS clients. You can, however, specify the interface to pull addresses from a specific network segment/server when the RRAS server is multihomed (multiple network interfaces). You do so through the IP page of the server's properties. In the RRAS console, right-click the server and choose Properties, then click the IP tab (Figure 15-5). Use the Adapter drop-down list at the bottom of the property page to select the adapter, or choose "Allow RAS to select adapter" if you want to allow RRAS to automatically select an adapter. On a multihomed VPN server, pick the LAN adapter explicitly, so that the leases (and the subnet the remote clients land on) come from the internal network rather than from whatever DHCP server answers on the Internet-facing interface.

Figure 15-5: The IP tab


The Adapter drop-down list only appears on multi-homed systems.

Using a static address pool

You can assign addresses to RAS clients from a static pool if you have no DHCP server on the network or simply prefer not to use DHCP for the RAS server. In previous versions of RRAS (Windows NT), you could configure included and excluded address ranges. In Windows 2000, however, you only create included ranges. You can achieve the same effect as an excluded range by simply creating multiple included ranges that don't include the address range you want to exclude.

You configure the static address pool through the IP property page for the server. In the RRAS console, right-click the server, choose Properties, and then click the IP tab. Select the option "Static address pool" and then click Add to display the New Address Range dialog box. You specify a starting address for the range, then either the ending address or the number of addresses to include in the pool. Windows 2000 determines the ending address for you if you specify the number of addresses, and it also determines the required subnet mask based on the selected address range. Click OK to add the range, then repeat the process if you need to add other ranges.

When defining static address pools for RRAS, make sure you don't use addresses already allocated to other systems or to DHCP scopes on the network; an overlap produces duplicate-address conflicts that are hard to trace back to the RAS server. If the static address pool is in a different subnet from the local network, you must either enable IP routing on the RRAS server (configured through the IP page of the server's global properties) or add static routes for the pool's subnet on the LAN routers, pointing at the RRAS server, so that return traffic can find the remote clients.
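As an added example (not code from the chapter or from Windows), the following Python script plans a static pool the way the New Address Range dialog does and then applies the two checks just described: it derives the end address and the covering subnet mask from a start address and a count, flags addresses that collide with a DHCP scope or with hosts already in use, and reports whether the pool lies outside the LAN subnet and therefore needs IP routing or static routes. The LAN subnet, DHCP scope and host addresses are constructed sample values.

```python
"""Static address pool planner for an RRAS server.

Added example, not from the chapter or from Windows 2000. The subnet, DHCP
scope and host addresses used below are constructed sample data.
"""
import ipaddress


def pool_from_count(start: str, count: int):
    """RRAS lets you give a start address and a number of addresses and fills
    in the end address. Returns (first, last) as IPv4Address objects."""
    if count < 1:
        raise ValueError("a pool needs at least one address")
    first = ipaddress.IPv4Address(start)
    last = first + (count - 1)
    return first, last


def covering_network(first, last) -> ipaddress.IPv4Network:
    """Smallest single subnet that contains the whole pool. The subnet mask
    shown for a range is derived this way: keep the prefix bits common to the
    first and last address and mask off the rest."""
    differing = int(first) ^ int(last)
    prefix = 32 - differing.bit_length()
    return ipaddress.ip_network(f"{first}/{prefix}", strict=False)


def _bounds(item: str):
    """Accept 'a.b.c.d', 'a.b.c.d/n' or 'a.b.c.d-a.b.c.e'; return (lo, hi) as ints."""
    if "-" in item:
        lo, hi = (ipaddress.IPv4Address(x.strip()) for x in item.split("-", 1))
        return int(lo), int(hi)
    net = ipaddress.ip_network(item, strict=False)
    return int(net.network_address), int(net.broadcast_address)


def conflicts(first, last, in_use):
    """Items from in_use (DHCP scopes, servers, routers) that overlap the pool.
    Interval comparison, so a large scope costs nothing extra to check."""
    lo, hi = int(first), int(last)
    hits = []
    for item in in_use:
        item_lo, item_hi = _bounds(item)
        if item_lo <= hi and item_hi >= lo:
            hits.append(item)
    return hits


def plan_pool(start: str, count: int, lan_subnet: str, in_use):
    """Summarise one static address range the way an administrator needs to
    see it before clicking OK in the New Address Range dialog."""
    first, last = pool_from_count(start, count)
    lan = ipaddress.ip_network(lan_subnet)
    on_lan = first in lan and last in lan
    return {
        "first": str(first),
        "last": str(last),
        "mask": str(covering_network(first, last).netmask),
        "on_lan_subnet": on_lan,
        "conflicts": conflicts(first, last, in_use),
        "routing": ("none needed, pool is on-link"
                    if on_lan else
                    "enable IP routing on the RRAS server or add a static route "
                    "for the pool on the LAN routers pointing at the RRAS server"),
    }


if __name__ == "__main__":
    # Constructed sample LAN: 192.168.10.0/24, gateway .1, DHCP scope .50-.99,
    # and a print server at .110 that nobody documented.
    busy = ["192.168.10.1", "192.168.10.50-192.168.10.99", "192.168.10.110"]
    for start, count in (("192.168.10.100", 20), ("10.20.30.1", 100)):
        for key, value in plan_pool(start, count, "192.168.10.0/24", busy).items():
            print(f"{key:14} {value}")
        print()
```

The second sample pool (10.20.30.1, 100 addresses) is deliberately off-subnet: the planner reports it as needing routing, which is the case the paragraph above warns about.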

Allowing clients to use pre-assigned IP addresses

In some situations, it's advantageous for clients to be able to use the same IP address for each remote session. For example, users might work with applications that expect remote users to be at specific IP addresses. Arbitrarily allowing clients to request whatever IP address they like could lead to address havoc and potential routing problems, but Windows 2000 avoids that problem by taking the remote client's IP address from his or her account properties rather than trusting the address the client asks for. Enabling a client to request a pre-assigned IP address requires two steps. First, you must configure the applicable remote access policy to allow the user to request a pre-assigned IP address. Second, you must specify the address in the user's account properties.

You configure the remote access policy through the RRAS console. See the section "Remote Access Policy" later in this chapter for detailed information on configuring and managing remote access policies.

Where you modify the user's account properties depends on the network configuration. On a standalone server (no domain), you modify the user's properties through the Local Users and Groups node of the Computer Management console. Open the account's properties and click the Dial-in tab. Select the option "Assign a Static IP Address" and specify the desired address in the associated text box. For information on other properties on the Dial-in tab, see the section "Remote Access Policy" later in this chapter. You'll find the same properties for users in a domain in the Active Directory Users and Computers console. Configure properties as you would on a standalone server.

Enabling/disabling IP for RRAS

Windows 2000 RRAS by default enables for RRAS all protocols installed on the server. You can selectively disable a protocol if you don't want to allow that protocol to be used for remote connections. To enable or disable IP for RAS, open the RRAS console, right-click the server, and choose Properties. On the IP property page, select or deselect the option "Allow IP-based remote access and demand-dial connections" to enable or disable IP for RAS, respectively.

IP routing and restricting access to the RAS server

By default, the RRAS server allows remote clients access not only to the local server, but also to the network (subject to permissions and policies applied to the remote client or local resources). As such, the RRAS server provides IP routing to the remote clients, routing traffic between the remote client and the LAN. You can prevent remote clients from accessing the LAN by disabling IP routing on the RRAS server. To do so, open the RRAS console, right-click the server, and choose Properties. On the IP page, deselect the option "Enable IP routing" to prevent remote clients from accessing the LAN and to restrict their access only to resources on the RRAS server.

IP routing must be enabled if you're using the RRAS server to provide LAN or demand-dial routing. See the section "Network Address Translation" in Chapter 12 for a detailed discussion of Windows 2000 routing through RRAS.

NetBEUI

One of the advantages of NetBEUI is that as a simple, non-routable protocol, it is easy to configure. For RRAS, you have three options that control how NetBEUI is used for remote clients. You configure these properties through the server's properties. Open the RRAS console, right-click the server, choose Properties, and click the NetBEUI tab. Use the following options to configure NetBEUI:

✦ Allow NetBEUI based remote clients to access: Select this option to allow remote clients to use NetBEUI; deselect to disable NetBEUI for RRAS on the selected server.

✦ This computer only: Select this option to allow remote clients to access only resources shared on the RRAS server, but not the network to which the server is attached.

✦ The entire network: Select this option to allow remote clients to access resources on the RRAS server as well as resources shared on the LAN to which the server is connected. Access to resources is subject to object permissions and policies just like local users.

IPX

The first step in configuring IPX is to decide how IPX network and node numbers will be assigned to remote clients. You also can enable/disable IPX for RAS connections and control which resources the IPX clients can access. Open the RRAS console, right-click the server, choose Properties, and click the IPX tab to configure the following properties:

✦ Allow IPX based remote access and demand-dial connections: Select this option to enable IPX for RRAS; deselect to prevent remote clients from using IPX for remote connections.

✦ Enable network access for remote clients and demand-dial connections: Select this option to allow remote IPX clients to access IPX-based resources (NetWare servers, for example) on the LAN to which the RRAS server is connected; deselect to allow remote IPX clients access only to resources on the RRAS server.

✦ Automatically: This option allows the RRAS server to automatically allocate IPX network numbers to remote access clients and demand-dial routers that request connections to the RRAS server.

✦ In the following range: Use this option to specify a range of IPX network numbers the RRAS server will use to allocate network numbers to remote clients and demand-dial routers.

✦ Use the same network number for all IPX clients: Use this option to have the RRAS server assign the same IPX network number to all clients, reducing RIP announcements and corresponding network traffic.

✦ Allow remote clients to request IPX node number: Select this option to allow remote access clients and demand-dial routers to request a specific IPX node number when the connection is established. Leave this deselected unless you need it; a client that picks its own node number can claim one already in use by another client.

AppleTalk

There is essentially no configuration necessary for AppleTalk on an RRAS server. Use the AppleTalk page of the server's properties to enable or disable AppleTalk for remote connections.

Configuring Authentication

After you have configured protocols on the RRAS server, you need to turn your attention to authentication and encryption, configuring the server to suit your needs.


Configuring PPP

Windows 2000 offers a few options you can configure that control PPP connections to the server. In the RRAS console, right-click the server, choose Properties, and click the PPP tab. The PPP page offers the following options:

✦ Multilink connections: Select this option to allow remote clients to request and use multilink connections. This option enables multilink connections but does not explicitly enable dynamic link management through BAP or BACP, which is controlled by the following option. See the section "Using Multilink and BAP" later in this chapter for additional information.

✦ Dynamic bandwidth control using BAP or BACP: This option enables the server and client to use Bandwidth Allocation Protocol and Bandwidth Allocation Control Protocol to dynamically multilink connections, adding links when bandwidth utilization increases and removing links when bandwidth utilization decreases.

✦ Link control protocol (LCP) extensions: LCP extensions enable LCP to send Time-Remaining and Identification packets, and to request callback during LCP negotiation. Deselect this option only if the remote clients don't support LCP extensions.

✦ Software compression: Select this option to have the RRAS server use Microsoft Point-to-Point Compression protocol (MPPC) to compress data transmitted to remote clients. Deselect this option if the remote clients don't support MPPC.

Configuring authentication

As mentioned earlier in this chapter, Windows 2000 RRAS supports several authentication standards. You can configure RRAS to accept multiple authentication methods, and the server will attempt authentication using the selected protocols in order of decreasing security. For example, RRAS attempts EAP first if EAP is enabled, then MS-CHAP version 2, then MS-CHAP, and so on. Keep in mind that this order is only the server's preference: a client that rejects the stronger methods during PPP negotiation is offered the next one on the list, so every method you leave enabled is a method a connection can end up using. Enable only the methods your clients actually need.

You configure the authentication methods for RRAS through the Security page of the RRAS server's properties (accessed from the RRAS console). Click Authentication Methods on the Security page to access the Authentication Methods dialog box shown in Figure 15-6. Select the authentication methods you want to allow, then click OK. The following sections provide an overview of each method and, where applicable, how to configure and enable them.

You can require a specific authentication method for a client through a remote access policy. The following sections don't cover configuring authentication through a remote policy for each authentication protocol, but you will find coverage of that topic in the section "Remote Access Policy" later in this chapter.

Figure 15-6: You can configure multiple authentication methods through the Authentication Methods dialog box, and RRAS attempts them in decreasing order of security provided.

EAP

EAP stands for Extensible Authentication Protocol. EAP enables the client and server (or IAS, if used for RAS authentication) to negotiate an authentication method from a pool of methods supported by the server. Windows 2000 EAP provides support for two EAP types: EAP-MD5 CHAP and EAP-TLS. Both the client and authentication server must support the same EAP type for authentication through EAP, and you can install additional EAP types from third parties on a Windows 2000 server.

EAP-MD5 CHAP functions much the same as standard CHAP, but challenges and responses are sent as EAP messages. EAP-MD5 CHAP authenticates with user names and passwords, and it carries the same requirements and weaknesses as CHAP, including the need for reversibly encrypted passwords. EAP-TLS, on the other hand, uses certificates to authenticate remote clients: the client and server run a TLS handshake in which each side proves possession of the private key matching its certificate, and no password or private key ever crosses the link. EAP-TLS provides the most secure authentication of all the methods supported by Windows 2000.

Windows 2000 supports EAP-TLS only in domain environments (either mixed mode or native). RRAS on a standalone server does not support EAP-TLS.

Enabling RRAS to support EAP requires three steps. First, enable EAP as an authentication method in the Authentication Methods dialog box through the RRAS server's properties. Then, if necessary, configure the remote client's remote access policy to allow EAP, as explained later in the section "Remote Access Policy." Finally, configure the client to use the appropriate EAP type. See the section "Configuring Outgoing Dial-Up Networking Connections" in this chapter for a detailed explanation.


Configuring EAP-RADIUS

In addition to supporting the two EAP types described previously, Windows 2000 also enables authentication messages for any EAP type to be relayed to RADIUS servers (such as Windows 2000 systems running IAS). EAP-RADIUS encapsulates and formats the messages going from the RRAS server to the RADIUS server as RADIUS messages. The RADIUS server encapsulates the EAP response as a RADIUS message and passes it to the RRAS server, which relays it to the client. In this way, the RRAS server functions as a relay and doesn't actually perform the authentication, nor does it require the EAP type used to be installed on the RRAS server. Instead, the EAP type must be installed on the RADIUS server.

In addition to configuring the client to use EAP and the appropriate EAP type, you must enable EAP authentication on the RRAS server, configure it to point to the appropriate RADIUS server, and also install the required EAP type on the RADIUS server. You configure the RRAS server to accommodate EAP through the Authentication Methods dialog box for the server, as explained previously. To point the RRAS server to the RADIUS server, open the server's Security property page and select RADIUS Authentication from the Authentication Provider drop-down list. Click Configure ➪ Add to display the Add RADIUS Server dialog box shown in Figure 15-7.

Figure 15-7: The Add RADIUS Server dialog box

Use the following list as a guide to configure RADIUS server options:

✦ Server name: Specify the FQDN or IP address of the RADIUS server.

✦ Secret: Enter the shared secret that the RRAS server and the RADIUS server use to authenticate each other's messages and to hide user passwords in transit. You can use any alphanumeric characters and special characters in the string, up to 255 characters. The shared secret is case-sensitive and must match exactly on both sides; a mismatch shows up on the RRAS side as rejected or timed-out authentications rather than as a clear error. Use a long, random secret, because it is the only thing protecting the exchange on the path between the two servers.

✦ Time-out (seconds): This is the period of time the RRAS server will wait for a response from the RADIUS server before timing out and failing the authentication.


✦ Initial score: This value indicates the overall responsiveness of the RADIUS server. This number changes dynamically as the responsiveness of the RADIUS server changes. RRAS queries the servers in order of highest to lowest score (the higher the score, the better the responsiveness). Use this option to specify an estimated initial score.

✦ Port: Specify the UDP port used by the RADIUS server for incoming authentication requests. The default is 1812 for newer RADIUS servers and 1645 for older RADIUS servers.

✦ Always use digital signatures: Select this option to force the RRAS server to send a digital signature with each RADIUS message. The signature is the RADIUS Message-Authenticator attribute, an HMAC-MD5 over the packet keyed with the shared secret, so a RADIUS server that checks it can detect requests that were altered in transit or sent by a host that does not know the secret. Make sure the RADIUS server supports and is configured for receipt of digital signatures before enabling this option. If you're using IAS and the client entry for this server is configured to require the RRAS server to always send a digital signature, you must select this option.

See the section "RRAS Logging and Accounting" later in this chapter to configure the RRAS server for RADIUS accounting.

Repeat the process described previously to add other RADIUS servers as required.
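As an added example (not the chapter's code, nor Microsoft's), the following Python script shows what the shared secret and the "Always use digital signatures" option do on the wire, built from RFC 2865 and RFC 3579 with the standard library only: it builds an Access-Request the way the RRAS server would, hiding the User-Password with the secret and adding the Message-Authenticator, and then performs the checks a RADIUS server such as IAS makes on receipt. The NAS address, user name, password and secret are constructed sample values.

```python
"""RADIUS Access-Request as the RRAS server sends it, and the checks the
RADIUS server makes. Built from RFC 2865 (packet format, User-Password
hiding) and RFC 3579 (Message-Authenticator). Added example, not code from
the chapter, from Windows 2000 or from IAS; every name and secret below is a
constructed sample value.
"""
import hashlib
import hmac
import ipaddress
import os
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 1, 2, 4, 80


def attribute(kind: int, value: bytes) -> bytes:
    """Type-Length-Value; Length counts the two header bytes (RFC 2865 section 5)."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1 to 253 bytes")
    return bytes([kind, len(value) + 2]) + value


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with an MD5
    keystream chained from the shared secret and the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    if not padded:
        padded = b"\x00" * 16
    hidden, previous = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + previous).digest()
        chunk = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        hidden, previous = hidden + chunk, chunk
    return hidden


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password, run by the RADIUS server with its copy of the secret."""
    clear, previous = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + previous).digest()
        clear += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        previous = hidden[i:i + 16]
    return clear.rstrip(b"\x00")


def build_access_request(ident: int, secret: bytes, user: bytes, password: bytes,
                         nas_ip: str, sign: bool = True) -> bytes:
    """What the RRAS server sends. sign=True corresponds to 'Always use digital
    signatures': a Message-Authenticator attribute holding HMAC-MD5 over the
    whole packet, keyed with the shared secret (RFC 3579 section 3.2)."""
    request_auth = os.urandom(16)
    attrs = (attribute(USER_NAME, user)
             + attribute(USER_PASSWORD, hide_password(password, secret, request_auth))
             + attribute(NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed))
    if sign:
        attrs += attribute(MESSAGE_AUTHENTICATOR, b"\x00" * 16)   # placeholder, filled below
    packet = struct.pack("!BBH", ACCESS_REQUEST, ident & 0xFF, 20 + len(attrs)) + request_auth + attrs
    if sign:
        mac = hmac.new(secret, packet, hashlib.md5).digest()
        packet = packet[:-16] + mac      # Message-Authenticator is the last attribute
    return packet


def parse_attributes(packet: bytes):
    """Return [(type, value, offset_of_value)] for the attributes after the 20-byte header."""
    pos, found = 20, []
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        kind, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute length")
        found.append((kind, packet[pos + 2:pos + length], pos + 2))
        pos += length
    return found


def server_check(packet: bytes, secret: bytes, require_signature: bool = True):
    """The receiving RADIUS server's side. require_signature models the IAS
    client setting that insists on a Message-Authenticator. Returns
    (user, password) or raises ValueError."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    request_auth = packet[4:20]
    attrs = parse_attributes(packet)
    signatures = [(value, off) for kind, value, off in attrs if kind == MESSAGE_AUTHENTICATOR]
    if signatures:
        value, off = signatures[0]
        zeroed = packet[:off] + b"\x00" * 16 + packet[off + 16:]
        expected = hmac.new(secret, zeroed, hashlib.md5).digest()
        if not hmac.compare_digest(expected, value):
            raise ValueError("Message-Authenticator mismatch: wrong shared secret or altered packet")
    elif require_signature:
        raise ValueError("request carries no Message-Authenticator and this server requires one")
    fields = {kind: value for kind, value, _ in attrs}
    return fields[USER_NAME], reveal_password(fields[USER_PASSWORD], secret, request_auth)


if __name__ == "__main__":
    secret = b"Xq7!longRandomSharedSecret"          # constructed sample secret
    request = build_access_request(7, secret, b"alice", b"hunter2", "192.0.2.10")
    print("accepted:", server_check(request, secret))
    try:
        server_check(request, b"wrong-secret")
    except ValueError as err:
        print("rejected:", err)
```

Run the receiving side with a wrong secret and the signed request is rejected outright; the unsigned variant (sign=False, require_signature=False) is accepted and merely yields a garbled password, which is why a RADIUS server configured to require the signature, paired with the option enabled on the RRAS side, is the safer combination.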

MS-CHAP version 2

MS-CHAP v2 (Microsoft Challenge Handshake Authentication Protocol version 2) is an improvement on the original MS-CHAP v1 that addresses a handful of security issues. With MS-CHAP v2, the authentication server sends a challenge to the client containing a session ID and an arbitrary challenge string. The client returns the user name, an arbitrary peer challenge string, and a one-way function of the received challenge string, peer challenge string, session ID, and user password. The server checks the client response and returns a success/failure indication and an authenticator response that is based on the two challenge strings, the client's response, and the user password. The client verifies the authenticator response and, if it's valid, accepts the connection. The RAS client terminates the connection if the authenticator response is not valid. This is what gives MS-CHAP v2 mutual authentication: a rogue server that does not know the user's password cannot produce a valid authenticator response.

See the section "New Features of Windows 2000 RRAS" earlier in this chapter for a list of improvements MS-CHAP v2 offers over v1.

MS-CHAP v2 is enabled by default for authentication on Windows 2000 RRAS servers. There are no other configuration steps to take other than to configure the client to use MS-CHAP v2. See the section "Configuring Outgoing Dial-Up Networking Connections" later in this chapter for more information. To disable MS-CHAP v2 on the RRAS server, open the RRAS console and then open the property sheet for the server. On the Security tab, click Authentication Methods and then deselect the MS-CHAP v2 option.


MS-CHAP

MS-CHAP represents version 1 of the Microsoft Challenge Handshake Authentication Protocol. With MS-CHAP, the authentication server sends a challenge to the client containing a session ID and an arbitrary challenge string. The remote client responds with the user name and a one-way function of the challenge string, session ID, and user's password. The server checks the supplied credentials and authenticates access if the credentials are valid. Unlike v2, the client receives no proof of the server's identity.

MS-CHAP is enabled by default for Windows 2000 RRAS servers, and there are no other configuration steps except to verify that the client is configured to use MS-CHAP.

CHAP

This option enables the server to use Message Digest 5 Challenge Handshake Authentication Protocol (MD5-CHAP, or simply CHAP). CHAP uses a standard mechanism for hashing the authentication response (MD5 over the packet identifier, the password, and the challenge) and is supported by several non-Microsoft remote access clients. As such, CHAP provides a means of supporting remote clients that do not support MS-CHAP or EAP while still keeping the password itself off the wire. Note that CHAP does not negotiate encryption keys, so data on a CHAP-authenticated connection travels unencrypted unless some other mechanism encrypts it.

The first step to enable remote clients to authenticate on a Windows 2000 RRAS server with CHAP is to enable CHAP in the Authentication Methods dialog box. In the RRAS console, open the properties for the server and click the Security tab, then click Authentication Methods. Select "Encrypted authentication (CHAP)." Then, if you're using remote access policies to control allowed authentication methods, modify the policy as needed to allow the appropriate clients to use CHAP.

In order to support CHAP, user passwords must be stored using reversible encryption, because the server has to compute the same MD5 hash the client computed from the cleartext password. A reversibly encrypted password is, for anyone who can read the account database (domain administrators, anyone holding a copy of a domain controller backup), as good as the cleartext, so limit this setting to the accounts that genuinely need CHAP. While you can enable reversibly encrypted passwords for all users in the domain, you might wish to only enable reversible encryption for those clients requiring CHAP authentication. You can selectively enable reversible encryption if the accounts are stored in the Active Directory. To do so, open the Active Directory Users and Computers console, then open the user's property sheet. On the Account tab, select the option "Store password using reversible encryption" in the Account Options group, then click OK or Apply.

You need to modify the default domain policy if you want to apply reversible encryption for all users in the domain. On a domain controller, choose Start ➪ Programs ➪ Administrative Tools ➪ Domain Security Policy. Open the branch Security Settings/Account Policies/Password Policy and enable the option "Store password using reversible encryption for all users in the domain." On a standalone server, choose Start ➪ Programs ➪ Administrative Tools ➪ Local Security Policy to modify the password policy to enable reversible encryption.

Each user for which reversible encryption has been enabled needs to change his or her password so that the new password will be stored with reversible encryption. Configuring the user's account or the domain or local policy for reversible encryption does not automatically change the way the passwords are stored. You can reset the users' passwords yourself or have the users change passwords during their next logon session. Since the users can't change passwords through CHAP authentication, they must either log on to the LAN to change their passwords or use MS-CHAP through the remote connection to change their passwords, and then switch to CHAP for future remote sessions. The alternative for those users who can't log on to the LAN or use MS-CHAP is for the administrator to reset the password.

The final step is to configure the remote client to use CHAP. See the section "Configuring Outgoing Dial-Up Networking Connections" to learn how to configure Windows 2000 remote access clients.
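As an added example (not code from the chapter or from Windows 2000), the following Python script works the CHAP exchange of RFC 1994 that the "Encrypted authentication (CHAP)" option enables, with both sides' messages: it shows why the server must hold a recoverable copy of the password, what a challenge and identifier protect against, and what a passive observer of the link can still do with a captured exchange. The account, password and wordlist are constructed sample data.

```python
"""CHAP (RFC 1994) exchange and what a passive observer can do with it.

Added example, not code from the chapter or from Windows 2000. The account,
password and wordlist are constructed sample data.
"""
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: Value = MD5(Identifier || secret || Challenge).
    The identifier ties the response to one particular Challenge packet."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapServer:
    """The server side. Note what it has to store: the password itself.
    A one-way hash of the password would not let it recompute the MD5 the
    client sends, which is exactly why Windows 2000 needs 'Store password
    using reversible encryption' on accounts that authenticate with CHAP."""

    def __init__(self, accounts):
        self.accounts = dict(accounts)   # user name -> recoverable password
        self.identifier = 0

    def new_challenge(self):
        """Fresh identifier and a random 16-byte challenge for every attempt."""
        self.identifier = (self.identifier + 1) & 0xFF
        return self.identifier, os.urandom(16)

    def verify(self, identifier: int, challenge: bytes, name: str, response: bytes) -> bool:
        secret = self.accounts.get(name)
        if secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        # constant-time compare: do not leak how many bytes of the MD5 matched
        return hmac.compare_digest(expected, response)


def run_exchange(server: ChapServer, name: str, password: bytes):
    """The three CHAP packets, in order. Returns (success, what_was_on_the_wire)."""
    ident, chal = server.new_challenge()              # 1. Challenge
    resp = chap_response(ident, password, chal)       # 2. Response (name travels in clear)
    ok = server.verify(ident, chal, name, resp)       # 3. Success or Failure
    on_the_wire = {"id": ident, "challenge": chal, "name": name, "response": resp}
    return ok, on_the_wire


def offline_guess(on_the_wire, wordlist):
    """Everything needed to test a password guess is visible on the link, so an
    observer can try candidates offline at one MD5 each. CHAP keeps the
    password off the wire; it does not make a weak password strong."""
    for candidate in wordlist:
        if chap_response(on_the_wire["id"], candidate, on_the_wire["challenge"]) == on_the_wire["response"]:
            return candidate
    return None


if __name__ == "__main__":
    srv = ChapServer({"alice": b"correct horse battery"})     # constructed account
    ok, wire = run_exchange(srv, "alice", b"correct horse battery")
    print("authenticated:", ok)
    print("guessed from capture:", offline_guess(wire, [b"password", b"correct horse battery"]))
```

The replay check in the usage below is the part the identifier and fresh challenge buy you: a response captured from one session is useless against the next challenge, even for the same user.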

config-SPAP

SPAP stands for Shiva Password Authentication Protocol. Shiva is a corporation that develops and markets several remote access solutions, including the Shiva LAN Rover. Clients connecting to a Shiva LAN Rover use SPAP for authentication, as do Shiva clients connecting to a Windows 2000 RRAS server. SPAP is disabled by default for a Windows 2000 RRAS server. SPAP offers a lower degree of security than the methods described previously (the password is sent in a reversible encoding rather than as a one-way hash), so you should enable SPAP only if you need to support Shiva clients. You can enable SPAP through the Authentication Methods dialog box in the RRAS server's properties.

PAP

Password Authentication Protocol (PAP) transmits passwords in plain text, so anyone able to observe the link can read them. You should therefore only use PAP to support clients that do not support any of the other authentication methods, or in situations where security is not an issue. Enable PAP for the RRAS server through the Authentication Methods dialog box in the RRAS server's properties.

Unauthenticated access

You can configure a Windows 2000 RRAS server to allow unauthenticated remote access, enabling any user to connect whether he or she provides a valid user name and password or not. While unauthenticated access can pose a security risk, it nevertheless has some uses. Because unauthenticated access is applicable in few situations, it is not covered in detail here. To learn more about unauthenticated access, open the RRAS console, open Help, and open the topic Remote Access/Concepts/Remote Access Security/Unauthenticated Access.

Disabling Routing (Remote Access Server Only)

If you're using RRAS to only provide dial-in remote access and don't require routing, you can disable routing and allow the server to function as a remote access server only. This reduces some of the overhead in the RRAS server and can improve performance somewhat. You might also want to disable routing for security reasons that might be applicable to your network.

To disable routing, open the RRAS console and then open the properties for the server on which you want to disable routing. On the General page, deselect the Router option and leave the Remote access server option selected. Click OK and allow Windows 2000 to restart RRAS to make the change take effect.

RRAS Logging and Accounting

Windows 2000 RRAS, like many other services, logs events to the Windows 2000 System log, which you can view and manage with the Event Viewer console. You configure logging options on the Event Logging page of the RRAS server's property sheet. Open the RRAS console, open the property sheet for the server, and click the Event Logging tab. The Event Logging page offers a handful of options that control the amount of information logged to the System event log; the options are self-explanatory. You also can enable logging of PPP events for troubleshooting purposes.

By default, a Windows 2000 RRAS server uses Windows accounting as its accounting provider, which means that certain aspects of remote sessions are logged to the log file designated by the entry in the Remote Access Logging branch of the RRAS console. Windows accounting is the natural choice when authentication is handled by Windows, either locally on the RRAS server or through IAS. If you're using a RADIUS server, however, you'll probably want to configure RADIUS to perform the accounting for you. The following sections explain both options.

Using Windows accounting

Although Windows accounting is the default provider, the local log file records nothing until you turn on its logging options, so enable them if you want a record of remote sessions for security auditing and troubleshooting. To use Windows accounting, open the RRAS console, right-click the server, choose Properties, and click the Security tab. Select Windows Accounting from the Accounting Provider drop-down list, then click OK to close the property sheet.

Then in the RRAS console, open the Remote Access Logging branch. You'll find one item in the right pane labeled Local File. Double-click Local File, or right-click it and choose Properties, to display the Local File Properties sheet. The Settings page contains the following options:

✦ Log accounting requests: Select this option to log accounting requests from the RRAS server to the accounting server to indicate that it is online and ready to accept connections or going offline, and to start and stop accounting for a user session.

✦ Log authentication requests: Select this option to log authentication requests sent by the RRAS server to IAS on behalf of the client, along with responses from IAS to the RRAS server indicating acceptance/rejection of the remote client's authentication request.
