MANAGING AND LIMITING ISA

After you configure ISA Server for dial-on-demand connections, you might want to limit ISA Server connections. Remember that you have the same options for controlling these connections as any others: you can restrict users' access to sites, reduce the hours during which a connection is available, and so on. Several tips for managing and restricting dial-up connections are shown in Table 8.2.
TABLE 8.2
MANAGING AND RESTRICTING DIAL-UP CONNECTIONS

Goal: Limit the time a user can dial out (Web access)
Action: Create a schedule for the times to deny or allow Internet access, then create a site and content rule using that schedule that denies or allows all access to the Internet.

Goal: Limit the time a user can dial out (all requests)
Action: Use the same schedule in a protocol rule that denies access.

Goal: Prevent unnecessary Internet dial-up
Action: List all internal servers in the Local Domain Table to prevent Internet-based DNS lookups.

Goal: Limit active caching
Action: Active caching is configured on the Active Caching page of the Cache Configuration Properties. If active caching is configured, dial-up occurs whenever cache content needs to be refreshed. To reduce automatic cache refresh (and the dial-ups it causes), select Less Frequently (see Figure 8.5).
Setup for dial-up connections in ISA Server is fairly simple; nevertheless, problems will occur. Table 8.3 lists some potential trouble spots and what to do about them.

FIGURE 8.5
Reducing active caching refresh.
TABLE 8.3
ISA SERVER DIAL-UP CONNECTIONS TROUBLESHOOTING

Problem: The event Dial-on-Demand Failure is recorded in the event log.
Possible cause: The connection could not be created because the line was busy or there was no answer.
Resolution: Determine why there is no answer, or whether the line was busy, and make the necessary changes.

Problem: The event Invalid Dial-On-Demand Credentials is recorded in the event log.
Possible cause: The credentials are not valid.
Resolution: Check the validity of the username and password for the dialed resource. If the dial-up connection is to an ISP, the account entered in the dial-up credentials must be the ISP account, not the W2K logon!

Problem: The event Upstream Chaining Credentials is logged.
Possible cause: The credentials are not valid.
Resolution: Check the validity of the username and password for the upstream server; this may be a W2K user account and password.

Problem: No user is requesting Internet access, and yet the ISA Server periodically dials out to the Internet.
Possible cause: Active caching is enabled.
Resolution: Active caching attempts to periodically refresh content in the cache. If dial-on-demand has been configured, ISA Server dials on its own to collect the data. If you do not want it to do so, disable active caching.

Problem: A requested server is internal, but ISA Server cannot resolve the name to an IP address, so it dials out to do a DNS lookup.
Resolution: Configure all internal domains in the Local Domain Table; that way, the ISA Server does not have to dial out to determine that the request is for a local resource.

Problem: Event 14066, Can't read dial-up entry configuration.
Possible cause: The dial-up configuration or the firewall service configuration can't be recognized.
Resolution: Check the dial-up entry configuration.

Problem: Message 14067, Failed to load rasapi32.dll.
Possible cause: Usually a result of incorrect system configuration.
Resolution: Dial manually to check the configuration, and then restart the failed service.

Problem: Event 14136, ISA Server dial-out connection failed.
Resolution: Manually dial the number to be sure it can be reached.

Problem: Event 14142, Dial-out to the Internet failed.
Possible cause: The dial-up attempt failed, possibly because of authentication.
Resolution: Verify the phone book entry. Verify the authentication settings.

Problem: The dial-up server hangs even when there is no dialing activity.
Possible cause: ISA Server is attempting to send DNS lookup requests to an external DNS server (even for internal requests).
Resolution: Configure ISA Server to use only internal DNS servers. Configure the DNS server as an ISA Server client. Configure the DNS server to forward unresolved requests to an external DNS server.

Problem: Manual dial-out works, but ISA Server cannot dial out.
Possible cause: The dial-up entry credentials are not correct.
Resolution: Reconfigure or modify the ISA Server dial-up entry.
Possible cause: ISA Server doesn't have permission to use the dial-up connection.
Resolution: Reconfigure the W2K dial-up connection and allow everyone to use the connection.

Problem: The dial-up connection is dropped.
Possible cause: Someone inadvertently disconnected the session.
Resolution: Restart the ISA Server services. This automatically reestablishes the connection.

Problem: Dial-out failed because another connection is already being dialed.
Possible cause: Another service on the computer is connecting.
Resolution: Wait; ISA Server tries again after another request is made. Or try restarting the services.
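Table 8.3 is easier to apply against a real event log when the mapping is written down as code. The following script is an added example and is not from the book or from Microsoft: it reads a simplified, tab-separated record format that is assumed for this example (an ISO timestamp, the event ID or event name, and the message; this is not an ISA Server export format), maps the IDs and names that Table 8.3 lists (14066, 14067, 14136, 14142, Dial-on-Demand Failure, Invalid Dial-On-Demand Credentials, Upstream Chaining Credentials) to the table's cause and action, and applies the "nobody is asking, yet it keeps dialing" row by flagging evenly spaced dial attempts that have no client request shortly before them. The sample event lines and Web Proxy request timestamps at the bottom are constructed.

```python
"""Triage of ISA Server dial-on-demand events against Table 8.3.

Added example, not part of the book. The event IDs and names are those in
Table 8.3; the tab-separated record layout (ISO timestamp, event id or name,
message) is an assumption made for this example, not an ISA Server export
format, and the sample events and request timestamps are constructed.
"""
from datetime import datetime, timedelta
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Table 8.3, keyed by the event id or event name as it appears in the log.
ACTIONS: Dict[str, Tuple[str, str]] = {
    "14066": ("dial-up entry or firewall service configuration unreadable",
              "check the dial-up entry configuration"),
    "14067": ("rasapi32.dll failed to load (incorrect system configuration)",
              "dial manually to check the configuration, then restart the failed service"),
    "14136": ("dial-out connection failed",
              "dial the number manually to be sure it can be reached"),
    "14142": ("dial-out to the Internet failed, possibly authentication",
              "verify the phone book entry and the authentication settings"),
    "Dial-on-Demand Failure": ("line busy or no answer",
                               "find out why there is no answer or why the line is busy"),
    "Invalid Dial-On-Demand Credentials": ("dial-up credentials rejected",
                                           "check the ISP account in the dial-up entry (not the W2K logon)"),
    "Upstream Chaining Credentials": ("upstream server credentials rejected",
                                      "check the user name and password for the upstream server"),
}
# Assumption: each of these events is evidence that ISA Server tried to dial out.
DIAL_ATTEMPTS = {"14136", "14142", "Dial-on-Demand Failure", "Invalid Dial-On-Demand Credentials"}

Event = Tuple[datetime, str, str, str]  # (time, key, cause, action)


def triage(lines: List[str]) -> List[Event]:
    """Map each recognised log line to the Table 8.3 cause and action."""
    out = []
    for line in lines:
        stamp, key, _msg = line.split("\t", 2)
        if key in ACTIONS:
            cause, action = ACTIONS[key]
            out.append((datetime.fromisoformat(stamp), key, cause, action))
    return out


def unattended_dial_attempts(events: List[Event], requests: List[datetime],
                             quiet: timedelta = timedelta(minutes=15)) -> List[datetime]:
    """Dial attempts with no client request in the preceding `quiet` window."""
    hits = []
    for stamp, key, _cause, _action in events:
        if key in DIAL_ATTEMPTS and not any(stamp - quiet <= r <= stamp for r in requests):
            hits.append(stamp)
    return hits


def looks_periodic(stamps: List[datetime], tolerance: float = 0.1) -> bool:
    """True when three or more attempts are evenly spaced (a refresh timer, not people)."""
    if len(stamps) < 3:
        return False
    gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    return pstdev(gaps) <= tolerance * mean(gaps)


def report(lines: List[str], requests: List[datetime]) -> List[str]:
    """One line per recognised event, plus the active-caching hint when it applies."""
    events = triage(lines)
    notes = [f"{s:%H:%M} {k}: {c}; {a}" for s, k, c, a in events]
    lonely = unattended_dial_attempts(events, requests)
    if looks_periodic(lonely):
        notes.append(f"{len(lonely)} dial attempts with no client request, evenly spaced: "
                     "active caching is probably refreshing content; disable it if unwanted")
    return notes


# Constructed sample: half-hourly failures overnight, then one daytime failure.
SAMPLE_EVENTS = [
    "2001-03-05T02:00:13\t14136\tISA Server dial-out connection failed",
    "2001-03-05T02:30:11\t14136\tISA Server dial-out connection failed",
    "2001-03-05T03:00:14\t14136\tISA Server dial-out connection failed",
    "2001-03-05T03:30:12\tDial-on-Demand Failure\tno answer",
    "2001-03-05T08:55:40\t14067\tFailed to load rasapi32.dll",
    "2001-03-05T09:05:02\t14142\tDial-out to the Internet failed",
]
SAMPLE_REQUESTS = [datetime(2001, 3, 5, 9, 4, 30), datetime(2001, 3, 5, 9, 4, 55)]

if __name__ == "__main__":
    for line in report(SAMPLE_EVENTS, SAMPLE_REQUESTS):
        print(line)
```

With the constructed sample, the four overnight attempts are reported individually with the Table 8.3 action and then, because they are evenly spaced and no client asked for anything, the script adds the active-caching hint; the 09:05 failure follows two client requests and is left to the phone-book and authentication check.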
The Routing and Remote Access Service is a service of Windows 2000 that can be used to establish a Windows 2000 server as a network router, NAT server, demand-dial router, and VPN tunnel endpoint. ISA Server can provide a demand-dial Internet connection and SecureNAT services, and it can act as a VPN endpoint. Routing rules can be defined that direct requests received by ISA Server, and ISA Server also provides a way to further control these services through policies. You should always use the ISA Server components that are present instead of using other Windows 2000 services. Be especially careful that you do not use the Routing and Remote Access services to make end-runs around the ISA Server firewall service. To do so would compromise network security: enabling a Routing and Remote Access router on the ISA Server without enabling packet filtering turns the ISA Server into a plain router, and all packets are routed between the Internet and your private network. This is not what you purchased ISA Server to do. (You presumably purchased ISA Server to protect your network, not to expose it to uncontrolled access.)
To control access, always choose ISA Server when you provide remote access services via the ISA Server computer. Services you may want to provide, and how they can be accomplished, are:

Checking a box on the General tab of the IP Packet Filters Properties page enables packet filtering. (The IP Packet Filters folder can be found at Internet Security and Acceleration Server\Servers and Arrays\name\Access Policy\IP Packet Filters; see Figure 8.6.) Note that packet filtering is not available in cache mode.

IP routing is enabled on the same property page. Note that if you uncheck the Enable Packet Filtering box, the Enable IP Routing check box is grayed out (see Figure 8.7). In other words, ISA Server only routes IP packets between its interfaces while its packet filters are in force.

Remember: Create demand-dial connections, routing rules, packet filters, and VPN endpoints using ISA Server.
Connecting Remote Clients

Many employees now work from home, or are frequently on the road. These employees also need access to resources on the corporate private network. In the past, this access was allowed through dial-up connections to a remote access server, perhaps a Windows NT Remote Access Server. Although it is possible to configure this type of remote access, it is strongly recommended that remote client connections use a VPN connection to the ISA Server. Typical client software (Windows 9x, Windows ME, Windows NT Workstation, and Windows 2000 Professional) includes VPN client capabilities, and ISA Server makes an excellent VPN tunnel endpoint. For more information, see Chapter 9, "Virtual Private Networks (VPNs) Access."
Static Routes

Set up and verify routing rules for static IP routes in Routing and Remote Access.

One thing that ISA Server does not do is provide facilities for creating static IP routes (routes that are manually defined rather than automatically created) on the ISA Server. ISA Server does allow the use of routing rules to specify how received requests should be forwarded: to a specific dial-up connection, to all internal destinations, to all external destinations, or to a destination set. Destination sets, which are defined separately from routing rules, can contain IP address ranges. You can create a destination set and use it in routing rules that specify where requests should be routed. However, these rules determine how internal requests for Web Internet access are routed, or how external requests for hosted servers are routed; they are not useful for simple routing from one IP network to another. If you need to define static routes on the ISA Server, you must do so using Routing and Remote Access Services or the route command.

Using static routes is not recommended for large routing environments. However, small, single-path, static internetworks can benefit. A small internetwork is defined as one composed of two to ten networks. Single path means that there is only one path, or route, for packets to take to get from one endpoint to another. Static, of course, means that the network architecture doesn't change over time. Several typical small internetwork scenarios are:
STEP BY STEP
8.4 Create a Static Route Using RRAS

1. Open Start\Programs\Administrative Tools\Routing and Remote Access.
2. If RRAS has not been enabled, do so by right-clicking the server icon in the console and selecting Enable Routing and Remote Access Service.
3. Select Routing and Remote Access\name\IP Routing\Static Routes.
4. Right-click Static Routes and click New Static Route.
5. In the Static Route dialog box (see Figure 8.8), enter the Interface, Destination, Network Mask, Gateway, and Metric.
STEP BY STEP
8.5 Create a Route by Using the Route Command

1. Open a command prompt.
2. Type the following command, where network is the network address that you want to route to, subnetmask is the subnet mask of that network, and gateway is the IP address of the router, on the internal network, that forwards packets to that network. The -p switch makes the route persistent (a reboot does not remove the route from the computer's routing table):

   route add -p network mask subnetmask gateway

Figure 8.9 is an example command where the desired effect is to route all traffic to the 192.168.5.0/24 network through the 192.168.6.15 gateway.

FIGURE 8.8
Creating a static route.

FIGURE 8.9
Using the route command.
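A static route only takes effect if it is the most specific match for the packet, so before typing the command from Step by Step 8.5 it helps to know which entry will actually win. The following Python is an added example, not code from the book: it models a Windows routing table as a list of entries (destination, mask, gateway, metric), resolves a destination address the way the host does (longest matching prefix first, then lowest metric), and renders the equivalent persistent route add -p command. The 192.168.5.0/24 route via 192.168.6.15 is the book's own case from Figure 8.9; every other entry in the table, and the internal NIC address 192.168.6.1, is an assumption made for the example.

```python
"""Route selection for the static route of Step by Step 8.5 (added example).

Not code from the book: a Windows routing table modelled as a list of
entries, resolved by longest prefix match and then lowest metric. Only the
192.168.5.0/24 via 192.168.6.15 entry comes from the book; the rest of the
table is constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    destination: str          # network address, e.g. "192.168.5.0"
    mask: str                 # dotted subnet mask, e.g. "255.255.255.0"
    gateway: str              # next hop; for a connected network, the local NIC address
    metric: int = 1
    persistent: bool = False  # created with -p, so it survives a reboot

    @property
    def network(self) -> IPv4Network:
        return IPv4Network(f"{self.destination}/{self.mask}")

    def command(self) -> str:
        """The route.exe invocation from Step by Step 8.5 that creates this entry."""
        flag = "-p " if self.persistent else ""
        return f"route add {flag}{self.destination} mask {self.mask} {self.gateway} metric {self.metric}"


def select_route(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match; among routes with the same prefix, the lowest metric wins."""
    ip = IPv4Address(dst)
    matches = [r for r in table if ip in r.network]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.network.prefixlen, -r.metric))


def next_hop(table: List[Route], dst: str) -> Optional[str]:
    """Gateway a packet for `dst` is handed to, or None if nothing matches."""
    route = select_route(table, dst)
    return route.gateway if route else None


# Constructed table for a host whose internal NIC is 192.168.6.1/24.
TABLE = [
    Route("0.0.0.0", "0.0.0.0", "10.1.1.254"),                               # default route, external side
    Route("192.168.6.0", "255.255.255.0", "192.168.6.1"),                     # directly connected LAN
    Route("192.168.5.0", "255.255.255.0", "192.168.6.15", persistent=True),   # the book's static route
    Route("192.168.0.0", "255.255.0.0", "192.168.6.99", metric=5),            # broader route; must not win for .5.x
    Route("192.168.5.0", "255.255.255.0", "192.168.6.16", metric=20),         # same prefix, worse metric
]

if __name__ == "__main__":
    for dst in ("192.168.5.7", "192.168.7.3", "8.8.8.8"):
        print(f"{dst:>12} -> {next_hop(TABLE, dst)}")
    print(TABLE[2].command())
```

Run stand-alone it shows that 192.168.5.7 goes to 192.168.6.15 despite the broader 192.168.0.0/16 entry and the duplicate /24 with a worse metric, that 192.168.7.3 falls to the /16, and that anything else takes the default route. The same selection logic is what makes the "Don't Do This!" warning below bite: with IP routing enabled and no packet filters, every packet arriving from the Internet is simply matched against this table and forwarded.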
Don't Do This! If you enable RRAS and set up static routes without enabling packet filtering in ISA Server, you have made ISA Server just another router. You have compromised your firewall: IP traffic from the untrusted network, that is, the Internet, flows freely into your private network.
USING RRAS FOR DIAL-ON-DEMAND

STEP BY STEP
8.6

1. On router 1: Create a demand-dial interface (name it DDPoint1) that specifies the modem on that computer and the authentication credentials of the account in the other network, DDPoint2.
2. Create a static route that includes the interface name DDPoint1, and the destination network and network mask that match router 2. (Demand-dial connections are point-to-point, so you do not configure the gateway IP.)
3. If this static route is to be used to initiate a demand-dial connection, be sure the box Use This Route to Initiate Demand-Dial Connections is checked (see Figure 8.10).
4. On router 1: Create a Windows 2000 user account using the interface name, that is, DDPoint1. Be sure to clear User Must Change Password at Next Logon and select Password Never Expires.
5. Grant the user DDPoint1 dial-in permissions through the user interface or through remote access policies.
6. On router 2: Create a demand-dial interface (name it DDPoint2) that specifies the modem on that computer and the authentication credentials of DDPoint1.
Mixed Signals: While vociferously demanding that ISA Server be used to configure dial-on-demand connections for its clients, Microsoft lists an exam objective that requires knowledge of using RRAS to do this. Part of the confusion here is that ISA Server adds policy management and more flexible protection for these types of connections. The ISA Server packet filters and other security implementations can protect dial-on-demand connections, and access to this feature can be managed by security policy. So you could read this objective as referring to the ISA Server capabilities alone. However, the wise student of Microsoft will be sure he or she clearly understands the capabilities and configuration of the separate service, Routing and Remote Access Service, and how it can coexist with ISA Server.
FIGURE 8.10
Use this route!
7. On router 2: Create a static route with the interface DDPoint2, and the destination network and network mask that match router 1.
8. On router 2: Create a Windows 2000 user account using the interface name, that is, DDPoint2. Be sure to clear User Must Change Password at Next Logon and select Password Never Expires.

Figure 8.11 illustrates the configuration described in Step by Step 8.6.
Troubleshooting Common RRAS Problems

Configuring RRAS demand-dial connections can be irksome, and creating static routes might be confusing as well. Some of the most common problems and their likely answers can be found in Table 8.4.
FIGURE 8.11
Demand-dial routing between two RRAS routers (the configuration of Step by Step 8.6).

Router 1 (192.168.4.50, phone number RB945)
    Demand-dial interface: Name DDPoint1, User DDPoint2, dials phone number RB459
    Static route: Network 192.168.5.0, Interface DDPoint1

Router 2 (192.168.5.50, phone number RB459)
    Demand-dial interface: Name DDPoint2, User DDPoint1, dials phone number RB945
    Static route: Network 192.168.4.0, Interface DDPoint2
TABLE 8.4
TROUBLESHOOTING COMMON RRAS PROBLEMS

1. A demand-dial connection occurs, but clients cannot reach locations behind the router.

Possible cause: IP routing is not enabled.
Resolution: Enable it on the IP properties page of the router.

Possible cause: No facility has been made for giving the incoming client an IP address on the local network.
Resolution: Add DHCP or assignment from a static address pool on the router (properties page of the router).

Possible cause: The incoming call is interpreted as a remote access client rather than a router.
Resolution: The user credentials presented by the calling router must match the name of a demand-dial interface on the answering router.

Possible cause: The correct demand-dial interface for the protocol being routed has not been added.
Resolution: Add the correct interface for the protocol being used.

Possible cause: Routes do not exist on the routers to support this. (No default route is created by a demand-dial connection.)
Resolution: Add static routes.

Possible cause: Packet filters are preventing traffic flow.
Resolution: Verify that the connection should occur, then correct the packet filters.

Possible cause: Static routes on the router are not correct.
Resolution: Correct the static routes.

2. A demand-dial connection is not initiated automatically.

Possible cause: The demand-dial interface is disabled.
Resolution: Right-click Routing and Remote Access\name\Routing Interfaces\name of demand-dial interface and select Enable.

Possible cause: The static route does not have the correct interface information in it.
Resolution: Reconfigure the static route.

Possible cause: "Use this route to initiate demand-dial connections" is not selected in the static route.
Resolution: Select it.

Possible cause: Dial-out hours prevent the connection from initiating.
Resolution: Dial-out hours are configured by right-clicking the demand-dial interface.

3. Cannot make a demand-dial connection.

Possible cause: The Routing and Remote Access Service is not started on the calling router.
Resolution: Check the services on both routers to be sure they are started.

Possible cause: The router is in an unreachable state.
Resolution: If the RRAS service is started and the connection cannot be completed, the router is said to be in an unreachable state. To check the reason, right-click the demand-dial interface and click Unreachability Reason.

Possible cause: Dial-up ports are not enabled for inbound/outbound demand-dial connections.
Resolution: Enable dial-up ports in the Routing and Remote Access\name\Ports\Properties\Devices\Configure Device dialog box.

Possible cause: All ports available for demand-dial are already being used.
Resolution: Wait, or configure and enable more ports.

Possible cause: The routers do not share a common authentication method.
Resolution: Check the policies on both routers and add a common authentication method.

Possible cause: Routing is not enabled on the routers.
Resolution: Enable routing.

Possible cause: Remote access policy settings for the demand-dial account conflict with the policy on the router.
Resolution: Change the policies to match.

Possible cause: The user account used by the demand-dial interface has "User must change password at next logon" set.
Resolution: Clear this check box.

Possible cause: The user account password has expired.
Resolution: Set the account password to never expire, and follow a regular manual schedule to update passwords.

Possible cause: The user account password does not match.
Resolution: Obtain the correct password and modify the demand-dial configuration.

Possible cause: Not enough addresses are in the static address pool, or the DHCP server has no free IP addresses to lease.
Resolution: Wait until an address becomes free, or modify the configuration so that more addresses are available.

Possible cause: Active Directory accounts are used for authentication and the answering router cannot contact Active Directory.
Resolution: Be sure Active Directory is available to the router.

Possible cause: Certificates are used for authentication and the router is not correctly configured.
Resolution: Configure the router to use certificates.

Possible cause: MS-CHAP v1 is used and the password is over 14 characters.
Resolution: Reduce the length of the password, or use MS-CHAP v2.
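Most of the rows in Table 8.4, and the symmetry of Step by Step 8.6, reduce to a handful of checks on the two routers' configurations: the name the calling interface authenticates with must exist as an account on the answering router and match one of that router's demand-dial interface names (otherwise the call is treated as a remote access client), the account must not require a password change and must not expire, the authentication method must be one both sides accept (and an MS-CHAP v1 password may not exceed 14 characters), and a static route toward the other network must use the demand-dial interface and be allowed to initiate the call. The Python below is an added example, not from the book and not an RRAS API: the dataclasses are a hypothetical model of what the RRAS console shows, and the passwords and the deliberately broken variant in the main block are constructed. The router and interface names, the phone numbers RB945 and RB459, the account names and the two networks are taken from Figure 8.11.

```python
"""Consistency checks for the DDPoint1/DDPoint2 demand-dial pair of Step by Step 8.6
and Figure 8.11, applying the causes listed in Table 8.4.

Added example, not from the book and not an RRAS API: the dataclasses are a
hypothetical model of the RRAS console settings; passwords are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_network
from typing import Dict, List, Set


@dataclass
class Account:
    password: str
    must_change_password: bool = False  # steps 4 and 8: must be cleared
    never_expires: bool = True          # steps 4 and 8: must be set


@dataclass
class DemandDialInterface:
    dial_number: str     # the other router's phone number
    user: str            # account on the answering router
    password: str
    auth: str = "MS-CHAP v2"
    enabled: bool = True


@dataclass
class StaticRoute:
    network: str           # e.g. "192.168.5.0/24"
    interface: str
    initiate: bool = True  # "Use this route to initiate demand-dial connections"


@dataclass
class Router:
    name: str
    phone_number: str
    lan: str
    interfaces: Dict[str, DemandDialInterface]
    accounts: Dict[str, Account]
    routes: List[StaticRoute]
    ip_routing: bool = True
    auth_methods: Set[str] = field(default_factory=lambda: {"MS-CHAP v2"})


def check_direction(caller: Router, answerer: Router) -> List[str]:
    """Problems that stop `caller` dialing `answerer` and routing over the link."""
    p = []
    hits = [(n, i) for n, i in caller.interfaces.items() if i.dial_number == answerer.phone_number]
    if not hits:
        return [f"{caller.name}: no demand-dial interface dials {answerer.phone_number}"]
    name, iface = hits[0]
    if not iface.enabled:
        p.append(f"{caller.name}/{name}: interface is disabled")
    if not caller.ip_routing:
        p.append(f"{caller.name}: IP routing is not enabled")
    if iface.auth not in answerer.auth_methods:
        p.append(f"{caller.name}/{name}: {answerer.name} does not accept {iface.auth}")
    if iface.auth == "MS-CHAP v1" and len(iface.password) > 14:
        p.append(f"{caller.name}/{name}: MS-CHAP v1 password is over 14 characters")
    acct = answerer.accounts.get(iface.user)
    if acct is None:
        p.append(f"{answerer.name}: no account {iface.user} for the calling router")
    else:
        # Table 8.4: credentials must match a demand-dial interface name on the answering router.
        if iface.user not in answerer.interfaces:
            p.append(f"{answerer.name}: {iface.user} matches no demand-dial interface, "
                     "so the call is handled as a remote access client")
        if acct.password != iface.password:
            p.append(f"{caller.name}/{name}: password does not match account {iface.user}")
        if acct.must_change_password:
            p.append(f"{answerer.name}/{iface.user}: 'User must change password at next logon' is set")
        if not acct.never_expires:
            p.append(f"{answerer.name}/{iface.user}: password is not set to never expire")
    # A demand-dial connection creates no default route, so a static route must point at it.
    routes = [r for r in caller.routes if ip_network(r.network) == ip_network(answerer.lan)]
    if not routes:
        p.append(f"{caller.name}: no static route to {answerer.lan}")
    for r in routes:
        if r.interface != name:
            p.append(f"{caller.name}: route to {r.network} uses {r.interface}, not {name}")
        if not r.initiate:
            p.append(f"{caller.name}: route to {r.network} cannot initiate demand-dial")
    return p


def check_pair(a: Router, b: Router) -> List[str]:
    return check_direction(a, b) + check_direction(b, a)


def figure_8_11(secret1: str = "pw-one", secret2: str = "pw-two"):
    # The two routers of Figure 8.11; the passwords are constructed.
    r1 = Router("router1", "RB945", "192.168.4.0/24",
                {"DDPoint1": DemandDialInterface("RB459", "DDPoint2", secret2)},
                {"DDPoint1": Account(secret1)}, [StaticRoute("192.168.5.0/24", "DDPoint1")])
    r2 = Router("router2", "RB459", "192.168.5.0/24",
                {"DDPoint2": DemandDialInterface("RB945", "DDPoint1", secret1)},
                {"DDPoint2": Account(secret2)}, [StaticRoute("192.168.4.0/24", "DDPoint2")])
    return r1, r2


if __name__ == "__main__":
    r1, r2 = figure_8_11()
    print("as in Figure 8.11:", check_pair(r1, r2) or "no problems")
    r2.accounts["DDPoint2"].must_change_password = True  # step 8 skipped
    r1.routes[0].initiate = False                        # Figure 8.10 box unchecked
    print(check_pair(r1, r2))
```

Note the direction of each check: router 1's interface DDPoint1 dials router 2 as user DDPoint2, so it is router 2 that needs the DDPoint2 account and the DDPoint2 interface, and vice versa. Getting this crossed is exactly the "incoming call is interpreted as a remote access client" row of Table 8.4.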
REMOTE ADMINISTRATION

It's not always possible or practical to sit at every ISA Server console in order to administer the server.

If you are on the private network side of the ISA Server, you should not experience problems. Connection from the public side of the ISA Server is not recommended.

While remotely managing an ISA Server or array, you may generate reports. However, you must have the appropriate permissions to do so. Keep in mind that reports for an array are generated by accessing the logs of all the ISA Servers in the array. You must, therefore, have permissions on all of the servers in the array. You must:

• Be a local administrator on every ISA Server in the array.
• Be able to access and launch Distributed Component Object Model (DCOM) on every ISA Server in the array.

Two methods for remote administration exist:

• Install the ISA Management console on another system and connect to the ISA Server(s).
• Run the Terminal Server client and connect to the ISA Server computer.

You can also remotely manage ISA Server by writing DCOM scripts, but that's just a little <grin> outside the scope of this exam.
Using ISA Management Console from a Remote Computer

The ISA Management Console can be installed on Windows 2000 Server or Windows 2000 Professional and used to manage ISA Server. If the ISA Server installation CD-ROM is used, however, during the installation you should choose the Custom installation method and install only the management tools. If you also need to manage the H.323 Gatekeeper service on the ISA computer, you must install the H.323 management tool as well.

NOTE: Like "OLE for Networks," DCOM is a service that allows object communication across a network from one computer to another. Client objects on one computer connect to server objects on another for the purpose of sharing data and instructions. Like a Word document linked to Excel, data changes in one DCOM component can mean updated changes in the other. The capability to use DCOM objects on the ISA Server is managed by applying security permissions. Default permissions are set for the local Administrators group. It is through DCOM that remote administration of ISA Server through the Management console is possible.
You can manage standalone ISA Server computers or arrays (see Step by Step 8.7). You must be a member of the Administrators group on the ISA Server that you will manage, and you must manage it from the same domain or a trusted domain.

STEP BY STEP
8.7 Connecting for Remote Administration by Using the Management Console

1. Open the ISA Server Management Console.
2. Right-click Internet Security and Acceleration Server.
3. Click Connect To.
4. If you want to manage a standalone ISA Server, click Connect to This Standalone Server.
5. If you want to manage an enterprise or an array, click Connect to Enterprise and Arrays.
6. Type the name of the computer to administer (see Figure 8.12).
7. Click OK.
Using Terminal Services to Manage ISA Server

To use Terminal Services to manage ISA Server:

• The Terminal Services client must be installed on the client computer.
• Terminal Services must be installed on the ISA Server computer.
• You must be a member of the Administrators group on the ISA Server computer.

FIGURE 8.12
Connecting to remotely manage ISA Server(s).
Dial-up connections can be some of the most annoying connections to create, test, and understand. ISA Server makes this process easy, but the complexity of ISA Server can challenge the unwary with extra dial-up issues. If you are comfortable with your understanding of firewall chaining and routing-rule uses of dial-up access, and the requirements of name resolution, you will find this process less of a headache. Although ISA Server performs several connectivity functions that you could also configure under Routing and Remote Access services, you should always choose ISA Server to perform those functions that it can.
APPLY YOUR KNOWLEDGE

Exercises

8.1 Configure ISA Demand-Dial Routing

If you configure demand-dial routing, you will have an appreciation for the issues this process can bring about, as well as its convenience for the small business. If you do not have a modem in your ISA Server test computer, you can still step through the process, and you will probably trigger some connectivity issues similar to those experienced by improperly configured sites and connections that fail to answer. If you take this approach, be sure to limit connections to the ISA Server, or you will most certainly find the system extremely slow and may hang the system as the ISA Server strives to make a connection that it cannot possibly complete.

Estimated Time: 30 minutes

1. Be sure you have ISA Server installed in integrated mode. A server with a modem and a network card is the best choice. You can use a personal account to dial to your ISP if you want.
2. Test the Internet connection and credentials without using the ISA Server.
3. Configure the ISA Server to dial on demand when requests for Internet services are received. Configure a client machine to act as the requesting client. Any system with IE installed is okay. (You are just going to try to browse the Internet through your ISA Server.)
4. Be sure the client is on the same network as the internal NIC of the ISA Server and does not have an alternative route to the Internet.
5. Be sure the ISA Server has a site and content rule and a protocol rule that will allow requests to be retrieved from the Internet (and no rule that might block such requests).
6. Use the client system to access the Internet through the ISA Server.

Review Questions

1. A single, standalone ISA Server is configured to use a dial-on-demand connection to the Internet as its primary connection. There is no secondary connection. SecureNAT client HTTP requests are intermittently fulfilled. Web Proxy client HTTP requests are being serviced. What is the most likely cause?

2. No client requests are being made for Internet access, and yet the ISA Server is periodically dialing out to the Internet. What is the most likely cause (or causes)?

3. The Loomis Vacuum Company wants to establish Internet connectivity for Web browsing and Internet email for corporate headquarters and three branch offices. A small number of employees work at the branch offices. They do not want to establish direct Internet access at all offices, and they want to control the schedule and type of access allowed. What type of solution would you propose?

4. Frederman Wax Company has provided Internet access through a dial-up connection and connection-sharing software for the past year. They purchased ISA Server as a replacement for their connection-sharing software so they can have more protection for their internal network and more control over their employees' access to the Internet. They removed the Internet connection-sharing software and configured ISA Server for demand-dial access to the Internet. It's not working. You inspect their system and, in looking at various property pages, you see the following (see Figures 8.13, 8.14, and 8.15). What is causing the problem? What is the solution?