70291: MCSE Guide to Managing a Microsoft Windows Server 2003 Network, Enhanced Chapter 10: Remote A - PowerPoint PPT Presentation

Slides: 51
Provided by: phil201
Transcript and Presenter's Notes

1
70-291: MCSE Guide to Managing a Microsoft
Windows Server 2003 Network, Enhanced
Chapter 10: Remote Access
2
Objectives
  • Describe the purpose and features of Windows
    Server 2003 remote access capabilities
  • Enable and configure Routing and Remote Access
    Service as a dial-up server
  • Enable and configure Routing and Remote Access
    Service as a VPN
  • Configure a remote access server
  • Allow remote clients access to network resources
  • Create and configure remote access policies
  • Troubleshoot remote access

3
Remote Access Overview
  • Allows mobile users access to network resources
    on the internal network including files,
    printers, databases, and e-mail
  • Windows Server 2003 has the ability to be a
    remote access server

4
Dial-up Remote Access
  • Oldest type of remote access
  • Allows two computers to connect and transfer
    information using modems and a phone line
  • The V.90 standard allows uploads at 33.6 Kbps,
    while V.92 allows uploads at 48 Kbps
  • Main advantage is availability
  • Main drawback is speed

5
VPN Remote Access
  • Uses a public network to transmit private
    information
  • Encryption is used
  • The public network most commonly used is the
    Internet
  • A VPN is limited to the speed of the network
    access method
  • Advantage: high speed and reduced maintenance
  • Drawback: security risk presented by allowing
    access to network resources from the Internet

6
Enabling and Configuring a Dial-up Server
  • Windows Server 2003 uses Routing and Remote
    Access Service to act as a dial-up server
  • A modem must be installed
  • Windows Server 2003 attempts to find a modem
    through Plug and Play by default
  • A modem can be manually configured

7
Activity 10-1 Installing a Modem
  • Objective: Install a modem on your server
  • Use the Phone and Modem Options utility under
    Control Panel
  • You are only simulating the installation of a
    modem here

8
Enabling RRAS for Dial-up Connections
  • Management of RRAS is done with the Routing and
    Remote Access snap-in
  • A red arrow indicates that RRAS is not started
  • Routing and Remote Access Wizard is used to
    enable and configure RRAS for the first time
  • A green arrow indicates RRAS is started

9
Activity 10-2 Enabling RRAS as a Dial-up Server
  • Objective: Configure RRAS on your server to act
    as a remote access server
  • Use Routing and Remote Access utility
  • Right click your server and choose the
    configuration option
  • Proceed as the wizard instructs

10
Dial-up Protocols
  • LAN protocols supported by RRAS for dial-up
    networking are TCP/IP, IPX/SPX, and AppleTalk
  • Remote access protocols supported by RRAS for
    dial-up networking are PPP and SLIP
  • The same protocols required by LAN clients are
    also required by dial-up clients
  • Remote access protocols are only for dial-up and
    not VPN connections
  • PPP has a number of advantages over SLIP
    including the ability to automatically configure
    IP information

11
Dial-up Protocols (continued)
12
Dial-up Protocols (continued)
  • PPP has several options that can be enabled to
    enhance performance:
      • Multilink Connections
      • Dynamic Bandwidth
      • LCP Extensions
      • Software Compression

13
Dial-up Protocols (continued)
14
Activity 10-3 Creating a Dial-up Connection
  • Objective: Configure your server with a dial-up
    connection
  • Start the New Connection Wizard
  • Configure a SLIP Unix Connection

15
Enabling and Configuring a VPN Server
  • Windows Server 2003 uses RRAS as a VPN server
  • All connectivity is accomplished through a
    regular network card
  • Enabling VPN is accomplished using the Routing
    and Remote Access Server Setup Wizard
  • Enabling packet filters should only be chosen if
    the server has multiple network cards with the
    filtered card connected to the Internet and the
    unfiltered cards connected to VPN traffic

16
Enabling and Configuring a VPN Server (continued)
17
Activity 10-4 Enabling RRAS as a VPN Server
  • Objective: Enable RRAS as a VPN server
  • Ensure your IP address is x.0.0.1, where x is
    your student number, and the subnet mask is
    255.0.0.0
  • Choose Disable Routing and Remote Access
  • Choose Configure and Enable Remote Access
  • Select VPN in the resulting wizard and proceed as
    instructed

18
VPN Protocols
  • PPTP and L2TP are supported for VPN connections
    by Windows Server 2003
  • By default, 128 PPTP ports and 128 L2TP ports are
    provided
  • Can increase the number of ports or you can
    disable a protocol by setting the number of ports
    to zero
  • PPTP is the most popular, is widely supported,
    and can function through NAT
  • L2TP cannot provide a VPN connection alone

19
VPN Protocols (continued)
20
Activity 10-5 Modifying the Default Number of
VPN Ports
  • Objective: Reduce the number of PPTP and L2TP
    ports to 10 each
  • Use Routing and Remote Access Utility
  • Set maximum ports for WAN miniport (PPTP) to ten
  • Set maximum ports for WAN miniport (L2TP) to ten

21
Configuring Remote Access Servers
  • Default configuration is generally sufficient for
    day-to-day operations
  • Can specify whether or not the server is a remote
    access server
  • Can control authentication and logging
  • Can specify whether or not the server is a router
    for IP, and if it allows IP-based remote access
    connections
  • Can enable broadcast name resolution

22
Authentication Methods
  • Windows Server 2003 can use a number of different
    authentication methods:
      • No Authentication
      • Password Authentication Protocol
      • Shiva Password Authentication Protocol
      • Challenge Handshake Authentication Protocol
      • Microsoft Challenge Handshake Authentication
        Protocol
      • Microsoft Challenge Handshake Authentication
        Protocol version 2
      • Extensible Authentication Protocol

23
IP Address Management
  • When dial-up and VPN clients connect to Windows
    Server 2003, they are assigned an IP address
  • Options for DNS and WINS server are taken from
    the configuration of a specified interface on the
    remote access server
  • Windows 2000 and newer clients can send a
    DHCPINFORM packet after a remote access
    connection has been established

24
IP Address Management (continued)
25
IP Address Management (continued)
26
Allowing Client Access
  • When remote access is first configured on Windows
    Server 2003, none of the users are granted remote
    access permission
  • Remote access permission is controlled by their
    user object
  • If RRAS does not participate in Active Directory,
    the user object is stored in the local user
    account database
  • If RRAS belongs to an Active Directory domain,
    the user object is stored in the Active Directory
    database located on the domain controller

27
Allowing Client Access (continued)
28
Activity 10-6 Allowing a User Remote Access
Permission
  • Objective: Create a new user and allow it remote
    access permission
  • Use the Computer Management tool
  • Add a new user
  • Allow the newly created user dial-in access

29
Creating a VPN Client Connection
  • VPN clients are usually configured on client
    operating systems such as Windows XP
  • Windows Server 2003 can be configured as a VPN
    client
  • VPN connections are created using the New
    Connection Wizard

30
Creating a VPN Client Connection (continued)
31
Activity 10-7 Creating a Client VPN Connection
  • Objective: Create a client VPN connection and
    then test it
  • Use the New Connection Wizard
  • Select Virtual Private Network Connection
  • Allow all users to use this connection
  • Enter proper user name and password as instructed

32
Configuring a VPN Client Connection
  • Most configuration is done with the New
    Connection Wizard
  • You can:
      • Configure the IP address of the VPN server to
        which you are connecting
      • Configure whether or not an initial connection
        is created
      • Configure dialing and redialing options
      • Specify if password and data encryption are
        required
      • Configure the network configuration for VPN
        connection
      • Configure an Internet connection firewall and
        Internet connection sharing

33
Remote Access Policies
  • Critical in controlling and allowing remote
    access
  • How the policies are applied depends on whether
    the domain is in mixed or native mode
  • Policies applied to a user may vary depending on
    the machine you are connecting to
  • To use remote access, you must understand:
      • Remote access policy components
      • Remote access policy evaluation
      • Default remote access policies

34
Remote Access Policies (continued)
35
Remote Access Policy Components
  • Composed of conditions, remote access
    permissions, and a profile
  • Conditions are criteria that must be met in order
    for remote access policy to apply to a connection
  • Remote access permission set in a remote access
    policy has only two options: Deny or Grant remote
    access permission
  • The profile contains settings that are applied to
    a remote access connection if the conditions have
    been matched and permission has been allowed

36
Activity 10-8 Creating a Remote Access Policy
  • Objective: Create a new remote access policy on
    your server
  • Use the Computer Management utility
  • Add a new group
  • Start the New Remote Access Policy Wizard
  • Follow the instructions of the wizard

37
Remote Access Policy Evaluation
  • Evaluation of conditions follows the same process
    for mixed mode domains and native mode domains
  • After a condition match has been found, the
    permissions of the user attempting the connection
    must be evaluated
  • Even if remote access permission is granted, it
    does not guarantee that a remote connection will
    be successful as some profile settings may
    interfere
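
The evaluation order described above, as an added Python sketch that is not part of the original presentation. It models the documented flow (the first policy whose conditions match decides, then the user object's dial-in setting unless Ignore-User-Dialin-Properties is set, then the profile); the function names, sample conditions and the profile check are assumptions made for illustration.

```python
from dataclasses import dataclass, field

ALLOW, DENY, BY_POLICY = "allow", "deny", "policy"  # user object dial-in setting

@dataclass
class Policy:
    name: str
    conditions: list                  # predicates over the connection attempt
    grant: bool                       # policy permission: Grant or Deny
    profile: list = field(default_factory=list)  # checks applied after a grant
    ignore_user_dialin: bool = False  # Ignore-User-Dialin-Properties attribute

def evaluate(policies, user_dialin, attempt):
    """Return (accepted, reason) for one connection attempt."""
    for p in policies:                # policies are tried in their listed order
        if not all(cond(attempt) for cond in p.conditions):
            continue                  # conditions not met: try the next policy
        # The first policy whose conditions match decides; none after it is read.
        if p.ignore_user_dialin or user_dialin == BY_POLICY:
            if not p.grant:
                return False, f"{p.name}: policy permission is Deny"
        elif user_dialin == DENY:
            return False, f"{p.name}: user object denies dial-in"
        # Permission is granted, but profile settings can still block the call.
        if not all(check(attempt) for check in p.profile):
            return False, f"{p.name}: profile setting not satisfied"
        return True, f"{p.name}: accepted"
    return False, "no policy matched"

# Constructed sample policies; conditions and profile contents are assumptions.
low_security = Policy("LowSecurity", [lambda a: a["type"] == "vpn"],
                      grant=True, ignore_user_dialin=True)
default = Policy("Connections to Microsoft Routing and Remote Access Server",
                 [lambda a: True], grant=False,
                 profile=[lambda a: a["encrypted"]])

def demo():
    attempt = {"type": "vpn", "encrypted": True}   # constructed attempt
    return {
        "deny_user_low_first": evaluate([low_security, default], DENY, attempt)[0],
        "deny_user_default_only": evaluate([default], DENY, attempt)[0],
        "allow_user_default_only": evaluate([default], ALLOW, attempt)[0],
        "by_policy_default_only": evaluate([default], BY_POLICY, attempt)[0],
    }

if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

With LowSecurity listed first and Ignore-User-Dialin-Properties set, a user whose account denies dial-in is still accepted, which is why a permissive policy at the top of the list deserves review.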

38
Remote Access Policy Evaluation (continued)
39
Remote Access Policy Evaluation (continued)
40
Activity 10-9 Testing Remote Policy Evaluation
  • Objective: Verify the process by which remote
    access permission is granted
  • Partner A tasks:
      • Verify that the existing VPN is functional
      • Verify the policy application
  • Partner B tasks:
      • Create a new low security policy and place it
        first in order
      • Verify remote access permission
      • Set the Ignore-User-Dialin-Properties attribute
        to true
      • Delete the LowSecurity remote access policy

41
Default Remote Access Policies
  • Default policies are created to make managing
    remote access easier
  • They reduce the amount of configuration required
    to have a functional remote access server
  • First default policy listed is named Connections
    to Microsoft Routing and Remote Access Server
  • Second default policy is named Connections to
    other access servers

42
Troubleshooting Remote Access
  • Providing remote access is very complex
  • Most problems are due to software configuration
    errors introduced by users and administrators
  • Best troubleshooting tools include:
      • Log files
      • Error messages
      • Network Monitor
      • Ipconfig
  • Hardware errors can also cause problems

43
Software Configuration Errors
  • The following are common software configuration
    errors:
      • Incorrect phone numbers and IP addresses
      • Incorrect authentication settings
      • Incorrectly configured remote access policies
      • Name resolution is not configured
      • Clients receive incorrect IP options
  • The fact that the remote access server leases 10
    IP addresses from DHCP at startup is NOT an error

44
Hardware Errors
  • The following are common hardware troubleshooting
    tips:
      • Ensure hardware is on the Microsoft hardware
        compatibility list
      • Use ping to determine if the address is
        reachable
      • See if you can dial in to a different remote
        access server
      • Ensure there is a link light on the network
        card

45
Logging
  • Can be configured in many places
  • Check event log if RRAS is unable to start or is
    not performing as expected
  • Can configure detailed connection logs

46
Activity 10-10 Modem Logging
  • Objective: Enable modem logging
  • Enable the Record a Log option under the modem
    properties

47
Troubleshooting Tools
  • Ping utility is used to determine if a host is
    reachable
  • Ipconfig utility is used to confirm that the
    correct IP settings are being delivered to the
    remote access client
  • Network Monitor can be used to perform packet
    captures which may provide some further clues as
    to the cause of some error

48
Summary
  • RRAS in Windows Server 2003 can be configured as
    a remote access server for dial-up and VPN
  • RRAS supports several LAN protocols
  • A VPN server is easier to maintain than a dial-up
    server
  • VPN connections can use PPTP or L2TP/IPSec
  • L2TP does not perform encryption; IPSec is used
    to perform encryption

49
Summary (continued)
  • Many authentication methods are supported by RRAS
  • Windows 2000 and newer remote access clients can
    receive IP configuration options from a DHCP
    server rather than the interface of a remote
    access server
  • In a mixed mode Active Directory domain, remote
    access permission is controlled using the
    properties of the user object in Active Directory
  • Remote access policies are composed of
    conditions, remote access permissions, and a
    profile

50
Summary (continued)
  • The most common problem with remote access
    connections is improper software configuration
  • A variety of logs can be configured to help you
    troubleshoot remote access problems
  • The most common troubleshooting tools for remote
    access are ipconfig, ping, and Network Monitor