Title: 70-291 MCSE Guide to Managing a Microsoft Windows Server 2003 Network, Enhanced, Chapter 10: Remote Access

Slide 1: 70-291 MCSE Guide to Managing a Microsoft Windows Server 2003 Network, Enhanced
Chapter 10: Remote Access

Slide 2: Objectives
- Describe the purpose and features of Windows Server 2003 remote access capabilities
- Enable and configure Routing and Remote Access Service as a dial-up server
- Enable and configure Routing and Remote Access Service as a VPN server
- Configure a remote access server
- Allow remote clients access to network resources
- Create and configure remote access policies
- Troubleshoot remote access

Slide 3: Remote Access Overview
- Allows mobile users access to network resources on the internal network, including files, printers, databases, and e-mail
- Windows Server 2003 has the ability to be a remote access server

Slide 4: Dial-up Remote Access
- Oldest type of remote access
- Allows two computers to connect and transfer information using modems and a phone line
- V.90 standard allows uploads at 33.6 Kbps, while V.92 allows uploads at 48 Kbps
- Main advantage is availability
- Main drawback is speed

Slide 5: VPN Remote Access
- Uses a public network to transmit private information
- Encryption is used
- Public network most commonly used is the Internet
- VPN is limited to the speed of the network access method
- Advantage: high speed and reduced maintenance
- Drawback: security risk presented by allowing access to network resources from the Internet

Slide 6: Enabling and Configuring a Dial-up Server
- Windows Server 2003 uses Routing and Remote Access Service to act as a dial-up server
- A modem must be installed
- Windows Server 2003 attempts to find a modem through Plug and Play by default
- A modem can be manually configured

Slide 7: Activity 10-1 Installing a Modem
- Objective: Install a modem on your server
- Use the Phone and Modem Options utility under Control Panel
- You are only simulating the installation of a modem here

Slide 8: Enabling RRAS for Dial-up Connections
- Management of RRAS is done with the Routing and Remote Access snap-in
- A red arrow indicates that RRAS is not started
- The Routing and Remote Access Wizard is used to enable and configure RRAS for the first time
- A green arrow indicates that RRAS is started

Slide 9: Activity 10-2 Enabling RRAS as a Dial-up Server
- Objective: Configure RRAS on your server to act as a remote access server
- Use the Routing and Remote Access utility
- Right-click your server and choose the configuration option
- Proceed as the wizard instructs

Slide 10: Dial-up Protocols
- LAN protocols supported by RRAS for dial-up networking are TCP/IP, IPX/SPX, and AppleTalk
- Remote access protocols supported by RRAS for dial-up networking are PPP and SLIP
- The same protocols required by LAN clients are also required by dial-up clients
- Remote access protocols are only for dial-up and not VPN connections
- PPP has a number of advantages over SLIP, including the ability to automatically configure IP information

Slide 11: Dial-up Protocols (continued)

Slide 12: Dial-up Protocols (continued)
- PPP has several options that can be enabled to enhance performance
  - Multilink Connections
  - Dynamic Bandwidth
  - LCP Extensions
  - Software Compression

Slide 13: Dial-up Protocols (continued)

Slide 14: Activity 10-3 Creating a Dial-up Connection
- Objective: Configure your server with a dial-up connection
- Start the New Connection Wizard
- Configure a SLIP Unix connection

Slide 15: Enabling and Configuring a VPN Server
- Windows Server 2003 uses RRAS as a VPN server
- All connectivity is accomplished through a regular network card
- Enabling VPN is accomplished using the Routing and Remote Access Server Setup Wizard
- Enabling packet filters should only be chosen if the server has multiple network cards, with the filtered card connected to the Internet and the unfiltered cards connected to VPN traffic

Slide 16: Enabling and Configuring a VPN Server (continued)

Slide 17: Activity 10-4 Enabling RRAS as a VPN Server
- Objective: Enable RRAS as a VPN server
- Ensure your IP address is x.0.0.1, where x is your student number, and the subnet mask is 255.0.0.0
- Choose Disable Routing and Remote Access
- Choose Configure and Enable Remote Access
- Select VPN in the resulting wizard and proceed as instructed

Slide 18: VPN Protocols
- PPTP and L2TP are supported for VPN connections by Windows Server 2003
- By default, 128 PPTP ports and 128 L2TP ports are provided
- You can increase the number of ports, or you can disable a protocol by setting its number of ports to zero
- PPTP is the most popular and widely supported, and it can function through NAT
- L2TP cannot provide a VPN connection alone

Slide 19: VPN Protocols (continued)

Slide 20: Activity 10-5 Modifying the Default Number of VPN Ports
- Objective: Reduce the number of PPTP and L2TP ports to 10 each
- Use the Routing and Remote Access utility
- Set maximum ports for WAN Miniport (PPTP) to ten
- Set maximum ports for WAN Miniport (L2TP) to ten

Slide 21: Configuring Remote Access Servers
- Default configuration is generally sufficient for day-to-day operations
- Can specify whether or not the server is a remote access server
- Can control authentication and logging
- Can specify whether or not the server is a router for IP, and if it allows IP-based remote access connections
- Can enable broadcast name resolution

Slide 22: Authentication Methods
- Windows Server 2003 can use a number of different authentication methods
  - No Authentication
  - Password Authentication Protocol
  - Shiva Password Authentication Protocol
  - Challenge Handshake Authentication Protocol
  - Microsoft Challenge Handshake Authentication Protocol
  - Microsoft Challenge Handshake Authentication Protocol version 2
  - Extensible Authentication Protocol
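As an added illustration of how the Challenge Handshake Authentication Protocol listed above keeps the password off the wire (example code, not from the book or from RRAS), this script implements the MD5-CHAP exchange of RFC 1994 on both the authenticator and peer sides, including the single-use challenge that defeats replay. The user name, secret and challenge identifiers are constructed sample values.

```python
import hashlib
import hmac
import os

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    # RFC 1994 MD5-CHAP: Response = MD5(Identifier || secret || Challenge).
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()

class ChapAuthenticator:
    """Authenticator side (the remote access server). Verifying an MD5-CHAP
    response needs the cleartext secret, so the account store must keep the
    password in recoverable form; this is why CHAP on Windows needs the
    'Store password using reversible encryption' account option."""

    def __init__(self, secrets: dict):
        self.secrets = secrets     # user name -> cleartext secret (constructed sample data)
        self.outstanding = {}      # identifier -> challenge still awaiting a response

    def challenge(self, identifier: int) -> bytes:
        # Fresh random challenge per attempt; a captured response is useless later.
        value = os.urandom(16)
        self.outstanding[identifier] = value
        return value

    def verify(self, identifier: int, user: str, response: bytes) -> bool:
        challenge = self.outstanding.pop(identifier, None)   # each challenge is single-use
        secret = self.secrets.get(user)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)       # constant-time comparison

def authenticate(server: ChapAuthenticator, user: str, client_secret: bytes, identifier: int) -> bool:
    """One full exchange, Challenge -> Response -> Success/Failure; the peer
    (dial-up or VPN client) never puts the secret itself on the wire."""
    challenge = server.challenge(identifier)
    response = chap_response(identifier, client_secret, challenge)
    return server.verify(identifier, user, response)

if __name__ == "__main__":
    server = ChapAuthenticator({"alice": b"s3cret-pass"})   # constructed sample account
    print("correct secret:", authenticate(server, "alice", b"s3cret-pass", 1))   # True
    print("wrong secret:  ", authenticate(server, "alice", b"guess", 2))         # False
    # A response recorded for one challenge does not satisfy a later one.
    old = chap_response(3, b"s3cret-pass", server.challenge(3))
    server.verify(3, "alice", old)
    server.challenge(3)
    print("replayed:      ", server.verify(3, "alice", old))                     # False
```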

Slide 23: IP Address Management
- When dial-up and VPN clients connect to Windows Server 2003, they are assigned an IP address
- Options for DNS and WINS servers are taken from the configuration of a specified interface on the remote access server
- Windows 2000 and newer clients can send a DHCPINFORM packet after a remote access connection has been established

Slide 24: IP Address Management (continued)

Slide 25: IP Address Management (continued)

Slide 26: Allowing Client Access
- When remote access is first configured on Windows Server 2003, none of the users are granted remote access permission
- Remote access permission is controlled by the user object
- If RRAS does not participate in Active Directory, the user object is stored in the local user account database
- If RRAS belongs to an Active Directory domain, the user object is stored in the Active Directory database located on the domain controller

Slide 27: Allowing Client Access (continued)

Slide 28: Activity 10-6 Allowing a User Remote Access Permission
- Objective: Create a new user and allow it remote access permission
- Use the Computer Management tool
- Add a new user
- Allow the newly created user dial-in access

Slide 29: Creating a VPN Client Connection
- VPN clients are usually configured on client operating systems such as Windows XP
- Windows Server 2003 can be configured as a VPN client
- VPN connections are created using the New Connection Wizard

Slide 30: Creating a VPN Client Connection (continued)

Slide 31: Activity 10-7 Creating a Client VPN Connection
- Objective: Create a client VPN connection and then test it
- Use the New Connection Wizard
- Select Virtual Private Network Connection
- Allow all users to use this connection
- Enter the proper user name and password as instructed

Slide 32: Configuring a VPN Client Connection
- Most configuration is done with the New Connection Wizard
- You can:
  - Configure the IP address of the VPN server to which you are connecting
  - Configure whether or not an initial connection is created
  - Configure dialing and redialing options
  - Specify if password and data encryption are required
  - Configure the network configuration for the VPN connection
  - Configure Internet Connection Firewall and Internet Connection Sharing

Slide 33: Remote Access Policies
- Critical in controlling and allowing remote access
- How the policies are applied depends on whether the domain is in mixed or native mode
- Policies applied to a user may vary depending on the machine you are connecting to
- To use remote access, you must understand:
  - Remote access policy components
  - Remote access policy evaluation
  - Default remote access policies

Slide 34: Remote Access Policies (continued)

Slide 35: Remote Access Policy Components
- Composed of conditions, remote access permissions, and a profile
- Conditions are criteria that must be met in order for a remote access policy to apply to a connection
- The remote access permission set in a remote access policy has only two options: Deny or Grant remote access permission
- The profile contains settings that are applied to a remote access connection if the conditions have been matched and permission has been allowed

Slide 36: Activity 10-8 Creating a Remote Access Policy
- Objective: Create a new remote access policy on your server
- Use the Computer Management utility
- Add a new group
- Start the New Remote Access Policy Wizard
- Follow the instructions of the wizard

Slide 37: Remote Access Policy Evaluation
- Evaluation of conditions follows the same process for mixed mode and native mode domains
- After a condition match has been found, the permissions of the user attempting the connection must be evaluated
- Even if remote access permission is granted, it does not guarantee that a remote connection will be successful, as some profile settings may interfere

Slide 38: Remote Access Policy Evaluation (continued)

Slide 39: Remote Access Policy Evaluation (continued)

Slide 40: Activity 10-9 Testing Remote Policy Evaluation
- Objective: Verify the process by which remote access permission is granted
- Partner A tasks
  - Verify that the existing VPN is functional
  - Verify the policy application
- Partner B tasks
  - Create a new low security policy and place it first in order
  - Verify remote access permission
  - Set the Ignore-User-Dialin-Properties attribute to true
  - Delete the LowSecurity remote access policy
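To make the evaluation steps of Slide 37 and the outcomes Partner B observes in Activity 10-9 concrete, here is an added Python model (example code, not from the book or from RRAS) of how the server walks its policy list: the first policy whose conditions all match is selected, then the user object's dial-in permission is consulted unless the profile's Ignore-User-Dialin-Properties attribute overrides it, and finally profile constraints can still reject a permitted connection. The policy names, attribute names and the sample connection are constructed to mirror the activity.

```python
from dataclasses import dataclass, field, replace

@dataclass
class RemoteAccessPolicy:
    name: str
    conditions: dict                   # attribute -> acceptable values; every condition must match
    grant: bool                        # the policy's own permission: Grant (True) or Deny (False)
    ignore_user_dialin: bool = False   # profile attribute Ignore-User-Dialin-Properties
    auth_types: set = field(default_factory=set)   # profile constraint; empty = any method

def _condition_matches(acceptable: set, actual) -> bool:
    # A connection attribute may carry several values (e.g. the user's group list);
    # the condition is met if any of them is in the policy's acceptable set.
    if isinstance(actual, (set, frozenset, list, tuple)):
        return bool(acceptable.intersection(actual))
    return actual in acceptable

def evaluate(policies: list, user_dialin: str, conn: dict) -> tuple:
    """user_dialin is the user object's dial-in setting: 'Allow', 'Deny' or 'Policy'
    (Control access through Remote Access Policy, not offered in mixed mode)."""
    # Step 1: policies are tried in order; the first whose conditions ALL match is used.
    policy = next((p for p in policies
                   if all(_condition_matches(v, conn.get(a)) for a, v in p.conditions.items())),
                  None)
    if policy is None:
        return False, "no policy matched: connection rejected"
    # Step 2: the user object's permission applies unless the profile says to ignore it.
    if policy.ignore_user_dialin or user_dialin == "Policy":
        if not policy.grant:
            return False, f"{policy.name}: policy permission is Deny"
    elif user_dialin == "Deny":
        return False, f"{policy.name}: user object denies dial-in"
    # Step 3: permission granted is not the end; profile settings can still reject.
    if policy.auth_types and conn.get("Authentication-Type") not in policy.auth_types:
        return False, f"{policy.name}: authentication type blocked by profile"
    return True, f"{policy.name}: connection accepted"

# Constructed sample data mirroring Activity 10-9 (attribute values are illustrative).
DEFAULT = RemoteAccessPolicy("Connections to Microsoft Routing and Remote Access Server",
                             {"MS-RAS-Vendor": {"311"}}, grant=False)
LOW_SECURITY = RemoteAccessPolicy("LowSecurity", {"Windows-Groups": {"VPNUsers"}},
                                  grant=True, auth_types={"MS-CHAPv2", "EAP"})
LOW_SECURITY_IGNORE = replace(LOW_SECURITY, ignore_user_dialin=True)
VPN_CONN = {"MS-RAS-Vendor": "311", "NAS-Port-Type": "Virtual (VPN)",
            "Windows-Groups": {"Domain Users", "VPNUsers"}, "Authentication-Type": "MS-CHAPv2"}

if __name__ == "__main__":
    print(evaluate([DEFAULT], "Allow", VPN_CONN))                       # user Allow overrides policy Deny
    print(evaluate([LOW_SECURITY_IGNORE, DEFAULT], "Deny", VPN_CONN))   # user Deny ignored by profile
```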

Slide 41: Default Remote Access Policies
- Default policies are created to make managing remote access easier
- They reduce the amount of configuration required to have a functional remote access server
- The first default policy listed is named Connections to Microsoft Routing and Remote Access Server
- The second default policy is named Connections to other access servers

Slide 42: Troubleshooting Remote Access
- Providing remote access is very complex
- Most problems are due to software configuration errors introduced by users and administrators
- Best troubleshooting tools include:
  - Log files
  - Error messages
  - Network Monitor
  - Ipconfig
- Hardware errors can also cause problems

Slide 43: Software Configuration Errors
- The following are common software configuration errors:
  - Incorrect phone numbers and IP addresses
  - Incorrect authentication settings
  - Incorrectly configured remote access policies
  - Name resolution is not configured
  - Clients receive incorrect IP options
- The fact that the remote access server leases 10 IP addresses from DHCP at startup is NOT an error

Slide 44: Hardware Errors
- The following are common hardware troubleshooting tips:
  - Ensure hardware is on the Microsoft Hardware Compatibility List
  - Use ping to determine if the address is reachable
  - See if you can dial in to a different remote access server
  - Ensure there is a link light on the network card

Slide 45: Logging
- Can be configured in many places
- Check the event log if RRAS is unable to start or is not performing as expected
- Can configure detailed connection logs

Slide 46: Activity 10-10 Modem Logging
- Objective: Enable modem logging
- Enable the Record a Log option under the modem properties

Slide 47: Troubleshooting Tools
- The ping utility is used to determine if a host is reachable
- The ipconfig utility is used to confirm that the correct IP settings are being delivered to the remote access client
- Network Monitor can be used to perform packet captures, which may provide further clues as to the cause of an error

Slide 48: Summary
- RRAS in Windows Server 2003 can be configured as a remote access server for dial-up and VPN
- RRAS supports several LAN protocols
- A VPN server is easier to maintain than a dial-up server
- VPN connections can use PPTP or L2TP/IPSec
- L2TP does not perform encryption; IPSec is used to perform encryption

Slide 49: Summary (continued)
- Many authentication methods are supported by RRAS
- Windows 2000 and newer remote access clients can receive IP configuration options from a DHCP server rather than from the interface of a remote access server
- In a mixed mode Active Directory domain, remote access permission is controlled using the properties of the user object in Active Directory
- Remote access policies are composed of conditions, remote access permissions, and a profile

Slide 50: Summary (continued)
- The most common problem with remote access connections is improper software configuration
- A variety of logs can be configured to help you troubleshoot remote access problems
- The most common troubleshooting tools for remote access are ipconfig, ping, and Network Monitor