A Guide to Windows 2000 Server


Chapter 12: Remote Access and Virtual Private Networks
Learning Objectives
- Explain how remote access and virtual private network (VPN) services work
- Explain how to implement remote access communications devices and protocols
- Configure remote access services, security, dial-up connectivity, and client access
Early Remote Access Methods
An early method for accessing a network, which is still used, is to connect to a workstation through remote access software such as Carbon Copy.
Accessing a Workstation Remotely

Figure 12-1 Remotely accessing a workstation on a network (diagram: a remote workstation dials through its modem and a telephone line to a modem on a workstation attached to the office Ethernet, alongside a server and other workstations)
Microsoft Remote Access
A modern way to access a network remotely is by using Microsoft Remote Access Services (RAS) in Windows 2000 Server.
Using RAS
Figure 12-2 Remotely accessing a network through Microsoft RAS (diagram: client workstations dial over telephone lines into modems attached to a Windows 2000 server running RAS; the server's Ethernet segment also carries a NetWare server and client workstations)
Virtual Private Network
Virtual private network: A private network that behaves like a tunnel through a larger network (such as the Internet, an enterprise network, or both) and that is restricted to designated member clients.
Planning Tip
Use a VPN to save money on modems and telephone lines for remote access to a network. Because VPN traffic crosses a shared network such as the Internet, the tunnel must authenticate the remote client and encrypt the data it carries; the cost saving is not a substitute for those controls.
VPN Architecture
Figure 12-3 VPN network architecture (diagram: remote clients dial into the Internet over telephone lines and modems; VPN tunnels cross the Internet, routers and a frame relay/T-3 link to a Windows 2000 Server running VPN/IIS on subnet 177.28.44, to further Windows 2000 servers on subnets 177.28.19, 177.28.7 and 177.28.23, and to a Web server at 177.28.23.10; the address 177.28.44.129 is also shown)
Operating Systems That Can Connect to RAS

- MS-DOS
- Windows 3.1 and 3.11
- Windows NT (all versions)
- Windows 95
- Windows 98
- Windows 2000 Server and Professional
Connection Types Supported by RAS

- Asynchronous modems
- Synchronous modems through an access server
- Null modem connections
- Regular dial-up telephone lines
- Leased telecommunications lines, such as T-carrier
- ISDN lines (and digital modems)
- X.25 lines
- DSL lines
- Frame relay lines
T-Carrier
- T-carrier: A dedicated leased telephone line that can be used for data communications over multiple channels at speeds of up to 44.736 Mbps and beyond
- Two common varieties of T-carrier are:
  - T-1 at 1.544 Mbps
  - T-3 at 44.736 Mbps
Frame Relay
Frame relay: A WAN communications technology that relies on packet switching and virtual connection techniques to transmit at speeds from 56 Kbps to 45 Mbps.
ISDN
Integrated Services Digital Network (ISDN): A telecommunications standard for delivering data services over digital telephone lines, with a current practical limit of 1.536 Mbps and a theoretical limit of 622 Mbps.
X.25
X.25: An older packet-switching protocol for connecting remote networks at speeds up to 2.048 Mbps.
DSL
Digital subscriber line (DSL): A technology that uses advanced modulation techniques on regular telephone lines for high-speed networking at speeds of up to 60 Mbps between subscribers and a telecommunications company.
Transport and Remote
Communication Protocols
RAS supports the following transport and remote communication protocols:

- Transport protocols carried over the remote link: TCP/IP, NWLink (Microsoft's IPX/SPX-compatible protocol), NetBEUI
- Remote communication and tunneling protocols: PPP, PPTP, L2TP
Using Modems
- One of the most common ways to connect through RAS is by using modems at the RAS server end, the client end, or both
- Cable TV modems are another possibility, but verify that the end-to-end connection can be made secure
ISDN Connectivity
- Digital "modems" can be used to connect a RAS server to ISDN, but these are really terminal adapters (TAs) and not modems, because ISDN is digital and does not use modulation/demodulation
- A design advantage of ISDN is that you can aggregate multiple lines (for example, the two 64 Kbps B channels of a Basic Rate Interface) so that they appear as one faster connection
Access Server
- An effective way to connect different telecommunications and WAN media to RAS is through an access server
- For example, an access server can provide the following types of connectivity:
  - Modems
  - ISDN
  - X.25
  - T-carrier
Access Server Architecture
Figure 12-4 Using an access server (diagram: a Windows 2000 Server with RAS connects over Ethernet to a modular access server, which terminates a T-1 line, an X.25 line, ISDN lines, leased telecommunications connections and modem lines from the telecommunications network)
Remote Access Protocols
- Serial Line Internet Protocol (SLIP): An older remote communications protocol used by UNIX computers; it carries only IP and has no authentication phase. The later compressed SLIP (CSLIP) variant uses header compression to reduce communications overhead.
- Point-to-Point Protocol (PPP): A widely used remote communication protocol that supports IPX/SPX, NetBEUI, and TCP/IP for point-to-point communication and authenticates the peer before network traffic flows.
SLIP and PPP Compared
Table 12-1 SLIP and PPP Compared

Feature                                                       SLIP      PPP
Network protocol support                                      TCP/IP    TCP/IP, IPX/SPX, and NetBEUI
Asynchronous communications support                           Yes       Yes
Synchronous communications support                            No        Yes
Simultaneous network configuration negotiation and
  automatic connection at multiple levels of the OSI model
  between the communicating nodes                             No        Yes
Support for connection authentication (SLIP has no
  authentication phase; PPP authenticates the peer before
  network traffic flows)                                      No        Yes
Remote Access Protocols (continued)

- Point-to-Point Tunneling Protocol (PPTP): A remote communication protocol that enables connectivity to a network through the Internet and connectivity through intranets and VPNs. It carries PPP frames inside the tunnel and relies on the authentication and encryption negotiated by that PPP session (MS-CHAP with MPPE).
- Layer Two Tunneling Protocol (L2TP): The other tunneling protocol supported by Windows 2000 VPN servers. L2TP itself provides no encryption; Windows 2000 pairs it with IPSec to protect the tunnel.
Configuring RAS
Use the Routing and Remote Access tool to install RAS.
Installing RAS
Figure 12-5 Configuring routing and RAS

Installing RAS (continued)

Figure 12-6 Selecting the option to install RAS
Routing and Remote
Access Options
- Internet connection server: Use this option so that networked computers in addition to the server can connect to the Internet. This is especially useful in a small office in which all users need Internet access but there is only one dial-up, ISDN, or other outside line to an ISP.
- Remote access server: Use this option to set up remote access services to the network through the Windows 2000 server.
- Virtual private network (VPN) server: Use this option when you have an intranet that you want users to be able to access through a remote connection or the Internet.
- Network router: Use this option to have Windows 2000 Server function as a router on the network, directing traffic to other networks or subnetworks.
- Manually configure the server: Use this option when you want to customize the routing and remote access capabilities.
Installing RAS (continued)
Figure 12-7 IP address assignment options
Viewing a RAS
Server’s Properties
Figure 12-8 RAS server properties
DHCP Relay Agent
- If you configure RAS to assign IP addresses through DHCP, the RAS server leases the addresses from the DHCP server on the clients' behalf, but remote clients only receive DHCP options such as DNS and WINS server addresses if the DHCP Relay Agent forwards their requests, so you must configure it:
  - Double-click the RAS server in the tree of the Routing and Remote Access tool
  - Click IP Routing in the tree
  - Right-click DHCP Relay Agent and click Properties
  - Enter the IP address of the DHCP server (not the RAS server's own address), click Add, and then click OK
Security Set at the Client
Set up security on the user's account properties via the Dial-in tab: the remote access permission (Allow access, Deny access, or Control access through Remote Access Policy) and the callback options.
Callback Options
- No Callback: access is allowed on the first dial-up attempt
- Set By Caller: the server hangs up and calls back a number provided by the remote computer; this shifts telephone charges to the server but adds no security, because the caller chooses the number
- Always Callback to: the server calls back a number that has already been entered in the Dial-in tab, so the account can only be used from that telephone line
Configuring Dial-in Security
Figure 12-10 Configuring dial-in security for a user account
Remote Access Policies
Configure remote access policies and a profile to secure the RAS server and to manage access, including:

- Dial-in constraints
- IP address assignment rules
- Authentication
- Encryption
- Allowing Multilink connections
Configuring Remote
Access Policies
Figure 12-11 Granting remote access as a RAS policy
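The slides list what a remote access policy and its profile control but not how the server combines them with the account's Dial-in setting. The following is an added example, not code from the page or from Microsoft: a small model of the documented evaluation order (account dial-in permission first, then the first policy whose conditions all match, then that policy's profile). The condition names Windows-Groups, Day-And-Time-Restrictions, Tunnel-Type and Authentication-Type are the ones the policy editor shows; the groups, policies and connection attempts are constructed for illustration.

```python
"""Model of how a Windows 2000 RAS server decides whether to accept a connection.

Added example, not code from the page or from Microsoft. Policies, groups and
connection attempts below are constructed; only the condition attribute names
and the default policy name follow the Windows 2000 policy editor.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# The three choices on the account's Dial-in tab
ALLOW = "Allow access"
DENY = "Deny access"
CONTROL_BY_POLICY = "Control access through Remote Access Policy"


@dataclass
class Policy:
    name: str
    conditions: dict[str, set]          # all conditions must match
    grant: bool                         # Grant vs Deny remote access permission
    profile: dict = field(default_factory=dict)


@dataclass
class Attempt:
    user: str
    groups: set[str]
    weekday: int                        # 0 = Monday
    hour: int
    tunnel_type: str                    # "Dial-up", "PPTP" or "L2TP"
    auth_type: str                      # "PAP", "CHAP", "MS-CHAP", "MS-CHAP v2", "EAP"
    encryption: str                     # "None", "Basic" or "Strong"


def condition_matches(attr: str, allowed: set, a: Attempt) -> bool:
    if attr == "Windows-Groups":
        return bool(allowed & a.groups)
    if attr == "Day-And-Time-Restrictions":
        return (a.weekday, a.hour) in allowed
    if attr == "Tunnel-Type":
        return a.tunnel_type in allowed
    if attr == "Authentication-Type":
        return a.auth_type in allowed
    raise ValueError(f"unknown condition attribute {attr!r}")


def first_matching_policy(policies: list[Policy], a: Attempt) -> Policy | None:
    """Policies are tried in order; the first one whose conditions all match wins."""
    for p in policies:
        if all(condition_matches(attr, v, a) for attr, v in p.conditions.items()):
            return p
    return None


def profile_permits(profile: dict, a: Attempt) -> tuple[bool, str]:
    """Profile constraints (allowed authentication methods and encryption
    levels) apply even when the account itself says Allow access."""
    if "auth" in profile and a.auth_type not in profile["auth"]:
        return False, f"{a.auth_type} not permitted by profile"
    if "encryption" in profile and a.encryption not in profile["encryption"]:
        return False, f"{a.encryption} encryption not permitted by profile"
    return True, ""


def decide(dial_in_permission: str, policies: list[Policy], a: Attempt) -> tuple[bool, str]:
    if dial_in_permission == DENY:
        return False, "account: Deny access"
    policy = first_matching_policy(policies, a)
    if policy is None:
        return False, "rejected: no remote access policy matched"
    if dial_in_permission == CONTROL_BY_POLICY and not policy.grant:
        return False, f"policy '{policy.name}': Deny remote access permission"
    ok, why = profile_permits(policy.profile, a)
    if not ok:
        return False, f"policy '{policy.name}': {why}"
    return True, f"policy '{policy.name}'"


ANY_TIME = {(d, h) for d in range(7) for h in range(24)}
BUSINESS_HOURS = {(d, h) for d in range(5) for h in range(8, 18)}

# Constructed policy set. The last entry mirrors the policy Windows 2000 creates
# by default: it matches at any time and is set to Deny, so an account marked
# Allow access still gets in while accounts controlled by policy are refused.
POLICIES = [
    Policy("VPN users", {"Windows-Groups": {"VPN-Users"}, "Tunnel-Type": {"PPTP", "L2TP"}},
           grant=True, profile={"auth": {"MS-CHAP v2", "EAP"}, "encryption": {"Strong"}}),
    Policy("Dial-in staff, business hours",
           {"Windows-Groups": {"Dial-In-Staff"}, "Day-And-Time-Restrictions": BUSINESS_HOURS},
           grant=True, profile={"auth": {"MS-CHAP", "MS-CHAP v2", "EAP"}, "encryption": {"Basic", "Strong"}}),
    Policy("Allow access if dial-in permission is enabled",
           {"Day-And-Time-Restrictions": ANY_TIME}, grant=False),
]

if __name__ == "__main__":
    alice = Attempt("alice", {"VPN-Users"}, 2, 10, "PPTP", "MS-CHAP v2", "Strong")
    weak = Attempt("alice", {"VPN-Users"}, 2, 10, "PPTP", "PAP", "None")
    bob_sat = Attempt("bob", {"Dial-In-Staff"}, 5, 10, "Dial-up", "MS-CHAP v2", "Basic")
    for perm, a in [(CONTROL_BY_POLICY, alice), (CONTROL_BY_POLICY, weak),
                    (CONTROL_BY_POLICY, bob_sat), (ALLOW, bob_sat), (DENY, alice)]:
        print(f"{a.user:6} {perm:45} -> {decide(perm, POLICIES, a)}")
```

Two points the model makes visible: a client that can only offer PAP is refused by the profile even though the policy conditions match and the account allows access, and an account set to Allow access is admitted by the default policy even though that policy says Deny, because the account setting overrides the policy's permission but not its profile.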
Authentication Options
There are several authentication options that can be set in a remote access policy profile:

- Extensible Authentication Protocol (EAP): An authentication framework used by network clients that authenticate with special security devices such as smart cards and token cards, or with certificates; the actual method (for example, EAP-TLS) is negotiated inside EAP
- Challenge Handshake Authentication Protocol (CHAP): A standard, cross-platform challenge-response handshake for PPP. The server sends a random challenge and the client answers with an MD5 hash of the challenge and the password, so the password itself never crosses the line and a captured response cannot be replayed against a new challenge. The server must hold the password in a form it can read back (in Windows 2000, the account option to store the password using reversible encryption), and a captured challenge/response pair can still be tested offline against a dictionary of guesses.
- CHAP with Microsoft extensions (MS-CHAP): A Microsoft variant of CHAP that works from the Windows password hashes rather than a reversibly stored password, can negotiate encryption levels, and supplies the keys for the RC4-based MPPE encryption of the link. Version 1 has documented weaknesses (its response is derived from the weak LAN Manager hash) and should not be used where MS-CHAP v2 or EAP is available.
- CHAP with Microsoft extensions version 2 (MS-CHAP v2): An enhancement of MS-CHAP that authenticates in both directions (the client also verifies a response from the server), drops the LAN Manager hash, and uses separate encryption keys for each direction of the link; it is the preferred password-based method for VPNs
- Password Authentication Protocol (PAP): A plain-text password authentication protocol. The user name and password travel unencrypted in the PPP Authenticate-Request, so anyone who can read the link captures them; this is the lowest level of security for exchanging passwords via PPP
- Shiva Password Authentication Protocol (SPAP): A version of PAP used for authenticating remote access devices and network equipment manufactured by Shiva (later Intel Network Systems, Inc.). The password is obscured with reversible encryption, which offers more protection than PAP but less than a challenge-response method such as CHAP
Configuring Authentication
Figure 12-12 Configuring authentication
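To make the difference between the PAP and CHAP options concrete, here is an added example (not code from the page or from Microsoft) that builds a PAP Authenticate-Request as defined in RFC 1334 and the CHAP MD5 response as defined in RFC 1994, then examines both from a passive eavesdropper's position. The account name, password, challenge bytes and word list are constructed for illustration.

```python
"""PAP versus CHAP on a PPP link: what a passive eavesdropper gets.

Added example, not code from the page or from Microsoft. The PAP request
layout follows RFC 1334 and the CHAP response follows RFC 1994 section 4.1;
the account name, password, challenge and word list are constructed.
"""
from __future__ import annotations

import hashlib
import hmac
import os

USER = b"jsmith"                 # constructed account name
SECRET = b"winter2000"           # constructed (and deliberately weak) shared password


def pap_request(user: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request body: Peer-ID and Password, both in the clear."""
    return bytes([len(user)]) + user + bytes([len(password)]) + password


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP Response value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier: int, challenge: bytes, response: bytes, stored_secret: bytes) -> bool:
    """Server side: recompute and compare in constant time. The server needs the
    clear-text secret, which is why CHAP on Windows 2000 requires the account
    option 'Store password using reversible encryption'."""
    expected = chap_response(identifier, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


def password_on_the_wire(capture: bytes, guesses: list[bytes]) -> bytes | None:
    """Eavesdropper test 1: does any candidate password appear verbatim in the capture?"""
    return next((g for g in guesses if g in capture), None)


def offline_dictionary_attack(identifier: int, challenge: bytes, response: bytes,
                              wordlist: list[bytes]) -> bytes | None:
    """Eavesdropper test 2: a captured CHAP challenge/response pair can be tested
    against guesses offline, at MD5 speed, without ever contacting the server."""
    return next((w for w in wordlist if chap_response(identifier, w, challenge) == response), None)


def chap_round(identifier: int, challenge: bytes) -> dict:
    """One CHAP exchange, plus a replay of the captured response against a fresh
    challenge, which the server must reject."""
    response = chap_response(identifier, SECRET, challenge)
    return {
        "response": response,
        "accepted": chap_verify(identifier, challenge, response, SECRET),
        "replayed_response_accepted": chap_verify(identifier, os.urandom(16), response, SECRET),
    }


WORDLIST = [b"password", b"letmein", b"winter2000", b"summer2000"]   # constructed

if __name__ == "__main__":
    pap = pap_request(USER, SECRET)
    print("PAP capture leaks password:", password_on_the_wire(pap, WORDLIST))
    challenge = os.urandom(16)
    r = chap_round(7, challenge)
    print("CHAP accepted:", r["accepted"], "| replayed response accepted:", r["replayed_response_accepted"])
    print("CHAP response contains password:", password_on_the_wire(r["response"], WORDLIST))
    print("Offline guess from captured pair:", offline_dictionary_attack(7, challenge, r["response"], WORDLIST))
```

Run it and the contrast matches the slide's ranking: the PAP capture hands the password over directly, while the CHAP capture contains no password and cannot be replayed, yet a weak password still falls to an offline dictionary run against the captured pair. That residual risk, together with the reversible password storage CHAP demands on the server, is why MS-CHAP v2 or EAP is the better choice.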
Chapter Summary
- RAS and VPN servers enable remote clients, such as telecommuters, to reach a Windows 2000 Server network
- Remote access can be configured through many types of WAN connectivity, such as dial-up telephone lines, high-speed lines, Internet connections, and routers
- RAS and VPN servers are compatible with remote access protocols such as PPP, PPTP, and L2TP
- Manage RAS and VPN servers using remote access policies and profiles