Windows Sever 2003 System Administration Part 1


Windows Server 2003
RRAS Installation, Configuration, Management and Maintenance
林寶森
Routing and Remote Access
• Routing
– DHCP Relay Agent
– IGMP Router and Proxy
– NAT / Basic Firewall
– Open Shortest Path First (OSPF)
– RIP Version 2 for Internet Protocol
• Remote Access
– Dial-up
– VPN
How Dial-up Network Access Works
Dial-up networking is the process of a remote access client making a
temporary dial-up connection to a physical port on a remote access
server by using the service of a telecommunications provider.
[Diagram: Dial-up Client, Remote Access Server, Domain Controller]
1. The dial-up client calls the RA server.
2. The RA server answers the call.
3. The RA server authenticates and authorizes the client.
4. The RA server transfers data.
Connecting to a Virtual Private Network
[Diagram: a VPN Client on the Internet connects through a Tunnel to a VPN Server that has one network adapter connected to the Internet and one network adapter connected to the local (Corporate) network]
How a VPN Connection Works
A VPN extends the capabilities of a private network to
encompass links across shared or public networks, such as the
Internet, in a manner that emulates a point-to-point link.
[Diagram: VPN Client, Transit Network, VPN Server, Domain Controller]
1. The VPN client calls the VPN server.
2. The VPN server answers the call.
3. The VPN server authenticates and authorizes the client.
4. The VPN server transfers data.
Encryption Protocols for a VPN Connection
Category        Description
MPPE + PPTP     Employs user-level Point-to-Point Protocol (PPP) authentication methods and Microsoft Point-to-Point Encryption (MPPE) for data encryption
IPSec + L2TP    Employs user-level PPP authentication methods over a connection that is encrypted with IPSec
Recommended authentication method for VPN network access is L2TP/IPSec with certificates
Examples of Remote Access Server Using VPN
[Diagram: a Remote User connects to the Corp Net through a Remote Access Server; a Branch Office connects to another Branch Office through Remote Access Servers at each end]
Selecting a Tunneling Protocol
[Diagram: a Client reaches a Remote Resource Server on the private network through a Remote Access Server, over a secure tunnel across the existing network]
PPTP frame:
IP Header | GRE Header | PPP Header | Encrypted PPP Payload (IP Datagram, IPX Datagram)
L2TP/IPSec frame:
IP Header | IPSec ESP Header | UDP Header | L2TP Header | PPP Header | PPP Payload (IP Datagram, IPX Datagram) | IPSec ESP Trailer | IPSec Auth Trailer
In the L2TP/IPSec frame, the UDP header through the ESP trailer are encrypted by IPSec, and the ESP header through the ESP trailer are signed (the signature is carried in the Auth trailer).
Configuring Inbound Connections
[Screenshot: Routing and Remote Access console. Right-clicking the server node SERVERX (local) under Server Status offers: Configure and Enable Routing and Remote Access, Start Routing and Remote Access, Stop Routing and Remote Access, Remove Service, Save Configuration…, Load Configuration…, View, Refresh, Properties, Help]
Configuring a Remote Access Server
[Screenshot: Routing and Remote Access console, SERVERX (local) with the nodes Ports, Remote Access Clients, IP Routing and Remote Access Policies. The Ports node lists each port by Name, Device, Comment and Status:]
WAN Miniport (PPTP) (VPN3-0 through VPN3-4)   VPN        Inactive   (PPTP ports)
WAN Miniport (L2TP) (VPN2-0 through VPN2-4)   VPN        Inactive   (L2TP ports)
Direct Parallel (LPT1)                        PARALLEL   Inactive   (cable port)
Modem (COM 3)                                 MODEM      Inactive   (modem port)
Configuring a RRAS Port
[Screenshot: Ports Properties dialog, Devices tab: "Routing and Remote Access (RRAS) uses the devices listed below." Ports are grouped by type:]
Device                  Used By   Type       Number
WAN Miniport (PPTP)     Ras       PPTP       5
WAN Miniport (L2TP)     Ras       L2TP       5
Direct Parallel         None      Parallel   1
Configure… opens the Configure Device - WAN Miniport (PPTP) dialog:
"You can use this device for remote access requests or demand-dial connections."
Function of port: Remote access connections (inbound) / Demand-dial routing connections (inbound/outbound)
Phone number for this device: (if applicable)
"You can set a maximum port limit for a device that supports multiple ports."
Maximum ports: 5 (the number of virtual ports)
OK / Cancel
Configuring Server Properties
[Screenshot: LONDON (local) Properties dialog with the tabs General, Security, IP, PPP and Event Logging. IP tab:]
Enable IP routing
Allow IP-based remote access and demand-dial connections
IP address assignment. This server can assign IP addresses by using:
  Dynamic Host Configuration Protocol (DHCP)
  Static address pool (columns From, To, Number, IP Address, Mask; buttons Add…, Edit…, Remove)
Use the following adapter to obtain DHCP, DNS, and WINS addresses for dial-up clients.
Adapter: Corpnet
OK / Cancel / Apply
Bandwidth Allocation Protocol
[Diagram: a Remote Access Server with clients A, B and C]
Multilink without BAP: clients A and B hold the available ports, so client C cannot connect.
Multilink with BAP: the connection switches links on demand, so client C can connect.
What Is a Remote Access Policy?
A remote access policy is a named rule that consists of the following elements:
• Conditions. One or more attributes that are compared to the settings of the connection attempt.
• Remote access permission. If all conditions of a remote access policy are met, remote access permission is either granted or denied.
• Profile. A set of properties that are applied to a connection when it is authorized (either through the user account or policy permission settings).
Following Policy Evaluation Logic
[Flowchart: Connection → conditions → dial-in permission → profile → Allow or Deny]
1. RRAS matches the connection to the conditions of the remote access policy. If the conditions do not match: Deny.
2. RRAS checks the user's dial-in permission in Active Directory. Deny: the connection is denied. Allow: evaluation continues with the profile. Use Remote Access Policy: the remote access permission of the matching policy (Allow or Deny) applies.
3. RRAS matches the connection to the profile settings of the user account and the policy profile. If the connection does not satisfy the profile: Deny. Otherwise: Allow.
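The policy evaluation flow above, modelled as a small Python function. This is an added example, not code from the original slides; the policies, the account's dial-in setting and the connection attributes are constructed sample data, and the profile keys (require_encryption, ports) are hypothetical names.

```python
# Added example: RRAS-style remote access policy evaluation (constructed data).
def conditions_match(policy, connection):
    # Step 1: every condition of the policy must be met by the connection attempt.
    return all(connection.get(attr) in allowed
               for attr, allowed in policy["conditions"].items())

def profile_allows(profile, connection):
    # Step 3: the connection must satisfy the constraints of the profile.
    if profile.get("require_encryption") and not connection.get("encrypted"):
        return False
    if "ports" in profile and connection.get("nas_port_type") not in profile["ports"]:
        return False
    return True

def evaluate(policies, user_dialin, connection):
    """Return ('Allow' | 'Deny', reason). user_dialin is the account's dial-in
    permission: 'Allow', 'Deny' or 'Use Remote Access Policy'."""
    for policy in policies:
        if not conditions_match(policy, connection):
            continue                      # the first policy whose conditions match decides
        # Step 2: the account's dial-in permission is checked before the policy's.
        if user_dialin == "Deny":
            return "Deny", "user account dial-in permission is Deny"
        if user_dialin == "Use Remote Access Policy" and policy["permission"] == "Deny":
            return "Deny", f"policy '{policy['name']}' denies access"
        if not profile_allows(policy["profile"], connection):
            return "Deny", f"connection violates the profile of '{policy['name']}'"
        return "Allow", f"matched policy '{policy['name']}'"
    return "Deny", "no remote access policy matched the connection"

# Constructed sample policies, evaluated in order as RRAS does.
POLICIES = [
    {"name": "VPN users", "conditions": {"group": {"VPN-Users"}, "nas_port_type": {"Virtual"}},
     "permission": "Allow", "profile": {"require_encryption": True}},
    {"name": "Deny dial-up", "conditions": {"nas_port_type": {"Async"}},
     "permission": "Deny", "profile": {}},
]
# Constructed sample connection attempt: a VPN-Users member over an encrypted virtual port.
VPN_CONNECTION = {"group": "VPN-Users", "nas_port_type": "Virtual", "encrypted": True}
```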
User Account Dial-in Properties
Dial-in properties of a user account: Remote Access Permission, Verify Caller ID, Callback Options, Assign a Static IP Address, Apply Static Routes
Remote Access Policy Conditions
Condition attributes: IP Addresses, Caller IDs, NAS-Port Type, Authentication Type, Time of Day, User Groups
What Is a Remote Access Policy Profile?
Profile settings applied to the remote access user: Dial-in Constraints, IP Properties (IP Address Assignment, IP Filters), Multilink, Authentication, Encryption, Advanced Settings
Authenticating Remote Access Clients
Select        When Providing Encrypted Authentication
MS-CHAP       For Windows 95, Windows 98, or Windows NT 4.0
MS-CHAP V2    For Windows 2000, Windows XP, Windows Server 2003
EAP-TLS       By using a smart card, when the remote access clients are equipped with smart card readers
CHAP          For a mixture of operating systems (UNIX, Mac)
SPAP          For Shiva LAN Rover remote access clients
PAP           When no other protocol is supported
Extensible Authentication Protocols
• Allows the Client and Server to Negotiate the Authentication Method That They Will Use
• Supports Authentication by Using
– MD5-CHAP
– Transport Layer Security
– Additional third-party authentication methods
• Ensures Support of Future Authentication Methods Through an API
Remote Authentication Dial-In User Service
[Diagram: Client → RADIUS Client (forwards requests to the RADIUS server) → Internet → RADIUS Server (authenticates requests and stores accounting information)]
What Is RADIUS?
RADIUS is a widely deployed protocol, based on a client/server
model, that enables centralized authentication, authorization, and
accounting for network access
RADIUS is the standard for managing network access
for VPN, dial-up, and wireless networks
Use RADIUS to manage network access centrally across
many types of network access
RADIUS servers receive and process connection
requests or accounting messages from RADIUS clients
or proxies
What Is IAS?
IAS, a Windows Server 2003 component, is an industry-standard
compliant RADIUS server. IAS performs centralized authentication,
authorization, auditing, and accounting of connections for VPN, dial-up, and wireless connections.
You can configure IAS to support:
• Dial-up corporate access
• Extranet access for business partners
• Internet access
• Outsourced corporate access through service providers
[Diagram: RADIUS Server]
IAS as an Authentication Server
[Diagram: a Central Office running RRAS, IAS and a Windows Server 2003 Domain Controller, and a Remote Office running RRAS, connected through an ISP over the Internet. IAS holds the centralized remote access policies and acts as the authentication provider; the arrows mark RADIUS client and server connections]
How Centralized Authentication Works
[Diagram: Remote Access Client, Remote Access Server (RADIUS Client), RADIUS Server, Domain Controller]
1. The remote access client dials in to a local RADIUS client (the remote access server) to gain network connectivity.
2. The RADIUS client forwards requests to a RADIUS server.
3. The RADIUS server authenticates requests and stores accounting information.
4. The RADIUS server communicates to the RADIUS client to grant or deny access.
Wireless Solution Considerations
[Diagram: Wireless Client (Station) → Wireless Access Point. The access point reaches the IAS Server for authentication (backed by the Domain Controller) and the DHCP Server for address and name server allocation; the ports in use between them are shown]
Configuring an IAS Server
[Screenshot: Add RADIUS Client wizard, Client Information page: "Specify information regarding the client."]
Client address (IP or DNS): 192.168.1.200   Verify…   (use an IP address, if possible)
Client-Vendor: Microsoft   (select Microsoft if using Routing and Remote Access)
Shared secret: / Confirm shared secret:
Client must always send the signature attribute in the request
< Back / Finish / Cancel
Configuring a RRAS to Use RADIUS
[Screenshot: PHOENIX (local) Properties dialog, tabs General, Security, IP, PPP and Event Logging. Security tab: "The authentication provider validates credentials for remote access clients and demand-dial routers."]
Authentication provider: RADIUS Authentication   Configure…   (change to RADIUS Authentication)
Authentication Methods…
"The accounting provider maintains a log of connection requests and sessions."
Accounting provider: Windows Accounting   Configure…
Add RADIUS Server dialog (enter the server name):
Server name: Radius Server   Change…
Secret:
Time-out (seconds): 5
Initial score: 30
Port: 1812
Always use digital signatures
OK / Cancel / Apply
Routing and Remote Access Logging
Type of logging                                       Description
Event logging                                         Records remote access server errors, warnings, and other detailed information in the system event log
Local authentication and accounting logging           Tracks usage and authentication attempts on the local remote access server
RADIUS-based authentication and accounting logging    Tracks remote access usage and authentication attempts centrally on the RADIUS server
What Are Routing Interfaces?
A routing interface is an interface over which IP packets
are forwarded
Two types of routing interfaces:
LAN
Demand-dial
What is IP Routing?
• The Process of Sending Packets Through Routers to Other Networks
• A Routing Table Defines Paths to Other Networks
[Diagram: host 131.107.16.3 on network 131.107.16.0; a Router joins 131.107.16.0 (131.107.16.1), 131.107.8.0 (131.107.8.1) and 131.107.24.0 (131.107.24.1)]
Routing table of the host:
131.107.16.0    131.107.16.3
Default         131.107.16.1
Routing table of the router:
131.107.8.0     131.107.8.1
131.107.16.0    131.107.16.1
131.107.24.0    131.107.24.1
Build Routing Tables
[Diagram: Router A joins 131.107.8.0 (131.107.8.1) and 131.107.16.0 (131.107.16.2); Router B joins 131.107.16.0 (131.107.16.1) and 131.107.24.0 (131.107.24.1). Hosts 131.107.8.z use default gateway 131.107.8.1; hosts 131.107.24.z use default gateway 131.107.24.1; hosts 131.107.16.z sit on the network between the routers]
Routing Table A:
131.107.8.0     131.107.8.1
131.107.16.0    131.107.16.2
131.107.24.0    131.107.16.1
Routing Table B:
131.107.8.0     131.107.16.2
131.107.16.0    131.107.16.1
131.107.24.0    131.107.24.1
What Are Routing Tables?
A routing table is a series of entries called routes that contain
information about the location of the network IDs in the internetwork
Three types of routing table entries:
Host route
Network route
Default route
Dual ISP Solution
[Diagram: Router-1 links to ISP 1 and Router-2 links to ISP 2; each routing table carries two default routes]
First routing table:
0.0.0.0    Router-1    Metric 1
0.0.0.0    Router-2    Metric 2
Second routing table:
0.0.0.0    Router-1    Metric 2
0.0.0.0    Router-2    Metric 1
The default route with the lower metric is used; the other remains as a backup.
Example of Routing Table
[Diagram: a 10.7.1.0/24 subnet with the routers 10.7.1.1 (toward the rest of 10.X.X.X), 10.7.1.253 (toward 10.7.2.0/24 and 10.7.3.0/24) and 10.7.1.254 (toward the Internet)]
Routing table of a host on 10.7.1.0/24:
10.7.0.0/16        10.7.1.253
10.0.0.0/8         10.7.1.1
Default Gateway    10.7.1.254
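A routing table lookup in Python that follows the three entry types named above (host, network and default route) and the metric rule of the Dual ISP slide. This is an added example, not code from the original slides: the entries are constructed from the addresses on the Example of Routing Table slide, and the host route 10.7.3.10/32 and backup default gateway 10.7.1.250 are constructed values. It goes slightly beyond the slide by skipping a gateway that is known to be down, so the higher-metric default route takes over.

```python
# Added example: longest-prefix-match lookup with metric tie-break (constructed table).
import ipaddress

# (destination network, gateway, metric)
ROUTES = [
    ("10.7.3.10/32", "10.7.1.1",   1),  # host route (constructed server address)
    ("10.7.0.0/16",  "10.7.1.253", 1),  # network route, from the slide
    ("10.0.0.0/8",   "10.7.1.1",   1),  # network route, from the slide
    ("0.0.0.0/0",    "10.7.1.254", 1),  # default route, preferred, from the slide
    ("0.0.0.0/0",    "10.7.1.250", 2),  # default route, backup (constructed)
]

def route_type(network):
    """Classify an entry as the slides do: 'host', 'network' or 'default' route."""
    net = ipaddress.ip_network(network)
    if net.prefixlen == 0:
        return "default"
    return "host" if net.prefixlen == net.max_prefixlen else "network"

def lookup(routes, destination, down_gateways=()):
    """Return the gateway for `destination`, or None when no route matches.
    The longest matching prefix wins; equal prefixes are decided by the lowest
    metric; routes through a gateway listed in down_gateways are ignored."""
    dest = ipaddress.ip_address(destination)
    best_key, best_gateway = None, None
    for network, gateway, metric in routes:
        if gateway in down_gateways:
            continue                      # unusable route: gateway is unavailable
        net = ipaddress.ip_network(network)
        if dest not in net:
            continue
        key = (net.prefixlen, -metric)    # longer prefix first, then lower metric
        if best_key is None or key > best_key:
            best_key, best_gateway = key, gateway
    return best_gateway
```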
Configuring Static IP Routes
[Screenshot: Static Route dialog]
Interface: LondonRouter
Destination: 192.168.1.0
Network mask: 255.255.255.0
Gateway:
Metric: 1
Use this route to initiate demand-dial connections
OK / Cancel
Examining the Role of Demand-Dial Routing
[Diagram: a Corporate Intranet with RRAS 1 connected over the PSTN, ISDN, or Internet to RRAS 2 on a Remote Network]
Creating a Demand-Dial Interface
[Screenshot: Routing and Remote Access console, LONDON (local) with the nodes Remote Access Policies, Remote Access Logging, Routing Interfaces and IP Routing (General, Static Routes, RIP). Right-clicking Routing Interfaces offers New Demand-dial Interface…, New IP Tunnel…, Refresh, Help. The LAN and Demand Dial Interfaces list shows:]
Interface                Type        Status    Connection State
Loopback                 Loopback    Enabled   Connected
Local Area Connection    Dedicated   Enabled   Connected
Internal                 Internal    Enabled   Connected
Static vs. Dynamic IP Routing
• Static Routing
– Routers do not share routing information.
– Routing tables are built manually.
• Dynamic Routing
– Routers share routing information automatically.
– Routing tables are built dynamically.
– Requires a routing protocol, such as RIP or OSPF.
What Are Routing Protocols?
A routing protocol is a set of messages that routers use to determine the appropriate path to forward data
RIP                                            OSPF
Designed for small to medium-size networks     Designed for large to very large networks
Uses a routing table                           Uses a link-state database
Easier to configure and manage                 Complex to configure and manage
Does not scale well                            Operates efficiently in large networks
Routing and Routed Protocols
• Routing Protocols
– RIP, OSPF, EGP, BGP, HELLO…
– SAP (IPX/SPX), RTMP (AppleTalk)
• Routed Protocols
– TCP/IP, IPX/SPX, AppleTalk
What Is Packet Filtering?
Packet filtering specifies what type of traffic is allowed into and out of a router.
A packet filter is a TCP/IP configuration setting that is designed to allow or deny inbound or outbound packets.
[Diagram: a Router with an Inbound Filter and an Outbound Filter]
Use packet filtering to:
• Prevent access by unauthorized users
• Prevent access to resources
• Improve performance by preventing unnecessary packets from traveling over a slow connection
How Packet Filters Are Applied
[Diagram: a packet arriving at a Router that has an Inbound Exclusion Filter]
Packet component        Example
Source network          192.168.0.48
Destination network     192.168.0.32
Protocol                UDP
Filter component        Example
Source network          Any
Destination network     192.168.0.32
Protocol                UDP
Action: Drop
How filters are applied:
AND is used within a filter
OR is used between filters
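The filter rule above (AND within a filter, OR between filters) applied to sample packets in Python. This is an added example, not code from the original slides; the first filter is the one on the slide, the second filter and the packets are constructed, and the example also covers the other filter action RRAS offers (drop all packets except those that match a filter) alongside the exclusion action shown on the slide.

```python
# Added example: RRAS-style inbound packet filter evaluation (constructed data).
import ipaddress

def component_matches(rule_value, packet_value):
    # "Any" matches every value; an address with a mask matches a whole network.
    if rule_value == "Any":
        return True
    if "/" in rule_value:
        return ipaddress.ip_address(packet_value) in ipaddress.ip_network(rule_value)
    return rule_value == packet_value

def filter_matches(flt, packet):
    # AND within a filter: source, destination and protocol must all match.
    return all(component_matches(flt[c], packet[c])
               for c in ("source", "destination", "protocol"))

def apply_filters(filters, packet, action="exclude"):
    """Return 'Drop' or 'Forward'. OR between filters: one matching filter is enough.
    action='exclude': receive all packets except those matching a filter (the slide).
    action='include': drop all packets except those matching a filter."""
    matched = any(filter_matches(f, packet) for f in filters)
    if action == "exclude":
        return "Drop" if matched else "Forward"
    return "Forward" if matched else "Drop"

# Constructed inbound filter list; the first entry is the filter on the slide.
INBOUND_FILTERS = [
    {"source": "Any",        "destination": "192.168.0.32", "protocol": "UDP"},
    {"source": "10.0.0.0/8", "destination": "Any",          "protocol": "Any"},
]

# Constructed packet matching the slide's example values.
SLIDE_PACKET = {"source": "192.168.0.48", "destination": "192.168.0.32", "protocol": "UDP"}
```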
Configuring Network Address Translation
[Screenshot: Routing and Remote Access console, IP Routing node with General, Static Routes, IGMP and NAT. Right-clicking a node offers New Interface…, New Routing Protocol…, Show TCP/IP Information…, Show Multicast Forwarding Table…, Show Multicast Statistics…, View, Refresh, Export List…, Properties, Help]
Network Address Translation (NAT) Properties, tabs General, Translation, Address Assignment and Name Resolution. Address Assignment tab:
"The network address translator can automatically assign IP addresses to computers on the private network by using Dynamic Host Configuration Protocol (DHCP)."
Automatically assign IP addresses by using DHCP
IP address: 192.168.0.0
Mask: 255.255.255.0
Exclude…
OK / Cancel / Apply
What Is a DHCP Relay Agent?
A DHCP relay agent is a computer or router configured to listen for
DHCP/BOOTP broadcasts from DHCP clients and then relay those
messages to DHCP servers on different subnets.
[Diagram: clients on Subnet A and Subnet B broadcast DHCP requests; the DHCP Relay Agent forwards them as unicast across routers that are not RFC 1542 compliant to the DHCP Server]
DHCP Relay Agent Hop Count
The hop count threshold is the number of routers that the packet can
be transmitted through before being discarded
[Diagram: DHCP Relay Agent 1 → DHCP Relay Agent 2 → DHCP Server, Hop Count = 2]
DHCP Relay Agent Boot Threshold
The boot threshold is the length of time in seconds that the
DHCP Relay Agent will wait for a local DHCP server to
respond to client requests before forwarding the request
[Diagram: a DHCP Relay Agent with a Local DHCP Server and the remote DHCP Server 2 and DHCP Server 3; Boot Threshold = 10 seconds]
Including the IGMP Routing Protocol
[Diagram: a Routing and Remote Access-based router between the Private Network and the Internet. Its IGMP Router Mode interface faces the private network and accepts IGMP registrations; its IGMP Proxy Mode interface faces the Internet and carries the multicast traffic from a Multicast Mbone Server into the private network]