NW_WK8x - carrieclasses
Objectives
• Configure routing in Windows Server 2008
• Configure Routing and Remote Access Services in Windows Server 2008
• Network Address Translation
Configuring Routing in 2008
• Routing and Remote Access Services (RRAS)
– A Server Role service used to configure and manage network routing
– Recommended for use in small networks that require simple routing directions
– Not recommended for large and complex environments (use Cisco)
Configuring RRAS as a Router
• Routers
– Responsible for forwarding packets between subnets, or networks with differing IP addressing schemes
Working with Routing Tables
• Routing tables are composed of routes
• Routes
– Direct data traffic to its destination
• Routing tables
– A list of routes
– Can be managed in the RRAS console or from the command line using the route command
Configuring Routes
• Static Routing Limitations:
– Requires manual creation and management
– Requires reconfiguration if the network changes
– Used in small networks with fewer than 10 subnets
• Dynamic protocols
– Route traffic based on information they discover about remote networks from other routers
• Routing Information Protocol version 2 (RIPv2)
– Uses partner routers, or RIP neighbors, in determining the dynamic routes it can use for forwarding packets of data
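As an added example (not code from these slides, and not part of RRAS itself), the following Python shows how a router's table is assembled and consulted: static and directly connected routes first, then routes learned from RIPv2 neighbors with the hop count increased by one and the 16-hop "unreachable" metric discarded, and finally the longest-prefix lookup that decides where a packet is forwarded. All networks, neighbor addresses and advertisements are constructed sample values; the `route -p add` command in the comment is the Windows command-line equivalent of the static entry the slide refers to.

```python
import ipaddress

RIP_INFINITY = 16  # RIPv2 hop count meaning "unreachable" (RFC 2453)

# Constructed sample data: the router's own routes. The Windows equivalent of the
# persistent default route below would be:
#   route -p add 0.0.0.0 mask 0.0.0.0 203.0.113.1
STATIC_ROUTES = [
    # (destination network, next hop, metric, source)
    ("0.0.0.0/0",       "203.0.113.1", 1, "static"),     # default route toward the ISP
    ("192.168.10.0/24", "0.0.0.0",     0, "connected"),  # directly attached LAN
    ("10.0.0.0/24",     "0.0.0.0",     0, "connected"),  # directly attached link to RIP neighbors
]

# Constructed sample RIPv2 advertisements: neighbor address -> [(network, neighbor's hop count)]
RIP_ADVERTISEMENTS = {
    "10.0.0.2": [("172.16.0.0/16", 1), ("172.16.5.0/24", 2), ("192.168.20.0/24", 15)],
    "10.0.0.3": [("172.16.0.0/16", 3), ("192.168.30.0/24", 1)],
}


def build_routing_table(static_routes, rip_advertisements):
    """Merge static routes with RIP-learned routes, keeping the lowest metric per prefix."""
    table = {}
    for net, nexthop, metric, source in static_routes:
        table[ipaddress.ip_network(net)] = (nexthop, metric, source)
    for neighbor, advertised in rip_advertisements.items():
        for net, hops in advertised:
            metric = hops + 1  # one more hop to reach the network through this neighbor
            if metric >= RIP_INFINITY:
                continue  # 16 hops = unreachable; such routes are never installed
            prefix = ipaddress.ip_network(net)
            existing = table.get(prefix)
            if existing is None or metric < existing[1]:
                table[prefix] = (neighbor, metric, "rip")
    return table


def lookup(table, destination):
    """Longest-prefix match: the most specific route wins, regardless of its metric.

    Returns (prefix, (next hop, metric, source)) or None when no route matches.
    """
    addr = ipaddress.ip_address(destination)
    best = None
    for prefix, info in table.items():
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, info)
    return best


if __name__ == "__main__":
    table = build_routing_table(STATIC_ROUTES, RIP_ADVERTISEMENTS)
    for prefix, (nexthop, metric, source) in sorted(table.items(), key=lambda kv: kv[0].prefixlen, reverse=True):
        print(f"{str(prefix):18} via {nexthop:12} metric {metric} ({source})")
    for dst in ("172.16.5.7", "172.16.9.1", "192.168.20.5"):
        print(dst, "->", lookup(table, dst))
```

Note that 192.168.20.0/24 never enters the table (15 advertised hops plus one reaches RIP's infinity), so traffic for it falls through to the default route; and 172.16.5.7 uses the /24 via 10.0.0.2 even though the /16 has a lower metric, because prefix length is decided before metric.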
Configuring a DHCP Relay Agent
• DHCP relay agent
– Manages the communication between a network’s DHCP server and clients on subnets without a DHCP server
• With RRAS
– Network adapters are added and configured to listen for DHCP broadcast messages
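To make concrete what the relay agent does with a broadcast it hears, here is an added Python example (not from the slides or from RRAS) that performs the BOOTP relay step described in RFC 1542: it parses the fixed DHCP header, increments the hop counter, drops requests that have crossed too many relays, and fills in `giaddr` with the address of the interface the request arrived on when no earlier relay has set it, so the DHCP server knows which scope to allocate from and where to return the offer. The client MAC, transaction id and relay addresses are constructed sample values.

```python
import socket
import struct

# RFC 2131 fixed BOOTP header: op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr(16), sname(64), file(128) = 236 bytes
BOOTP_FIXED = "!BBBBIHH4s4s4s4s16s64s128s"
BOOTP_FIXED_LEN = struct.calcsize(BOOTP_FIXED)
MAX_HOPS = 16  # RFC 1542 suggests discarding requests whose hops field reaches this value
IDX_OP, IDX_HOPS, IDX_GIADDR = 0, 3, 10


def build_discover(xid, mac):
    """Constructed sample: a client's DHCPDISCOVER as broadcast on its own subnet."""
    zero4 = b"\x00" * 4
    fixed = struct.pack(
        BOOTP_FIXED, 1, 1, 6, 0, xid, 0, 0x8000,          # BOOTREQUEST, Ethernet, broadcast flag
        zero4, zero4, zero4, zero4,                       # ciaddr, yiaddr, siaddr, giaddr all zero
        mac.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128,
    )
    options = b"\x63\x82\x53\x63" + b"\x35\x01\x01" + b"\xff"  # magic cookie, Message Type=DISCOVER, end
    return fixed + options


def relay_to_server(packet, relay_interface_ip):
    """Rewrite a client broadcast the way a relay agent does before unicasting it to the DHCP server."""
    if len(packet) < BOOTP_FIXED_LEN:
        raise ValueError("truncated BOOTP packet")
    fields = list(struct.unpack(BOOTP_FIXED, packet[:BOOTP_FIXED_LEN]))
    if fields[IDX_OP] != 1:
        raise ValueError("only BOOTREQUEST packets are relayed toward the server")
    if fields[IDX_HOPS] >= MAX_HOPS:
        raise ValueError("hop limit reached; dropping (possible relay loop)")
    fields[IDX_HOPS] += 1
    if fields[IDX_GIADDR] == b"\x00\x00\x00\x00":
        # First relay on the path records the interface it heard the request on;
        # later relays must leave giaddr alone so the reply returns to the client's subnet.
        fields[IDX_GIADDR] = socket.inet_aton(relay_interface_ip)
    return struct.pack(BOOTP_FIXED, *fields) + packet[BOOTP_FIXED_LEN:]


def giaddr_of(packet):
    return socket.inet_ntoa(struct.unpack(BOOTP_FIXED, packet[:BOOTP_FIXED_LEN])[IDX_GIADDR])


def hops_of(packet):
    return struct.unpack(BOOTP_FIXED, packet[:BOOTP_FIXED_LEN])[IDX_HOPS]


if __name__ == "__main__":
    discover = build_discover(0x12345678, bytes.fromhex("0011223344aa"))
    relayed = relay_to_server(discover, "192.168.20.1")
    print("giaddr before relay:", giaddr_of(discover), "hops:", hops_of(discover))
    print("giaddr after relay: ", giaddr_of(relayed), "hops:", hops_of(relayed))
```

The options part of the packet is carried through untouched; only the header changes. The hop check is the defensive detail worth noticing: two relays pointing at each other would otherwise bounce the request forever.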
Configuring Dial-on-Demand Routing
• Demand-dial routing
– Allows a server to initiate a connection only when it receives data traffic bound for a remote network
– Can use dial-up networks instead of more expensive leased lines
Configuring Remote Access Services in Windows Server 2008
• Dial-up networking
– Connects remote users to their networks using a standard phone line
• Virtual Private Networks
– Allow client connections to your network from remote locations
– Work by creating a secure tunnel for transmitting data packets between two points
– VPN tunneling protocols: Point-to-Point Tunneling Protocol, Layer 2 Tunneling Protocol, Secure Socket Tunneling Protocol
VPN Remote Access
• Uses the Internet to transmit private information
• Encryption is used
• High speed and reduced maintenance
• Security risk presented by allowing access to network resources from the Internet
• Windows Server 2008 uses RRAS as a VPN server
• Remote computers are configured as VPN clients
Enable and Configure a VPN Server
Enabling packet filters should only be chosen if the server has multiple network cards, with the filtered card connected to the Internet and the unfiltered cards connected to VPN traffic
VPN Protocols
• PPTP and L2TP are supported by Windows Server 2003
• By default, 128 PPTP ports and 128 L2TP ports are available
– Can increase the number of ports, or
– Disable a protocol by setting the number of ports to zero
• PPTP is the most popular and can function through NAT
• L2TP requires IPSec to function
VPN Protocols (continued)
Configuring Remote Access Servers
• Control authentication and logging
• Specify whether or not the server is a router for IP, and if it allows IP-based remote access connections
• Enable broadcast name resolution
Authentication Methods
• Windows Server 2003 can use a number of different authentication methods:
– No Authentication
– Password Authentication Protocol
– Shiva Password Authentication Protocol
– Challenge Handshake Authentication Protocol
– Microsoft Challenge Handshake Authentication Protocol
– Microsoft Challenge Handshake Authentication Protocol version 2
– Extensible Authentication Protocol
• Server and client must support a common protocol to authenticate and connect
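The difference between the first two password methods in that list is easiest to see on the wire. The following added Python example (not from the slides or from Windows; it covers PAP and CHAP only, not the Microsoft variants) models both exchanges: PAP (RFC 1334) sends the password itself, while CHAP (RFC 1994) has the server issue a random challenge and the client answer with MD5 over identifier, secret and challenge, so a captured answer is useless against the next challenge. The user name and secret are constructed sample values.

```python
import hashlib
import hmac
import os

# Constructed sample credential store (not from the page). Note that CHAP needs the
# secret in recoverable form on the server side so it can recompute the response.
USER_DB = {"alice": "correct horse battery staple"}


# --- PAP: the client simply transmits its credentials ---
def pap_request(username, password):
    """What crosses the link: the password in the clear."""
    return {"user": username, "password": password}


def pap_verify(request):
    return USER_DB.get(request["user"]) == request["password"]


# --- CHAP: challenge/response, the secret itself never leaves the client ---
def chap_challenge():
    """Server side: a fresh identifier and random challenge for every attempt."""
    return {"identifier": os.urandom(1)[0], "challenge": os.urandom(16)}


def chap_response(identifier, challenge, secret):
    """Client side: MD5(Identifier || secret || challenge), as RFC 1994 specifies."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


def chap_verify(username, identifier, challenge, response):
    """Server side: recompute the expected response and compare in constant time."""
    secret = USER_DB.get(username)
    if secret is None:
        return False
    expected = chap_response(identifier, challenge, secret)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    print("PAP on the wire:", pap_request("alice", USER_DB["alice"]))
    ch = chap_challenge()
    resp = chap_response(ch["identifier"], ch["challenge"], USER_DB["alice"])
    print("CHAP on the wire:", {"user": "alice", "response": resp.hex()})
    print("CHAP accepted:", chap_verify("alice", ch["identifier"], ch["challenge"], resp))
    replay = chap_challenge()
    print("same response against a new challenge:", chap_verify("alice", replay["identifier"], replay["challenge"], resp))
```

Neither exchange protects the data that follows; that is the job of the tunnel protocol chosen on the previous slides. What CHAP buys over PAP is only that a passive observer of the link learns a one-time hash rather than the password.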
IP Address Management
• When dial-up and VPN clients connect to Windows Server 2003, they are assigned an IP address
• Options for DNS and WINS server are taken from the configuration of a specified interface on the remote access server
• Windows 2000 and newer clients can send a DHCPINFORM packet after a remote access connection has been established
IP Address Management (continued)
Notice: the client DNS option is taken from the RAS server, not the DHCP server
IP Address Management (continued)
The client DNS option is changed by DHCPINFORM packets to the DHCP server settings
Allowing Client Access
• By default on Windows Server 2003, none of the users are granted remote access permission
• Remote access permission is controlled by their user object
– If RRAS does not participate in Active Directory, the user object is stored in the local user account database
– If RRAS belongs to an Active Directory domain, the user object is stored in the Active Directory database located on the domain controller
Creating a VPN Client Connection
• Configure VPN clients on client machines, e.g. Win XP
• Windows Server 2003 can be configured as a VPN client
• Create VPN connections using the New Connection Wizard
Configuring a VPN Client Connection
• Most configuration is done with the New Connection Wizard
• You can:
– Configure the IP address of the VPN server to which you are connecting
– Configure whether or not an initial connection is created
– Configure dialing and redialing options
– Specify if password and data encryption are required
– Configure the network configuration for the VPN connection
– Configure an Internet connection firewall and Internet connection sharing
Remote Access Policies
• Control who is allowed to access remotely
• Depend on the domain’s functional level (mixed, 2000 native or 2003 native)
• Depend on the machine the user is connecting to
• To use remote access, you must understand:
– Remote access policy components
– Remote access policy evaluation
– Default remote access policies
Remote Access Policy Components
• Composed of conditions, remote access permissions, and a profile
– Conditions are criteria that must be met in order for a remote access policy to apply to a connection
– Remote access permission set in a remote access policy has only two options: Deny or Grant remote access permission
– The profile contains settings that are applied to a remote access connection if the conditions have been matched and permission has been allowed
Remote Access Policy Evaluation
• Evaluation of conditions follows the same process for mixed-mode and native-mode domains
• After a condition match has been found, the permissions of the user attempting the connection must be evaluated
• Even if remote access permission is granted, it does not guarantee that a remote connection will be successful, as some profile settings may interfere
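The three-stage evaluation on the last two slides (match a policy's conditions, check the user's permission, then apply the profile) is shown below as an added Python example, written for these notes rather than taken from the slides or from the RRAS/IAS code. The policy order, the user dial-in settings (named after the options on a user's Dial-in tab: Allow access, Deny access, Control access through Remote Access Policy) and the profile constraints are constructed sample values.

```python
from dataclasses import dataclass, field


@dataclass
class Connection:
    user: str
    group: str
    tunnel_type: str       # e.g. "PPTP", "L2TP"
    auth_protocol: str     # e.g. "PAP", "MS-CHAPv2", "EAP"
    hour: int              # local hour of the attempt


@dataclass
class Policy:
    name: str
    conditions: dict                              # attribute -> required value
    permission: str                               # "Grant" or "Deny"
    profile: dict = field(default_factory=dict)   # constraints applied after permission


# Constructed sample user objects: the remote access permission stored on each account.
USERS = {
    "alice": "Control access through Remote Access Policy",
    "bob": "Deny access",
    "carol": "Allow access",
}

# Constructed sample policies, evaluated in order; the last one mirrors the catch-all
# "Connections to other access servers" default, which denies everything it matches.
POLICIES = [
    Policy("VPN users over L2TP", {"group": "VPN-Users", "tunnel_type": "L2TP"}, "Grant",
           profile={"allowed_auth": {"MS-CHAPv2", "EAP"}, "allowed_hours": range(6, 22)}),
    Policy("Connections to other access servers", {}, "Deny"),
]


def matches(policy, conn):
    """All conditions must hold; a policy with no conditions matches every connection."""
    return all(getattr(conn, attr) == value for attr, value in policy.conditions.items())


def evaluate(conn, policies=POLICIES, users=USERS):
    """Return (accepted, reason) following the slide's order: policy match, user permission, profile."""
    policy = next((p for p in policies if matches(p, conn)), None)
    if policy is None:
        return False, "no policy matched"
    setting = users.get(conn.user)
    if setting is None:
        return False, "unknown user"
    if setting == "Deny access":
        return False, "user object denies remote access"
    if setting == "Control access through Remote Access Policy" and policy.permission != "Grant":
        return False, f"policy '{policy.name}' denies access"
    # Permission is granted (explicitly on the user, or by the policy); the profile can still reject.
    allowed_auth = policy.profile.get("allowed_auth")
    if allowed_auth and conn.auth_protocol not in allowed_auth:
        return False, f"profile requires one of {sorted(allowed_auth)}"
    hours = policy.profile.get("allowed_hours")
    if hours is not None and conn.hour not in hours:
        return False, "profile rejects connections at this hour"
    return True, f"accepted by policy '{policy.name}'"


if __name__ == "__main__":
    attempts = [
        Connection("alice", "VPN-Users", "L2TP", "MS-CHAPv2", 10),
        Connection("alice", "VPN-Users", "L2TP", "PAP", 10),       # permission granted, profile refuses
        Connection("alice", "VPN-Users", "PPTP", "MS-CHAPv2", 10), # falls through to the deny policy
        Connection("bob", "VPN-Users", "L2TP", "MS-CHAPv2", 10),   # user object wins
    ]
    for c in attempts:
        print(c.user, c.tunnel_type, c.auth_protocol, c.hour, "->", evaluate(c))
```

The second attempt is the case the slide warns about: permission is granted, yet the connection fails because the profile does not allow PAP. Note also that the first matching policy is the only one consulted; ordering the policies is part of the configuration.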
Remote Access Policy Evaluation (continued)
Default Remote Access Policies
• Created by Microsoft
• First default policy listed is named Connections to Microsoft Routing and Remote Access Server
• Second default policy is named Connections to other access servers
Troubleshooting Remote Access
• Providing remote access is very complex
• Most problems are due to software configuration errors introduced by users and administrators
• Best troubleshooting tools include:
– Log files
– Error messages
– Network Monitor
– Ipconfig
• Hardware errors can also cause problems
Software Configuration Errors
• Common software configuration errors:
– Incorrect phone numbers and IP addresses
– Incorrect authentication settings
– Incorrectly configured remote access policies
– Name resolution is not configured
– Clients receive incorrect IP options
• The fact that the remote access server leases 10 IP addresses from DHCP at startup is NOT an error
Hardware Errors
• Common hardware troubleshooting tips:
– Ensure hardware is on the Microsoft hardware compatibility list
– Use ping to determine if the address is reachable
– See if you can dial in to a different remote access server
– Ensure there is a link light on the network card
Troubleshooting Tools
• Ping utility is used to determine if a host is reachable
• Ipconfig utility is used to confirm that the correct IP settings are being delivered to the remote access client
• Network Monitor can be used to perform packet captures, which may provide further clues as to the cause of an error
• Logging
– Check the event log if RRAS is unable to start or is not performing as expected
– Can configure detailed connection logs
Network Address Translation
• Allows you to shield internal IP address ranges from public networks by allowing internal clients to access the Internet through a shared IP address
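How one shared address can serve many internal clients, and why the internal range stays hidden, is shown by this added Python model of port-based NAT (NAPT). It is written for these notes, not taken from the slides or from RRAS. Outbound packets get their private source replaced by the public address and a translator-chosen port; replies are mapped back through the same table; anything arriving from the Internet without a matching entry is dropped. The public and private addresses are constructed sample values.

```python
class Nat:
    """Port-based NAT: many private hosts share one public address."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # (private ip, private port, remote ip, remote port) -> public port
        self.outbound = {}
        # (public port, remote ip, remote port) -> (private ip, private port)
        self.inbound = {}

    def translate_outbound(self, pkt):
        """Packet from an internal client heading to the Internet."""
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        public_port = self.outbound.get(key)
        if public_port is None:
            # New flow: allocate a public port and remember both directions.
            public_port = self.next_port
            self.next_port += 1
            self.outbound[key] = public_port
            self.inbound[(public_port, pkt["dst"], pkt["dport"])] = (pkt["src"], pkt["sport"])
        # The private source address never appears outside; only public_ip:public_port does.
        return {**pkt, "src": self.public_ip, "sport": public_port}

    def translate_inbound(self, pkt):
        """Packet from the Internet. Returns the rewritten packet, or None if it must be dropped."""
        if pkt["dst"] != self.public_ip:
            return None
        mapping = self.inbound.get((pkt["dport"], pkt["src"], pkt["sport"]))
        if mapping is None:
            return None  # unsolicited: no internal client asked for this, so nothing is reachable
        private_ip, private_port = mapping
        return {**pkt, "dst": private_ip, "dport": private_port}


PUBLIC_IP = "203.0.113.5"  # constructed: the one address the Internet sees


def demo():
    """Two internal hosts use the same source port; the translator keeps them apart."""
    nat = Nat(PUBLIC_IP)
    a = nat.translate_outbound({"src": "192.168.1.10", "sport": 51000, "dst": "198.51.100.7", "dport": 443})
    b = nat.translate_outbound({"src": "192.168.1.11", "sport": 51000, "dst": "198.51.100.7", "dport": 443})
    reply_to_b = nat.translate_inbound({"src": "198.51.100.7", "sport": 443, "dst": PUBLIC_IP, "dport": b["sport"]})
    probe = nat.translate_inbound({"src": "198.51.100.9", "sport": 80, "dst": PUBLIC_IP, "dport": a["sport"]})
    return nat, a, b, reply_to_b, probe


if __name__ == "__main__":
    _, a, b, reply_to_b, probe = demo()
    print("host A as seen outside:", a)
    print("host B as seen outside:", b)
    print("reply delivered to:", reply_to_b)
    print("unsolicited inbound:", probe)
```

The `probe` case is the shielding the slide describes: an outside host that knows the public address still cannot reach an internal machine, because no inbound mapping exists until an internal client creates one.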
Introduction to Network Policy Server
• Network Policy Server (NPS)
– Role service that provides a framework for creating and enforcing network access policies for client health
– Can be used to:
• Configure a RADIUS server
• Configure a RADIUS proxy
• Configure and implement Network Access Protection (NAP)
Windows Server 2008 Editions and the NPS Console
• NPS Console
– Central utility for managing:
• RADIUS clients and remote RADIUS servers
• Network health and access policies
• NAP settings for NAP scenarios
• Logging settings