TNQ200-02
How To Design A Windows® 2000 Server Networking Infrastructure To Interoperate With Windows NT® Server 4.0
Tim Clark
Consultant
MCS – SoCal District
Microsoft Corporation
What You Will Learn Today
What connection sharing is
How to choose among VPN protocols: PPTP, L2TP/IPSEC, IPSEC Transport
How to use Active Directory to manage remote access users
How Active Directory handles authentication of Windows NT® 4.0 user accounts
How to implement Windows Load Balancing Services for increased performance and scalability
How to use QoS to deliver converged networking applications
Session Prerequisites
This is a level 200 session
This session assumes that you understand the fundamentals of:
TCP/IP
DHCP, DNS, WINS
Active Directory
MMC
PKI, Certificates, Public and Private Keys
Routing and Remote Access, PPP
Presentation Format
Five Customer Scenarios
How do I connect my small office to the Internet?
How do I stop my confidential data from being transmitted in clear text on my corporate network?
How do I control remote access to my network using user groups and the time of day?
How do I prioritize traffic on the network?
I need highly scalable and available IP Services that offer flexible administration!
Scenario Format
Each scenario looks at…
Problem statement - I have a problem, how do I solve it?
Here is my current environment
Why do I want Windows 2000?
How will Windows 2000 interoperate with my existing infrastructure?
Scenario 1
How do I connect my small office to the Internet?
Existing Environment
Windows NT 4.0 Servers, Windows NT 4.0 Workstations, Windows 95/98
The Answer: Windows 2000 Connection Sharing
Two types
Internet Connection Sharing (ICS)
Network Address Translation (NAT)
Both provide
DHCP, DNS, and WINS
Network Address Translation
Scenario 1 Diagram
Private network 192.168.0.x: Windows 95, Windows 98, Windows NT 4.0 Workstation, Windows NT 4 Server (any DHCP enabled OS)
Windows 2000 NAT Server with public address 211.18.44.7, connected to the Internet (www.microsoft.com)
Your entire network is seen as one IP address
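The Scenario 1 diagram shows one public address standing in for the whole private network. The following is an added example, not code from the session: a small port-overloading NAT table in Python using the diagram's addresses (211.18.44.7 public, 192.168.0.x private); the Internet host 198.51.100.10 and all port numbers are constructed. It also shows the side effect the slides do not spell out: an Internet host cannot reach a private machine unless that machine started the flow.

```python
import itertools

PUBLIC_IP = "211.18.44.7"      # the NAT server's public address from the diagram
PRIVATE_PREFIX = "192.168.0."  # the private range from the diagram


class NatTable:
    """Port-overloading NAT: every private host appears on the Internet as PUBLIC_IP."""

    def __init__(self, public_ip=PUBLIC_IP, first_port=1024):
        self.public_ip = public_ip
        self.next_port = itertools.count(first_port)   # next unused public port
        self.outbound_map = {}   # (priv_ip, priv_port, dst_ip, dst_port) -> public port
        self.inbound_map = {}    # (public port, dst_ip, dst_port) -> (priv_ip, priv_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate a packet leaving the private network; returns the new (src_ip, src_port)."""
        if not src_ip.startswith(PRIVATE_PREFIX):
            raise ValueError(f"{src_ip} is not on the private network")
        flow = (src_ip, src_port, dst_ip, dst_port)
        if flow not in self.outbound_map:            # first packet of a flow allocates a port
            port = next(self.next_port)
            self.outbound_map[flow] = port
            self.inbound_map[(port, dst_ip, dst_port)] = (src_ip, src_port)
        return self.public_ip, self.outbound_map[flow]

    def inbound(self, src_ip, src_port, dst_port):
        """Translate a packet arriving on the public interface back to the private host.
        Returns None when no private host started the flow, i.e. unsolicited traffic is dropped."""
        return self.inbound_map.get((dst_port, src_ip, src_port))
```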
Why Not Use Proxy Server?
If I do not have enough IP addresses for my network, then I need NAT
ICS offers a single click configuration of NAT, DHCP, DNS, WINS
Proxy Servers
Increased performance (caches data)
Accounting and Logging
Increased security (firewall functionality)
Tip – ICS is great for the Home Office connected to the Internet with cable modem or xDSL
Pop Quiz
When would you want to use Microsoft® Proxy Server instead of Windows 2000 Connection Sharing?
When the following is required:
Accounting
Logging
Greater Security
Increased Performance
Demo: Scenario 1
Purpose:
To show the installation and configuration of Windows 2000 Connection Sharing (NAT)
Demo: Scenario 1
Private Network Client IP settings
Scenario 2
How do I stop my confidential data from being transmitted in clear text on my corporate network?
Existing Environment
Windows NT 4.0 Master Accounts Domain and Resource Domain with Windows NT 4.0 and Windows 95/98 clients
Only a few clients access the confidential data that is located on a Windows NT 4.0 Server
Answer: Windows 2000 VPN Protocols
Internet Protocol Security (IPSEC)
Layer 2 Tunneling Protocol (L2TP)
Point to Point Tunneling Protocol (PPTP)
No Active Directory required!
IPSEC
Series of standards that support secured communications across an IP network
Two Protocols
Encapsulated Security Payload (ESP) provides encryption, integrity, authenticity
Authentication Header (AH) provides integrity and authenticity
Two modes
Transport – secures IP packet from source to destination (end-end)
Tunnel – encapsulates existing IP packets to be sent through the tunnel to the tunnel endpoint
Tunneling Basics
Not All VPNs Are Tunnels
Tunneling (a.k.a., encapsulation) is the process of delivering a payload across a transit internetwork
Diagram: tunnel endpoints at each side of the transit internetwork; a header is added to the packet to form the tunneled packet that crosses the tunnel
The original IP packet is encapsulated with an additional header which provides routing information
PPTP And L2TP
PPTP, Point to Point Tunneling Protocol, is an extension to PPP
It encapsulates PPP frames into IP packets for transmission over an IP network without a public key infrastructure
It also tunnels in pure IP networks
L2TP, Layer 2 Tunneling Protocol, is a combination of PPTP and Layer 2 Forwarding Protocol (L2F)
It encapsulates PPP frames to be sent over IP, X.25, Frame Relay, or ATM
Which VPN Protocol Should I Use?
Customer Profile     Simplicity / Low Cost     Advanced Security
Client-Gateway       PPTP                      L2TP/IPSec
Gateway-Gateway      PPTP                      L2TP/IPSec, IPSec Tunnel Mode
End-End              -                         IPSec Transport Mode
Pop Quiz: VPN Protocols
What are the key points of PPTP?
Secure Solution – username and password used for encryption key
Affordable – no need for public key infrastructure
What are the key points of L2TP/IPSEC?
Stronger security - uses certificates for authentication and keys
IPSEC – Policies And Rules
Each policy contains one or more rules
Rules govern how and when the policy is invoked
Rules have 5 components:
Connection Type
Authentication Method
IP Filter List
Filter Action
Tunnel Settings
Scenario 2 Diagram
Windows 2000 Finance Server, secured with NTFS, Share Permissions, and IPSEC
Clients: Windows NT 4.0, Windows 98, Windows 95, Windows 2000 Finance Client, Windows NT 4.0 Finance Client
Traffic labels: Encrypted data using IPSEC Transport Mode; Clear Text data
Demo: Scenario 2
Purpose:
To demonstrate interoperability of IPSEC policies with Windows NT 4.0
To create a Security Policy with the IPSEC Policy Manager MMC snap-in
This policy will enforce IPSEC ESP Transport Mode communications between the client and the server
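To make the "Policies And Rules" slide and the Scenario 2 policy concrete, here is an added Python model (not code from the session or from Windows 2000) of how a rule's five components decide what happens to one packet. The finance server address 10.1.1.5 and client subnet 10.1.2.0/24 are constructed; the assumption that a Windows NT 4.0 client has no IPsec support and is allowed to fall back to clear text, matching the diagram's clear-text label, is modelled by the allow_unsecured flag.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

def in_net(ip, net):
    return net == "any" or ip_address(ip) in ip_network(net)

@dataclass
class Filter:                 # one entry of a rule's IP Filter List
    src: str                  # CIDR or "any"
    dst: str
    protocol: str = "any"     # "tcp", "udp" or "any"
    def matches(self, src_ip, dst_ip, protocol):
        return in_net(src_ip, self.src) and in_net(dst_ip, self.dst) and self.protocol in ("any", protocol)

@dataclass
class Rule:                   # the five rule components from the slide
    connection_type: str      # "all", "lan" or "remote"
    authentication: str       # "kerberos", "certificate" or "preshared"
    filter_list: list
    filter_action: str        # "permit", "block" or "negotiate_esp"
    tunnel_endpoint: str = None     # None = transport mode; an address = tunnel mode
    allow_unsecured: bool = False   # let peers without IPsec talk in clear text (assumption)

@dataclass
class Policy:
    name: str
    rules: list
    def decide(self, src_ip, dst_ip, protocol="tcp", connection="lan", peer_ipsec=True):
        """Return (action, mode) for one packet; traffic matching no rule passes in clear."""
        for rule in self.rules:          # first rule whose filter list matches decides
            if rule.connection_type not in ("all", connection):
                continue
            if not any(f.matches(src_ip, dst_ip, protocol) for f in rule.filter_list):
                continue
            if rule.filter_action == "negotiate_esp" and not peer_ipsec:
                return ("permit", "clear") if rule.allow_unsecured else ("block", "none")
            return rule.filter_action, ("tunnel" if rule.tunnel_endpoint else "transport")
        return "permit", "clear"

# Constructed sample: server and client subnet addresses are assumptions, not from the session.
FINANCE_SERVER, FINANCE_CLIENTS = "10.1.1.5/32", "10.1.2.0/24"
finance_policy = Policy("Finance ESP transport", [
    Rule("all", "kerberos", [Filter(FINANCE_CLIENTS, FINANCE_SERVER), Filter(FINANCE_SERVER, FINANCE_CLIENTS)],
         "negotiate_esp", allow_unsecured=True),
])

def classify(src_ip, dst_ip, peer_ipsec=True):
    """Decision for finance traffic; peer_ipsec=False models a Windows NT 4.0 client with no IPsec."""
    return finance_policy.decide(src_ip, dst_ip, peer_ipsec=peer_ipsec)
```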
Scenario 3
How do I control remote access to my network using user groups and the time of day?
Existing Environment
Windows NT 4.0 Master Accounts Domain and Resource Domain with Windows NT 4.0 and Windows 95/98 clients
Windows NT 4.0 PPTP RAS Servers
Only the sales group should have remote access
The Answer: Windows 2000
Windows 2000 Routing and Remote Access Policies
Provides granular control of remote access
Will interoperate in the Windows NT 4.0 Domain immediately
Active Directory is not immediately needed!
3 RAP Administrative Models
Access by user
Permissions determined on a per-user basis by setting either Allow access or Deny access on the Dial-in tab of the user account
Most similar to Windows NT 4.0 admin style
Utilizes Default Policy as catch-all
Access by policy in mixed-mode
User Account = Allow access
Default Policy deleted
Separate Policies created based on need
Interoperable with Windows NT 4.0
Access by policy in native-mode
User Account = Control access through Remote Access Policy
Permission determined by the remote access policy setting
Pop Quiz: Remote Access Policies
If you inadvertently deleted the default remote access policy and there were no other policies, what would happen?
Remote access will be denied regardless of the user’s account dial-in access settings
Scenario 3 Diagram: Phase I
Windows 2000 server deployed as RRAS server
Same user access – nothing changed
Using Access-by-User admin model
Interoperability of Windows 2000 RRAS Server and Windows NT 4.0 RRAS Server
Diagram: Windows NT 4.0 and Windows 9x remote clients connect across the Internet to a Windows 2000 or Windows NT 4.0 RRAS Server on the corporate network
Scenario 3 Diagram: Phase II
Tighten Security using Group Policy
Switch to Admin-by-Policy model
Configure Remote Access Policies
Diagram: Windows NT 4.0 and Windows 9x remote clients connect across the Internet to the corporate RRAS Server, now ONLY Windows 2000; each attempt is checked: Is the user in the sales group? Is the attempt within the permitted time? If not: Connection Refused on Windows 2000 RRAS Server!
Scenario 3 Diagram: Phase III
Add Windows 2000 as remote users
Maintain Admin-by-Policy model
Enhanced security with L2TP/IPSEC
Interoperable with Windows NT 4.0 RRAS Server
Diagram: Windows NT 4.0 and Windows 9x remote clients use PPTP; Windows 2000 remote clients use L2TP/IPSEC or PPTP; both connect across the Internet to the Windows 2000 RRAS Server on the corporate network
Demo: Scenario 3
Purpose:
To show the interoperability of Windows 2000 with Windows NT 4.0 domains
To create a remote access policy using the RRAS MMC
This policy will
Permit remote access for only the Sales group
Deny remote access from 1 AM to 3 AM
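The three administrative models, the pop quiz about the deleted default policy, and the demo policy (Sales group only, no access from 1 AM to 3 AM) all follow from one evaluation order. This added Python model (not code from the session or from RRAS) walks it through: the first policy whose conditions match decides, the account's Dial-in setting overrides the policy's permission unless the account says "Control access through Remote Access Policy", and no policies at all means deny. User names and group names are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    groups: set
    dialin: str   # Dial-in tab: "allow", "deny" or "policy" (Control access through Remote Access Policy)

@dataclass
class RemoteAccessPolicy:
    name: str
    groups: set = field(default_factory=set)   # condition: member of any listed group (empty = anyone)
    denied_hours: range = range(0)             # condition: hours of day (0-23) in which the policy does not match
    permission: str = "grant"                  # the policy's own remote access permission: "grant" or "deny"

    def matches(self, user, hour):
        in_group = not self.groups or bool(user.groups & self.groups)
        return in_group and hour not in self.denied_hours

def evaluate(user, hour, policies):
    """Return (decision, policy name). Policies are tried in order and the first match is final;
    no policies, or no matching policy, denies the connection whatever the Dial-in tab says."""
    for policy in policies:
        if not policy.matches(user, hour):
            continue
        if user.dialin == "deny":            # explicit account deny always wins
            return "deny", policy.name
        if user.dialin == "allow":           # access-by-user: account setting overrides the policy
            return "grant", policy.name
        return policy.permission, policy.name   # access-by-policy: the policy decides
    return "deny", None

# Constructed sample reproducing the Scenario 3 demo policy and the default catch-all policy.
SALES_ONLY = RemoteAccessPolicy("Sales remote access", groups={"Sales"}, denied_hours=range(1, 3))
DEFAULT_POLICY = RemoteAccessPolicy("Allow access if dial-in permission is enabled")
```

Keeping DEFAULT_POLICY in the list reproduces the access-by-user model, where an account set to Allow gets in even outside the Sales policy; deleting it is what makes the Sales conditions binding, and deleting it with nothing else in place is the pop quiz outcome.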
Scenario 4
How do I prioritize traffic on the network?
Existing Environment
Windows NT 4.0 Master Accounts Domain and Resource Domain with Windows NT 4.0 and Windows 95/98 clients
Assorted network equipment
The Answer: Windows 2000
Windows 2000 implements Quality of Service (QoS), which guarantees network resources for an application or user
Does require QoS-enabled network devices, QoS aware applications and Active Directory
Scenario 4 Diagram
Network Bandwidth Guaranteed between Windows 2000 servers and Windows 2000 and Windows 98 clients
All devices (routers, NICs) must be QoS enabled
Diagram: a QoS-enabled network connecting Windows 2000 and Windows NT 4.0 Servers with Windows 2000 Professional, Windows 98, Windows NT 4.0 Workstation and Windows 95 clients; flows are labelled QoS traffic or Non-QoS traffic
Windows 2000 QoS
QoS Implementation
Admission Control Services (ACS)
Two functions of ACS
Policy-Based control of network resources using the Active Directory
Subnet Bandwidth Manager (SBM)
Admin Concerns
Policy Management
Enabled infrastructure
QoS enabled applications
Generic QoS API and the Traffic Control API
Tip – Plan your QoS network now since all devices will need to be QoS aware.
Policy-Based Admission Control Services (ACS)
Enforce bandwidth management:
Per user
Per group of users
Per computer
Policies can be based on flow requirements
ACS checks the Active Directory before granting resource requests
Demo: Scenario 4
Purpose:
To demonstrate that QoS will enhance the performance of network applications
Video
Scenario 5
I need highly scalable and available IP Services that offer flexible administration!
Existing Environment
Windows NT 4.0 IIS, Windows NT 4.0 PPTP servers, Web Farm
The Answer: Network Load Balancing (NLB)
Available today in Windows NT Server 4.0, Enterprise Edition, as Windows Load Balancing Service (WLBS)
Core part of Windows 2000 Advanced Server and Datacenter Server
Does not require Active Directory
NLB Product Definition
What NLB does:
Distributes incoming network connections among the servers
Up to 32 servers!
Load balances connections to scale performance
Detects failed hosts and automatically redistributes traffic (within 8 seconds)
Allows remote control from any Windows NT system
Diagram: Network Load Balancing – several NLB Hosts on an Ethernet LAN present one “Virtual” IP address to the network while each keeps its own separate IP address; provides reliability and performance gains
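The NLB slide states the outcome (one virtual IP, up to 32 hosts, failed hosts detected and traffic redistributed within 8 seconds) but not the mechanism. The following is an added, simplified Python model, not NLB's actual algorithm or any Microsoft code: every host applies the same deterministic hash to each incoming connection, so the owner of a connection is agreed without hosts forwarding traffic to each other, and a host that stops sending heartbeats drops out of the hash after a timeout. The heartbeat timeout, the virtual IP 203.0.113.10 and all client addresses are constructed; the "single" versus "none" affinity naming is an assumption.

```python
import hashlib

MAX_HOSTS = 32            # cluster size limit stated on the slide
FAILOVER_SECONDS = 8.0    # assumption: heartbeat silence after which a host is treated as failed,
                          # chosen to mirror the slide's "within 8 seconds"


class NlbCluster:
    """Simplified model: all hosts run the same hash, so no host forwards traffic to another."""

    def __init__(self, virtual_ip, hosts, affinity="single"):
        if not 0 < len(hosts) <= MAX_HOSTS:
            raise ValueError(f"NLB supports 1 to {MAX_HOSTS} hosts")
        self.virtual_ip = virtual_ip
        self.affinity = affinity              # "single": hash client IP; "none": hash IP and port
        self.last_heartbeat = {h: 0.0 for h in hosts}

    def heartbeat(self, host, now):
        self.last_heartbeat[host] = now

    def live_hosts(self, now):
        """Hosts heard from within the failover window, in a fixed order every host agrees on."""
        return sorted(h for h, t in self.last_heartbeat.items() if now - t < FAILOVER_SECONDS)

    def owner(self, client_ip, client_port, now):
        """Return the host that accepts this connection, or None if no host is alive."""
        live = self.live_hosts(now)
        if not live:
            return None
        key = client_ip if self.affinity == "single" else f"{client_ip}:{client_port}"
        digest = hashlib.sha256(key.encode()).digest()
        return live[int.from_bytes(digest[:4], "big") % len(live)]


def demo_failover():
    """Constructed scenario: three hosts, nlb3 stops sending heartbeats at t=10."""
    hosts = ["nlb1", "nlb2", "nlb3"]
    cluster = NlbCluster("203.0.113.10", hosts)                          # constructed virtual IP
    clients = [(f"198.51.100.{i}", 40000 + i) for i in range(1, 31)]    # constructed clients
    for t in range(20):
        for h in hosts:
            if not (h == "nlb3" and t >= 10):
                cluster.heartbeat(h, float(t))
    before = {c: cluster.owner(*c, now=9.0) for c in clients}    # all three hosts alive
    after = {c: cluster.owner(*c, now=19.0) for c in clients}    # nlb3 timed out, traffic moved
    return before, after
```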
Y2K Readiness for Windows 2000
Y2K Compliance Rating (All Languages): Will ship Compliant
Beta Product: Testing Ongoing
Known Y2K Issues: None
YEAR 2000 READINESS DISCLOSURE
Discussion
Session Credits
Author: Tim Clark
Producer/Editor: Jim Stuart
Product Manager: Edison Yu
Thanks to Our Microsoft Technical Field
personnel who reviewed this session:
Mike Coleman
Mark Buckley
Donna Reineck
Jim Fine
Lance Lillie
Roger Podwoski
For More Information
http://www.microsoft.com/technet/
Whitepapers
http://www.microsoft.com/windows/server/Technical/networking/
http://www.microsoft.com/ntserver/commserv/techdetails/
Microsoft Official Curriculum
www.microsoft.com/train_cert/win2kmoc
Course #1562 - Designing a Microsoft Windows 2000 Networking Services Infrastructure
Four-day course on the design, installation, and support of Microsoft Windows 2000 networking components for enterprise networks