Transcript Troubleshooting Remote Access Policies

Hands-On Microsoft
Windows Server 2003
Administration
Chapter 11
Administering Remote Access Services
Objectives
• Configure remote access and virtual private
network (VPN) connections
• Implement and troubleshoot remote access
policies
• Configure and troubleshoot network address
translation (NAT)
• Configure and troubleshoot Internet connection
sharing
• Configure and manage Terminal Services
2
Configuring Remote Access and
Virtual Private Network Connections
• Remote access server
– A computer running Windows Server 2003 and
the Routing and Remote Access Service (RRAS)
• RRAS authenticates remote or mobile users
• Options for providing a connection to a network
from a remote location
– Dial-up connections
– Virtual private network (VPN) connections
3
Configuring Remote Access and
Virtual Private Network Connections
(Continued)
• Dial-up connections
– Communication established via communication
networks such as a Public Switched Telephone
Network (PSTN)
– Point-to-Point Protocol (PPP)
• Enables remote access clients and servers to
communicate over a dial-up connection from any
operating system that supports the PPP standards
4
Configuring Remote Access and
Virtual Private Network Connections
(Continued)
• VPN
– Uses a LAN protocol and PPP, which are both
encapsulated within a VPN protocol, to send data
over a public network
– Common VPN protocols
• Point-to-Point Tunneling Protocol (PPTP)
• Layer 2 Tunneling Protocol (L2TP)
5
Configuring Remote Access and
Virtual Private Network Connections
(Continued)
• PPTP and L2TP are both used to establish a
secure tunnel between two endpoints over an
insecure network
6
Configuring Remote Access and
Virtual Private Network Connections
(Continued)
• Remote access is implemented on a Windows
Server 2003 system by configuring RRAS
• Primary tasks for providing remote access:
– Configure RRAS with the appropriate remote
access configuration
– Configure clients to connect to the RRAS server
– Configure user rights, security, and conditions to
successfully and securely connect to the RRAS
server
7
Configuring Dial-Up Connections
• Advantages of dial-up connections
– Wide availability
• Disadvantages of dial-up connections
– Slow speed
• 56-Kbps is the maximum connection speed using a
single phone line
– Unreliability
8
Configuring Dial-Up Connections
(Continued)
• To provide remote access to clients
– Configure the physical modem on the server to
which the clients connect
– Configure Windows Server 2003 as a remote
access server
• Once the dial-up server is installed, you may
want to
– Configure IP-addressing options
– Configure protocol options
– Configure remote access clients
9
Implementing Virtual Private
Network Access
• A VPN
– Can be created to
• Ensure that data communication over a public
network, such as the Internet, is secure
• Connect two LANs, forming a type of WAN
connection using the Internet as the backbone link
between two locations
– Can be created over any existing connection to
the Internet, such as
• Dial-up
• Cable modem
• Digital subscriber line (DSL)
10
Virtual private network (VPN)
11
Implementing Virtual Private
Network Access (Continued)
• To configure the client for VPN
– The VPN connection is configured as a new
network connection using the New Connection
Wizard
• To configure the server for VPN
– RRAS is used to configure the VPN server
12
Configuring Remote Access
Authentication
• Windows Authentication
– Used by default for client requests
• Remote authentication dial-in user service
(RADIUS) authentication
– Can be chosen in environments with a configured
RADIUS server
• Authentication protocols enabled on a Windows
Server 2003 RRAS system by default
– EAP
– MS-CHAP v2
– MS-CHAP
13
Configuring Remote Access
Authentication (Continued)
• Authentication protocols supported by Windows
.NET Server
–
–
–
–
–
–
MS-CHAP
MS-CHAP v2
CHAP
SPAP
PAP
EAP
• EAP-MD5
• EAP-TLS
• You also have the option of implementing
unauthenticated remote access
14
Configuring Encryption Protocols
• Encryption protocols
– Used to encrypt the data sent between a client
and an RAS server
• When using MS-CHAP (v1 or v2) or EAP, two
forms of encryption can be used
– Microsoft Point-to-Point Encryption (MPPE)
• Uses encryption keys varying in length from 40 bits
to 128 bits
• Used when IP security is not available
– IP Security (IPSec)
• Consists of a suite of cryptography-based
protection services and protocols that provide
machine-level authentication and data encryption
15
Configuring Encryption Protocols
(Continued)
• Encryption levels supported on an RRAS server
–
–
–
–
No Encryption
Basic
Strong
Strongest
16
Troubleshooting Remote Access
• Possible solutions to dial-up or VPN connection
problems
– Verify that all dial-up credentials such as user
name and password are correct
– Ensure that remote access is enabled on the
RRAS server
– Check to see that ports such as PPTP or L2TP
are enabled for inbound remote access
connections
– If attempting to connect to a VPN server using
L2TP, ensure that the client has a computer
certificate properly installed
17
Troubleshooting Remote Access
(Continued)
• Possible solutions to dial-up or VPN connection
problems (Continued)
– Ensure that the remote access server and remote
access client are configured with at least one
common authentication and encryption method
between the two
– Check the remote access policy to be sure that it
is configured to allow access
– Verify that there are enough addresses in the
static IP address range
18
Troubleshooting Remote Access
(Continued)
• Possible solutions to dial-up or VPN connection
problems (Continued)
– Ensure that a DHCP Relay Agent has been
configured
– Ensure that packet filters are not being used that
may restrict access
– Check to be sure that the network adapter that is
connected to the Internet is configured with a
static IP address
19
Implementing and Troubleshooting
Remote Access Policies
• To grant users the ability to dial into an RRAS
server, Windows Server 2003 uses both
– Dial-in properties of user accounts
– Remote access policies
• By default, all user accounts in an Active
Directory domain have the dial-in properties
configured to the Control Access through
Remote Access Policy setting
20
Elements of a Remote Access Policy
• A remote access policy consists of
– Conditions
• Attributes that are compared to a connection
attempt
– Permissions
• A combination of user account permissions as well
as those defined in the policy
– Profile
• Consists of settings such as dial-in constraints,
multilink properties, authentication protocols, and
encryption properties
• Each element of a remote access policy must be
evaluated before a user is allowed to dial in
21
Creating a Remote Access Policy
• When RRASs are installed, two default policies
are created
– Connections to Microsoft Routing and Remote
Access server
– Connections to other access servers
• Remote Access Policies container
– Found within the Routing and Remote Access
snap-in
– Lists all the remote access policies
– Can be used to
• Configure the order of policy processing
• Add, delete, or edit individual policies
22
Creating a Remote Access Policy
(Continued)
• Additional settings can be configured with the
default profile to further control which clients can
access the RRAS server
23
Troubleshooting Remote Access
Policies
• Possible solutions to problems with remote
access policies
– Verify that the connection attempt matches the
conditions of at least one remote access policy
– Check to be sure the user is not a member of any
groups that have been denied access
– Ensure that the user attempting to connect has
been granted permission to dial in either through
a user account property or through a remote
access policy
24
Troubleshooting Remote Access
Policies (Continued)
• Possible solutions to problems with remote
access policies (Continued)
– Verify dial-in settings configured for the user
account are not conflicting with those of the
remote access policy
– Verify that the connection attempt matches all of
the settings configured in the profile of the policy
25
Configuring and Troubleshooting
Network Address Translation
• Network address translation (NAT)
– Allows a group of computers to access the
Internet using a single Internet connection and a
single IP address
• Services provided by a computer running NAT
–
–
–
–
–
Address translation
IP addressing
Name resolution
Basic Firewall
Static Packet Filters
26
Installing NAT
• If RRAS is not already installed
– NAT can be configured by installing and enabling
RRAS
• If RRAS is already installed and configured
– NAT can be added to the server manually
• Routing and Remote Access snap-in
– Can be used to configure the NAT protocol
27
Configuring NAT
28
Troubleshooting NAT
• Possible problems and solutions
– If clients are not receiving IP addresses from the
NAT computer, verify that
• NAT addressing has been enabled
• There is no other DHCP server running on the
network
– If name resolution is not working for NAT clients,
check
• That name resolution has been enabled using the
Name Resolution tab in the NAT properties dialog
box
• The configuration of the NAT computer using the
ipconfig command to verify DNS settings
29
Troubleshooting NAT (Continued)
• Possible problems and solutions (Continued)
– If packets are not being properly translated, verify
• That both the Internet and LAN interface have
been added to the NAT protocol
• The range of IP addresses that has been
configured on the NAT computer
• That IP packet filtering is not preventing certain
Internet traffic from being sent and received
30
Configuring Internet Connection
Sharing
• Internet connection sharing (ICS)
– Provides all computers on a LAN with complete
access to Internet resources using a single public
IP address
– Provides the following for computers on the
internal network
• NAT services
• IP addressing
• Name resolution
31
Configuring Internet Connection
Sharing (Continued)
• After installing ICS on the computer connected
to the Internet
– The IP address of the internal network adapter is
automatically set to 192.168.0.1
– A simplified version of DHCP is installed, which
assigns internal clients an IP address (from the
network ID of 192.168.0.0/24)
– A DNS proxy service is installed to pass internal
DNS requests to the DNS server that the
computer running ICS is configured to use
32
Configuring Internet Connection
Sharing (Continued)
• ICS and NAT are both used to connect a small
or home office to the Internet
33
Enabling ICS
• Enabling ICS
– Relatively straightforward
– Does not require any configuration unless you
want to change the applications and services that
outside Internet users are able to access on an
internal private network
34
Configuring Internet Connection
Sharing for a dial-up connection
35
Troubleshooting ICS
• Techniques to troubleshoot common problems
– After ICS is installed, use the ipconfig command
to verify that the network adapter has been
assigned the IP address of 192.168.0.1 and the
subnet mask is 255.255.255.0
– If client computers are unable to connect to the
Internet
• Use the ipconfig command to verify that
– An IP address in the range of 192.168.0.2 through
192.168.0.254 has been assigned
– The subnet mask is 255.255.255.0
– The default gateway is set to 192.168.0.1
• Use the ping command to verify
– TCP/IP connectivity with the computer running ICS
36
Troubleshooting ICS (Continued)
• Techniques to troubleshoot common problems
(Continued)
– Verify that there is no DHCP server already
running on the network
– If clients are unable to access the Internet using
an FQDN, verify that the IP address of a DNS
server is configured in the TCP/IP properties of
the connection to the Internet
– If clients can only connect to the Internet after you
manually establish a connection, verify that
demand dialing is enabled on the ICS computer
37
Configuring Terminal Services and
Remote Desktop for Administration
• Terminal Services
– The ability of users to connect to a server for the
purpose of running applications
– Not installed unless explicitly added to a server
by an administrator
• Remote Desktop for Administration
– The ability of an administrator to connect to a
server for administration purposes
– Installed as part of Windows Server 2003, but
disabled by default
38
Enabling Remote Desktop for
Administration
• To enable Remote Desktop for Administration
– Only a single setting in the Control Panel System
program needs to be changed
• Permissions regarding connecting to a server
using Remote Desktop for Administration
– By default, only members of the Administrators
group are granted access
– Additional users can be granted access via the
System program
39
Enabling Remote Desktop for
Administration
40
Enabling Remote Desktop for
Administration (Continued)
• To connect to a server using Remote Desktop
for Administration
– Users must access the Remote Desktop
Connection software from their client system
41
Installing Terminal Services
• To install Terminal Services
– Use the Add/Remove Windows Components
section from within the Add or Remove Programs
applet found in Control Panel
• To set up an application server
– One Windows Server 2003 server on the network
must be configured as a Terminal Services
licensing server
42
Managing Terminal Services
• Primary tools used for Terminal Services
administration
– Terminal Services Manager
– Terminal Services Configuration
– Terminal Services Licensing
43
Managing Terminal Services
(Continued)
• Connection settings for a Terminal Server are
configured from the properties of a Terminal
Server connection object
44
Managing Terminal Services
(Continued)
• Authentication
– Can be set to use either no authentication or
standard Windows authentication when the
clients are Windows 95, 98, NT, or 2000
• Encryption options include
– Client Compatible
• All data sent from the client to the server is
encrypted using a key based on the maximum
strength supported on the client
– High
• Data sent from the client to the server and from the
server to the client is encrypted using the highest
encryption level available at the server
45
Terminal Services Client Software
• %Systemroot%\system32\clients\tsclient\win32
folder on the Terminal Server
– Contains the files necessary to install the Remote
Desktop Connection software that is used by
clients to connect to a Windows Server 2003
Terminal Server
• Installing applications
– When you install Windows Server 2003 Terminal
Server, applications need to be installed in a
compatible mode for multiple users to access
them simultaneously
46
Terminal Services Client Software
(Continued)
• Configuring Terminal Services User Properties
– Extra tabs added when Terminal Server is
installed
•
•
•
•
Terminal Services Profile
Remote control
Sessions
Environment
47
Summary
• Remote access server
– A computer running Windows Server 2003 with
Routing and Remote Access Services installed
and enabled
– Authenticates remote and mobile users, providing
a gateway to internal network resources
• Remote access solutions include dial-up,VPN,
and NAT
• Each RAS server can be configured using the
Routing and Remote Access console
• Windows .NET Server supports two VPN
protocols: PPTP and L2TP
48
Summary (Continued)
• Authentication and encryption protocols can be
used to secure communications between the
RAS server and a dial-up client
• Authentication protocols supported by Windows
.NET Server
– MS-CHAP v1 and v2, CHAP, SPAP, PAP, and
EAP
• Dial-in access can be controlled through user
account properties and Remote Access policies
• Remote Access policies consist of conditions,
permissions, and profiles
49
Summary (Continued)
• Network address translation (NAT) and Internet
connection sharing (ICS)
– Provide a way of connecting computers in a small
or home office to the Internet using a single
connection
• Terminal Server
– Enables clients to access applications on a
terminal server
• Remote Desktop for Administrators
– Gives administrators the ability to remotely
administer network servers
50