MCSE 05 Implementing of a Network Infrastructure 10 Theory


  • 8/6/2019 MCSE 05 Implementing of a Network Infrastructure 10 Theory

    ADVANTAGE PRO Chennai's Premier Networking Training Center

    Routing and Remote Access

    What is Routing and Remote Access?

      • Successor to Windows NT 4.0 Remote Access Service (RAS)
      • Add-on feature for Windows NT 4.0, also called Routing and Remote Access (RRAS)
      • High performance service that allows one computer to handle remote users through dial-up or VPN, routing between branch offices, routing to the Internet, and routing between network segments

    Configuring an RRAS Server

      • Open the Routing and Remote Access tool from Administrative Tools
      • Right-click on your server name to run the wizard

    Internet Connection Server

      • This option walks you through setting up Network Address Translation
      • If you are not in a domain, it will ask if you want to set up simple ICS instead
      • Allows you to create a demand dial connection to your ISP
      • Asks if you want to set up the DHCP Allocator and DNS Proxy

    Address Pool

      • Configured after the wizard
      • Properties of external network interface

    Special Ports

      • Configured after wizard
      • Properties of external network interface
      • Port to IP mapping: FTP server, WWW server

    Remote Access Server

      • This option helps configure a RAS server
      • If you are not in a domain, it will ask if you want to set up simple incoming connections instead
      • Allows you to select how you want to handle IP address assignment
      • Asks if you want to use a RADIUS server for authentication (IAS)

    Remote Access Server

      • It will set up all modem and ISDN devices for dial-in, and also five PPTP and five L2TP connections (you can add more later)
      • Configures DHCP relay agent automatically so RAS clients will use DHCP inform
      • Configures IGMP so RAS clients can run multicast applications over their connection
      • Configures a default Remote Access Policy

    Virtual Private Network Server

      • This option helps configure a VPN server
      • Asks similar questions to RAS server setup
      • Asks which interface is your Internet connection
      • Must have an Internet connection through a network card
      • Will not work if you have only one network card in the computer

    Virtual Private Network Server

      • Configures 128 PPTP and 128 L2TP connections (you can change this later)
      • Configures DHCP Relay, IGMP, and RAS policies just like RAS server
      • Configures IP filters on the selected Internet interface so it accepts only PPTP and L2TP connections

    Network Router

      • Configures a basic IP or IPX network router
      • Allows you to configure for demand-dial connections
      • You must add and configure routing protocols later (IGMP, NAT, DHCP, RIP, OSPF)

    Manually Configured Server

      • Use this option if you just want to start RRAS with default options
      • Routing for LAN and demand-dial is turned on
      • RAS server with default settings is installed
      • Configures DHCP Relay, IGMP, and RAS policies, just like RAS server
      • Configures for five PPTP and five L2TP connections

    Important to Remember

      • After you have run the RRAS wizard and configured your server, you can still change it later
      • You can easily make a VPN-only server a RAS server or router later on by removing the IP filters
      • You can add additional routing protocols after you are configured for NAT

    Remote Access Server

    Troubleshooting Common Issues

      • General issues
      • VPN/routing issues
      • NAT issues

    General Issues

      • Manually configured server
      • Remote registry service
      • DOD static route
      • Browsing

    VPN/Routing Issues

      • Firewalls/routers must allow GRE traffic on port 1723
      • Use the same IP scheme as the local network for RRAS
      • PPP logging - Q234014

    VPN/Routing Issues

      • Set adapter to use internal interface

    Troubleshooting NAT

      • NAT address assignment and name resolution

    Troubleshooting NAT

      • Internet connection sharing cannot be used in conjunction with NAT
      • Public and private interface
      • Obvious but common: be sure the adapters selected are correct

    Microsoft IAS RADIUS Server: Features and Advantages

    Objectives

      • Understand the features and benefits of Microsoft's Remote Authentication Dial-In User Service (RADIUS) server: Internet Authentication Service (IAS)

    Agenda

      • Introduction
      • Overview of the features of IAS
      • Benefits of IAS
      • Conclusion

    Introduction

      • RADIUS definition
      • Availability in Microsoft Windows 2000 Server and Microsoft Windows Server 2003
      • Interoperable through standards

    Introduction

      • Allow or deny network access
      • Specify restrictions for permitted connections
      • Securely transfer keys used for data encryption
      • Collect connection accounting and auditing information
      • Federated control of network connection
      • Network access control
      • Any gateway to any database
      • Single identity to any network

    [Diagram labels: Client, Gateway, RADIUS, 3Com, User Database]

    Features

      • Policy-based access
      • Different authentication protocols
      • Accounting
      • Extensibility
      • RADIUS proxy
      • Command-line configuration

    Features

    Features 1 - Policy-Based Access

      • Access control evolved through releases.
      • Windows NT 4.0 Server: User properties.
      • Windows 2000/Windows Server 2003: User properties and remote access policies.
      • Policies are evaluated against connections.
      • Policy restriction settings are applied to authorized connections.
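
    The policy-based access model on this slide, as an added example that is not part of the original deck: a simplified Python model of how user properties and remote access policies combine into one decision. It goes beyond the slide by assuming IAS's documented first-match policy ordering; the policy names, attribute keys and the `evaluate` function are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Policy:
    name: str
    conditions: dict                  # attribute -> set of values that match
    grant: bool                       # policy permission: grant or deny access
    allowed_auth: set = field(default_factory=set)   # profile: accepted auth methods
    session_timeout_min: Optional[int] = None        # profile: restriction to apply

def evaluate(policies, user_dialin, attempt):
    """Return (decision, policy_name, restrictions) for one connection attempt.

    user_dialin models the user-property setting: "allow", "deny" or "policy".
    """
    # 1. Only the first policy whose conditions all match is consulted.
    matched = next((p for p in policies
                    if all(attempt.get(k) in v for k, v in p.conditions.items())),
                   None)
    if matched is None:
        return ("reject", None, {})
    # 2. User properties can deny outright or defer to the policy permission.
    if user_dialin == "deny":
        return ("reject", matched.name, {})
    if user_dialin == "policy" and not matched.grant:
        return ("reject", matched.name, {})
    # 3. Profile constraints still bind an otherwise authorized connection.
    if attempt.get("auth") not in matched.allowed_auth:
        return ("reject", matched.name, {})
    return ("accept", matched.name,
            {"session_timeout_min": matched.session_timeout_min})

# Constructed sample policies, listed in evaluation order.
POLICIES = [
    Policy("VPN admins", {"group": {"Admins"}, "medium": {"vpn"}},
           grant=True, allowed_auth={"MS-CHAPv2", "EAP-TLS"},
           session_timeout_min=60),
    Policy("Dial-up staff", {"group": {"Staff"}, "medium": {"dialup"}},
           grant=True, allowed_auth={"MS-CHAPv2"}),
    # No conditions: matches anything the earlier policies did not.
    Policy("Catch-all", {}, grant=False, allowed_auth={"MS-CHAPv2"}),
]

if __name__ == "__main__":
    # Constructed connection attempts: (user dial-in setting, attributes).
    samples = [
        ("policy", {"group": "Admins", "medium": "vpn", "auth": "EAP-TLS"}),
        ("policy", {"group": "Admins", "medium": "vpn", "auth": "PAP"}),
        ("policy", {"group": "Guests", "medium": "vpn", "auth": "MS-CHAPv2"}),
        ("allow", {"group": "Guests", "medium": "vpn", "auth": "MS-CHAPv2"}),
    ]
    for dialin, attempt in samples:
        print(dialin, attempt, "->", evaluate(POLICIES, dialin, attempt))
```

    The second sample is rejected by the "VPN admins" profile and never falls through to a later policy, which is why a permissive policy placed below a restrictive one does not widen access.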

    Features 1 - Policy-Based Access

    Features 2 - Different Authentication Protocols

      • Password based:
      • 802.1x: Protected Extensible Authentication Protocol-Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MSCHAPv2)
      • Dial-up connection and virtual private network (VPN): MSCHAPv2 (also supports previous protocols: PAP, CHAP, MSCHAPv1)

      • Ability to change passwords (MSCHAP family of protocols)
      • EAP-MD5
      • Certificates and smart cards: Extensible Authentication Protocol-Transport Layer Security (EAP-TLS)
      • Token cards: EAP-SecureID
      • Other: third-party EAP

    Features 2 - Different Authentication Protocols

    Features 3 - Accounting

      • Three modes of logging:
      • Log files
      • SQL Server (Windows Server 2003)
      • Event viewer

    Features 3 - Accounting

    Features 4 - Extensibility

      • Extensible authentication infrastructure
      • EAP software development kit (SDK): Write authentication protocols
      • Internet Authentication Service
      • IAS SDK: Write RADIUS extensions for authentication, authorization, and logging
      • IAS SDO: API to configure IAS

    Features 5 - RADIUS Proxy

      • RADIUS proxy available on Windows Server 2003.
      • Requests can be routed to a different RADIUS server based on specific criteria.
      • Load balancing and fail-over.

    Features 5 - RADIUS Proxy

    Features 6 - Command-Line Configuration

      • Netsh aaaa:
      • Easy to use
      • Save, copy, restore all or detailed IAS configuration

    Benefits

      • Integrated identity management
      • Single authentication model for all network entry points: wired, wireless, VPN, or dial-up
      • Industry leading
      • EAP, Protected-EAP
      • Flexible access policy
      • XML SQL logging

      • Standards based (RADIUS, EAP, Protected-EAP)
      • 1-factor or 2-factor authentication
      • Passwords, certificates, or smart cards
      • Third-party plug-ins: Security Dynamics
      • Extensible platform
      • Split authentication: authenticate remotely, authorize locally

    Benefits

      • Works with Active Directory
      • Low cost of ownership

    ALL THE BEST