Managing Remote Access

As with most server roles, after a remote access server has been configured, you will most likely need to manage it, whether through configuration changes or day-to-day management tasks. The following section discusses some of the topics that pertain to managing a remote access server.

Managing Packet Filters

Packet filtering enables an administrator to specify the type of inbound and outbound traffic that is allowed to pass through a Windows Server 2003 router. When configuring packet filters, you can allow all traffic except traffic prohibited by filters. Or, you can deny all traffic except traffic that is allowed by filters.

Packet filters can be created and configured through the RRAS console by performing the following steps:

  1. Within the Routing and Remote Access console, expand the IP Routing container listed under your remote access server.

  2. Select the General container and, within the Details pane, right-click the interface for which you want to configure packet filtering; click Properties.

  3. From the General tab, select either Inbound Filters or Outbound Filters.

  4. From the Inbound or Outbound Filters dialog box, click New. Specify the settings for the IP filter. Click OK.

  5. Specify the action for the new packet filter. Click OK.

After a packet filter is created, it can be edited at any time by selecting the filter from the list and clicking the Edit button.

Manage Routing and Remote Access Routing Interfaces

Two types of demand-dial connections can be created for routing: on-demand connections and persistent connections. With on-demand connections, a connection with the remote router is established only when necessary. A connection is established to route information and is terminated when the link is not in use. The benefit of this connection is the cost savings associated with not using a dedicated link. With persistent connections, the link does not need to be terminated. Even when it is not in use, it remains open. Connections between network routers can be one-way or two-way initiated, meaning that a connection can be initiated by only one router or by both routers. With one-way initiated connections, one router is designated as the answering router and the other is designated as the calling router, which is responsible for initiating any connections.

Tip: To enable routing, right-click the remote access server and click Properties. On the General tab, select the Router option.


Creating a One-Way Demand-Dial Interface

Demand-dial connections can be created within the Routing and Remote Access snap-in. How you configure the connection depends on whether you are configuring a one-way or two-way initiated connection. To create a demand-dial interface on the calling router, perform the following steps:

  1. Right-click Network Interfaces within the RRAS console and click New Demand-Dial Interface. This launches the Demand-Dial Interface Wizard. Click Next.

  2. Type a name for the interface. Click Next. Select the connection type. Click Next. Select the device that is used for making the connection. Click Next.

  3. Type in the phone number of the remote server you are dialing. Click Next.

  4. From the Protocols and Security window (see Figure 5.14), select the necessary options from the list that follows:

    • Route IP Packets on This Interface

    • Add a User Account So a Remote User Can Dial In

    • Send a Plain-Text Password If That Is the Only Way to Connect

    • Use Scripting to Complete the Connection with the Remote Router

    Figure 5.14. Configuring demand-dial protocols and security.


  5. Configure a static route to the remote network. Click Next.

  6. From the Dial Out Credentials window, specify the username and password that the dial-out router will use to connect to the remote router (see Figure 5.15). Click Next.

    Figure 5.15. Configuring dial-out credentials.


  7. Click Finish.

Tip: Before you attempt to create a new demand-dial interface, make sure the router is enabled for LAN and demand-dial routing rather than as a LAN-only router. You can enable this option by right-clicking the RRAS server and choosing Properties. From the General tab, select LAN and Demand-Dial Routing.


The answering router also needs to be configured for one-way demand-dial connections. A user account must be created on the answering router with dial-in permissions and the appropriate policy permissions. The user account is used to authenticate connections from the calling routers. A static route can then be configured on the user account. Also make sure when creating a user account that the Password Never Expires option is selected and the User Must Change Password at Next Logon option is not selected.

Alert: When configuring the calling router, make sure that the dial-out credentials match the user account name configured on the answering router.


Creating a Two-Way Demand-Dial Interface

Creating a two-way demand-dial connection is similar to configuring a one-way connection, but there are a few distinct differences. A demand-dial interface is created on each RRAS server using the process outlined previously to create a one-way demand-dial connection. You must assign a name to the interface and specify the phone number to dial, the device to be used, the protocol and security settings, and the dial-out credentials. You must also configure a user account, with the appropriate remote access permissions, on each RRAS server. Keep in mind that the user account name must be identical to the name assigned to the demand-dial interface of the calling router. Finally, you must configure a static route using the demand-dial interface.

Alert: Remember when you are configuring two-way demand dialing that the user account names on the answering router must be identical to the demand-dial interface names on the calling routers.


Configuring a Demand-Dial Connection

When a demand-dial connection has been created, you can configure it further using the Properties window for the connection. From the Options tab (see Figure 5.16), configure the connection type: either demand dial or persistent. You can also set the dialing policy by specifying the number of times that the calling router should redial if there is no answer and by specifying the interval between redial attempts.

Figure 5.16. Using the Options tab to configure a connection type.


The Security tab enables you to configure the security options for the dial-out connection (see Figure 5.17). This configuration includes whether unsecured passwords are permitted, whether the connection requires data encryption, and whether a script will be run after dialing.

Figure 5.17. Configuring security options via the Security tab.


As shown in Figure 5.18, the Networking tab is used to configure the type of dial server you use and the different network components that the connection uses.

Figure 5.18. Configuring network settings for a demand-dial connection.


You can make several other configurations to a demand-dial interface. Demand-dial filtering enables you to control the type of IP traffic that can initiate a connection. You can allow or deny a connection based on the type of IP traffic. For example, you might want only Web and FTP traffic to initiate the demand-dial connection. Dial-out hours determine the times of day that a connection can be initiated. This enables an administrator to control when the demand-dial connection is used.
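The two filter actions described under Managing Packet Filters, and the demand-dial filtering described above, use the same filter list and differ only in what a match means. The following Python model is an added example, not RRAS code or code from the book; the Filter fields, the addresses and the 10.2.0.0/16 remote network are constructed for illustration.

```python
# Added illustration: a model of RRAS-style filter evaluation, not RRAS code.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Filter:
    """One filter row: source/destination network, protocol, destination port."""
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"               # "tcp", "udp", "icmp" or "any"
    dst_port: Optional[int] = None   # None means any port

    def matches(self, pkt: dict) -> bool:
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and self.proto in ("any", pkt["proto"])
                and self.dst_port in (None, pkt.get("dst_port")))

def passes(pkt: dict, filters: list, listed_means_allow: bool) -> bool:
    """listed_means_allow=True : deny all traffic except what a filter allows.
    listed_means_allow=False: allow all traffic except what a filter prohibits."""
    hit = any(f.matches(pkt) for f in filters)
    return hit if listed_means_allow else not hit

# Constructed policy: only Web (TCP 80) and FTP control (TCP 21) traffic to
# the remote network may initiate the demand-dial connection.
DIAL_FILTERS = [
    Filter(dst="10.2.0.0/16", proto="tcp", dst_port=80),
    Filter(dst="10.2.0.0/16", proto="tcp", dst_port=21),
]

SAMPLE_PACKETS = [  # constructed packets: Web, FTP, DNS, ping
    {"src": "10.1.0.5", "dst": "10.2.0.9", "proto": "tcp", "dst_port": 80},
    {"src": "10.1.0.5", "dst": "10.2.0.9", "proto": "tcp", "dst_port": 21},
    {"src": "10.1.0.5", "dst": "10.2.0.9", "proto": "udp", "dst_port": 53},
    {"src": "10.1.0.5", "dst": "10.2.0.9", "proto": "icmp"},
]

def dial_decisions(listed_means_allow: bool) -> list:
    """Decision for each sample packet under the chosen filter action."""
    return [passes(p, DIAL_FILTERS, listed_means_allow) for p in SAMPLE_PACKETS]

if __name__ == "__main__":
    print("deny all except listed :", dial_decisions(True))
    print("allow all except listed:", dial_decisions(False))
```

Choosing the other action with the same two filters inverts the policy, so DNS lookups and pings would bring the link up while Web and FTP traffic would not.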

Managing Routing Protocols

After the demand-dial or LAN interfaces have been created, configuring the appropriate routing protocol interfaces is the last step in configuring the RRAS server as a network router. You must first add the routing protocol: right-click the General node and choose New Routing Protocol. The window that appears lists the protocols from which you can choose (see Figure 5.19). Select RIPv2 or OSPF and click OK.

Figure 5.19. Adding a new routing protocol to the General node.


After the routing protocol has been added, you must add the interfaces. To do so, right-click the appropriate routing protocol and select New Interface. After you select an interface and click OK, the Properties window for the interface appears, enabling you to configure it. The available options are discussed in the sections entitled "Configuring RIP Interface Properties" and "Configuring OSPF Interface Properties."

Configuring Routing Protocols

After RIP or OSPF has been installed, you can configure a general set of properties for each of the protocol types. Because RIP requires little configuration, the Properties window for the protocol has only two tabs, as shown in Figure 5.20.

Figure 5.20. Configuring RIP properties.


From the General tab, you can configure the Maximum Delay value, which determines how long a router waits to send an update notification message to other routers on the network. The remaining options enable you to set up event logging for the protocol. The Security tab enables you to configure the routers from which the local router accepts announcements.

Because OSPF is slightly more complex than RIP, it requires more detailed configuration and, as a result, has more options in its Properties window (see Figure 5.21).

Figure 5.21. Configuring OSPF properties.


From the General tab, the router can be assigned an IP address that it can use to identify itself. You can also enable the Autonomous System Boundary Router option, which means that the router will advertise external routes that it learns from other sources. Using the remaining options, you can enable OSPF event logging.

The Areas tab lists all the areas for the router. With OSPF, areas can be used to subdivide a network. This reduces the size of the database that routers within an area maintain, because they keep database information only for the area to which they belong. Using this tab, areas can be added, deleted, and edited. The Virtual Interface tab lists all the configured virtual interfaces. A virtual interface is a virtual connection between an area border router and a backbone area border router. This logical connection allows the two routers to share information.

If the Enable Autonomous System Boundary Router option is selected, you can use the External Routing tab to control the sources from which routes are accepted or ignored. The Ignore Filters button defines the specific routes that should be accepted or ignored.

Configuring RIP Interface Properties

Every RIP interface has its own Properties window from which you can configure a number of options. Within the RRAS console, expand IP Routing, RIP; then right-click one of the available interfaces and click Properties.

The General tab enables you to configure the operation mode. You can select either Autostatic Update Mode or Periodic Update Mode. With autostatic update, RIP announcements are sent when other routers request updates. Any routes learned while in autostatic update mode are marked as static and remain in the routing table until the administrator manually deletes them. In periodic update mode, announcements are sent out periodically. (The Periodic Announcement Interval determines how often.) These routes are automatically deleted when the router is stopped and restarted. The outgoing and incoming packet protocol options enable you to configure the type of packets, such as RIPv1 or RIPv2, that the router sends and accepts.

The Activate Authentication and Password options enable you to maintain an added level of security. If authentication is enabled, all outgoing and incoming packets must contain the password specified in the password field. When using authentication, make sure that all neighboring routers are configured with an identical password.
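The check that the Activate Authentication option implies can be sketched as follows. This Python example is added here and is not RRAS code; it assumes the simple-password entry layout of RFC 2453 (address family 0xFFFF, authentication type 2, 16-byte password field), and the password and route are constructed sample values.

```python
# Added illustration of RIPv2 simple-password checking (RFC 2453 layout);
# this is not RRAS code, and all packets below are constructed samples.
import hmac
import socket
import struct

RIP_RESPONSE, RIP_V2 = 2, 2
AFI_AUTH, AUTH_SIMPLE, AFI_INET = 0xFFFF, 2, 2

def build_response(routes, password=None):
    """Build a RIPv2 response from [(network, mask, metric)] tuples."""
    pkt = struct.pack("!BBH", RIP_RESPONSE, RIP_V2, 0)
    if password is not None:
        # Authentication entry: AFI 0xFFFF, type 2, password NUL-padded to 16.
        pkt += struct.pack("!HH16s", AFI_AUTH, AUTH_SIMPLE, password.encode("ascii"))
    for net, mask, metric in routes:
        pkt += struct.pack("!HH4s4s4sI", AFI_INET, 0, socket.inet_aton(net),
                           socket.inet_aton(mask), bytes(4), metric)
    return pkt

def accept_announcement(pkt, expected_password):
    """Return the advertised routes, or None if the packet must be dropped."""
    if len(pkt) < 24 or (len(pkt) - 4) % 20:
        return None                      # header plus at least one whole entry
    command, version, _zero = struct.unpack("!BBH", pkt[:4])
    if (command, version) != (RIP_RESPONSE, RIP_V2):
        return None
    entries = [pkt[i:i + 20] for i in range(4, len(pkt), 20)]
    afi, auth_type, field = struct.unpack("!HH16s", entries[0])
    if (afi, auth_type) != (AFI_AUTH, AUTH_SIMPLE):
        return None                      # no password entry: unauthenticated
    expected = expected_password.encode("ascii")[:16]
    if not hmac.compare_digest(field.rstrip(b"\0"), expected):
        return None                      # neighbor has a different password
    routes = []
    for entry in entries[1:]:
        afi, _tag, net, mask, _hop, metric = struct.unpack("!HH4s4s4sI", entry)
        if afi == AFI_INET and 1 <= metric <= 16:
            routes.append((socket.inet_ntoa(net), socket.inet_ntoa(mask), metric))
    return routes

ROUTES = [("10.2.0.0", "255.255.0.0", 1)]             # constructed route
GOOD = build_response(ROUTES, password="Br4nchLink")  # constructed password

if __name__ == "__main__":
    print(accept_announcement(GOOD, "Br4nchLink"))                    # accepted
    print(accept_announcement(GOOD, "other"))                         # dropped
    print(accept_announcement(build_response(ROUTES), "Br4nchLink"))  # dropped
    print(b"Br4nchLink" in GOOD)  # the password bytes appear in the packet
```

Because the password field is carried unencrypted in every announcement, this setting guards against misconfigured or unintended neighbors rather than against anyone who can capture the traffic.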

From the Security tab, an administrator can configure RIP route filters. The router can be configured to send and accept all routes, send and accept only routes from the ranges specified, or accept and send all routes except for those specified.

The Neighbors tab is used to configure how the router will interact with other RIP routers. The Advanced tab has several configurable options, which are summarized in Table 5.5.

Table 5.5. Advanced RIP Options

Option | Description
Periodic Announcement Interval | Controls the interval at which periodic update announcements are made.
Time Before Route Expires | Determines how long a route remains in the routing table before it expires.
Time Before Route Is Removed | Determines how long an expired route remains in the routing table before being removed.
Enable Split Horizon Processing | Ensures that routing loops do not occur because the routes learned from a router are not rebroadcast to that network.
Enable Triggered Updates | Controls whether changes in the routing table are sent out immediately.
Send Clean-Up Updates when Stopped | Controls whether the router sends an announcement when it is stopped, to notify other routers that the routes for which it was responsible are no longer available.
Process Host Routes in Received Announcements | Controls whether host routes received in RIP announcements are accepted or denied.
Include Host Routes in Send Announcements | Controls whether host routes are included in RIP announcements.
Process Default Routes in Received Announcements | Controls whether default routes received in RIP announcements are accepted or denied.
Process Default Routes in Send Announcements | Controls whether default routes are included in RIP announcements.
Disable Subnet Summarization | This option is available only for RIPv2. It controls whether subnets are advertised to routers on different subnets.

Note: Demand-dial interfaces are configured by default for autostatic update mode, whereas LAN interfaces are configured for periodic update mode.


Configuring OSPF Interface Properties

If OSPF has been installed, each of the OSPF interfaces can be configured using its Properties window, just as RIP interfaces can be configured. An OSPF interface can be added the same way as a RIP interface. Simply right-click OSPF under the General node and click New Interface. Select the interface that the protocol will run on and click OK. Figure 5.22 shows the OSPF Properties window that appears.

Figure 5.22. Configuring an OSPF interface via the Properties window.


From the General tab, you can enable OSPF and configure the area ID, router priority, cost, and password. The Network Type options enable you to configure whether the OSPF interface is a broadcast interface, a point-to-point interface, or a nonbroadcast multiple access interface.

The NBMA Neighbors tab enables you to specify the IP address of neighboring routers and associate a priority with the neighbor. Table 5.6 summarizes the options available from the Advanced tab.

Note: If you are on a nonbroadcast multiple access (NBMA) network (a Frame Relay network that does not support broadcasts), the NBMA option on the General tab must be selected. You must also configure the IP addresses of OSPF neighbors using the NBMA Neighbors tab.


Table 5.6. Advanced OSPF Options

Option | Description
Transit Delay | An estimation of the number of seconds for a link-state update to be transmitted over the network
Retransmit Interval | The number of seconds between link-state advertisement retransmissions
Hello Interval | How often hello packets are sent out to discover other routers
Dead Interval | The number of seconds until a neighboring router determines this router to be down
Poll Interval | The number of seconds between poll intervals sent to a dead neighbor
Maximum Transmission Unit (MTU) Size (Bytes) | The maximum byte size of an OSPF IP packet

Managing Devices and Ports

Devices and ports can be managed through the RRAS console. To do so, right-click the Ports container under your remote access server and click Properties. Select the device you want to configure and click the Configure button. From the Configure Devices window, you can enable remote access inbound connections, demand-dial inbound and outbound connections, and demand-dial outbound connections only. You can also configure a phone number for the device and configure additional ports.

Managing Routing and Remote Access Clients

Managing a remote access server also entails managing the clients that are connecting to it. You can use a number of tools with the Routing and Remote Access management console to manage remote access clients.

The management console provides administrators with a quick and easy way of viewing which clients are currently connected to a remote access server. To do so, click the Remote Access Clients container listed under your remote access server. The left pane displays the users currently connected. You can view status information for specific users by right-clicking their username and clicking the Status option. You can also disconnect a specific user by right-clicking the username and selecting the Disconnect option.

You also have the option of sending a message to a single user or all users connected to a remote access server. For example, if the server is going offline for maintenance, you can send a message to all connected users informing them of this. To send a message to a specific user, right-click the username and select Send Message. To send a message to all users currently connected to the server, right-click the Remote Access Clients container and select Send to All.



Windows Server 2003 Network Infrastructure Exam Cram 2 (Exam 70-291)
MCSA/MCSE 70-291 Exam Cram: Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure (2nd Edition)
ISBN: 0789736187
EAN: 2147483647
Year: 2002
Pages: 118
Authors: Diana Huggins
