As with most server roles, after a server has been configured, you will most likely have to perform management tasks, in the form of either configuration changes or daily management tasks. The following section discusses some of the topics that pertain to managing a remote access server.

Managing Packet Filters

Packet filtering enables an administrator to specify the type of inbound and outbound traffic that is allowed to pass through a Windows Server 2003 router. When configuring packet filters, you can allow all traffic except traffic prohibited by filters. Or, you can deny all traffic except traffic that is allowed by filters. Packet filters can be created and configured through the RRAS console by performing the following steps:
After a packet filter is created, it can be edited at any time by selecting the filter from the list and clicking the Edit button.

Manage Routing and Remote Access Routing Interfaces

Two types of demand-dial connections can be created for routing: on-demand connections and persistent connections. With demand-dial connections, a connection with the remote router is established only when necessary. A connection is established to route information and is terminated when the link is not in use. The benefit of this connection is obviously the cost savings associated with not using a dedicated link. With persistent connections, the link does not need to be terminated. Even when it is not in use, it remains open.

Connections between network routers can be one-way or two-way initiated, meaning that a connection can be initiated by only one router or by both the routers. With one-way initiated connections, one router is designated as the answering router and the other is designated as the calling router, which is responsible for initiating any connections.
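The two packet-filter modes described under Managing Packet Filters, modeled as an added example (not code from the original text or from Windows). The `Filter` class, the `evaluate` function, the mode names, and the sample addresses and filter sets are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Filter:
    src: str = "0.0.0.0/0"            # source network; default matches any
    dst: str = "0.0.0.0/0"            # destination network; default matches any
    proto: Optional[int] = None       # IP protocol number; None matches any
    dst_port: Optional[int] = None    # destination port; None matches any

    def matches(self, pkt):
        return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and self.proto in (None, pkt["proto"])
                and self.dst_port in (None, pkt.get("dst_port")))

def evaluate(pkt, filters, mode):
    """Return 'forward' or 'drop' for a packet under one of the two modes."""
    hit = any(f.matches(pkt) for f in filters)
    if mode == "drop_all_except":      # deny all traffic except what filters allow
        return "forward" if hit else "drop"
    if mode == "forward_all_except":   # allow all traffic except what filters prohibit
        return "drop" if hit else "forward"
    raise ValueError(f"unknown mode: {mode}")

# Constructed sample: an inbound filter set that admits only PPTP
# (TCP 1723 plus GRE, IP protocol 47) to the server's external address.
SERVER = "203.0.113.10/32"
PPTP_ONLY = [Filter(dst=SERVER, proto=6, dst_port=1723), Filter(dst=SERVER, proto=47)]
# Constructed sample: a prohibit list that names only SMB over TCP.
BLOCK_SMB = [Filter(proto=6, dst_port=445)]

def _pkt(proto, dst_port=None):
    return {"src": "198.51.100.7", "dst": "203.0.113.10",
            "proto": proto, "dst_port": dst_port}

PPTP, GRE, SMB, TELNET = _pkt(6, 1723), _pkt(47), _pkt(6, 445), _pkt(6, 23)

if __name__ == "__main__":
    for name, pkt in (("pptp", PPTP), ("gre", GRE), ("smb", SMB), ("telnet", TELNET)):
        print(name, evaluate(pkt, PPTP_ONLY, "drop_all_except"),
              evaluate(pkt, BLOCK_SMB, "forward_all_except"))
```

Under the deny-by-default mode, traffic nobody thought to list is dropped; under the allow-by-default mode, the same unlisted Telnet packet is forwarded.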
Creating a One-Way Demand-Dial Interface

Demand-dial connections can be created within the Routing and Remote Access snap-in. How you configure the connection depends on whether you are configuring a one-way or two-way initiated connection. To create a demand-dial interface on the calling router, perform the following steps:
The answering router also needs to be configured for one-way demand-dial connections. A user account must be created on the answering router with dial-in permissions and the appropriate policy permissions. The user account is used to authenticate connections from the calling routers. A static route can then be configured on the user account. Also make sure when creating a user account that the Password Never Expires option is selected and the User Must Change Password at Next Logon option is not selected.
Creating a Two-Way Demand-Dial Interface

Creating a two-way demand-dial connection is similar to configuring a one-way connection, but there are a few distinct differences. A demand-dial interface is created on each RRAS server using the process outlined previously to create a one-way demand-dial connection. You must assign a name to the interface and specify the phone number to dial, the device to be used, the protocol and security settings, and the dial-out credentials. You must also configure a user account, with the appropriate remote access permissions, on each RRAS server. Keep in mind that the user account name must be identical to the name assigned to the demand-dial interface of the calling router. Finally, you must configure a static route using the demand-dial interface.
Configuring a Demand-Dial Connection

When a demand-dial connection has been created, you can configure it further using the Properties window for the connection. From the Options tab (see Figure 5.16), configure the connection type: either demand dial or persistent. You can also set the dialing policy by specifying the number of times that the calling router should redial if there is no answer and by specifying the interval between redial attempts.

Figure 5.16. Using the Options tab to configure a connection type.
The Security tab enables you to configure the security options for the dial-out connection (see Figure 5.17). This configuration includes whether unsecured passwords are permitted, whether the connection requires data encryption, and whether a script will be run after dialing.

Figure 5.17. Configuring security options via the Security tab.
As shown in Figure 5.18, the Networking tab is used to configure the type of dial server you use and the different network components that the connection uses.

Figure 5.18. Configuring network settings for a demand-dial connection.
You can make several other configurations to a demand-dial interface. Demand-dial filtering enables you to control the type of IP traffic that can initiate a connection. You can allow or deny a connection based on the type of IP traffic. For example, you might want only Web and FTP traffic to initiate the demand-dial connection.

Dial-out hours determine the times of day that a connection can be initiated. This enables an administrator to control when the demand-dial connection is used.

Managing Routing Protocols

After the demand-dial or LAN interfaces have been created, configuring the appropriate routing protocol interfaces is the last step to configure the RRAS server as a network router. You must first add the routing protocol; you right-click the General node and choose New Routing Protocol. The window that appears lists the protocols from which you can choose (see Figure 5.19). Select RIPv2 or OSPF and click OK.

Figure 5.19. Adding a new routing protocol to the General node.
After the routing protocol has been added, you must add the interfaces. To do so, right-click the appropriate routing protocol and select New Interface. After you select an interface and click OK, the Properties window for the interface appears, enabling you to configure it. The available options are discussed in the sections entitled "Configuring RIP Interface Properties" and "Configuring OSPF Interface Properties."

Configuring Routing Protocols

After RIP or OSPF has been installed, you can configure a general set of properties for each of the protocol types. Because RIP requires little configuration, the Properties window for the protocol has only two tabs, as shown in Figure 5.20.

Figure 5.20. Configuring RIP properties.
From the General tab, you can configure the Maximum Delay value, which determines how long a router waits to send an update notification message to other routers on the network. The remaining options enable you to set up event logging for the protocol. The Security tab enables you to configure from which routers the local router can accept announcements.

Because OSPF is slightly more complex than RIP, it requires more detailed configuration and, as a result, has more options in its Properties window (see Figure 5.21).

Figure 5.21. Configuring OSPF properties.
From the General tab, the router can be assigned an IP address that it can use to identify itself. You can also enable the Autonomous System Boundary Router option, which means that the router will advertise external routes that it learns from other sources. Using the remaining options, you can enable OSPF event logging.

The Areas tab lists all the areas for the router. With OSPF, areas can be used to subdivide a network. This can be done to reduce the size of the database that routers within an area maintain, because they keep database information only for the area to which they belong. Using this tab, areas can be added, deleted, and edited.

The Virtual Interface tab lists all the configured virtual interfaces. A virtual interface is a virtual connection between an area border router and a backbone area border router. This logical connection allows the two routers to share information.

If the Enable Autonomous System Boundary Router option is selected, you can use the External Routing tab to control the sources from which routes are accepted or ignored. The Ignore Filters button defines the specific routes that should be accepted or ignored.

Configuring RIP Interface Properties

Every RIP interface has its own Properties window from which you can configure a number of options. Within the RRAS console, expand IP Routing, RIP; then right-click one of the available interfaces and click Properties.

The General tab enables you to configure the operation mode. You can select either Autostatic Update Mode or Periodic Update Mode. With autostatic update, RIP announcements are sent when other routers request updates. Any routes learned while in autostatic update mode are marked as static and remain in the routing table until the administrator manually deletes them. In periodic update mode, announcements are sent out periodically. (The Periodic Announcement Interval determines how often.) These routes are automatically deleted when the router is stopped and restarted.
The outgoing and incoming packet protocol enables you to configure the type of packets, such as RIPv1 or RIPv2, the router sends and accepts. The Activate Authentication and Password options enable you to maintain an added level of security. If authentication is enabled, all outgoing and incoming packets must contain the password specified in the password field. When using authentication, make sure that all neighboring routers are configured with an identical password.

From the Security tab, an administrator can configure RIP route filters. The router can be configured to send and accept all routes, send and accept only routes from the ranges specified, or accept and send all routes except for those specified.

The Neighbors tab is used to configure how the router will interact with other RIP routers. The Advanced tab has several configurable options, which are summarized in Table 5.5.

Table 5.5. Advanced RIP Options
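How the three RIP acceptance controls described above combine on one received announcement, as an added example (not code from the original text or from Windows): the listed-routers check, the interface password, and the accepted route ranges. The packet layout follows RFC 2453 simple-password authentication; the function names, addresses, password and routes are constructed, and the example assumes the "listed routers only" and "only routes from the ranges specified" modes.

```python
import ipaddress
import struct

AUTH_AFI, SIMPLE_PASSWORD, AF_INET = 0xFFFF, 2, 2   # RFC 2453 constants

def build_response(password, routes):
    """Build a constructed RIPv2 response: header, auth entry, route entries."""
    pkt = struct.pack("!BBH", 2, 2, 0)               # command=response, version=2
    # The password sits unencrypted in a 16-byte, NUL-padded field.
    pkt += struct.pack("!HH16s", AUTH_AFI, SIMPLE_PASSWORD, password.encode())
    for prefix, metric in routes:
        net = ipaddress.ip_network(prefix)
        pkt += struct.pack("!HH4s4s4sI", AF_INET, 0, net.network_address.packed,
                           net.netmask.packed, bytes(4), metric)
    return pkt

def accept_routes(pkt, sender, password, listed_routers, accept_ranges):
    """Return the (network, metric) pairs a router with these settings keeps."""
    if sender not in listed_routers:                 # announcements from listed routers only
        return []
    if len(pkt) < 24 or (len(pkt) - 4) % 20:         # header + whole 20-byte entries
        return []
    command, version, _ = struct.unpack_from("!BBH", pkt)
    afi, auth_type, secret = struct.unpack_from("!HH16s", pkt, 4)
    if (command, version) != (2, 2) or (afi, auth_type) != (AUTH_AFI, SIMPLE_PASSWORD):
        return []
    if secret.rstrip(b"\0") != password.encode():    # interface password must match
        return []
    ranges = [ipaddress.ip_network(r) for r in accept_ranges]
    kept = []
    for off in range(24, len(pkt), 20):
        afi, _tag, addr, mask, _hop, metric = struct.unpack_from("!HH4s4s4sI", pkt, off)
        if afi != AF_INET or not 1 <= metric <= 16:
            continue
        try:
            net = ipaddress.ip_network(
                f"{ipaddress.ip_address(addr)}/{ipaddress.ip_address(mask)}", strict=False)
        except ValueError:                           # malformed mask: skip the entry
            continue
        if any(net.subnet_of(r) for r in ranges):    # route filter: listed ranges only
            kept.append((str(net), metric))
    return kept

# Constructed sample values (documentation address ranges, made-up password).
PEERS = {"192.0.2.1"}
RANGES = ["10.10.0.0/16"]
PACKET = build_response("branch-rip", [("10.10.4.0/24", 2), ("172.16.0.0/16", 1)])
```

Because the password field is plain text in every packet, it identifies neighbors that share a configuration; the listed-routers check and the route filters still limit what an announcement can change.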
Configuring OSPF Interface Properties

If OSPF has been installed, each of the OSPF interfaces can be configured using its Properties window, just as RIP interfaces can be configured. An OSPF interface can be added the same way as a RIP interface. Simply right-click OSPF under the General node and click New Interface. Select the interface that the protocol will run on and click OK. Figure 5.22 shows the OSPF Properties window that appears.

Figure 5.22. Configuring an OSPF interface via the Properties window.
From the General tab, you can enable OSPF and configure the area ID, router priority, cost, and password. The Network Type options enable you to configure whether the OSPF interface is a broadcast interface, a point-to-point interface, or a nonbroadcast multiple access (NBMA) interface. The NBMA Neighbors tab enables you to specify the IP address of neighboring routers and associate a priority with the neighbor. Table 5.6 summarizes the options available from the Advanced tab.
Table 5.6. Advanced OSPF Options
Managing Devices and Ports

Devices and ports can be managed through the RRAS console. To do so, right-click the Ports container under your remote access server and click Properties. Select the device you want to configure and click the Configure button. From the Configure Devices window, you can enable remote access inbound connections, demand-dial inbound and outbound connections, and demand-dial outbound connections only. You can also configure a phone number for the device and configure additional ports.

Managing Routing and Remote Access Clients

Managing a remote access server also entails managing the clients that are connecting to it. You can use a number of tools with the Routing and Remote Access management console to manage remote access clients.

The management console provides administrators with a quick and easy way of viewing which clients are currently connected to a remote access server. To do so, click the Remote Access Clients container listed under your remote access server. The left pane displays the users currently connected. You can view status information for specific users by right-clicking their username and clicking the Status option. You can also disconnect a specific user by right-clicking the username and selecting the Disconnect option.

You also have the option of sending a message to a single user or all users connected to a remote access server. For example, if the server is going offline for maintenance, you can send a message to all connected users informing them of this. To send a message to a specific user, right-click the username and select Send Message. To send a message to all users currently connected to the server, right-click the Remote Access Clients container and select Send to All.