Summary of Exam Objectives

Now that we have completed the chapter, let's review the exam objectives. Windows 2000 supports several authentication protocols, including the Password Authentication Protocol (PAP), the Challenge Handshake Authentication Protocol (CHAP), the Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) and MS-CHAP version 2, and finally, the Extensible Authentication Protocol (EAP). These protocols are used in conjunction with the Windows 2000 Routing and Remote Access Service (RRAS) to provide authentication for both remote dial-in and remote VPN users. A server running the Windows 2000 RRAS can act as a dial-in server, allowing users to connect directly over a modem using PPP, or as a VPN server, supporting VPN access using the PPTP or L2TP/IPSec protocols.

All configuration for remote access using Windows 2000 is done via the Routing and Remote Access Service console, a Microsoft Management Console snap-in. Be sure you are familiar with this tool, since you will need it to configure and manage both your dial-in and VPN ports, server configuration, and server policies.

PPTP and L2TP/IPSec are both supported for VPN connections. PPTP can be used to tunnel any protocol Windows 2000 supports and can traverse a network using Network Address Translation (NAT). PPTP is also considered a proprietary Microsoft protocol, and it has not been widely adopted as a standard. L2TP/IPSec is based on Cisco Systems' L2F and the standards-based IPSec protocol.

Once this framework is installed, you need to set up your access policies. Remote access policies are a set of conditions and connection settings that determine connection permissions. With a remote access policy, you can configure Grant or Deny permissions based on the time of day or day of the week, by Windows 2000 group, by protocol or VPN protocol, by connection type, and a number of other factors. You can also use the remote access profile portion of the policy to set idle timeouts, maximum session times, authentication protocols, encryption strengths, and several other connection parameters.

One part of the remote access policy that you need to be familiar with is the remote access profile. A remote access profile lets you configure dial-in constraints, IP characteristics, multilink parameters, authentication protocols, encryption protocols, and advanced configuration settings.

There are three ways to administer permissions in a Windows 2000 RRAS environment. They are:

  • Access by user: In this model, remote access permissions are determined by the remote access permission on the Dial-in tab of the user account, much as they were in the pre-Windows 2000 RAS environment. Remote access permissions are set on a per-user basis by setting the remote access permission to either Allow access or Deny access.

  • Access by policy in a Windows 2000 native-mode domain: In this model, the remote access permission on every user account is set to control access through Remote Access Policy.

  • Access by policy in a Windows 2000 mixed-mode domain: In this model, every user account's remote access permission is set to Allow access, the default remote access policy is deleted, and separate remote access policies are created for each type of connection that is allowed.
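The three administration models differ only in how the account's Dial-in setting and the ordered list of policies combine, so the evaluation order is worth seeing in code. The following model is an added example, not code from the study guide or from Windows: it reduces policy conditions to group, connection type, tunnel protocol and day/time, and reduces the profile to the set of allowed authentication protocols. The policy and attempt values (VPN_STAFF, alice, the 2003 timestamp) are constructed for illustration; the default policy's name and Deny permission are as RRAS creates them.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional, Set, Tuple


@dataclass
class Connection:
    user: str
    groups: Set[str]
    conn_type: str              # "dialin" or "vpn"
    tunnel: Optional[str]       # "PPTP" or "L2TP" for VPN, None for dial-in
    auth: str                   # "PAP", "CHAP", "MS-CHAP", "MS-CHAPv2" or "EAP"
    when: datetime


@dataclass
class Policy:
    name: str
    permission: str             # the policy's own setting: "grant" or "deny"
    # Conditions (an empty set means the condition is not used)
    groups: Set[str] = field(default_factory=set)
    conn_types: Set[str] = field(default_factory=set)
    tunnels: Set[str] = field(default_factory=set)
    weekdays: Set[int] = field(default_factory=set)   # 0 = Monday ... 6 = Sunday
    hours: Optional[Tuple[int, int]] = None           # (start, end) hour, end exclusive
    # Profile constraint (simplified here to the allowed authentication protocols)
    allowed_auth: Set[str] = field(default_factory=set)

    def matches(self, c: Connection) -> bool:
        """True when every configured condition holds for the attempt."""
        if self.groups and not (self.groups & c.groups):
            return False
        if self.conn_types and c.conn_type not in self.conn_types:
            return False
        if self.tunnels and c.tunnel not in self.tunnels:
            return False
        if self.weekdays and c.when.weekday() not in self.weekdays:
            return False
        if self.hours and not (self.hours[0] <= c.when.hour < self.hours[1]):
            return False
        return True


def evaluate(user_dialin: str, policies: List[Policy], c: Connection) -> Tuple[bool, str]:
    """Decide one connection attempt.

    user_dialin is the account's Dial-in tab setting: "allow", "deny" or
    "policy" (Control access through Remote Access Policy). Policies are
    tried in order; the first whose conditions match decides, and an explicit
    per-user Allow/Deny overrides that policy's own permission. If no policy
    matches, the attempt is rejected regardless of the account setting.
    """
    for p in policies:
        if not p.matches(c):
            continue
        if user_dialin == "deny":
            return False, f"denied by user account ({p.name!r} matched)"
        if user_dialin == "policy" and p.permission != "grant":
            return False, f"denied by policy {p.name!r}"
        if p.allowed_auth and c.auth not in p.allowed_auth:
            return False, f"profile of {p.name!r} does not allow {c.auth}"
        return True, f"granted via {p.name!r}"
    return False, "no remote access policy matched"


# The policy RRAS creates by default: no conditions, permission Deny.
DEFAULT_POLICY = Policy("Allow access if dial-in permission is enabled", "deny")

# Constructed policies for the two policy-based models.
VPN_STAFF = Policy("VPN for Staff", "grant", groups={"Staff"}, conn_types={"vpn"},
                   tunnels={"L2TP"}, allowed_auth={"MS-CHAPv2", "EAP"})
DIALIN_BUSINESS_HOURS = Policy("Dial-in business hours", "grant",
                               conn_types={"dialin"}, weekdays={0, 1, 2, 3, 4},
                               hours=(8, 18), allowed_auth={"MS-CHAPv2"})

# Constructed attempt: a Staff member over L2TP on a Wednesday at 10:00.
ATTEMPT = Connection("alice", {"Staff"}, "vpn", "L2TP", "MS-CHAPv2",
                     datetime(2003, 6, 4, 10, 0))

if __name__ == "__main__":
    # Access by user: only the default policy exists, the account setting decides.
    print(evaluate("allow", [DEFAULT_POLICY], ATTEMPT))
    print(evaluate("deny", [DEFAULT_POLICY], ATTEMPT))
    # Access by policy, native mode: every account set to "policy".
    print(evaluate("policy", [VPN_STAFF, DIALIN_BUSINESS_HOURS, DEFAULT_POLICY], ATTEMPT))
    # Access by policy, mixed mode: accounts Allow, default policy deleted.
    print(evaluate("allow", [VPN_STAFF, DIALIN_BUSINESS_HOURS], ATTEMPT))
```

Two details the model makes visible: in the mixed-mode arrangement the default policy must really be deleted, because an account set to Allow would otherwise be granted by it no matter what the other policies say; and the profile is checked only after the permission decision, so a user who is permitted but dials in with a protocol the profile forbids is still rejected.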

When configuring a secure client for a VPN connection, remember that this capability is built into Windows 2000 and Windows XP, but for other Windows operating systems, you need to download the Microsoft L2TP/IPSec VPN Client.

The Connection Manager Administration Kit (CMAK) is used to configure a service profile, the set of files required to configure a remote user's connection details, bundled into a self-installing executable file that you distribute to users who need remote access. This service profile works on any 32-bit Windows platform and requires, in all, about 1MB of free hard disk space. Users must have the Connection Manager v1.2 software installed in order to use your configuration options, which can be included in the service profile. If users already have this software installed, the hard disk space required is greatly reduced (to about 200KB).

Finally, you need to recall how to troubleshoot these connections. Keep in mind the generic troubleshooting methodology we covered in the chapter:

  1. Identify the symptoms.

  2. Determine the problem scope; how big is this problem?

  3. Look for changes.

  4. Try the most likely solution; fix it already!

  5. Is it fixed?

  6. Did you break anything else?

  7. Write it down.

Next, you need to consider the different areas in which you might encounter issues with your connection. If you are unable to establish a VPN connection across your ISP connection, check the following:

  1. Do you have a connection to the Internet?

  2. If you have Internet access, have you successfully connected before? If you have, think about what might have changed on your connection.

  3. Other ISP-related issues include firewall configurations, the use of transparent proxy servers, or, in some isolated networks, the lack of router support for either PPTP or L2TP/IPSec. This last issue is very rare these days, but was common when these protocols were introduced.

On client systems, you need to look for changes to the operating system—have you installed a new application, patch, or update? Have you verified that your user account and password are correct? When in doubt, delete your VPN connection and reinstall it.

Network Address Translation, or NAT, allows a single device, usually a router or firewall, to act as an intermediary between a public network and a private one. This intermediary converts the private addresses, which can be duplicated in other locations on other private networks, to unique public addresses, allowing the private network to communicate across the public network without any address conflicts. NAT can cause major problems with L2TP/IPSec, due to the limitations of the IPSec protocol. IPSec can't function as written in a NAT environment.

Then we have the Windows 2000 RRAS server issues. These can vary from the service being disabled to not having enough ports or having bad IP filters on an interface. The key to addressing server issues is identifying the scope of the problem. If there is one user with a problem, you should start with that user's machine and work your way back to the network. If a group of users is having trouble, look for common factors. Are they all in the same OU or AD group? Do they all connect using one protocol or the other? Are they all authenticating using the same protocol? Once you have identified the common factors, locating the solution becomes much easier. On the opposite end of the single-user issue is the situation in which the entire server is unavailable. Now you are looking to make sure the server is still connected to the network, that the RRAS service is running, whether you have run out of ports or addresses, or any of the other software, hardware, or configuration issues that could shut down your server.
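The scoping step above (one user, a group with something in common, or everyone) is easy to mechanise once connection attempts are recorded with their attributes. This is an added example, not from the study guide: it takes constructed records of failing and working attempts (user, OU, tunnel protocol, authentication protocol) and reports the combination of attributes that the failures share and no working attempt has. Testing the combination rather than one attribute at a time matters, because Sales users over L2TP may all fail while Sales users over PPTP and Engineering users over L2TP both work.

```python
from typing import Dict, List, Tuple

Record = Dict[str, str]   # one connection attempt: user, ou, tunnel, auth, ...


def shared_attributes(records: List[Record]) -> Dict[str, str]:
    """Attribute values that every record in the list has in common."""
    if not records:
        return {}
    shared = dict(records[0])
    for rec in records[1:]:
        shared = {k: v for k, v in shared.items() if rec.get(k) == v}
    return shared


def common_factors(failing: List[Record], working: List[Record]) -> Tuple[Dict[str, str], bool]:
    """Shared factors of the failures, and whether that combination is exclusive to them.

    exclusive is False when some working attempt matches every shared value,
    in which case the shared attributes do not explain the failures.
    """
    shared = shared_attributes(failing)
    exclusive = not any(all(rec.get(k) == v for k, v in shared.items()) for rec in working)
    return shared, exclusive


def triage(failing: List[Record], working: List[Record]) -> str:
    """Turn the scope of the problem into the first place to look."""
    if not failing:
        return "no failures reported"
    if len(failing) == 1:
        return f"single user {failing[0]['user']}: start at that client and work back toward the network"
    if not working:
        return "everyone fails: check the server's network link, the RRAS service, and free ports/addresses"
    shared, exclusive = common_factors(failing, working)
    if shared and exclusive:
        return "group issue, failures share: " + ", ".join(f"{k}={v}" for k, v in sorted(shared.items()))
    return "mixed results with no distinguishing factor: compare failing and working attempts individually"


# Constructed sample attempts (assumed data, not from any real server log)
FAILING = [
    {"user": "alice", "ou": "Sales", "tunnel": "L2TP", "auth": "MS-CHAPv2"},
    {"user": "bob",   "ou": "Sales", "tunnel": "L2TP", "auth": "MS-CHAPv2"},
    {"user": "carol", "ou": "Sales", "tunnel": "L2TP", "auth": "MS-CHAPv2"},
]
WORKING = [
    {"user": "dave", "ou": "Sales", "tunnel": "PPTP", "auth": "MS-CHAPv2"},
    {"user": "erin", "ou": "Eng",   "tunnel": "L2TP", "auth": "MS-CHAPv2"},
]

if __name__ == "__main__":
    print(triage(FAILING, WORKING))
    print(triage(FAILING[:1], WORKING))
    print(triage(FAILING, []))
```

The shared set still lists auth=MS-CHAPv2 even though the working users authenticate the same way; the point is that no working attempt matches all three values at once, so the Sales-plus-L2TP combination is where to start looking.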

Finally, we have the firewall issues. Firewalls can sit at either end of the connection these days, and the key is to make sure the ports you need for VPN connectivity are open. Although the process for opening these ports varies from firewall to firewall, the issues are almost always port-related. The one exception to that rule is when the firewall is providing NAT services. L2TP/IPSec won't work in a NAT environment, although Microsoft is hoping to address that shortcoming in the Windows .NET Server 2003 release.
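A port check for a VPN path is only useful if it knows that PPTP and L2TP/IPSec each need one IP protocol that has no port at all, which is exactly what gets forgotten. The following is an added example, not code from the study guide: it models a first-match, default-deny firewall rule list (a constructed simplification, not any vendor's syntax) and checks it against what each tunnel type needs between client and RRAS server. The requirements are the standard assignments: PPTP uses TCP port 1723 plus GRE (IP protocol 47); L2TP/IPSec uses UDP port 500 for IKE plus ESP (IP protocol 50), with L2TP's own UDP 1701 carried inside ESP and therefore not visible to the firewall. The NAT flag applies the rule the text states for L2TP/IPSec and lets PPTP pass.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Traffic each Windows 2000 tunnel type needs to reach the RRAS server.
REQUIREMENTS = {
    "PPTP": [("tcp", 1723), ("gre", None)],        # control channel + GRE-encapsulated data
    "L2TP/IPSec": [("udp", 500), ("esp", None)],   # IKE + ESP; L2TP (UDP 1701) rides inside ESP
}
IP_PROTOCOL_NUMBERS = {"gre": 47, "esp": 50}


@dataclass
class Rule:
    action: str                 # "allow" or "deny"
    proto: str                  # "tcp", "udp", "gre" or "esp"
    port: Optional[int] = None  # None: any port, or not applicable (gre/esp)


def is_allowed(rules: List[Rule], proto: str, port: Optional[int]) -> bool:
    """First matching rule wins; traffic that matches no rule is denied."""
    for r in rules:
        if r.proto != proto:
            continue
        if r.port is not None and r.port != port:
            continue
        return r.action == "allow"
    return False


def check_vpn_path(tunnel: str, rules: List[Rule], nat_in_path: bool = False) -> Tuple[bool, List[str]]:
    """Return (ok, problems) for one tunnel type through one firewall."""
    problems = []
    for proto, port in REQUIREMENTS[tunnel]:
        if not is_allowed(rules, proto, port):
            if port is None:
                what = f"{proto.upper()} (IP protocol {IP_PROTOCOL_NUMBERS[proto]})"
            else:
                what = f"{proto.upper()} port {port}"
            problems.append(f"{tunnel}: {what} is not permitted")
    if nat_in_path and tunnel == "L2TP/IPSec":
        problems.append("L2TP/IPSec: NAT between client and server; IPSec does not function through NAT")
    return not problems, problems


# Constructed rule sets (assumed examples, not taken from any real device)
PPTP_COMPLETE = [Rule("allow", "tcp", 1723), Rule("allow", "gre")]
PPTP_MISSING_GRE = [Rule("allow", "tcp", 1723)]                  # port opened, GRE forgotten
L2TP_COMPLETE = [Rule("allow", "udp", 500), Rule("allow", "esp")]
L2TP_IKE_ONLY = [Rule("allow", "udp", 500), Rule("deny", "esp")]  # IKE negotiates, data never flows

if __name__ == "__main__":
    for name, tunnel, rules, nat in [
        ("PPTP complete", "PPTP", PPTP_COMPLETE, False),
        ("PPTP behind NAT", "PPTP", PPTP_COMPLETE, True),
        ("PPTP missing GRE", "PPTP", PPTP_MISSING_GRE, False),
        ("L2TP complete", "L2TP/IPSec", L2TP_COMPLETE, False),
        ("L2TP behind NAT", "L2TP/IPSec", L2TP_COMPLETE, True),
        ("L2TP IKE only", "L2TP/IPSec", L2TP_IKE_ONLY, False),
    ]:
        print(name, check_vpn_path(tunnel, rules, nat))
```

The two "IKE only" and "missing GRE" cases are the ones worth remembering: the control channel comes up, the client appears to authenticate, and then no data flows, which looks like a client or server fault until the firewall's protocol (not port) rules are checked.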



MCSE/MCSA Implementing and Administering Security in a Windows 2000 Network: Study Guide and DVD Training System (Exam 70-214)
ISBN: 1931836841
Year: 2003
Pages: 162