Exam Objectives Fast Track

Remote Access Authentication Methods

  • Windows 2000 RRAS supports the following protocols:

    • PAP: Password Authentication Protocol

    • CHAP: Challenge Handshake Authentication Protocol

    • MS-CHAP: Microsoft Challenge Handshake Authentication Protocol

    • MS-CHAP v2: Microsoft Challenge Handshake Authentication Protocol Version 2

    • EAP: Extensible Authentication Protocol

  • The Extensible Authentication Protocol comes in two main types:

    • EAP-MD5 CHAP

    • EAP-TLS

  • EAP also is used to support Smart Cards or X.509 certificate-based authentication.

Configuring a Remote Access Server

  • Windows 2000 RRAS is installed as part of the Windows 2000 Server operating system. You do not need to install it.

  • Configuring a RAS server can be done using the wizard. This process configures five PPTP and five L2TP ports as part of the installation process.

  • Ports can be modified and monitored once the installation is complete using the Routing and Remote Access Service console.

Configuring a Virtual Private Networking Server

  • Configuring a VPN server can be done using the Routing and Remote Access wizard. This process configures 128 PPTP and 128 L2TP ports as part of the installation process.

  • L2TP is a standards-based VPN protocol, but it cannot traverse a NAT environment. It uses one of the IPSec protocols, Encapsulating Security Payload (ESP), for encryption and is commonly referred to as L2TP/IPSec.

  • PPTP is a Microsoft proprietary protocol that supports NAT environments, but it is not widely implemented now that IPSec is available as a standard.

  • Windows 2000 Server RRAS also supports IPSec in tunneling mode to provide support for non-Windows operating systems. This setup is not used very frequently, but it is available.

Introduction to Remote Access Policies

  • Remote access policies are sets of conditions and connection settings that determine connection permissions.

  • Remote access policies are stored locally on each Windows 2000 RRAS server. If you want to use centralized policies, you need to utilize RADIUS for policy authentication.

  • Some of the conditions that can be used in a remote access policy include:

    • Time of day or day of the week

    • Windows 2000 group

    • Authentication protocol

    • VPN protocol

    • Connection type

Configuring Clients for Secure Remote Access

  • Windows 2000 and Windows XP ship with the VPN client. Users of all other Microsoft operating systems must download a client.

  • L2TP/IPSec is the default protocol the client will try to use. In a NAT environment, L2TP/IPSec will not work; in that circumstance, you need to use PPTP.

  • Under Windows 2000 and Windows XP, the VPN connection appears as an additional entry in Network and Dial-Up Connections.

Troubleshooting Remote Access Problems

  • For ISP-related problems, make sure that you can connect to the Internet and, if possible, to a server on the same segment as your VPN server, to ensure that you have end-to-end connectivity. Then look for NAT or firewall issues on the ISP's network.

  • For client computer operating system issues, verify user information, check for changes such as patches, updates, or new applications, and don't be afraid to reinstall the VPN client.

  • For NAT devices, NAT (RFC 3022) allows you to use one set of IP addresses on your internal LAN and a second set of IP addresses for the Internet connection. This is a great IP address conservation strategy, but L2TP/IPSec cannot traverse a NAT environment.

  • For Routing and Remote Access Server issues, identify the population of users who have issues:

    • Single user: Usually related to the user's account or profile.

    • Group of users: Identify the commonality between the users and start looking there for the source of the issues.

    • All users: Start checking to make sure all services are running, connectivity is available, and that there have been no global changes to the environment.



MCSE/MCSA Implementing and Administering Security in a Windows 2000 Network: Study Guide and DVD Training System (Exam 70-214)
ISBN: 1931836841
EAN: 2147483647
Year: 2003
Pages: 162
