Migrating to Routing and Remote Access


Because there is no direct migration from RAS or RRAS to Routing and Remote Access, it is recommended that you document the configuration parameters of the computer that you intend to keep in your new Routing and Remote Access environment.

By documenting your current configuration, you will be able to more easily reuse the settings to configure Routing and Remote Access on a computer that is running Windows Server 2003. Even if you do not reuse all the settings that you document from your computer that is running Windows NT Server 4.0, documenting these settings will give you a record of your previous settings that you can refer to.

Tables 5.2 and 5.3 list the settings you might want to document and reuse in Routing and Remote Access on the Windows Server 2003 family. The exact settings that you document depend on which features of RAS or RRAS you use. Refer to Table 5.1 for more information about performing common remote access tasks in the Windows Server 2003 family.

You can record your information in this book or print out copies of these pages by downloading the online version of this chapter. To download this chapter from the Web, see the Migrating from Microsoft Windows NT Server 4.0 to Windows Server 2003 link on the Windows Deployment and Resource Kits Web site at http://www.microsoft.com/reskit/. You might need to attach additional sheets or create your own table if you need more space.

Table 5.2: Worksheet to Record Routing Settings

| Description of settings to record | Your existing settings |
| --- | --- |
| Open Shortest Path First (OSPF): Is this routing protocol enabled in your RRAS solution? | |
| Routing Information Protocol (RIP): Is this routing protocol enabled in your RRAS solution? | |
| Internet Control Message Protocol (ICMP) Router Discovery: Is this enabled in your RRAS solution? | |
| DHCP relay agent: Is RRAS acting as a DHCP relay agent? If so, list appropriate DHCP server IP addresses and global settings. | |
| If you migrate the DHCP server to a computer that is running Windows Server 2003 with a new IP address, also list the IP address for the replacement DHCP server. For more information about migrating DHCP servers, see Upgrading and Migrating WINS and DHCP Servers to Windows Server 2003 in this book. | |
| Demand-dial interfaces: List the interface name, IP address of the router to which you are connecting, user name credentials, and configuration details. | |
| IP packet filtering: List the source and destination IP address and subnet mask for input and output filters on each interface. | |
| List logging and route preference levels. | |
| Static routes: For each static route, list the interface destination, subnet mask, gateway, and metric. | |
| List routemon scripts to convert to Netsh scripts. | |

Table 5.3: Worksheet to Record Remote Access Settings

| Description of settings to record | Your existing settings |
| --- | --- |
| Multilink: Is this enabled in your RAS or RRAS solution? | |
| List authentication methods to migrate to Routing and Remote Access and remote access policy settings. | |
| List the encryption level to migrate to remote access policy. | |
| Authentication provider settings. List RADIUS server connection information, if applicable, including server name, IP address, and configuration details. | |
| List remote access server TCP/IP settings, including IP address, subnet mask, and default gateway. | |
| List remote access service settings, including IP address ranges and other settings. | |
| List the name and IP address of the VPN server. If you do not reuse these settings, ensure that all users that connect to this VPN server receive the new VPN connection information. | |

Before you begin to configure Routing and Remote Access on a computer running Windows Server 2003, you might want to read Deploying Dial-up and VPN Remote Access Servers in Deploying Network Services of the Microsoft Windows Server 2003 Deployment Kit (or see Deploying Dial-up and VPN Remote Access Servers on the Web at http://www.microsoft.com/reskit). Also, if you plan to use a dial-up or VPN connection for a site-to-site connectivity solution, you might want to review Connecting Remote Sites in Deploying Network Services of the Microsoft Windows Server 2003 Deployment Kit (or see Connecting Remote Sites on the Web at http://www.microsoft.com/reskit).

For information about setting up VPN-based remote access in a test lab, see Step-by-Step Guide for Setting Up VPN-based Remote Access in a Test Lab. To find this guide, see the Web Resources page at http://www.microsoft.com/windows/reskits/webresources, click the Virtual Private Networks link, and search for Step-by-Step Guide for Setting Up VPN-based Remote Access in a Test Lab.

Configuring a VPN Remote Access Server

The configuration of a VPN remote access server involves the following tasks:

  • Configure TCP/IP on the server.

  • Configure the server as a VPN remote access server.

  • Configure name resolution on the server.

  • Configure packet filters for the server.

Configuring TCP/IP on the VPN Server

Before you configure the server as a remote access server, configure the TCP/IP settings for the Internet or perimeter network interface and for the intranet interface.

Note  

Because of routing issues related to configuring TCP/IP automatically, it is recommended that you not configure a VPN server as a DHCP client. Instead, manually configure TCP/IP on the intranet interfaces of a VPN server. For a full discussion of the routing options for a VPN server, see Configuring Routing on a VPN Server later in this chapter.

Manually configure the Internet or perimeter network interface of the VPN server with a default gateway. Configure the TCP/IP settings with a public IP address, a subnet mask, and the default gateway of either the firewall (if the VPN server is connected to a perimeter network) or an Internet service provider (ISP) router (if the VPN server is connected directly to the Internet).

To configure TCP/IP for the Internet or perimeter network interface

  1. In Control Panel, double-click Network Connections, and then double-click the network adapter for the Internet or perimeter network interface.

  2. In the network adapter status dialog box (for example, Local Area Connection Status), click Properties.

  3. Click Internet Protocol (TCP/IP), and then click Properties.

  4. On the General tab, configure the IP address, subnet mask, and default gateway.

    The IP address must be a public address assigned by an ISP. You can configure the VPN server with a private IP address but assign it a published static IP address by which it is known on the Internet. When packets are sent to and from the VPN server, a NAT that is positioned between the Internet and the VPN server translates the published IP address to the private IP address.

    When you configure a VPN connection, give your VPN servers names that can be resolved to IP addresses using DNS.

  5. Click Advanced to display the Advanced TCP/IP Settings dialog box.

To configure TCP/IP for the intranet interface

  1. In Control Panel, double-click Network Connections, and then double-click the network adapter for the intranet interface.

  2. In the network adapter status dialog box (for example, Local Area Connection 2 Status), click Properties.

  3. Click Internet Protocol (TCP/IP), and then click Properties.

  4. On the General tab, configure the IP address, subnet mask, and the addresses of internal DNS servers.

    To prevent default route conflicts with the default route pointing to the Internet, do not configure the default gateway on the intranet connection.

  5. Click Advanced to display the Advanced TCP/IP Settings dialog box.

  6. On the WINS tab, specify the IP addresses of your WINS servers.

Configuring the Server as a VPN Remote Access Server

To configure the server as a VPN remote access server, use the Configure Your Server Wizard and click Remote access/VPN server as the server role, or use the Routing and Remote Access snap-in. You can use the information that you recorded in Tables 5.2 and 5.3 earlier in this chapter to assist you in configuring your VPN server. For instructions on using the wizard, see Remote access/VPN server role: Configuring a remote access/VPN server in Help and Support Center for Windows Server 2003.

Note  

If you are configuring your server as both a VPN and dial-up remote access server, specify both VPN and dial-up in the Routing and Remote Access Server Setup Wizard.

Configuring Name Resolution on a VPN Server

If you use Domain Name System (DNS) to resolve intranet host names or Windows Internet Name Service (WINS) to resolve intranet NetBIOS names, manually configure the VPN server with the IP addresses of the appropriate DNS and WINS servers.

During the PPP connection setup process, VPN clients receive the IP addresses of DNS and WINS servers. By default, the VPN clients inherit the DNS and WINS server IP addresses configured on the VPN server. However, VPN clients that are capable of sending a DHCPINFORM message (computers running Windows 2000, Windows XP, or Windows Server 2003) can also get their DNS and WINS server IP addresses from a DHCP server, provided the DHCP Relay Agent component is correctly configured.

Configuring Packet Filters for a VPN Server

Firewalls are configured with rules to filter the packets that a VPN server sends and receives and to control intranet traffic to and from VPN clients, based on your network security policies. Packet filtering is based on the fields of inbound and outbound packets.

The Routing and Remote Access Server Setup Wizard for Windows Server 2003 automatically configures the appropriate packet filters for VPN traffic. Alternatively, you can use the Routing and Remote Access snap-in to configure the packet filters.

For more information, see Deploying Dial-up and VPN Remote Access Servers in Deploying Network Services of the Microsoft Windows Server 2003 Deployment Kit (or see Deploying Dial-up and VPN Remote Access Servers on the Web at http://www.microsoft.com/reskit).

For procedures explaining how to configure packet filters, see VPN servers and firewall configuration in Help and Support Center for Windows Server 2003.

Configuring Routing on a VPN Server

To enable a VPN server to correctly forward traffic to locations on your intranet, perform one of two routing configurations:

  • Configure the server with static routes that summarize all possible IP addresses on the intranet.

  • Configure the server with routing protocols that enable it to act as a dynamic router, automatically adding routes for intranet subnets to its routing table.

In a small, stable networking environment, static routing might be an appropriate choice for a VPN solution. However, in most corporate networking environments, the increased administrative overhead required to maintain static routes is prohibitive. If applicable, you can use the information you recorded in Table 5.2 to assist you in configuring this information.

Configuring Static Routes on the Server

If you manually configure IP address ranges for a static address pool on any of your VPN servers, and if any of the ranges is an off-subnet range, your intranet routing infrastructure must include routes representing the off-subnet address ranges. To provide the best summary of address ranges for routes, choose your address ranges so that they can be expressed using a single prefix and subnet mask.

To ensure this, add static routes representing the off-subnet address ranges to the routers neighboring the VPN servers, and then use the routing protocol of your intranet to propagate the off-subnet routes to other routers. When you add the static routes to the neighboring routers, specify that the gateway or the next hop address is the intranet interface of the VPN server.

For information about adding static routes, see Configuring the branch office network in Help and Support Center for Windows Server 2003.

Configuring the Server as a Dynamic Router

If you are using RIP or OSPF, you can configure any VPN server that is using off-subnet address ranges as a RIP or OSPF router.

For OSPF, you must also configure the VPN server as an autonomous system boundary router (ASBR). For more information, see OSPF design considerations in Help and Support Center for Windows Server 2003.

If you use a routing protocol other than RIP or OSPF, such as Interior Gateway Routing Protocol (IGRP), on the VPN server's neighboring intranet router, configure the interface connected to the subnet to which the VPN server is assigned for RIP or OSPF, configure all other interfaces for IGRP, and then configure the router for route redistribution between protocols. See your router documentation for details on how to configure route redistribution.

For information about:

  • Configuring the VPN server as a RIP router, see Configure RIP for IP in Help and Support Center for Windows Server 2003.

  • Configuring the VPN server as an OSPF router, see OSPF design considerations and Configure OSPF in Help and Support Center for Windows Server 2003.

Configuring a Dial-up Remote Access Server

To provide dial-up access to your organization's intranet, configure a computer running Windows Server 2003 as a dial-up remote access server.

Use the Routing and Remote Access Server Setup Wizard to configure the server as a dial-up remote access server and enable the Routing and Remote Access service, which is installed automatically with the Windows Server 2003 family. For instructions on using the wizard, see Remote access/VPN server role: Configuring a remote access/VPN server in Help and Support Center for Windows Server 2003.

With Routing and Remote Access enabled, configure the properties of a dial-up remote access server by using the Routing and Remote Access snap-in. If applicable, you can use the information that you recorded in Table 5.3 to assist you in configuring your dial-up remote access server.

To configure a server for dial-up remote access

  1. Open the Routing and Remote Access snap-in.

  2. In the console tree, right-click the server name, and then click Properties.

  3. On the General tab of the properties dialog box for the server, verify that the Remote access server check box is selected.

  4. On the Security tab, set up authentication for dial-up remote access clients:

    1. Click Authentication Methods, and in the Authentication Methods dialog box, select the check boxes for the authentication methods that the server will accept for dial-up connections.

      Note  

      The server is configured by default to accept certain authentication methods. To allow additional authentication methods, you must configure Routing and Remote Access. You can use remote access policies to control which authentication methods to accept for specific types of connections. For more information about using Windows Server 2003 remote access policies, see Introduction to remote access policies in Help and Support Center for Windows Server 2003.

    2. Under Authentication Provider on the Security tab, specify the authentication provider to use for dial-up remote access clients.

    3. Under Accounting Provider, specify and configure the accounting provider to use for recording dial-up connection accounting information.

  5. On the IP tab, set up routing for dial-up remote access clients:

    1. Verify that the Enable IP routing and Allow IP-based remote access and demand-dial connections check boxes are selected.

    2. If you are using DHCP to obtain IP addresses for dial-up remote access clients, click Dynamic Host Configuration Protocol (DHCP).

    -or-

    Select Static address pool, and then configure ranges of IP addresses that are dynamically assigned to dial-up remote access clients.

    If the static IP address pool consists of ranges of IP addresses for a separate subnet, either enable an IP routing protocol on the remote access server or add static IP routes for each range to your IP routing infrastructure. If the routes are not added, dial-up remote access clients cannot receive traffic from resources on the intranet.
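Added example (not part of the original chapter): the static address pool guidance above, and in Configuring Static Routes on the Server, can be checked before deployment. This Python code classifies each pool range as on-subnet or off-subnet, reports whether it collapses to a single prefix and subnet mask, and lists the routes that neighboring routers need, with the server's intranet interface as the next hop. All addresses are constructed samples, and the route.exe rendering assumes the neighboring router runs Windows.

```python
import ipaddress

# Constructed sample values (assumptions, not taken from the chapter).
SAMPLE_INTRANET_IF = "10.0.1.1/24"   # intranet interface of the remote access server
SAMPLE_POOLS = [
    ("10.0.1.200", "10.0.1.250"),    # inside the intranet subnet
    ("10.0.5.0", "10.0.5.255"),      # off-subnet, aligned to one prefix
    ("10.0.6.10", "10.0.6.50"),      # off-subnet, not aligned
]


def plan_routes(pool_ranges, intranet_if):
    """Classify each static pool range and list the routes neighbors need."""
    iface = ipaddress.IPv4Interface(intranet_if)
    net = iface.network
    plan = []
    for start, end in pool_ranges:
        # Smallest set of prefix/mask pairs that covers exactly start..end.
        blocks = list(ipaddress.summarize_address_range(
            ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)))
        if all(b.subnet_of(net) for b in blocks):
            status = "on-subnet"      # already reachable, no extra route
        elif not any(b.overlaps(net) for b in blocks):
            status = "off-subnet"     # every block needs a route
        else:
            status = "straddles"      # crosses the subnet boundary: split it
        routes = [
            {"destination": str(b.network_address),
             "mask": str(b.netmask),
             "next_hop": str(iface.ip)}  # gateway = server's intranet interface
            for b in blocks if not b.overlaps(net)
        ]
        plan.append({"range": (start, end), "status": status,
                     "single_prefix": len(blocks) == 1, "routes": routes})
    return plan


def route_command(route):
    """Render one route in Windows route.exe syntax (assumes a Windows neighbor)."""
    return "route -p add {destination} mask {mask} {next_hop}".format(**route)


if __name__ == "__main__":
    for entry in plan_routes(SAMPLE_POOLS, SAMPLE_INTRANET_IF):
        print(entry["range"], entry["status"],
              "single prefix" if entry["single_prefix"] else "multiple prefixes")
        for r in entry["routes"]:
            print("   ", route_command(r))
```

The third sample range needs six routes where the aligned second range needs one, which is why the chapter recommends ranges that fit a single prefix and subnet mask.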

Configuring a Connection to the Intranet

A network adapter provides the connection from a dial-up remote access server to the intranet. To enable this connection, you must configure TCP/IP on the network adapter and, on the dial-up remote access server, configure the modem ports for remote access.

Configuring TCP/IP on the Network Adapter

Configure the following TCP/IP settings on the network adapter that provides the connection from the dial-up remote access server to the intranet:

  • The IP address and subnet mask assigned by a network administrator.

  • The default gateway of a local router.

  • The IP addresses of DNS and WINS servers.

Configuring a Connection to Dial-up Remote Access Clients

To enable multiple dial-up clients to connect to the intranet simultaneously, the dial-up solution must have a modem bank connected to a telecommunications provider. The modem bank adapter includes drivers that you install on the dial-up remote access server.

Configuring Dial-in Ports for Remote Access

With the modem bank adapter drivers installed, the modem bank appears as a device with multiple modem ports. Use the Routing and Remote Access snap-in to configure all of the active modem bank ports on the server for remote access.

To configure the ports of a device for remote access

  1. Open the Routing and Remote Access snap-in.

  2. In the console tree, right-click Ports, and then click Properties.

  3. In the Ports Properties dialog box, specify the device that you want to configure, and then click Configure.

  4. In the Configure Device dialog box, specify the appropriate connection options.

Configuring Encryption for a Dial-up Solution

In the remote access policy that governs connections to the dial-up remote access server, use Routing and Remote Access to set the appropriate encryption level. For a procedure for setting an encryption level in a remote access policy, see Configuring authentication and data encryption in Help and Support Center for Windows Server 2003.

In the remote access policy for dial-up connections on the dial-up remote access server, choose one of the following encryption levels:

  • To use MPPE with a 40-bit encryption key, select the Basic check box.

  • To use MPPE with a 56-bit encryption key, select the Strong check box.

  • To use MPPE with a 128-bit encryption key, select the Strongest check box.

If applicable, you can use the information that you recorded in Table 5.3 to assist you in configuring encryption for your dial-up solution.

For more information about using Windows Server 2003 remote access policies, see Introduction to remote access policies in Help and Support Center for Windows Server 2003.




Migrating from Microsoft Windows NT Server 4.0 to Windows Server 2003
Authors: The Microsoft Windows Server Team
ISBN: 0735619409
EAN: 2147483647
Year: 2004
Pages: 96
