Lesson 1: Introducing Remote Access

The remote access feature of Microsoft Windows 2000 Server enables remote or mobile workers who use dial-up communication links to access corporate networks as if they were directly connected. Windows 2000 Server remote access also provides virtual private networking services so that users can access corporate networks over the Internet.


After this lesson, you will be able to

  • Explain the features of Routing and Remote Access service
  • Install Routing and Remote Access service
  • Describe the difference between remote access and remote control
  • Explain the effect of an upgrade on Routing and Remote Access service

Estimated lesson time: 25 minutes


Overview of Remote Access

Windows 2000 Server remote access, which is part of the integrated Routing and Remote Access service, connects remote or mobile workers to corporate networks. Remote users can work as if their computers were physically connected to the network. Users (or clients) run remote access software to initiate a connection to the remote access server. The remote access server, which is a computer running Windows 2000 Server with the Routing and Remote Access service enabled, authenticates users and services sessions until terminated. All services typically available to a user connected to a local area network (LAN), including file and print sharing, Web server access, and messaging, are enabled by means of the remote access connection.

Remote Access clients use standard tools to access network resources. For example, on a computer running Windows 2000, clients can use Microsoft Windows Explorer to map network drives and connect to printers. Connections are persistent, so users do not need to reconnect to network resources during their remote sessions. Because drive letters and universal naming convention (UNC) names are fully supported by remote access, most commercial and custom applications work without modification. A remote access server running Windows 2000 provides two different types of remote access connectivity:

  • Dial-up networking. Dial-up networking is used when a remote access client makes a nonpermanent, dial-up connection to a physical port on a remote access server by using the service of a telecommunications provider such as analog telephone, Integrated Services Digital Network (ISDN), or X.25. The best example of dial-up networking is that of a dial-up networking client who dials the telephone number of one of the ports of a remote access server.

    Dial-up networking over an analog telephone or ISDN is a direct physical connection between the dial-up networking client and the dial-up networking server. You can encrypt data sent over the connection, but it is not required.

  • Virtual private networking. Virtual private networking is the creation of secured, point-to-point connections across a private network or a public network such as the Internet. A virtual private networking client uses special Transmission Control Protocol/Internet Protocol (TCP/IP)-based protocols called tunneling protocols to make a call to a port on a virtual private network (VPN) server. The most practical example of a VPN is a dial-up user connecting across the Internet to a server on the corporate network. The remote access server answers the virtual call, authenticates the caller, and transfers data between the virtual private networking client and the corporate network.

    In contrast to dial-up networking, virtual private networking is a logical (rather than physical) connection between the VPN client and server. To ensure privacy, you must encrypt data sent over the connection.

Routing and Remote Access Features

The Windows Routing and Remote Access feature set provides Network Address Translation (NAT), multiprotocol routing, Layer Two Tunneling Protocol (L2TP), Internet Authentication Service (IAS), and Remote Access Policies (RAP). The lesson concludes with information about demand-dial filters, dial-out hours, dial-in user properties, remote access use of name servers and DHCP, Bandwidth Allocation Protocol (BAP), and monitoring remote access.

Router Discovery

Windows 2000 has a new feature called router discovery, which is specified in Request for Comments (RFC) 1256. Router discovery provides an improved method of configuring and detecting default gateways. With DHCP or manual default gateway configuration, a host has no way to adjust to network changes. With router discovery, clients dynamically discover routers and can switch to backup routers when a network failure occurs or an administrative change is made. Router discovery is made up of two types of packets:

  • Router solicitations. When a host that supports RFC 1256 needs to be configured with a default gateway, it sends out a router solicitation using an Internet Control Message Protocol (ICMP) message. The router solicitation can be sent to the all-routers Internet Protocol (IP) multicast address of 224.0.0.2, the local IP broadcast address, or the limited broadcast address (255.255.255.255). In practice, hosts send router solicitation messages to the multicast address. Routers on the host's network that support RFC 1256 immediately respond with a router advertisement, and the host chooses the router with the highest preference level as its default gateway.
  • Router advertisements. Router advertisements are explicit notifications to the hosts on the network that the router is still available. A router sends out a periodic router advertisement using an ICMP message. The router advertisement can be sent to the all-hosts IP multicast address (224.0.0.1), the local IP broadcast address, or the limited broadcast address. Like router solicitations, router advertisements are sent to the multicast address in practice.
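The RFC 1256 messages described above, as an added example that is not part of the lesson: it builds and validates an ICMP Router Advertisement (type 9) and applies the host's selection rule (highest preference level wins). The packet layout and the "do not use as default" preference value follow RFC 1256; the sample router list is constructed for the example.

```python
import socket
import struct

ICMP_ROUTER_ADVERTISEMENT = 9       # RFC 1256 type sent by routers (type 10 is a solicitation)
NOT_A_DEFAULT_ROUTER = -0x80000000  # RFC 1256 preference meaning "never use as default"

def icmp_checksum(data: bytes) -> int:
    """Internet checksum: one's complement of the one's complement 16-bit sum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_advertisement(routers, lifetime=1800) -> bytes:
    """Router Advertisement: type 9, code 0, checksum, num addrs, addr entry
    size (2 words), lifetime in seconds, then (address, preference) pairs."""
    body = struct.pack("!BBH", len(routers), 2, lifetime)
    for addr, pref in routers:
        body += socket.inet_aton(addr) + struct.pack("!i", pref)
    header = struct.pack("!BBH", ICMP_ROUTER_ADVERTISEMENT, 0, 0)
    return struct.pack("!BBH", ICMP_ROUTER_ADVERTISEMENT, 0,
                       icmp_checksum(header + body)) + body

def parse_advertisement(packet: bytes):
    """Validate an advertisement; return (lifetime, [(address, preference), ...]).
    Raises ValueError instead of acting on a malformed or corrupt message."""
    if len(packet) < 8:
        raise ValueError("too short")
    mtype, code, _, num, entry_size, lifetime = struct.unpack("!BBHBBH", packet[:8])
    if mtype != ICMP_ROUTER_ADVERTISEMENT or code != 0:
        raise ValueError("not a router advertisement")
    if entry_size < 2 or len(packet) < 8 + num * entry_size * 4:
        raise ValueError("truncated address list")
    if icmp_checksum(packet) != 0:          # an intact message sums to zero
        raise ValueError("bad checksum")
    routers = []
    for i in range(num):
        off = 8 + i * entry_size * 4
        pref = struct.unpack("!i", packet[off + 4:off + 8])[0]
        routers.append((socket.inet_ntoa(packet[off:off + 4]), pref))
    return lifetime, routers

def choose_default_gateway(routers):
    """Host rule from the lesson: the highest preference level wins; routers
    advertising the 'do not use' value are skipped."""
    usable = [r for r in routers if r[1] != NOT_A_DEFAULT_ROUTER]
    return max(usable, key=lambda r: r[1])[0] if usable else None
```

Because any host on the segment accepts these unauthenticated ICMP messages, a host that honours router discovery should also be monitored for unexpected advertisements changing its default gateway.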

NOTE


Microsoft Windows 2000 supports router discovery as a host and router.

Network Address Translator

NAT is a standard defined in RFC 1631. A NAT is a router that translates IP addresses of an intranet or home LAN to valid Internet addresses. A NAT allows Internet connectivity for a private network with private addresses through a single Internet IP address. Windows 2000 Server includes a full-featured NAT implementation called Connection Sharing and a configuration-free version called Shared Access.

Multicast Routing

Windows 2000 Server implements a limited form of multicast routing using a multicast proxy. This proxy can be used to extend multicast support beyond a true multicast router. The multicast proxy is best used to provide multicast for remote access users or a single LAN network connected to the Internet. On one or more interfaces Windows 2000 acts like a multicast router, communicating with local clients about their multicast needs. On an interface that has direct access to a true multicast router, Windows acts as a multicast client, forwarding multicast traffic on behalf of the local clients.

Layer Two Tunneling Protocol

L2TP can be thought of as the next version of Point-to-Point Tunneling Protocol (PPTP). It works much like PPTP but is now a combined development effort with Cisco. L2TP combines Cisco's Layer 2 Forwarding (L2F) and PPTP technologies (created by Microsoft, Ascend, 3Com, U.S. Robotics, and ECI-Telematics). L2TP is currently an RFC draft, soon to be an industry standard. L2TP is an Open Systems Interconnection (OSI) layer 2 (Data-link layer) protocol used to create VPNs.

Internet Authentication Service

IAS is a Remote Authentication Dial-In User Service (RADIUS) server. RADIUS is a network protocol that enables remote authentication, authorization, and accounting of users who are connecting to a network access server (NAS). A network access server such as Windows Routing and Remote Access can be a RADIUS client or RADIUS server.

NOTE


Microsoft released a limited version of RADIUS server in the Windows NT 4.0 Option Pack. A RADIUS server—IAS—is now available in Windows 2000.

Remote Access Policies

In Windows NT 3.5 and later versions, remote access was granted based on a simple Grant Dial-In Permission To User option in User Manager or the Remote Access Admin utility. Callback options were also granted on a per-user basis.

In Windows 2000, remote access connections are granted based on the dial-in properties of a user object and remote access policies (RAPs). A RAP is a set of conditions and connection parameters that gives network administrators more flexibility in granting remote access permissions and controlling usage. Examples of conditions include time of day, group membership, and type of connection (VPN or dial-up). Examples of connection parameters include authentication and encryption requirements, use of Multilink, and length of session. One benefit of this added control is that you can require strong encryption on VPN connections while allowing unencrypted modem connections, where encryption may not be needed.

RAPs are stored on the local computer and are shared between Windows 2000 Routing and Remote Access and Windows 2000 IAS. RAPs are configured from the Internet Authentication Service Manager or from the Routing and Remote Access Manager.
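A worked model of the policy evaluation described above, added here as an example and not code from the lesson or from Windows 2000. It assumes a simplified RAP: ordered policies, each with the lesson's condition types (connection type, group, time of day) and a profile (minimum encryption level, session limit), where the first policy whose conditions all match decides the attempt and an attempt that matches no policy is rejected. The user's own dial-in property is not modelled, and the policy set and requests are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

ENCRYPTION_RANK = {"none": 0, "basic": 1, "strong": 2}   # ordering of encryption levels

@dataclass
class Attempt:                 # a connection request as the server sees it (constructed shape)
    user: str
    groups: frozenset
    port_type: str     # "VPN" or "Dial-up", the lesson's two connection types
    encryption: str    # strongest level the client is willing to negotiate
    hour: int          # hour of day (0-23) at which the request arrives

@dataclass
class Policy:
    """Conditions decide whether the policy applies; the profile then constrains the session."""
    name: str
    port_type: Optional[str] = None    # condition: type of connection
    group: Optional[str] = None        # condition: membership of this group
    hours: Optional[tuple] = None      # condition: allowed (start_hour, end_hour)
    grant: bool = True                 # what a matching policy does
    required_encryption: str = "none"  # profile: minimum encryption level
    max_session_minutes: Optional[int] = None

    def matches(self, a: Attempt) -> bool:
        return (self.port_type in (None, a.port_type)
                and (self.group is None or self.group in a.groups)
                and (self.hours is None or self.hours[0] <= a.hour < self.hours[1]))

def evaluate(policies, a: Attempt):
    """First policy whose conditions all match decides the attempt; its profile is then
    enforced. With no matching policy the attempt is rejected (assumed behaviour)."""
    for p in policies:
        if not p.matches(a):
            continue
        if not p.grant:
            return False, f"{p.name}: denied by policy", None
        if ENCRYPTION_RANK[a.encryption] < ENCRYPTION_RANK[p.required_encryption]:
            return False, f"{p.name}: requires {p.required_encryption} encryption", None
        return True, f"{p.name}: accepted", p.max_session_minutes
    return False, "no policy matched", None

# Constructed policy set for the lesson's example: strong encryption on VPN links,
# none required on modem links, and modem dial-in only during business hours.
POLICIES = [
    Policy("VPN users", port_type="VPN", group="Remote Users",
           required_encryption="strong", max_session_minutes=480),
    Policy("Dial-up, business hours", port_type="Dial-up", group="Remote Users",
           hours=(8, 18), required_encryption="none", max_session_minutes=120),
]
```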

Enabling Routing and Remote Access Service

Now that you have an understanding of Routing and Remote Access, you will enable the service. Before you enable this service, the Routing and Remote Access Manager will look like the illustration in Figure 12.1.

Figure 12.1 The Routing and Remote Access Manager before installation

Practice: Installing a Routing and Remote Access Server

In this practice, you install a Routing and Remote Access server using the Routing and Remote Access Manager.

NOTE


Before you continue with the lesson, run the Ch12.exe demonstration file located in the Media folder on the Supplemental Course Materials CD-ROM that accompanies this book. The file provides an overview of installing a Routing and Remote Access server.

Exercise 1: Installing a Routing and Remote Access Server

  1. Open the Routing and Remote Access Manager from within the Administrative Tools menu.
  2. Right-click your computer name and choose Configure And Enable Routing And Remote Access.
  3. In the Routing And Remote Access Server Setup wizard, click Next.
  4. On the Common Configurations page, select the Remote Access Server button, and then click Next.
  5. On the Remote Client Protocols page, under Protocols, make sure that TCP/IP is listed. Verify that Yes, All The Required Protocols Are On This List is selected, and then click Next.
  6. On the IP Address Assignment page, make sure From A Specified Range Of Addresses is selected, and then click Next.
  7. On the Address Range Assignment page, click New. Next to Starting Address type 10.0.0.10 (for computer 1, and 10.0.0.20 for computer 2). Under End Of IP Address type 10.0.0.19 (for computer 1, and 10.0.0.29 for computer 2). Under Number Of Addresses, verify that 10 is the number. Click OK to close the Edit Address Range window. Click Next.
  8. On the Managing Multiple Remote Access Servers page, verify that No, I Don't Want To Set This Server Up To Use RADIUS Now is selected, and then click Next.
  9. Click Finish.
  10. Click OK to dismiss any warning messages that appear.

    The Routing and Remote Access Manager will look like the illustration in Figure 12.2.

Figure 12.2 The Routing and Remote Access Manager after installation

Exercise 2: Enabling Dial-in Permissions for the Administrator Account

  1. Open Active Directory Users And Computers (if in a domain) or Computer Management (if in a workgroup).
  2. Open the User Properties For Administrator, go to the Dial-In tab, and select Allow Access.

Remote Access Versus Remote Control

The distinctions between remote access and remote control solutions are the following:

  • The remote access server is a software-based multiprotocol router; remote control solutions work by sharing screen, keyboard, and mouse over the remote link. In remote access, the applications are run on the remote access client computer.
  • In a remote control solution, users share a central processing unit (CPU) or multiple CPUs on the server. In remote control, the applications are run on the server. The remote access server's CPU is dedicated to facilitating communications between remote access clients and network resources, not to running applications.

The Effect of a Windows Upgrade on Routing and Remote Access

A system upgraded from Windows NT 4.0 Remote Access Service (RAS)/Routing and Remote Access Service (RRAS) to Windows 2000 has one minor problem. The Windows NT 4.0 service runs under the LocalSystem account. When any service logs on as LocalSystem, it logs on with NULL credentials, meaning that the service does not provide a user name or password.

Active Directory directory service, by default, does not accept querying of object attributes through NULL sessions. Therefore, in a mixed environment, planning is necessary to allow Windows NT 4.0 Remote Access Service/Routing and Remote Access Service servers to retrieve user dial-in properties from Active Directory directory service. Remote Access Service/Routing and Remote Access Service servers require this access to determine whether the user has been granted dial-in permissions and whether any other dial-in settings, such as callback telephone numbers, have been configured.

NOTE


Using NULL credentials prevents an account from being able to access network resources relying on Windows NT LAN Manager (NTLM) authentication (unless the remote computer specifically allows NULL sessions).

Remote Access Server Upgrade Considerations

For a Windows NT 4.0 Remote Access Service/Routing and Remote Access Service server to retrieve user properties from Active Directory, you must meet one of the following conditions:

  • You have a domain in Mixed mode and the Windows NT 4.0 Remote Access Service/Routing and Remote Access Service server is also a Windows NT 4.0 backup domain controller. In this case, Remote Access Service/Routing and Remote Access Service has access to the local Security Accounts Manager (SAM) database.
  • You have a domain in Mixed mode and the Windows NT 4.0 Remote Access Service/Routing and Remote Access service server contacts a Windows NT 4.0 backup domain controller to determine user dial-in properties. This also will allow access to the local SAM database.
  • The domain is in Mixed or Native mode and Active Directory security has been loosened to grant the built-in Everyone group permission to read any property on any user object. This is configured with the Active Directory Installation wizard (DCPROMO.EXE) by selecting Permission Compatible With Pre-Windows 2000 Server.

NOTE


Unless Active Directory security has been loosened or the Remote Access Service/Routing and Remote Access Service server is installed on a backup domain controller, dial-in connectivity success could be intermittent. Even if your domain runs in Mixed mode, it is impossible to configure the Remote Access Service/Routing and Remote Access Service server to contact a Windows NT 4.0 backup domain controller only for authentication. If a Windows 2000 domain controller authenticates the user, dial-in will fail.

The Permission Compatible With Pre-Windows 2000 Servers option places the Everyone group in the Pre-Windows 2000 Compatible Access Local group. You can strengthen permissions by deleting the Everyone group from this group's membership list after all remote access servers have been upgraded to Windows 2000. This Everyone group workaround should be used only after understanding its impact on Active Directory security. If it conflicts with your security requirements, it is recommended that you upgrade the Windows NT 4.0 Remote Access Service/Routing and Remote Access Service server to Windows 2000 and make it a member of a Windows 2000 mixed or native domain. This will help prevent inconsistent dial-in access while the domain is in Mixed mode.

If you would like to loosen security to allow Windows NT 4.0 Remote Access Service/Routing and Remote Access Service servers to function after running the Active Directory Installation wizard, you can add the Everyone group to the Pre-Windows 2000 Compatible Access group by typing the following command:

    net localgroup "Pre-Windows 2000 Compatible Access" Everyone /add

Lesson Summary

This lesson provided a basic overview of remote access features. These include router discovery, NAT, multicast routing, L2TP, IAS, and RAPs. Installing and configuring Routing and Remote Access was also introduced.



MCSE Training Kit: Microsoft Windows 2000 Accelerated 2000
Year: 2004
Pages: 244
