IAS (Internet Authentication Service)
access server vulnerabilities 361
account lockout 360
accounting described 321
additional resources 373–374
architecture 317
auditing described 321
authentication described 321
authentication methods See authentication methods for IAS
authentication protocols 354–357
authorization described 321
client-specific remote access policies 352
common vs. custom remote access policies 349–351
concepts 316–321
conditions for remote access policies 350
configuring remote access policies 347–352
definitions 321
deployment overview 313–314
deployment process 315
described 321
designing IAS See designing IAS
digital signature 360
implementing deployments See implementing IAS
installing computer certificates 359, 583–584
integrating with certificate infrastructure 357–359
Internet firewalls 360
IPSec traffic security 361
Message-Authenticator attribute 360
Network Access Quarantine Control 348
optimizing IAS See optimizing IAS
permissions for remote access policies 350
profile properties for remote access policies 350
Quarantine Remote Access Policy 352
RADIUS client described 321
RADIUS protocol described 321
RADIUS protocol overview 316
RADIUS proxy described 321
RADIUS server described 321
RADIUS shared secrets 359, 361
remote access groups 346
remote access policies for switch access clients 352
remote access policies for users and groups 351
remote access policies for VPN clients 352
remote access policies for wireless access clients 352
remote access policy overview 345
remote access policy restrictions 351
remote client access authorization 346
securing RADIUS servers and proxies 359–361
security overview for remote access 353
server deployments for RADIUS authentication 522
signature attribute 360
specifications for common remote access policies 349
specifications for custom remote access policies 349
terms 321
user accounts 347
VPN tunnels 361
Windows Server 2003 features 318–320
IEEE 802.11 554
IEEE 802.1X 554
IETF (Internet Engineering Task Force) 316
IGMP (Internet Group Management Protocol) 40
IKE (Internet Key Exchange) 287, 294
illegal addresses 25
implementing Connection Manager
distributing certificates 449
distributing service profiles 451
example See Connection Manager implementation example
Internet enrollments 449
intranet enrollments 450
overview 448
security education for users 450
testing deployments 449
implementing DHCP
BOOTP client support 99–101
configuring clients 98–101
example See DHCP implementation example
exporting settings from Windows NT 4.0 or Windows 2000 97
importing settings to Windows Server 2003 98
installing on servers 96
migrating existing servers 96–98
Netsh tool 98
overview 95
remote access client support 99
testing deployments 101
implementing dial-up networking
configuring connections to clients 425
configuring connections to intranet 425–426
configuring encryption 426
configuring ports for remote access 425–426
configuring remote access servers 424–425
configuring TCP/IP on LAN adapter 425
overview 423
implementing DNS
conditional forwarding 171
configuring aging 171
configuring dynamic updates for servers 171
configuring replication scope 172
configuring scavenging 171
configuring zone transfers 172
deployment tools 173
Dnscmd.exe 173
Nslookup.exe 173
overview 168
preparing for deployments 169
setting up clients 173
setting up servers 169–170
setting up zones 170
verifying server operation 172
implementing IAS
compatibility with third-party access servers 371–372
configuring firewalls to support RADIUS traffic 369
configuring primary RADIUS proxy in perimeter network 368
configuring primary RADIUS server on domain controller 365
configuring RADIUS clients 371
configuring RADIUS server authentication and accounting 366
configuring secondary RADIUS proxy in perimeter network 368
configuring secondary RADIUS server on domain controller 366
configuring user accounts and groups for RADIUS servers 364
custom attributes for third-party access server compatibility 372
deploying IAS as RADIUS proxy 367–371
deploying IAS as RADIUS server 363–366
filters on Internet interface 369
overview 362
vendor-specific attributes for third-party access server compatibility 372
implementing IPSec
network deployments 308
overview 305
RSoP (Resultant Set of Policy) 307
testing in pilot projects 307–308
testing in test labs 306–307
implementing ISA Server
cache mode 218–219
firewall mode 218
forward cache mode 218
installing in a domain 224
integrated mode 220
overview 237
reverse cache mode 219
steps for 238–240
implementing remote site-to-site connections
Active Directory deployments 521
Active Directory user accounts and groups 523–524
authentication methods 543
authentication providers 543
auto-static updates 539
certificate deployments 522
demand-dial filters 546
deployment tasks 520
dial-out or dial-in hours 545
disconnect intervals 537
EAP-TLS computer and user certificates 527
IAS server deployments for RADIUS authentication 522
initiating connections 546
Internet access through calling router 540–541
intranet connections 525
IP packet filters 546
joining routers to domains 526
L2TP/IPSec computer certificates 526
multicast connectivity between sites 542
overview 518
performance for Internet traffic 541
persistent connections 537
ports 544
remote access policies 534–536
replication 547–549
routers in perimeter networks 526
Routing and Remote Access 527–533
routing protocols 540
security for Internet traffic 540
static routes 537–539
test deployments in test labs 518–519
testing connectivity 547
WAN adapters 524
implementing VPN
Configure Your Server Wizard 407
configuring account lockout 422
configuring encryption 421
configuring filters for servers behind firewalls 409
configuring filters for servers in front of firewalls 413
configuring name resolution 409
configuring Network Access Quarantine Control 416–417
configuring packet filters 409–415
configuring routing 417–419
configuring TCP/IP 407–409
firewalls 409–415
installing certificates for connections 420–421
Internet configuration for TCP/IP 408
intranet interface configuration for TCP/IP 409
L2TP/IPSec connections for servers behind firewalls 411
L2TP/IPSec connections for servers in front of firewalls 415
L2TP/IPSec Internet interface of firewalls 412
L2TP/IPSec perimeter network interface of firewalls 412
overview 406
perimeter network interface configuration for TCP/IP 408
PPTP connections for servers behind firewalls 409
PPTP connections for servers in front of firewalls 414
PPTP Internet interface of firewalls 410
PPTP perimeter network interface of firewalls 411
remote access server configuration tasks 407
routing for clients 418–419
security 420–422
servers behind firewalls 409
implementing WINS
conversion files 209
evaluating deployments 210
migrating to Windows Server 2003 208
overview 207
testing deployments 210
implementing WLAN test environments
adding APs as RADIUS clients 587
certificate infrastructure 582–587
configuring Active Directory 580
configuring DNS and DHCP 582
configuring encryption for remote access policy 589
configuring Group Policy settings 591
configuring IAS RADIUS servers 587–589
configuring wireless adapter on wireless clients 589
configuring wireless APs 580
creating remote access policy for wireless clients 588
expanding test deployments 590–592
initial test deployments 579
installing computer certificates on IAS servers 583–584
installing computer certificates on wireless clients 584–586
installing single-tier CA (certification authority) 582
installing three-tier CA (certification authority) 592
installing user certificates on wireless clients 584–587
overview 578
setting up test deployments 579
testing deployments 589–590
increasing DHCP default lease duration 87
incremental zone transfer, DNS 151
industry tests for TCP/IP networks 66
information options, DHCP 92
installing
backup RADIUS proxies for IAS 331
backup RADIUS servers for IAS 330
computer certificates for EAP-TLS 527
computer certificates for IAS access clients 359
computer certificates for IAS servers 359, 583–584
computer certificates for L2TP/IPSec 526
computer certificates on wireless clients 584–586
DHCP on servers 96
ISA Server in a domain 224
PBA for Connection Manager 436
user certificates on wireless clients 584–587
user certificates for EAP-TLS 527
VPN certificates for connections 420–421
integrated mode, ISA Server 220
integrating
DHCP with DNS and WINS 27
DHCP with other services 81–84
DNS with Windows Server 2003 services 164–167
IAS with certificate infrastructure 357–359
remote site connections into Active Directory 510–512
remote site connections into networks 501–512
VPN servers into perimeter networks 485–486
Windows Server 2003 DNS into existing namespace 129–130
WINS with other services 205–207
internal DNS domains 125–126
internal DNS root 127–128
Internet
DNS status 121
L2TP/IPSec firewalls 412
PPTP firewalls 410
traffic for remote site connectivity 505–506
Internet Authentication Service See IAS (Internet Authentication Service)
Internet Engineering Task Force (IETF) 316
Internet Group Management Protocol (IGMP) 40
Internet Key Exchange (IKE) 287, 294
Internet Protocol security See IPSec (Internet Protocol security)
Internet Protocol Version 4 See IPv4 (Internet Protocol Version 4)
Internet Protocol Version 6 See IPv6 (Internet Protocol Version 6)
Internet Security and Acceleration Server See ISA Server
interoperability, ISA Server 222–224
intranet
Connection Manager enrollments 450
dial-up connections 425–426
remote site-to-site connections 525
VPN interface 409
IP address lease and renewal, DHCP 74
IP addressing schemes
address allocation methods 23
aggregation 20–21
CIDR (classless interdomain routing) 22–23
classless IP addressing 16–18
classless routing 18–20
design overview 14–15
private vs. public addresses 23–25
route summarization 20–21
structured address assignment model 16
supernetting 22–23
VLSM (variable length subnet mask) 21–22
wireless LANs 559–561
IP configuration strategy 26–28
IP multicasting
configuring client computers 42
configuring for remote site-to-site connectivity 542
configuring IGMP 40
configuring IP multicast scopes 41
DVMRP (Distance Vector Multicast Routing Protocol) 39
MADCAP (Multicast Address Dynamic Client Allocation Protocol) 37–38
MOSPF (Multicast Extensions to OSPF) 39
overview 35–37
PIM (Protocol-Independent Multicast) 39
PIM-DM (Protocol-Independent Multicast Dense Mode) 39
PIM-SM (Protocol-Independent Multicast Sparse Mode) 39
routers 38–39
IP packet filters See packet filtering
IPSec (Internet Protocol security)
additional resources 309
AH (Authentication Header) 250
assigning policies See assigning IPSec policies
authentication 250–251, 267
broadcast traffic failures 267
cluster node connectivity loss 267
compatibility 247
concepts 246–251
connecting remote sites 491–492
cryptography 250
decreased throughput 266
decrypting traffic for firewall inspections 263
default exemptions 249
default response 250
definitions 250–251
deployment overview 243–245
deployment process 245
designing policies See designing IPSec policies
determining needs 252–269
endpoint not supporting IPSec 263
end-to-end security 256–260
ESP (Encapsulating Security Payload) 250
example of corporate network deployment 268–269
example of end-to-end security 259
filter actions 250
filters 248, 251
gateway-to-gateway tunneling 262
GPO (Group Policy object) 251
Group Policy 250
ICMP failures 267
implementing deployments 305–309
multicast traffic failures 267
NAT-T incompatibility 266
NAT-T support 248
Netsh tool 249, 251
network deployments 308
networking inspection technologies 266
offload cards for remote site connectivity 515
packet filtering 255–256
peer-to-peer communication 257
PFS (perfect forward secrecy) 251
policy described 251
reduced computing performance 265
RSoP (Resultant Set of Policy) 249, 307
rules 251
securing application server 258
slower connections 265
solutions 246
TCP/IP network security 30–31
terms 250–251
testing deployments in pilot projects 307–308
testing deployments in test labs 306–307
tradeoffs 265–267
transport mode 251, 255
tunnel endpoint 251
tunnel mode 251, 261–264
Windows Server 2003 features 248–249
WINS security using tunnels 204
IPSec (Internet Protocol security)
IAS traffic security 361
IPSec examples
corporate network deployment 268–269
end-to-end security 259
IPSec NAT Traversal (NAT-T) See NAT-T (IPSec NAT Traversal)
IPv4 (Internet Protocol Version 4)
coexisting with IPv6 42
compared to IPv6 55
configuring DNS for IPv6/IPv4 coexistence 62–63
enabling IPv4 applications for IPv6 using PortProxy 64
history of 44
node types 48
routing IPv6 traffic over IPv4 infrastructure 56–61
unicast addresses 16
IPv6 (Internet Protocol Version 6)
address types 49
addresses assigned to hosts and routers 54
addressing overview 48–49
anycast addresses 54
APIs that support Windows Server 2003 47
compared to IPv4 55
configuring DNS for IPv6/IPv4 coexistence 62–63
enabling IPv4 applications for IPv6 using PortProxy 64
feature upgrades from IPv4 44
features supported by Windows Server 2003 45
multicast addresses 53
multicast solicited node address 54
node types 48
overview 42–43
routing IPv6 traffic over IPv4 infrastructure 56–61
server applications supported by Windows Server 2003 46
stateful address configurations 49
stateless address configurations 49
tools supported by Windows Server 2003 47
unicast 6to4 addresses 52
unicast global addresses 50
unicast ISATAP addresses 52
unicast link-local addresses 51
unicast loopback addresses 51
unicast site-local addresses 51
unicast unspecified addresses 51
Windows Server 2003 features 44–48
ISA Server
adding computers 229
additional resources 241
array vs. stand-alone 230
availability overview 225
back-to-back perimeter network 234
cache mode 218–219
capacity planning 226–229
client types 220–221
configuring in an array 230–231
connecting remote sites 233
deployment process 215
DNS round-robin 231
Enterprise Edition vs. Standard Edition 230
extranets 236
firewall clients 220
firewall mode 218
firewall requirements 228
forward cache mode 218, 228
hardware requirements 227
implementation overview 237
implementation steps 238–240
installation modes 217
installing in a domain 224
integrated mode 220
interoperability 222–224
network services 224
overview 213–214
reverse cache mode 219, 229
roles overview 216
running other services 223
scalability 230
SecureNAT clients 220
securing network perimeters 233–235
security overview 232
three-homed perimeter network 235
Web Proxy clients 220
iterative DNS queries 119
Kerberos V5 IPSec authentication 285