Preparing for Server Configuration


If you have existing Windows NT 4.0 or Windows 2000 site-to-site connections, you must decide whether to upgrade your routers to Windows Server 2003 and migrate to the Windows Server 2003 Routing and Remote Access service, or whether to continue to support your current configuration. Before you install the Routing and Remote Access service on your demand-dial routers, you must decide how many routers you need, and you must make sure that the computers meet Windows Server 2003 requirements.

For more information about creating hardware and software inventories, see "Planning for Deployment" in Planning, Testing, and Piloting Deployment Projects of this kit. The flowchart in Figure 10.8 shows the tasks required when preparing to configure the router server.

Figure 10.8: Preparing for Server Configuration

Migrating Routers from Windows NT 4.0 or Windows 2000

If you have an existing site-to-site connection between remote offices using Windows NT 4.0-based or Windows 2000-based servers and plan to upgrade most of your network to Windows Server 2003, Windows Server 2003 can support your existing Routing and Remote Access or RRAS servers. Alternatively, you can take advantage of the new features in Windows Server 2003 by upgrading your demand-dial routers.

The following topics can help you decide whether to upgrade your demand-dial routers:

  • New features

  • Migrating router settings

New Features

In Windows NT Server 4.0, routing and remote access are separate services. In Windows 2000 Server and Windows Server 2003, these functions are combined in the single Routing and Remote Access service. Table 10.10 lists the features that were new in Windows 2000 Server and those that are new in Windows Server 2003.

Table 10.10: New Features for Dial-up or VPN Site-to-Site Connections Since Windows NT Server 4.0 RRAS

Windows Release: Windows 2000 Server

New Features:

  • L2TP/IPSec. An L2TP/IPSec VPN tunnel provides stronger security than a PPTP VPN tunnel.

  • Remote access policies. This feature gives administrators more flexibility in setting remote access permissions and connection restraints.

  • MS-CHAP v2. This type of password-based user authentication provides a stronger alternative to MS-CHAP. (MS-CHAP v2 is also available in Windows NT 4.0 SP4.)

  • EAP. Support for EAP lets you use installable authentication methods, such as EAP-TLS certificate-based user authentication, which is stronger than password-based user authentication.

Windows Release: Windows Server 2003

New Features:

  • Improved wizards and snap-in. The Routing and Remote Access and Demand-Dial Interface wizards and the Routing and Remote Access snap-in are easier to use.

  • Intranet and Internet-connected interface improvements. By default, the Routing and Remote Access service now disables dynamic DNS on the intranet interface and disables dynamic DNS and NetBIOS over TCP/IP on the Internet-connected interface to ensure correct name resolution of the router and to ensure access to services running on the router.

  • Preshared keys. Support for configuring preshared keys using the Routing and Remote Access snap-in provides an alternative to computer certificates in L2TP/IPSec authentication.

  • NAT/Basic Firewall configuration. You can use Manage Your Server to configure the NAT/Basic Firewall component of Routing and Remote Access. NAT integration with static and dynamic packet filtering lets you configure NAT interfaces to work with Basic Firewall or with incoming or outgoing static packet filters.

  • NAT-T. IPSec NAT traversal (NAT-T) lets you create L2TP/IPSec connections from a calling or answering router that is located behind one or more NATs.

  • PPPoE. Support for PPPoE lets a small business use NAT/Basic Firewall and its broadband Internet connection to connect a branch office to its local ISP. Using PPPoE for an on-demand connection is faster than using a dial-up link to connect to the ISP.

Migrating Router Settings

When you upgrade from Windows NT 4.0 or Windows 2000 to Windows Server 2003, you retain all IP-based routing configuration, including demand-dial, RIP, OSPF, and DHCP Relay Agent settings. However, Windows Server 2003 does not support the NetWare routing protocol Internetwork Packet Exchange (IPX). If you upgrade from Windows NT 4.0 to Windows Server 2003 and IPX settings are detected, Setup gives you the option to cancel the upgrade.

Planning Server Capacity

Table 10.11 provides capacity planning information that you can use to help determine how many demand-dial servers you need to deploy and how much data throughput your site-to-site connection can support.

Table 10.11: Capacity Planning

Factor: Number of connections

Capacity:

  For two-way connections, one answering router supports 10 simultaneous calling router connections before performance begins to degrade.

  For one-way connections, one answering router supports 100 simultaneous calling router connections before performance begins to degrade.

Factor: Data throughput

Capacity:

  The amount of data throughput that a site-to-site connection can support depends, in part, on what resources the users are using on the network. Other factors that affect data throughput include:

  • IPSec offload card. You can increase data throughput for L2TP/IPSec by installing an IPSec offload card. Using an IPSec offload card and a dual processor lets a server process more than 50 Mbps of fully encrypted data. To install an IPSec offload card, follow the manufacturer's instructions.

  • Compression. Using Microsoft Point-to-Point Compression (MPPC) decreases data throughput. To increase data throughput, turn off MPPC. You can turn off MPPC by using one of the following methods:

    • To clear compression on a specific demand-dial interface. In Routing and Remote Access, in the console tree, click Network Interfaces, right-click the demand-dial interface on which you want to clear compression, and then click Properties. On the demand-dial interface Properties page, click the Networking tab, click Settings, and then in the PPP Settings dialog box, clear the check box Enable software compression.

    • To clear compression for all types of PPP connections. In Routing and Remote Access, in the console tree, right-click the demand-dial server icon, click Properties, click the PPP tab, and then clear the check box Software compression. This disables compression both for site-to-site connections and for remote access connections.

Planning Server Deployment

The following information can help you plan how to set up your server before you deploy the remote site connection:

  • Meeting server requirements

  • Disabling unused services

  • Planning physical and administrative security

Meeting Server Requirements

Table 10.12 lists the minimum hardware and software requirements for a demand-dial router.

Table 10.12: Hardware and Software Requirements for a Demand-Dial Router

Processor: Pentium 233 MHz processor (550 MHz recommended)

Memory: 128 MB RAM (256 MB recommended)

Hard drive: 4 GB hard drive

LAN adapter: A network adapter connected to the intranet. The adapter must have a driver that displays the Designed for Windows logo. The server must have multiple network adapters or a single network adapter configured with multiple IP addresses.

WAN adapter:

  • For a dial-up site-to-site connection: An ISDN adapter, analog modem, or other physical device that is connected to the line that connects the two sites.

  • For a VPN site-to-site connection: A network adapter that is connected to the Internet, either directly or through a perimeter network. Typically, this is a T-Carrier or Frame Relay adapter, or a DSL or cable modem.

Software: The Windows Server 2003 operating system. Windows Server 2003 includes the Routing and Remote Access service, which you must enable.

Before you deploy a dial-up or VPN router, install and configure the required hardware and the appropriate drivers, and test whether each one functions properly. To determine if the hardware in your organization is certified and compatible, see the Windows Catalog link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.
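The following script is an added example, not part of the Deployment Kit, that compares a candidate router against the Table 10.12 minimums (processor speed, memory, disk, and the multiple-adapter-or-multiple-address rule for the LAN side). It assumes PowerShell 2.0 or later and the standard WMI classes that exist on Windows Server 2003 and later; the driver-logo requirement cannot be checked this way and still has to be verified through the Windows Catalog.

```powershell
# Added example (not from the Deployment Kit): check this computer against the
# Table 10.12 minimums for a demand-dial router. Assumes PowerShell 2.0 or later
# and the standard WMI classes present on Windows Server 2003 and later.

$minCpuMHz = 233   # Pentium 233 MHz processor (550 MHz recommended)
$minMemMB  = 128   # 128 MB RAM (256 MB recommended)
$minDiskGB = 4     # 4 GB hard drive

$cpu   = Get-WmiObject Win32_Processor | Select-Object -First 1
$sys   = Get-WmiObject Win32_ComputerSystem
$disks = Get-WmiObject Win32_LogicalDisk -Filter "DriveType = 3"   # local fixed disks only
$nics  = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = True")

$memMB  = [math]::Round($sys.TotalPhysicalMemory / 1MB)
$diskGB = [math]::Round(($disks | Measure-Object -Property Size -Maximum).Maximum / 1GB, 1)

# Table 10.12 accepts either several adapters or one adapter with several IP addresses.
$ipCount = ($nics | ForEach-Object { @($_.IPAddress).Count } | Measure-Object -Sum).Sum
$lanOk   = ($nics.Count -ge 2) -or ($nics.Count -eq 1 -and $ipCount -ge 2)

$checks = @(
    (New-Object PSObject -Property @{ Check = 'Processor (MHz)';    Actual = $cpu.MaxClockSpeed; Required = $minCpuMHz; Pass = ($cpu.MaxClockSpeed -ge $minCpuMHz) }),
    (New-Object PSObject -Property @{ Check = 'Memory (MB)';        Actual = $memMB;             Required = $minMemMB;  Pass = ($memMB -ge $minMemMB) }),
    (New-Object PSObject -Property @{ Check = 'Largest disk (GB)';  Actual = $diskGB;            Required = $minDiskGB; Pass = ($diskGB -ge $minDiskGB) }),
    (New-Object PSObject -Property @{ Check = 'LAN adapters / IPs'; Actual = "$($nics.Count) / $ipCount"; Required = '2 adapters or 1 adapter with 2 IPs'; Pass = $lanOk })
)

$checks | Format-Table Check, Actual, Required, Pass -AutoSize

if ($checks | Where-Object { -not $_.Pass }) {
    Write-Warning 'This computer does not meet the Table 10.12 minimums for a demand-dial router.'
}
```

Run it in an elevated PowerShell prompt on each computer you intend to use as a calling or answering router and keep the output with your hardware inventory; the WAN-side adapter is deliberately not checked, because the device that satisfies that row (ISDN adapter, modem, T-Carrier, DSL, or cable interface) varies with the connection type.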

Disabling Unused Services

Disabling services that you do not use on your demand-dial server has two advantages: it returns resources to the server that other components can use, and it makes your back-end network more secure by shutting off services that are potential entry points for attackers trying to break into your network.

The following is a list of services that you might be able to disable on a server that you plan to use as a demand-dial router:

  • Distributed File System (DFS)

  • Distributed Transaction Coordinator

  • Fax Services

  • File Replication service (FRS)

  • Indexing Service

  • Internet Connection Sharing (ICS)

  • Intersite Messaging

  • Kerberos Key Distribution Center

  • License Logging Service

  • Print Spooler

  • Task Scheduler

  • Telnet

  • Windows Installer

    Important

    Do not disable the Remote Registry service. If you disable it, the demand-dial router cannot operate correctly.
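The following script is an added example, not part of the Deployment Kit, that turns the list above into a repeatable audit: it reports the state and start mode of each listed service that is installed, disables them only when run with -Apply, and refuses to touch Remote Registry or the Routing and Remote Access service itself. It assumes PowerShell 2.0 or later; the short service names are the Windows Server 2003 names for the display names in the list, and the SharedAccess entry carries a caveat because on Windows Server 2003 that one service hosts both Internet Connection Sharing and Windows Firewall.

```powershell
# Added example (not from the Deployment Kit): audit, and optionally disable, the
# services the Deployment Kit lists as candidates on a demand-dial router.
# Run without -Apply to see what would change; run with -Apply to disable.
param([switch]$Apply)

# Short service names (Windows Server 2003) for the display names in the list.
$candidates = @{
    'Dfs'            = 'Distributed File System'
    'MSDTC'          = 'Distributed Transaction Coordinator'
    'Fax'            = 'Fax Services'
    'NtFrs'          = 'File Replication service'
    'cisvc'          = 'Indexing Service'
    'SharedAccess'   = 'Internet Connection Sharing'   # on Server 2003 this service also hosts Windows Firewall
    'IsmServ'        = 'Intersite Messaging'
    'kdc'            = 'Kerberos Key Distribution Center'
    'LicenseService' = 'License Logging Service'
    'Spooler'        = 'Print Spooler'
    'Schedule'       = 'Task Scheduler'
    'TlntSvr'        = 'Telnet'
    'MSIServer'      = 'Windows Installer'
}

# Never disable: Remote Registry (the router needs it) and RRAS itself.
$neverDisable = @('RemoteRegistry', 'RemoteAccess')

foreach ($name in $candidates.Keys) {
    if ($neverDisable -contains $name) { continue }

    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Host ("{0,-16} not installed ({1})" -f $name, $candidates[$name])
        continue
    }

    # Win32_Service exposes the start mode, which Get-Service does not on older PowerShell.
    $wmi = Get-WmiObject Win32_Service -Filter "Name = '$name'"
    Write-Host ("{0,-16} {1,-8} {2,-10} {3}" -f $name, $svc.Status, $wmi.StartMode, $candidates[$name])

    if ($Apply) {
        if ($svc.Status -eq 'Running') { Stop-Service -Name $name -Force }
        Set-Service -Name $name -StartupType Disabled
    }
}

# Confirm the one service the Deployment Kit says must stay enabled is still enabled.
$rr = Get-WmiObject Win32_Service -Filter "Name = 'RemoteRegistry'"
if (-not $rr -or $rr.StartMode -eq 'Disabled') {
    Write-Warning 'Remote Registry is disabled or missing; the demand-dial router cannot operate correctly without it.'
}
```

Review the dry-run output before using -Apply: a service such as Task Scheduler or Windows Installer may be in use by your own patching or backup tooling, and the Deployment Kit lists these as services you "might be able to" disable, not ones you must.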

Planning Physical and Administrative Security

To prevent the intentional or unintentional modification of your router configuration, use the following guidelines to secure your routers:

  • Keep router computers physically secure from unauthorized users or intruders, for example, by placing them in a locked room.

  • Delegate administration rights and permissions for the Routing and Remote Access service to a limited number of individuals.

  • Assign administrator rights to an Active Directory group whose role is to administer remote site connections, and add only authorized users to that group. Group membership is easy to update; without a group, you must administer each administrator account separately on each Routing and Remote Access server.

  • On both the calling router and the answering router, rename the local Administrator account and use strong passwords for the account.
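The following script is an added example, not part of the Deployment Kit, that applies the last two guidelines on one router: it grants local Administrators membership to a router-administration group and renames the built-in Administrator account. The group name CONTOSO\RRAS Admins and the account name RouterAdmin are placeholders. It assumes PowerShell 2.0 or later and a domain-joined router; the built-in account is located by its well-known relative identifier (500) rather than by name, so the script still finds it if it was renamed earlier.

```powershell
# Added example (not from the Deployment Kit): delegate router administration to
# one Active Directory group and rename the built-in local Administrator account.
# Run in an elevated prompt on both the calling and the answering router.

$adminGroup   = 'CONTOSO\RRAS Admins'   # placeholder: your router-administration group
$newAdminName = 'RouterAdmin'           # placeholder: new name for the built-in account

# 1. Make the AD group a member of the local Administrators group. Membership is
#    then maintained once, in the group, instead of per server.
net localgroup Administrators "$adminGroup" /add

# 2. Locate the built-in Administrator by RID 500 (the SID suffix never changes,
#    even after a rename), restricted to this computer's local accounts.
$builtIn = Get-WmiObject Win32_UserAccount -Filter "LocalAccount = True AND Domain = '$env:COMPUTERNAME' AND SID LIKE '%-500'"
if (-not $builtIn) { throw 'Built-in Administrator account (RID 500) not found.' }

if ($builtIn.Name -ne $newAdminName) {
    $result = $builtIn.Rename($newAdminName)
    if ($result.ReturnValue -ne 0) { throw "Rename failed with WMI return code $($result.ReturnValue)" }
    Write-Host "Renamed built-in Administrator to $newAdminName"
}

# 3. Set a strong password on the renamed account. The trailing * makes net.exe
#    prompt for it, so the password never appears in the script or shell history.
net user $newAdminName *
```

Because the rename is applied per router, keep a record of the new name with the router's documentation; an account located by RID 500 can always be found again, but operators expecting the default name will not.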




Microsoft Corporation Microsoft Windows Server 2003 Deployment Kit(c) Deploying Network Services 2003
Year: 2004
Pages: 146