
Windows Server 2003 RRAS Installation, Configuration, Management and Maintenance, 林寶森


1 Windows Server 2003 RRAS Installation, Configuration, Management and Maintenance
林寶森, jeffl@ms11.hinet.net

2 Routing and Remote Access
Routing
–DHCP Relay Agent
–IGMP Router and Proxy
–NAT / Basic Firewall
–Open Shortest Path First (OSPF)
–RIP Version 2 for Internet Protocol
Remote Access
–Dial-up
–VPN

3 How Dial-up Network Access Works
Dial-up networking is the process of a remote access client making a temporary dial-up connection to a physical port on a remote access server by using the service of a telecommunications provider.
(Diagram: Dial-up Client, Remote Access Server, Domain Controller)
1. Dial-up client calls the RA server
2. RA server answers the call
3. RA server authenticates and authorizes the client
4. RA server transfers data

4 Connecting to a Virtual Private Network
(Diagram: a VPN Client on the Internet reaches the VPN Server through a tunnel. The VPN Server has one network adapter connected to the Internet and a second network adapter connected to the local Corporate Network.)

5 How a VPN Connection Works
A VPN extends the capabilities of a private network to encompass links across shared or public networks, such as the Internet, in a manner that emulates a point-to-point link.
(Diagram: VPN Client, Transit Network, VPN Server, Domain Controller)
1. VPN client calls the VPN server
2. VPN server answers the call
3. VPN server authenticates and authorizes the client
4. VPN server transfers data

6 Encryption Protocols for a VPN Connection
Examples of a Remote Access Server using VPN: Remote User to Corp Net (Remote Access Server); Branch Office to Branch Office (Remote Access Server)
Category       Description
MPPE + PPTP    Employs user-level Point-to-Point Protocol (PPP) authentication methods and Microsoft Point-to-Point Encryption (MPPE) for data encryption
IPSec + L2TP   Employs user-level PPP authentication methods over a connection that is encrypted with IPSec
Recommended authentication method for VPN network access is L2TP/IPSec with certificates.

7 Selecting a Tunneling Protocol
(Diagram: Client, Remote Access Server and Remote Resource Server; a Secure Tunnel over the Existing Network leads into the Private Network)
PPTP frame layout: IP Header | GRE Header | PPP Header | Encrypted PPP Payload (IP Datagram, IPX Datagram). The PPP header and payload together form the PPP frame.
L2TP/IPSec frame layout: IP Header | IPSec ESP Header | UDP Header | L2TP Header | PPP Header | PPP Payload (IP Datagram, IPX Datagram) | IPSec ESP Trailer | IPSec Auth Trailer. The UDP header through the ESP trailer is encrypted by IPSec; the ESP header through the ESP trailer is signed by IPSec.

8 Configuring Inbound Connections
(Screenshot: Routing and Remote Access console, Server Status, SERVERX (local). Action menu: Configure and Enable Routing and Remote Access, Start Routing and Remote Access, Remove Service, Stop Routing and Remote Access, Save Configuration…, Load Configuration…, View, Refresh, Properties, Help)

9 Configuring a Remote Access Server
(Screenshot: Routing and Remote Access console, Server Status, SERVERX (local) with the nodes Ports, Remote Access Clients, IP Routing and Remote Access Policies. The Ports view lists:)
Name                            Device     Comment   Status
WAN Miniport (PPTP) (VPN3-4)    VPN                  Inactive
WAN Miniport (PPTP) (VPN3-3)    VPN                  Inactive
WAN Miniport (PPTP) (VPN3-2)    VPN                  Inactive
WAN Miniport (PPTP) (VPN3-1)    VPN                  Inactive
WAN Miniport (PPTP) (VPN3-0)    VPN                  Inactive
WAN Miniport (L2TP) (VPN2-4)    VPN                  Inactive
WAN Miniport (L2TP) (VPN2-3)    VPN                  Inactive
WAN Miniport (L2TP) (VPN2-2)    VPN                  Inactive
WAN Miniport (L2TP) (VPN2-1)    VPN                  Inactive
WAN Miniport (L2TP) (VPN2-0)    VPN                  Inactive
Direct Parallel (LPT1)          PARALLEL             Inactive
Modem (COM 3)                   MODEM                Inactive
(Callouts: PPTP Ports, L2TP Ports, Cable and Modem Ports)

10 Configuring a RRAS Port
(Screenshot: Ports Properties, Devices tab: "Routing and Remote Access (RRAS) uses the devices listed below.")
Device           Used By   Type       Number
WAN Miniport     Ras       PPTP       5
WAN Miniport     Ras       L2TP       5
Direct Parallel  None      Parallel   1
(Configure button opens "Configure ports - WAN Miniport (PPTP)": "You can use this device for remote access requests or demand-dial connections.")
Remote access connections (inbound)
Demand-dial routing connections (inbound/outbound)
Phone number for this device:
Ports: "You can set a maximum port limit for a device that supports multiple ports." Maximum ports: 5
(Callouts: Ports, Grouped By Type; Function of Port; Phone Number (if applicable); Number of Virtual Ports)

11 Configuring Server Properties
(Screenshot: LONDON (local) Properties with the tabs General, Security, IP, PPP and Event Logging. The IP tab shows:)
Enable IP routing
Allow IP-based remote access and demand-dial connections
IP address assignment: This server can assign IP addresses by using:
–Dynamic Host Configuration Protocol (DHCP)
–Static address pool (columns From, To, Number, IP, Mask; buttons Add…, Edit…, Remove)
Use the following adapter to obtain DHCP, DNS, and WINS addresses for dial-up clients. Adapter: Corpnet

12 Bandwidth Allocation Protocol
(Diagram: clients A, B and C connecting to a Remote Access Server)
Multilink without BAP: Client C cannot connect
Multilink with BAP: Client C can connect; the connection switches on demand

13 What Is a Remote Access Policy?
A remote access policy is a named rule that consists of the following elements:
Conditions. One or more attributes that are compared to the settings of the connection attempt
Remote access permission. If all conditions of a remote access policy are met, remote access permission is either granted or denied
Profile. A set of properties that are applied to a connection when it is authorized (either through the user account or policy permission settings)

14 Following Policy Evaluation Logic
(Flowchart with three stages: Conditions, Permissions, Profile)
1. Conditions: RRAS matches the conditions of the remote access policy to the conditions of the connection. No match: Deny (no connection). Match: continue.
2. Permissions: RRAS checks the user’s dial-in permission in Active Directory. Deny: No Connection. Allow: Profile Evaluation. Use Remote Access Policy: the policy's own permission decides (Allow: Profile Evaluation; Deny: No Connection).
3. Profile Evaluation: RRAS matches the connection to the settings of the user account and the policy profile. Yes: Connection. No: No Connection.
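The evaluation order described on slides 13 and 14, written out as an added example (not code from the slides): policies are tried in order, the first whose conditions all match is used, the account's dial-in permission overrides the policy unless it is set to "Use Remote Access Policy", and the profile is applied last. The sample policies and attribute names are constructed for illustration.

```python
from dataclasses import dataclass, field

# Values the user account's Remote Access Permission can hold (slides 14 and 15).
ALLOW, DENY, USE_POLICY = "Allow", "Deny", "Use Remote Access Policy"

@dataclass
class Policy:
    name: str
    conditions: dict                # attribute -> required value; ANDed together
    permission: str                 # ALLOW or DENY, used only when the account says USE_POLICY
    profile: dict = field(default_factory=dict)  # constraints checked after authorization

def conditions_match(policy, attempt):
    """Every condition must match the connection attempt; an empty set matches everything."""
    return all(attempt.get(key) == value for key, value in policy.conditions.items())

def profile_allows(profile, attempt):
    """Profile constraints are modelled the same way (e.g. a required encryption level)."""
    return all(attempt.get(key) == value for key, value in profile.items())

def evaluate(policies, account_permission, attempt):
    """Walk the slide-14 flowchart. Policies are tried in order and the first one whose
    conditions match is used; if none matches the attempt is rejected. The account's
    dial-in permission is consulted next: Allow or Deny overrides the policy, and only
    'Use Remote Access Policy' defers to the policy's own permission. Finally the
    profile is applied. Returns (decision, name of the policy that was applied)."""
    for policy in policies:
        if not conditions_match(policy, attempt):
            continue
        permission = policy.permission if account_permission == USE_POLICY else account_permission
        if permission != ALLOW:
            return "No Connection", policy.name
        if profile_allows(policy.profile, attempt):
            return "Connection", policy.name
        return "No Connection", policy.name
    return "No Connection", None

# Constructed sample policies (not from the slides): VPN users get in with strong
# encryption; a catch-all policy with no conditions denies everyone else.
SAMPLE_POLICIES = [
    Policy("VPN staff",
           {"NAS-Port-Type": "Virtual (VPN)", "Windows-Groups": "VPN Users"},
           ALLOW, {"Encryption": "Strongest"}),
    Policy("Deny everything else", {}, DENY),
]

if __name__ == "__main__":
    attempt = {"NAS-Port-Type": "Virtual (VPN)", "Windows-Groups": "VPN Users",
               "Encryption": "Strongest"}
    print(evaluate(SAMPLE_POLICIES, USE_POLICY, attempt))   # ('Connection', 'VPN staff')
```

Note that an account set explicitly to Allow still reaches the profile of a deny policy and can connect if the profile imposes nothing, which is why the catch-all policy alone is not a safety net.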

15 User Account Dial-in Properties
(Screenshot: the Dial-In Properties tab of a user account)
Remote Access Permission
Verify Caller ID
Callback Options
Assign a Static IP Address
Apply Static Routes

16 Remote Access Policy Conditions
Attributes that can be used as conditions:
–IP Addresses
–Authentication Type
–NAS-Port Type
–Time of Day
–Caller IDs
–User Groups

17 What Is a Remote Access Policy Profile?
Settings applied to the Remote Access User:
–Dial-in Constraints
–IP Properties: IP Address Assignment, IP Filters
–Multilink
–Authentication
–Encryption
–Advanced Settings

18 Authenticating Remote Access Clients
Select       When Providing Encrypted Authentication
MS-CHAP      For Windows 95, Windows 98, or Windows NT 4.0
MS-CHAP V2   For Windows 2000, Windows XP, Windows Server 2003
EAP-TLS      By using a smart card, when the remote access clients are equipped with smart card readers
CHAP         For a mixture of operating systems (UNIX, Mac)
SPAP         For Shiva LAN Rover remote access clients
PAP          When no other protocol is supported

19 Extensible Authentication Protocols
Allows the Client and Server to Negotiate the Authentication Method That They Will Use
Supports Authentication by Using
–MD5-CHAP
–Transport Layer Security
–Additional third-party authentication methods
Ensures Support of Future Authentication Methods Through an API

20 Remote Authentication Dial-In User Service
(Diagram: a Client connects over the Internet to a RADIUS Client, which talks to a RADIUS Server)
RADIUS Client: forwards requests to the RADIUS Server
RADIUS Server: authenticates requests and stores accounting information

21 What Is RADIUS?
RADIUS is a widely deployed protocol, based on a client/server model, that enables centralized authentication, authorization, and accounting for network access.
RADIUS is the standard for managing network access for VPN, dial-up, and wireless networks.
Use RADIUS to manage network access centrally across many types of network access.
RADIUS servers receive and process connection requests or accounting messages from RADIUS clients or proxies.

22 What Is IAS?
IAS, a Windows Server 2003 component, is an industry-standard compliant RADIUS server. IAS performs centralized authentication, authorization, auditing, and accounting of connections for VPN, dial-up, and wireless connections.
You can configure IAS to support:
–Dial-up corporate access
–Extranet access for business partners
–Internet access
–Outsourced corporate access through service providers
(Diagram: RADIUS Server)

23 IAS as an Authentication Server
(Diagram: a Central Office with IAS and a Windows Server 2003 Domain Controller; a Remote Office with RRAS and an ISP with RRAS, both reaching the central office over the Internet. Marked lines show each RADIUS Client and Server connection.)
Centralized remote access policies
Authentication provider

24 How Centralized Authentication Works
(Diagram: Remote Access Client, Remote Access Server acting as RADIUS Client, RADIUS Server, Domain Controller)
1. The remote access client dials in to a local RADIUS client to gain network connectivity
2. The RADIUS client forwards requests to a RADIUS server
3. The RADIUS server authenticates requests and stores accounting information
4. The RADIUS server communicates to the RADIUS client to grant or deny access

25 Wireless Solution Considerations
(Diagram: Wireless Clients (Stations), a Wireless Access Point, a DHCP Server, an IAS Server and a Domain Controller)
Address and Name Server Allocation
Authentication
Ports

26 Configuring an IAS Server
(Screenshot: Add RADIUS Client wizard, Client Information page: "Specify information regarding the client.")
Client address (IP or DNS): 192.168.1.200 (Verify…)
Client-Vendor: Microsoft
Client must always send the signature attribute in the request
Shared secret: / Confirm shared secret:
(Callouts: Use an IP address, if possible; Select Microsoft if using Routing and Remote Access)

27 Configuring a RRAS to Use RADIUS
(Screenshot: PHOENIX (local) Properties, Security tab. "The authentication provider validates credentials for remote access clients and demand-dial routers.")
Authentication provider: RADIUS Authentication (Authentication Methods…, Configure…)
Accounting provider: Windows Accounting. "The accounting provider maintains a log of connection requests and sessions."
(Add RADIUS Server dialog:)
Server name: Radius Server
Secret: Change…
Time-out (seconds): 5
Initial score: 30
Port: 1812
Always use digital signatures
(Callouts: Change to RADIUS Authentication; Enter the Server Name)
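What the "signature attribute" of slide 26 and "Always use digital signatures" of slide 27 protect, as an added example (not code from the slides): the RADIUS Message-Authenticator (attribute 80, RFC 2869) is an HMAC-MD5 keyed with the shared secret, and the reply's Response Authenticator (RFC 2865) is an MD5 over the reply plus the secret, so a RADIUS client or server without the secret can neither forge nor alter requests and replies. Secret, identifier and attribute values below are constructed; only the NAS address 192.168.1.200 comes from the slides.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
MESSAGE_AUTHENTICATOR = 80   # the "signature attribute" of slide 26 (RFC 2869 section 5.14)

def encode_attrs(attrs):
    """RADIUS attributes are TLVs: type, total length (value + 2), value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def sign_request(ident, request_auth, attrs, secret):
    """RADIUS client side: append Message-Authenticator = HMAC-MD5(secret, packet),
    computed with the attribute's own 16-byte value set to zero."""
    zero_attr = [(MESSAGE_AUTHENTICATOR, bytes(16))]
    zeroed = build_packet(ACCESS_REQUEST, ident, request_auth, attrs + zero_attr)
    mac = hmac.new(secret, zeroed, hashlib.md5).digest()
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs + [(MESSAGE_AUTHENTICATOR, mac)])

def verify_request(packet, secret):
    """RADIUS server side (what IAS enforces when 'Client must always send the
    signature attribute' is ticked): recompute the HMAC over the packet with the
    attribute zeroed and compare in constant time. Missing or malformed -> False."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        return False
    attrs, pos, found = packet[20:length], 0, None
    while pos + 2 <= len(attrs):
        t, l = attrs[pos], attrs[pos + 1]
        if l < 2 or pos + l > len(attrs):
            return False
        if t == MESSAGE_AUTHENTICATOR and l == 18:
            found = pos
        pos += l
    if found is None:
        return False
    zeroed = packet[:20] + attrs[:found + 2] + bytes(16) + attrs[found + 18:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, attrs[found + 2:found + 18])

def response_authenticator(code, ident, attrs, request_auth, secret):
    """Authenticator the server puts in its reply and the RRAS client checks:
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret) (RFC 2865 section 3)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()
```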

28 Routing and Remote Access Logging
Type of logging                                       Description
Event logging                                         Records remote access server errors, warnings, and other detailed information in the system event log
Local authentication and accounting logging           Tracks usage and authentication attempts on the local remote access server
RADIUS-based authentication and accounting logging    Tracks remote access usage and authentication attempts centrally on the RADIUS server

29 What Are Routing Interfaces?
A routing interface is an interface over which IP packets are forwarded.
Two types of routing interfaces:
–LAN
–Demand-dial

30 What is IP Routing?
The Process of Sending Packets Through Routers to Other Networks
A Routing Table Defines Paths to Other Networks
(Diagram: three networks, 131.107.8.0, 131.107.16.0 and 131.107.24.0, joined by two routers whose interfaces are 131.107.8.1, 131.107.16.1 and 131.107.24.1. Each router's routing table lists the three networks with the interface used to reach them. A host such as 131.107.16.3 holds a routing table with a network route for its own subnet 131.107.16.0 and a Default route through 131.107.16.1.)

31 Build Routing Tables
(Diagram: network 1 is 131.107.8.z, network 2 is 131.107.16.z, network 3 is 131.107.24.z. Router A has the interfaces 131.107.8.1 and 131.107.16.2; Router B has the interfaces 131.107.16.1 and 131.107.24.1. Hosts on 131.107.8.z use Default Gateway 131.107.8.1; hosts on 131.107.24.z use Default Gateway 131.107.24.1.)
Routing Table A
Network        Gateway
131.107.24.0   131.107.16.1
131.107.16.0   131.107.16.2
131.107.8.0    131.107.8.1
Routing Table B
Network        Gateway
131.107.8.0    131.107.16.2
131.107.16.0   131.107.16.1
131.107.24.0   131.107.24.1

32 What Are Routing Tables?
A routing table is a series of entries called routes that contain information about the location of the network IDs in the internetwork.
Three types of routing table entries:
–Host route
–Network route
–Default route

33 Dual ISP Solution
(Diagram: Router-1 and Router-2 each lead to a different ISP)
Hosts that prefer Router-1: 0.0.0.0 via Router-1, Metric 1; 0.0.0.0 via Router-2, Metric 2
Hosts that prefer Router-2: 0.0.0.0 via Router-1, Metric 2; 0.0.0.0 via Router-2, Metric 1

34 Example of Routing Table
Destination       Gateway
10.7.0.0/16       10.7.1.253
10.0.0.0/8        10.7.1.1
Default Gateway   10.7.1.254
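Route selection over the tables on slides 31, 33 and 34, as an added example (not code from the slides): longest prefix wins, equal prefixes are tie-broken by metric (the dual ISP default routes), and a hop-by-hop trace through Router A and Router B shows how the two tables on slide 31 deliver a packet. A /24 mask for the 131.107.x.0 networks and the packet destinations are assumptions.

```python
import ipaddress

# Slide 34's table as (destination, gateway, metric); 0.0.0.0/0 is the default gateway.
ROUTES = [
    ("10.7.0.0/16", "10.7.1.253", 1),
    ("10.0.0.0/8",  "10.7.1.1",   1),
    ("0.0.0.0/0",   "10.7.1.254", 1),
]

# Slide 33, as seen from a host that prefers Router-1 and keeps Router-2 as backup.
DUAL_ISP = [("0.0.0.0/0", "Router-1", 1), ("0.0.0.0/0", "Router-2", 2)]

# Slide 31's router tables. A /24 mask is assumed for the 131.107.x.0 networks.
TABLE_A = [("131.107.24.0/24", "131.107.16.1", 1),
           ("131.107.16.0/24", "131.107.16.2", 1),
           ("131.107.8.0/24",  "131.107.8.1",  1)]
TABLE_B = [("131.107.8.0/24",  "131.107.16.2", 1),
           ("131.107.16.0/24", "131.107.16.1", 1),
           ("131.107.24.0/24", "131.107.24.1", 1)]
# Which table each router interface address belongs to.
ROUTERS = {"131.107.8.1": TABLE_A, "131.107.16.2": TABLE_A,
           "131.107.16.1": TABLE_B, "131.107.24.1": TABLE_B}

def lookup(routes, destination):
    """Longest matching prefix wins; among equal prefixes the lowest metric wins
    (how the two default routes of slide 33 are tie-broken). None if nothing matches."""
    addr = ipaddress.ip_address(destination)
    best = None
    for dest, gateway, metric in routes:
        net = ipaddress.ip_network(dest)
        if addr in net:
            key = (net.prefixlen, -metric)
            if best is None or key > best[0]:
                best = (key, gateway)
    return best[1] if best else None

def trace(first_router, destination, max_hops=8):
    """Forward hop by hop through the slide-31 routers. A gateway that is one of the
    current router's own interfaces means the network is directly attached, so the
    packet is delivered there. Returns (routers traversed, delivering interface or None)."""
    path, router = [], first_router
    while router in ROUTERS and len(path) < max_hops:
        path.append(router)
        table = ROUTERS[router]
        gateway = lookup(table, destination)
        if gateway is None:
            return path, None
        if ROUTERS.get(gateway) is table:      # own interface: deliver on that subnet
            return path, gateway
        router = gateway
    return path, None
```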

35 Configuring Static IP Routes
(Screenshot: Static Route dialog)
Interface: LondonRouter
Destination: 192.168.1.0
Network mask: 255.255.255.0
Gateway: …
Metric: 1
Use this route to initiate demand-dial connections

36 Examining the Role of Demand-Dial Routing
(Diagram: RRAS 1 on the Corporate Intranet connects over PSTN, ISDN, or Internet to RRAS 2 on the Remote Network)

37 Creating a Demand-Dial Interface
(Screenshot: Routing and Remote Access console, Server Status, LONDON (local) with the nodes Routing Interfaces, Remote Access Policies, Remote Access Logging and IP Routing (General, Static Routes, RIP). The Routing Interfaces view lists:)
LAN and Demand Dial Interfaces   Type        Status    Connection State
Loopback                         Loopback    Enabled   Connected
Local Area Connection            Dedicated   Enabled   Connected
Internal                         Internal    Enabled   Connected
(Action menu: New IP Tunnel…, New Demand dial interface…, Refresh, Help)

38 Static vs. Dynamic IP Routing
Static Routing
–Routers do not share routing information.
–Routing tables are built manually.
Dynamic Routing
–Routers share routing information automatically.
–Routing tables are built dynamically.
–Requires a routing protocol, such as RIP or OSPF.

39 What Are Routing Protocols?
A routing protocol is a set of messages that routers use to determine the appropriate path to forward data.
RIP
–Designed for small to medium-size networks
–Uses a routing table
–Easier to configure and manage
–Does not scale well
OSPF
–Designed for large to very large networks
–Uses a link-state database
–Complex to configure and manage
–Operates efficiently in large networks

40 Routing and Routed Protocols
Routing Protocols
–RIP, OSPF, EGP, BGP, HELO…
–SAP (IPX/SPX), RTMP (AppleTalk)
Routed Protocols
–TCP/IP, IPX/SPX, AppleTalk

41 What Is Packet Filtering?
Packet filtering specifies what type of traffic is allowed into and out of a router.
A packet filter is a TCP/IP configuration setting that is designed to allow or deny inbound or outbound packets.
Use packet filtering to:
–Prevent access by unauthorized users
–Prevent access to resources
–Improve performance by preventing unnecessary packets from traveling over a slow connection
(Diagram: a Router with an Inbound Filter and an Outbound Filter)

42 How Packet Filters Are Applied
How filters are applied:
–AND is used within a filter
–OR is used between filters
Packet arriving at the router:
Component             Example
Source network        192.168.0.48
Destination network   192.168.0.32
Protocol              UDP
Inbound Exclusion Filter:
Component             Example
Source network        Any
Destination network   192.168.0.32
Protocol              UDP
Action: Drop
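The AND-within / OR-between rule of slide 42 applied to the packet and inbound exclusion filter shown there, as an added example (not code from the slides). It also covers the inclusion mode RRAS offers alongside exclusion; the /27 mask on the destination network and the extra test packets are assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str          # "UDP", "TCP", "ICMP", ...

@dataclass(frozen=True)
class Filter:
    source: str = "0.0.0.0/0"        # "Any" on the slide
    destination: str = "0.0.0.0/0"
    protocol: str = "Any"

    def matches(self, pkt):
        """AND within a filter: source, destination and protocol must all match."""
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.source)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.destination)
                and self.protocol in ("Any", pkt.protocol))

def apply_filters(filters, pkt, mode):
    """OR between filters: the packet matches if any one filter matches it.
    mode="exclusion" (RRAS: receive all packets except those that meet the criteria)
    drops matching packets and forwards the rest; mode="inclusion" (drop all packets
    except those that meet the criteria) forwards only matching packets."""
    if mode not in ("exclusion", "inclusion"):
        raise ValueError("mode must be 'exclusion' or 'inclusion'")
    matched = any(f.matches(pkt) for f in filters)
    if mode == "exclusion":
        return "Drop" if matched else "Forward"
    return "Forward" if matched else "Drop"

# Slide 42's inbound exclusion filter: Any source, destination network 192.168.0.32,
# protocol UDP. The slide shows no mask; a /27 is assumed here.
INBOUND_EXCLUSION = [Filter(destination="192.168.0.32/27", protocol="UDP")]

if __name__ == "__main__":
    pkt = Packet("192.168.0.48", "192.168.0.32", "UDP")        # the packet on the slide
    print(apply_filters(INBOUND_EXCLUSION, pkt, "exclusion"))   # Drop
```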

43 Configuring Network Address Translation
(Screenshot: IP Routing node with the nodes General, Status, IGMP and Remote; its context menu offers New Interface…, New Routing Protocol…, Show TCP/IP Information…, Show Multicast Forwarding Table…, Show Multicast Statistics…, View, Refresh, Export List…, Properties, Help)
Network Address Translation (NAT) Properties, tabs General, Translation, Address Assignment and Name Resolution. Address Assignment tab: "The network address translator can automatically assign IP addresses to computers on the private network by using Dynamic Host Configuration Protocol (DHCP)."
Automatically assign IP addresses by using DHCP
IP address: 192.168.0.0
Mask: 255.255.255.0
Exclude…

44 What Is a DHCP Relay Agent?
A DHCP relay agent is a computer or router configured to listen for DHCP/BOOTP broadcasts from DHCP clients and then relay those messages to DHCP servers on different subnets.
(Diagram: Clients on Subnet A and Subnet B broadcast; the DHCP Relay Agent forwards the requests as unicast across routers that are not RFC 1542 compliant to the DHCP Server)

45 DHCP Relay Agent Hop Count
The hop count threshold is the number of routers that the packet can be transmitted through before being discarded.
(Diagram: DHCP Relay Agent 1 and DHCP Relay Agent 2 in front of the DHCP Server, with Hop Count = 2)

46 DHCP Relay Agent Boot Threshold
The boot threshold is the length of time in seconds that the DHCP Relay Agent will wait for a local DHCP server to respond to client requests before forwarding the request.
(Diagram: a Local DHCP Server beside the DHCP Relay Agent, with Boot Threshold = 10 seconds, and DHCP Server 2 and DHCP Server 3 behind the relay)
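The two relay settings from slides 45 and 46 as one decision routine, an added example rather than code from the slides: the hops field is compared with the hop count threshold, the secs field the client reports with the boot threshold, and a forwarded copy gets giaddr set by the first relay only. Agent and server addresses are constructed; the defaults of 4 hops and 0 seconds are assumed.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Discover:
    """The fields of a client DHCPDISCOVER broadcast that a relay agent looks at."""
    hops: int                  # 'hops' field, incremented by each relay that forwards
    secs: int                  # 'secs' field: how long the client has been trying
    giaddr: str = "0.0.0.0"    # relay agent address; set by the first relay only

def relay(msg, agent_ip, servers, hop_count_threshold=4, boot_threshold=0):
    """One relay agent's decision for a received broadcast, using the settings of
    slides 45 and 46 (4 hops and 0 seconds are assumed defaults). Returns
    (action, detail): on 'forward' detail is a list of (server, forwarded message)
    pairs, otherwise a reason string."""
    if msg.hops >= hop_count_threshold:
        return "discard", "hop count threshold reached"
    if msg.secs < boot_threshold:
        return "ignore", "below boot threshold; leaving it to a local DHCP server"
    if not servers:
        return "discard", "no DHCP server address configured on the relay"
    forwarded = replace(msg, hops=msg.hops + 1,
                        giaddr=agent_ip if msg.giaddr == "0.0.0.0" else msg.giaddr)
    # Broadcast in, unicast out: one copy to every configured DHCP server address.
    return "forward", [(server, forwarded) for server in servers]

def chain(msg, agents, servers, hop_count_threshold=4):
    """Push one broadcast through relay agents in sequence (slide 45's picture with
    any number of relays). Returns the per-agent actions and the last message seen."""
    trail = []
    for ip in agents:
        action, detail = relay(msg, ip, servers, hop_count_threshold)
        trail.append((ip, action))
        if action != "forward":
            break
        msg = detail[0][1]
    return trail, msg
```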

47 Including the IGMP Routing Protocol
(Diagram: a Routing and Remote Access-based Router with an IGMP Proxy Mode Interface toward the Internet and a Multicast Mbone Server, and an IGMP Router Mode Interface toward the Private Network. IGMP Registrations come from the private network; Multicast Traffic flows in from the Internet.)

