
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 11: Planning Network Access.


Slide 1: 70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced. Chapter 11: Planning Network Access

Slide 2: Objectives
- Describe the purpose and features of Windows Server 2003 remote access methods
- Configure a remote access server (RAS)
- Allow remote clients access to network resources
- Create and configure remote access policies
- Understand and describe the purpose of the RADIUS protocol
- Troubleshoot remote access

Slide 3: Introducing Remote Access Methods
- Remote access allows remote and mobile users to reach resources on the internal network (files, printers, databases, e-mail, and others) from outside that network
- Windows Server 2003 can act as a remote access server (RAS)
- There are two types of remote access: dial-up and VPN

Slide 4: Dial-up Remote Access
- Remote access using dial-up connections over phone lines is the oldest type of remote access
- A dial-up connection allows two computers to transfer information using modems and a phone line
- The benefit of dial-up connections is availability
- The drawback of dial-up connections is speed
- Maintaining a modem pool at the office for dial-up users can also be expensive and time-consuming

Slide 5: Enabling and Configuring a Dial-up Server
- Windows Server 2003 uses Routing and Remote Access Service (RRAS) to act as a dial-up server
- With the Routing and Remote Access Server Setup Wizard, you can configure RRAS as a dial-up server, a VPN server, or a router
- For the server to act as a dial-up server, it must have a modem installed
- Modems are installed using Phone and Modem Options in Control Panel

Slide 6: Activity 11-1: Installing a Modem
- The purpose of this activity is to install a modem on your server

Slide 7: Activity 11-2: Enabling RRAS as a Dial-up Server
- The purpose of this activity is to configure RRAS on your server to act as a RAS

Slide 8: Activity 11-3: Creating a Dial-up Connection
- The purpose of this activity is to configure your server with a dial-up connection

Slide 9: VPN Remote Access
- A virtual private network (VPN) uses a public network (the Internet) to transmit private information
- After they are connected to the Internet, client computers initiate a VPN connection with a VPN server
- Encryption keeps the private information from being read by unauthorized persons
- Maintaining a VPN server is much easier than maintaining a dial-up server

Slide 10: VPN Remote Access (continued)
- Advantages of VPN connections:
  - Higher speed than dial-up
  - Reduced maintenance by eliminating a modem pool
- The drawback of VPN connections is the security risk of allowing Internet access to network resources

Slide 11: Enabling and Configuring a VPN Server
- Windows Server 2003 uses RRAS as a VPN server
- When a RAS is configured to provide VPN connections, no special equipment is required
- All connectivity is through a regular network card
- Enable a VPN server with the Routing and Remote Access Server Setup Wizard

Slide 12: Activity 11-4: Enabling RRAS as a VPN Server
- The purpose of this activity is to enable RRAS as a VPN server

Slide 13: Activity 11-5: Modifying the Default Number of VPN Ports
- The purpose of this activity is to reduce the number of PPTP and L2TP VPN ports to 10 each

Slide 14: PPTP
- PPTP is one of the oldest VPN protocols
- It is the most popular and most widely supported
- Supported by all versions of Windows starting with Windows 95
- PPTP can function properly through NAT
- Authentication for PPTP is based on a user name and password, and does not authenticate the computers involved in the connection
- There is no assurance that the VPN server or VPN client is authorized

Slide 15: L2TP
- L2TP is designed only for tunneling data, not encrypting it
- The L2TP implementation Microsoft uses for VPN connections relies on IPSec for encryption
- L2TP operation over NAT is possible
- L2TP authentication is like PPTP's; however, the addition of IPSec adds computer-level authentication

Slide 16: L2TP (continued)

Slide 17: Configuring Remote Access Servers
- Default configuration options for a RAS are sufficient for day-to-day operations, but in some situations you may need to modify settings to allow particular types of clients to connect or to adjust system performance

Slide 18: Authentication Methods
- Windows Server 2003 can use many different authentication methods
- These authentication methods can be used for authenticating dial-up, PPTP, and L2TP connections:
  - No authentication
  - PAP
  - SPAP
  - CHAP
  - MS-CHAP
  - MS-CHAPv2
  - EAP

Slide 19: IP Address Management
- When dial-up and VPN clients connect to Windows Server 2003 configured as a RAS, they are assigned an IP address
- The IP address can come from a static pool configured on the RAS or be leased from a DHCP server

Slide 20: IP Address Management (continued)

Slide 21: Activity 11-6: Configuring the DHCP Relay Agent
- The purpose of this activity is to configure the DHCP relay agent on a RAS

Slide 22: Allowing Client Access
- Remote access permission allows users to act as dial-up or VPN clients
- When all domain controllers are Windows 2000 or later and the domain has been switched to at least Windows 2000 native mode, remote access policies can be used to control remote access permission
- Remote access permission for users is controlled by their user object in Active Directory
- By default, all users are denied access

Slide 23: Activity 11-7: Allowing a User Remote Access Permission
- The purpose of this activity is to create a new user and grant that user remote access permission

Slide 24: Creating a VPN Client Connection
- Windows Server 2003 can be configured as a VPN client
- This can be useful when Windows Server 2003 is configured to act as a router
- VPN connections can be used to encrypt traffic sent between the two routers
- VPN client connections are created using the same New Connection Wizard that is used when configuring dial-up connections

Slide 25: Activity 11-8: Creating a Client VPN Connection
- The purpose of this activity is to create a client VPN connection and then test it

Slide 26: Configuring a VPN Client Connection
- Configuration of a VPN client connection may be done with the New Connection Wizard or with the Properties dialog box of the VPN connection
- The following configuration options exist:
  - IP address of the VPN server
  - Dialing and redialing options
  - Security and encryption
  - Network configuration
  - Internet Connection Firewall and Internet Connection Sharing for this connection

Slide 27: Remote Access Policies
- Remote access policies are configured on a RAS to control how remote access connections are created
- To use remote access policies effectively, you must understand:
  - Remote access policy components
  - Remote access policy evaluation
  - Default remote access policies

Slide 28: Remote Access Policy Components
- Remote access policies are composed of conditions, remote access permissions, and a profile
- Conditions are criteria that must be met for a remote access policy to apply to a connection
- The remote access permission set in a remote access policy has only two options:
  - Deny remote access permission
  - Grant remote access permission

Slide 29: Activity 11-9: Creating a Remote Access Policy
- The purpose of this activity is to create a new remote access policy on your server

Slide 30: Remote Access Policy Evaluation
- To create remote access policies and understand what their results will be, you need to understand:
  - The contents of remote access policies
  - How they are evaluated by RRAS
- The evaluation process varies depending on whether the domain is in mixed mode or native mode

Slide 31: Remote Access Policy Evaluation (continued)

Slide 32: Evaluating Conditions
- Remote access policies are assigned an order
- Evaluating conditions follows the same process for mixed-mode domains and native-mode domains
- If no remote access policies exist, the connection attempt is rejected
- If remote access policies exist, their conditions are evaluated
- The conditions set in the remote access policies are then compared with the actual conditions of the attempted connection

Slide 33: Evaluating Permissions
- After a condition match has been found, the permissions of the user attempting the connection are evaluated
- Check for the Ignore-User-Dialin-Properties attribute in the profile of the remote access policy
- This is true for mixed-mode and native-mode domains

Slide 34: Evaluating Profile Settings
- Even if remote access permission is granted, it does not guarantee that a remote access connection will be successful
- Some of the profile settings, such as allowed authentication methods and encryption levels, force a connection attempt to be disconnected
- Profile settings are applied in the same way for mixed-mode and native-mode domains
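The three evaluation stages on slides 32 to 34 (ordered condition match, then permission, then profile constraints) as a small Python model. This is an added example written for these notes, not code from the course or from RRAS; the policy set, connection attributes, and the numeric encryption levels are constructed, and the mixed-mode branch follows the simplification that the user object then holds only Allow or Deny.

```python
"""Model of RRAS remote access policy evaluation (added example, not RRAS code).
Native-mode flow: ordered policies -> first condition match -> permission (user
dial-in property unless Ignore-User-Dialin-Properties is set) -> profile."""
from dataclasses import dataclass

@dataclass
class Policy:
    name: str
    conditions: dict            # attribute -> required value (constructed names)
    grant: bool                 # the policy's own remote access permission
    allowed_auth: set           # profile: allowed authentication methods
    min_encryption: int = 0     # profile: 0 none, 1 basic, 2 strong (constructed scale)
    ignore_user_dialin: bool = False   # Ignore-User-Dialin-Properties in the profile

@dataclass
class Attempt:
    attrs: dict                 # attributes of the connection being evaluated
    user_dialin: str            # user object: "Allow", "Deny" or "Policy"
    auth: str
    encryption: int

def evaluate(policies, attempt, native_mode=True):
    """Return (accepted, reason). Policies are tried in their assigned order."""
    if not policies:
        return False, "no remote access policies exist: rejected"
    match = next((p for p in policies
                  if all(attempt.attrs.get(k) == v for k, v in p.conditions.items())), None)
    if match is None:
        return False, "no policy conditions matched: rejected"
    # Permission stage. In a mixed-mode domain the user object holds only
    # Allow/Deny, so the policy's own permission setting never decides.
    if native_mode and match.ignore_user_dialin:
        granted = match.grant
    elif attempt.user_dialin == "Deny":
        granted = False
    elif attempt.user_dialin == "Allow":
        granted = True
    else:  # "Policy": control access through the matched policy (native mode)
        granted = match.grant if native_mode else False
    if not granted:
        return False, f"permission denied (policy '{match.name}' / user object)"
    # Profile stage: a granted connection can still be disconnected here.
    if attempt.auth not in match.allowed_auth:
        return False, f"auth method {attempt.auth} not allowed by profile of '{match.name}'"
    if attempt.encryption < match.min_encryption:
        return False, f"encryption level {attempt.encryption} below profile minimum"
    return True, f"accepted by policy '{match.name}'"

# Constructed policy set; order matters because the first condition match wins.
POLICIES = [
    Policy("VPN users", {"Windows-Groups": "VPNUsers", "NAS-Port-Type": "Virtual"},
           grant=True, allowed_auth={"MS-CHAPv2", "EAP"}, min_encryption=2),
    Policy("Connections to other access servers", {}, grant=False,
           allowed_auth={"PAP", "CHAP", "MS-CHAP", "MS-CHAPv2", "EAP"}),
]
```

Running `evaluate(POLICIES, Attempt({"Windows-Groups": "VPNUsers", "NAS-Port-Type": "Virtual"}, "Policy", "PAP", 2))` shows the profile stage rejecting a user whose permission was already granted, which is the point of slide 34.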

Slide 35: Activity 11-10: Testing Remote Policy Evaluation
- The purpose of this activity is to verify the process by which remote access permission is granted

Slide 36: Default Remote Access Policies
- The default remote access policies are created to make managing remote access easier
- The first default remote access policy is Connections to Microsoft Routing and Remote Access server
- The second default remote access policy listed is named Connections to other access servers

Slide 37: RADIUS
- Remote Authentication Dial-In User Service (RADIUS) is a protocol that centralizes the authentication process for large, distributed networks
- RADIUS can be used for VPN servers, switches, wireless access points, and similar devices
- The RADIUS process has two mandatory server roles:
  - RADIUS client
  - RADIUS server

Slide 38: Outsourcing Dial-up Requirements
- You can use IAS to outsource dial-up requirements and allow roaming users to continue logging on using their Active Directory user name and password
- You must coordinate configuration with a remote access provider, usually an ISP

Slide 39: Configuring IAS as a RADIUS Server
- After IAS is installed, it must be configured using the Internet Authentication Service snap-in
- IAS servers do not respond to requests from RADIUS clients unless the RADIUS clients are listed in the configuration of IAS
- If a RADIUS proxy is used, it is listed here instead of the RADIUS client
- When a RADIUS client is added, you are asked for a friendly name and an IP address or DNS name

Slide 40: Activity 11-11: Configuring IAS as a RADIUS Server
- The purpose of this activity is to install IAS so your server can act as a RADIUS server

Slide 41: Activity 11-12: Centralizing Remote Access Policies
- The purpose of this activity is to configure RRAS and IAS to centralize the management of remote access policies on a single server

Slide 42: Configuring IAS as a RADIUS Proxy
- IAS has the ability to act as both a RADIUS proxy and a RADIUS server at the same time
- A mechanism is required to determine which RADIUS requests received are authenticated locally and which are forwarded to another RADIUS server
- Connection request policies are used to determine how a RADIUS request is handled

Slide 43: Remote RADIUS Server Groups
- Remote RADIUS server groups are required for IAS to act as a RADIUS proxy
- RADIUS requests and logging information are forwarded to remote RADIUS server groups, not individual RADIUS servers
- You can create a remote RADIUS server group with a single RADIUS server in it
- Remote RADIUS server groups allow you to do load balancing and fault tolerance between RADIUS servers
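How slides 42 and 43 fit together (a connection request policy decides local versus forwarded handling, and the forwarded request goes to a group rather than a server), as an added Python model that is not IAS code. The realm suffixes, hostnames, availability map, and the priority/weight member selection are constructed for the example; the second policy name matches the default connection request policy that IAS creates.

```python
"""Model of IAS connection request policies and remote RADIUS server groups
(added example, not IAS code). Members are (host, priority, weight); lower
priority is tried first, weight balances load within one priority."""
import random

# Constructed remote RADIUS server group; policies refer to it by name only.
GROUPS = {
    "ISP-Partner": [("radius1.isp.example", 1, 50), ("radius2.isp.example", 1, 50),
                    ("radius-backup.isp.example", 2, 100)],
}

# Connection request policies, evaluated in order; the first match wins.
# action is "local" (authenticate against the domain) or a group name.
CONNECTION_REQUEST_POLICIES = [
    {"name": "Forward partner realm", "realm_suffix": "@partner.example",
     "action": "ISP-Partner"},
    {"name": "Use Windows authentication for all users", "realm_suffix": "",
     "action": "local"},
]

def route_request(user_name, policies=CONNECTION_REQUEST_POLICIES):
    """Return the action of the first policy whose realm condition matches."""
    for p in policies:
        if user_name.endswith(p["realm_suffix"]):
            return p["action"]
    return None  # no policy matched: the request is discarded

def pick_server(group, available, rng=None):
    """Choose a reachable member of a group: lowest priority tier first, then a
    weighted random pick inside that tier (load balancing); unreachable members
    are skipped, so the next tier takes over when a whole tier is down."""
    rng = rng or random.Random(0)   # seeded for reproducible selection here
    members = [m for m in GROUPS[group] if available.get(m[0], False)]
    if not members:
        return None
    best = min(prio for _, prio, _ in members)
    tier = [m for m in members if m[1] == best]
    return rng.choices([m[0] for m in tier], weights=[m[2] for m in tier])[0]

def handle(user_name, available):
    """Return ("local", None), ("forward", host_or_None) or ("discard", None)."""
    action = route_request(user_name)
    if action is None:
        return ("discard", None)
    if action == "local":
        return ("local", None)
    return ("forward", pick_server(action, available))
```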

Slide 44: Activity 11-13: Creating a Remote RADIUS Server Group
- The purpose of this activity is to create a remote RADIUS server group that can be used when IAS is configured as a RADIUS proxy

Slide 45: Activity 11-14: Creating a Connection Request Policy
- The purpose of this activity is to create a new connection request policy to configure your server as a RADIUS proxy

Slide 46: Troubleshooting Remote Access
- Most of the problems with remote access are due to software configuration issues introduced by users and administrators
- Hardware errors may occur as well

Slide 47: Software Configuration Issues
- Some configuration problems include:
  - Incorrect phone numbers and IP addresses
  - Incorrect authentication settings
  - Incorrectly configured remote access policies
  - Name resolution is not configured
  - Clients receive incorrect IP options
  - The RAS leases 10 IP addresses from DHCP at startup
  - User accounts in Active Directory seem to be locked out at random

Slide 48: Hardware Errors
- Some hardware troubleshooting issues:
  - Is the hardware on the HCL?
  - If you cannot find the server, use Ping to see whether the server is reachable
  - If you cannot dial in using a new modem, see whether you can dial in to a different RAS
  - If you installed a new network card, ensure that you reconnected the patch cable and that there is a link light on the network card
  - Is the type of hardware you are trying to use supported?

Slide 49: Logging
- IAS can log authentication requests to a file or to a SQL server
- You can control which events are logged, including accounting requests, authentication requests, and periodic status
- You can also choose the format of the log and how often a new log file is created

Slide 50: Activity 11-15: Modem Logging
- The purpose of this activity is to enable modem logging

Slide 51: Troubleshooting Tools
- The following tools can be used for troubleshooting:
  - Ping can confirm that a host is reachable
  - Ipconfig can confirm that the correct IP settings are being delivered to the remote access client
  - Network Monitor can perform packet captures, which may give some further clues as to the cause of the error

Slide 52: Summary
- Windows Server 2003 can be a remote access server
- Two types of remote access: dial-up and VPN
- Windows Server 2003 uses Routing and Remote Access Service (RRAS)
- Dial-up connections are slow, but available anywhere
- VPN connections are usually faster, but Internet access is required

Slide 53: Summary (continued)
- L2TP does not perform encryption
- IPSec performs encryption
- Many authentication methods are supported by RRAS
- PPTP VPNs cannot encrypt data if PAP, SPAP, or CHAP is used
- Remote access policies are composed of conditions, remote access permissions, and a profile

Slide 54: Summary (continued)
- IAS allows Windows Server 2003 to act as a RADIUS server
- IAS can also be configured as a RADIUS proxy
- Most problems with remote access connections result from improper software configuration
- Common troubleshooting tools for remote access are ipconfig, ping, and Network Monitor
