A Guide to Windows 2000 Server by xiaohuicaicai


									                            Chapter 12

      Chapter 12:
Remote Access and Virtual
   Private Networks
           Learning Objectives
                                             Chapter 12

   Explain how remote access and virtual
    private network (VPN) services work
   Explain how to implement remote
    access communications devices and
   Configure remote access services,
    security, dial-up connectivity, and client
    Early Remote Access Methods
                                         Chapter 12

   An early method for accessing a
    network, which is still used, is to
    connect to a workstation through remote
    access software such as Carbon Copy
     Accessing a Workstation
            Remotely                                             Chapter 12


                                  Telephone line

                          Workstation     Server


                                Workstation        Workstation

Figure 12-1 Remotely accessing a workstations on a network
       Microsoft Remote Access
                                            Chapter 12

   A modern way to access a network
    remotely is by using Microsoft Remote
    Access Services (RAS) in Windows
    2000 Server
                       Using RAS
                                                                                       Chapter 12

    Figure 12-2
Remotely accessing a
  network through                                                      Modem

   Microsoft RAS                                      Telephone line

                                                 Windows 2000 server
                        NetWare server                with RAS



                                                               Telephone line
                         Client                   Client
                       workstation              workstation

        Virtual Private Network
                                          Chapter 12

   Virtual private network: A private
    network that is like a tunnel through a
    larger network – such as the Internet, an
    enterprise network, or both – that is
    restricted only to designated member
               Planning Tip
                                          Chapter 12

   Use a VPN to save money on modems
    and telephone lines for remote access to
    a network
                          VPN Architecture
                                                                                                                                          Chapter 12

Figure 12-3
VPN network                                   VPN tunnels
 architecture                                                                                                           Telephone line

                                                                                                                            Internet                                                 Windows 2000 Server
                                             Windows 2000                with VPN/IIS
                                                servers                                                       line
                                                                                              re        lay
                  Subnet 177.28.44                                                               line

                                                          Subnet 177.28.19
                                                                                                                                  Telephone line
                                                                                  VPN Tunnels
                                                         Router        Router

                                       Subnet 177.28.7
                                                                                      Subnet 177.28.23

                                                               VPN tunnel

                                             Web server
    Operating Systems Than Can
          Connect to RAS              Chapter 12

   MS-DOS
   Windows 3.1 and 3.11
   Windows NT (all versions)
   Windows 95
   Windows 98
   Windows 2000 Server and Professional
          Connection Types
          Supported by RAS            Chapter 12

   Asynchronous modems
   Synchronous modems through an access
   Null modem connections
   Regular dial-up telephone lines
   Leased telecommunications lines, such
    as T-carrier
         Connection Types
    Supported by RAS (continued)      Chapter 12

   ISDN lines (and digital modems)
   X.25 lines
   DSL lines
   Frame relay lines
                                         Chapter 12

   T-carrier: A dedicated leased telephone
    line that can be used for data
    communications over multiple channels
    for speeds of up to 44.736 Mbps and
   Two common varieties of T-carrier are:
     T-1 at 1.544 Mbps
     T-3 at 44.736 Mbps
               Frame Relay
                                         Chapter 12

   Frame relay: A WAN communications
    technology that relies on packet
    switching and virtual connection
    techniques to transmit at from 56 Kbps
    to 45 Mbps
                                           Chapter 12

   Integrated Services Digital Network
    (ISDN): A telecommunications standard
    for delivering data services over digital
    telephone lines with a current practical
    limit of 1.536 Mbps and a theoretical
    limit of 622 Mbps
                                             Chapter 12

   An older packet-switching protocol for
    connecting remote networks at speeds
    up to 2.048 Mbps
                                        Chapter 12

   Digital subscriber line (DSL): A
    technology that uses advanced
    modulation technologies on regular
    telephone lines for high-speed
    networking at speeds of up to 60 Mbps
    between subscribers and a
    telecommunications company
       Transport and Remote
      Communication Protocols         Chapter 12

   RAS supports protocols such as:
     TCP/IP
     NWLink
     NetBEUI
     PPP
     PPTP
     L2TP
              Using Modems
                                             Chapter 12

   One of the most common ways to
    connect through RAS is by using
    modems either at the RAS server end,
    the client end, or both
   Cable TV modems are another
    possibility, but verify that the end-to-end
    connections can be made secure
           ISDN Connectivity
                                          Chapter 12

   Digital “modems” can be used to
    connect a RAS server to ISDN, but
    these are really terminal adapters (TAs)
    and not modems, because ISDN is
    digital and does not use
   A design advantage of ISDN is that you
    can aggregate multiple lines to appear
    as one super fast connection
              Access Server
                                            Chapter 12

   An effective way to connect different
    telecommunications and WAN media to RAS
    is through an access server
   For example, an access server can provide
    the following types of connectivity:
      Modems
      ISDN
      X.25
      T-carrier
           Access Server Architecture
                                                                                                                                   Chapter 12

                                                                                    Windows 2000 Server
                                                                                         with RAS

Figure 12-4
  Using an                                           Modular access server
                                                                                                T-1 line
access server                                                                 X.2
                                                                                    5 li

                             DN                                                                              Leased


                                                              Modem          Modem


       Remote Access Protocols
                                         Chapter 12

   Serial Line Internet Protocol (SLIP): An
    older remote communications protocol that
    is used by UNIX computers. The modern
    compressed SLIP (CSLIP) version uses
    header compression to reduce
    communications overhead.
   Point-to-Point Protocol (PPP): A widely
    used remote communication protocol that
    supports IPX/SPX, NetBEUI, and TCP/IP for
    point-to-point communication.
             SLIP and PPP Compared
                                                                           Chapter 12

Feature                                          SLIP   PPP
Network protocol support                         TCP/IP TCT/IP, IPX/SPX, and
Asynchronous communications support              Yes    Yes
Synchronous communications support               No     Yes
Simultaneous network configuration               No     Yes
negotiation and automatic connection with
multiple levels of the OSI model between the
communicating nodes
Support for connection authentication to guard   No     Yes
aginst eavesdroppers

                 Table 12-1 SLIP and PPP Compared
       Remote Access Protocols
            (continued)                  Chapter 12

   Point-to-Point Tunneling Protocol
    (PPTP): A remote communication
    protocol that enables connectivity to a
    network through the Internet and
    connectivity through intranets and VPNs
           Configuring RAS
                                       Chapter 12

   Use the Routing and Remote Access tool
    to install RAS
       Installing RAS
                                          Chapter 12

Figure 12-5 Configuring routing and RAS
Installing RAS (continued)
                                                  Chapter 12

Figure 12-6 Selecting the option to install RAS
                          Routing and Remote
                            Access Options                                                                     Chapter 12
Option                       Description

Internet connection server   Use this option so that networked computers in addition to the server can connect to the

                             Internet, which is especially useful in a small office environment in which all users need

                             Internet access, but there is only one dial-up, ISDN, or other outside line to an ISP

Remote access server         Use this option to set up remote access services to the network through the Windows

                             2000 server

Virtual private network      Use this option when you have an intranet (VPN) that you want users to be able to

(VPN) server                 access through a remote connection or the Internet

Network router               Use this option to have Windows 2000 Server function as a router on the network –

                             directing traffic to other networks or subnetworks

Manually configure the       Use this option when you want to customize the routing and remote access capabilities

Installing RAS (continued)
                                             Chapter 12

 Figure 12-7 IP address assignment options
 Viewing a RAS
Server’s Properties                 Chapter 12

Figure 12-8 RAS server properties
           DHCP Relay Agent
                                               Chapter 12

   If you configure RAS to use DHCP to
    assign IP addresses, then you must
    configure a DHCP Relay Agent:
     Double-click the RAS server in the tree of
      the Routing and Remote Access tool
     Click IP Routing in the tree
     Right-click DHCP Relay Agent and click
     Enter the IP address of the RAS server,
      click Add, and then click OK
         Security Set at the Client
                                           Chapter 12

   Set up security on the client’s account
    properties via the Dial-in tab, including
    whether to use a remote access policy for
    security and callback security
            Callback Options
                                             Chapter 12

   No Callback: access is allowed on the
    first dial-up attempt
   Set By Caller: the server calls back a
    number provided by the remote
   Always Callback to: the server calls
    back a number that has already been
    entered in the Dial-in tab
   Configuring Dial-in Security
                                                         Chapter 12

Figure 12-10 Configuring dial-in security for a user account
        Remote Access Policies
                                         Chapter 12

   Configure remote access policies and a
    profile to secure the RAS server and to
    manage access including:
     Dial-inconstraints
     IP address assignment rules
     Authentication
     Encryption
     Allowing Multilink connections
       Configuring Remote
         Access Policies                              Chapter 12

Figure 12-11 Granting remote access as a RAS policy
        Authentication Options
                                              Chapter 12

   There are several authentication options
    that can be set in a remote access
    policies profile:
     Extensible Authentication Protocol (EAP):
      An authentication protocol employed by
      network clients that use special security
      devices such as smart cards, token cards,
      and others that use certificate
       Authentication Options
            (continued)                     Chapter 12
 Challenge Handshake Authentication Protocol
 (CHAP): An encrypted handshake protocol
 designed for standard IP- or PPP-based exchange
 of passwords. It provides a reasonably secure,
 standard, cross-platform method for sender and
 receiver to negotiate a connection.

 CHAP  with Microsoft extensions (MS-CHAP): A
 Microsoft-enhanced version of CHAP that can
 negotiate encryption levels and that uses the
 highly secure RSA RC4 encryption algorithm to
 encrypt communications between client and host
      Authentication Options
           (continued)                        Chapter 12

 CHAP  with Microsoft extensions version 2 (MS-
 CHAP v2): An enhancement of MS-CHAP that
 provides better authentication and data encryption
 and that is especially well suited for VPNs

 Password  Authentication Protocol (PAP): A non-
 encrypted plain-text password authentication
 protocol. This represents the lowest level of
 security for exchanging passwords via PPP or
        Authentication Options
             (continued)                 Chapter 12
 Silva’sPassword Authentication Protocol
 (SPAP): A version of PAP that is used for
 authenticating remote access devices and
 network equipment manufactured by Silva (now
 Intel Network Systems, Inc.)
Configuring Authentication
                                            Chapter 12

  Figure 12-12 Configuring authentication
           Chapter Summary
                                         Chapter 12

   RAS and VPN servers enable clients to
    remotely access Windows 2000 Server,
    such as those who telecommute
   Remote access can be configured
    through many types of WAN
    connectivity, such as dial-up telephone
    lines, high-speed lines, Internet
    connections, and routers
           Chapter Summary
                                           Chapter 12

   RAS and VPN servers are compatible
    with remote access protocols such as
    PPP, PPTP, and L2TP
   Manage RAS and VPN servers using
    remote access policies and profiles

To top