The Best Damn Windows Server 2003 Book Period - P89

1. Start by opening Routing and Remote Access by selecting Start | Programs | Administrative Tools | Routing and Remote Access.
2. From the Routing and Remote Access management console, right-click the server name and select Configure and Enable Routing and Remote Access. If this option is grayed out, select Disable Routing and Remote Access to start with a fresh configuration.
3. On the first page of the Routing and Remote Access Server Setup Wizard, click Next.
4. Select Custom Configuration and click Next.
5. Select LAN Routing followed by Next, and then select Finish. A message box will display asking if you would like to enable the Routing and Remote Access Service. Select OK to enable LAN routing.
6. Now that the Routing and Remote Access Service is enabled, we have to configure RIP v2.
7. In the left pane, select IP Routing. Right-click General and select New Routing Protocol.
8. On the next screen, select RIP Version 2 for Internet Protocol and click OK.
9. An entry for RIP will now be displayed in the left pane beneath the IP Routing icon. This means that RIP is enabled on the server, but at this point RIP will not advertise any routes, because we have to tell RIP which interfaces to use for route advertisement.
10. In the left pane, right-click RIP and select New Interface….
11. From the New Interface for RIP Version 2 for Internet Protocol dialog box, select the interface that provides the common link between the routers, as shown in Figure 25.2. In this case, the common interface has been named WAN.
12. The default setting for RIP in a Windows Server 2003 environment is RIP version 2 broadcast for the Outgoing packet protocol: drop-down list and RIP version 1 and 2 for the Incoming packet protocol: drop-down list. If we are using only RIP version 2 throughout our network, and the transport medium will be Ethernet, it is preferable to use RIP version 2 multicast for the Outgoing packet protocol: selection; to ensure RIP version 2 only operation, select RIP version 2 only from the Incoming packet protocol: drop-down list.
13. Repeat this process for the other Windows Server 2003 router that will be advertising RIP version 2 on your network.


In our example, we have configured another network at 172.16.100.0/24. This is the network we wish to block using the packet filters. The direct approach would be to specifically block this network. Instead, we intend to block all network traffic except for our current network addresses. We will begin with the Routing and Remote Access management console to configure the packet filters for inbound and outbound traffic.
1. Before we begin filtering, verify connectivity to the 172.16.100.0/24 network by pinging the 172.16.100.3 interface from your server.
856 Chapter 25 • Planning, Implementing, Maintaining Routing and Remote Access
301_BD_W2k3_25.qxd 5/14/04 9:50 AM Page 856
2. We intend to block all traffic except traffic to and from the 192.168.1.0, 192.168.2.0, and 192.168.3.0 networks. To accomplish this, we will apply inbound and outbound packet filters on our WAN interface. Select General under the IP Routing icon in the left pane of the management console.
3. Right-click the WAN interface in the right pane of the management console and select Properties.
4. Under the General tab of the WAN Properties dialog box, select the Inbound Filters… button.
5. The inbound filters should allow traffic coming from the 192.168.2.0 and 192.168.3.0 networks only. We will add those networks as source networks for the inbound filter. Select New from the Inbound Filters dialog box. Then, select the Source Network check box and enter 192.168.2.0 for the IP address: and 255.255.255.0 for the Subnet mask: as shown in Figure 25.3.
6. Click OK to add the first filter to the inbound filter list.
7. Repeat this process for the 192.168.3.0 network. Select New from the Inbound Filters dialog box. Then, select the Source Network check box and enter 192.168.3.0 for the IP address: and 255.255.255.0 for the Subnet mask:.
8. Change the Filter Action to Drop all packets except those that meet the criteria below and click OK.
9. We will now configure Outbound Filters in the same fashion that we just configured the Inbound Filters. Select the Outbound Filters… button. The outbound filters should allow traffic going to the 192.168.2.0 and 192.168.3.0 networks only. We will add those networks as destination networks for the outbound filter. Select New from the Outbound Filters dialog box. Then, select the Destination Network check box and enter 192.168.2.0 for the IP address: and 255.255.255.0 for the Subnet mask:.
Figure 25.3 Adding an Inbound Filter
10. Repeat step 9 for the 192.168.3.0 network. Select New from the Outbound Filters dialog box. Then, select the Destination Network check box and enter 192.168.3.0 for the IP address: and 255.255.255.0 for the Subnet mask:.
11. Change the Filter Action to Drop all packets except those that meet the criteria below and click OK.
12. From the WAN Properties dialog box, click OK to complete the configuration.
13. To verify your configuration, test connectivity to the 172.16.100.0/24 network by pinging the 172.16.100.3 interface from your server.
Addressing VPN Design Considerations
Rather than using individual modem or ISDN ports for remote access, you can configure a VPN
(virtual private network) and enable any number of connections through the Internet. A VPN uses
an encrypted tunnel to create a secure virtual connection and transmit private data over the public
network.
Although using a VPN for remote access does not require any special hardware beyond an Internet connection for clients and the RRAS server, there are still a number of choices you must make when planning a VPN strategy. These include the VPN protocols you will support, the need for machine certificates, IP filtering, and remote access policies.
Selecting VPN Protocols
A VPN connection is created through the use of a tunneling protocol (sometimes called a VPN protocol) supported by both the client and the server. Windows Server 2003 supports two tunneling protocols:
• PPTP (Point-to-Point Tunneling Protocol) is an Internet standard for VPN connections based on PPP (Point-to-Point Protocol). PPTP uses MPPE (Microsoft Point-to-Point Encryption) to encrypt data.
• L2TP (Layer 2 Tunneling Protocol) is a newer tunneling protocol standard, developed in cooperation between Microsoft and Cisco. L2TP is used with IPSec (IP Security) to provide encryption.
You can support one or both of these VPN protocols in your remote access strategy. Which protocols you support depends on the needs of clients, the requirements for public-key security, and whether you need the higher-security features of L2TP. These considerations are discussed in the following sections.
Client Support
Of course, a major factor in deciding which tunneling protocols you should support is the protocols supported by the client machines. The following is a summary of the VPN tunneling protocol support of Windows clients:
• PPTP is supported by Windows 95, Windows 98, Windows ME, Windows NT 4.0 and later, Windows 2000, Windows XP, and Windows Server 2003.
• L2TP is supported by Windows 2000, Windows XP, and Windows Server 2003.
If you are supporting non-Windows clients, you should determine which VPN protocols they support. The easiest way to support a wide variety of clients is to enable both VPN protocols at the server level; clients that support L2TP will use it, and other clients will use PPTP.
Data Integrity and Sender Authentication
The IPSec encryption used with L2TP supports two features that are not available with PPTP and MPPE encryption, in addition to the data confidentiality that both encryption protocols provide. You should make sure your network supports L2TP if you require either of the following:
• Data integrity: L2TP over IPSec verifies the integrity of data by using hash algorithms (checksums).
• Sender authentication: IPSec provides mutual authentication of the client computer and the VPN server. This authentication is based on PKI (public key infrastructure) certificates and is in addition to the user authentication handled by protocols such as MS-CHAP v2 and EAP-TLS.
PKI Requirements
To support L2TP over IPSec for VPN connections, you need to install computer certificates at both
the VPN server and the clients. If you do not have an existing certificate server configured on the
network, this might require additional planning and configuration. PPTP does not require a PKI at
all and is the only choice if you do not wish to install certificates.
Installing Machine Certificates
To use IPSec with L2TP, you need to install computer certificates at each client for encryption. Windows 2000 and Windows Server 2003 support auto-enrollment, a feature that automatically distributes certificates to computers the first time they connect to the network. If you are not using auto-enrollment, you can manually request a certificate for the computer. You can do this using the Certificates MMC snap-in or by connecting to the certificate server with a Web browser.
If you do not have a certification authority (CA) on the network, you can install Certificate
Services on a domain controller.
Configuring Firewall Filters
Because a VPN server is connected to the Internet, it is often used in conjunction with a software or hardware firewall to prevent unauthorized traffic from the Internet from reaching the internal network. You can arrange the firewall and VPN server in one of two ways:
• The VPN server is directly connected to the Internet and the firewall separates it from the internal network.
• The firewall is connected to the Internet and the VPN server is behind the firewall.
Figure 25.4 shows these two configurations.
The more common of the two arrangements is to connect the firewall to the Internet and keep the VPN server behind the firewall. In this scenario, you set up packet filters to allow all VPN traffic through the firewall. Since the VPN connection between the client and server handles authentication and security itself, this does not represent a security risk.
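To make both whitelists concrete, here is an added Python model (not code from the book, nor from RRAS) of how "Drop all packets except those that meet the criteria below" behaves. It is fed with the WAN inbound and outbound filters from the packet-filter walkthrough earlier in the chapter, and with a constructed firewall rule set of the kind meant by "allow all VPN traffic through the firewall": PPTP (TCP 1723 plus GRE, protocol 47) and L2TP/IPSec (IKE on UDP 500, NAT-T on UDP 4500, ESP, protocol 50) destined for the VPN server. The VPN server and client addresses (203.0.113.10, 198.51.100.4) are constructed documentation addresses.

```python
"""Model of two packet-filter whitelists: the RRAS WAN interface filters built
in the walkthrough, and a firewall rule set that lets only VPN traffic reach a
VPN server behind the firewall.  Added example; not code from the book."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# IP protocol numbers used below
ICMP, TCP, UDP, GRE, ESP = 1, 6, 17, 47, 50


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int            # IP protocol number
    dst_port: int = 0     # 0 when the protocol has no ports (ICMP, GRE, ESP)


@dataclass(frozen=True)
class Rule:
    """One filter entry; None means 'any' for that field."""
    src_net: Optional[str] = None
    dst_net: Optional[str] = None
    proto: Optional[int] = None
    dst_port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.src_net and ip_address(p.src) not in ip_network(self.src_net):
            return False
        if self.dst_net and ip_address(p.dst) not in ip_network(self.dst_net):
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.dst_port is not None and p.dst_port != self.dst_port:
            return False
        return True


def apply_filters(rules, packet: Packet, drop_all_except: bool = True) -> str:
    """RRAS filter-action semantics: with 'Drop all packets except those that
    meet the criteria below' a packet is forwarded only if some rule matches;
    with 'Receive all packets except ...' a match means drop."""
    matched = any(r.matches(packet) for r in rules)
    if drop_all_except:
        return "forward" if matched else "drop"
    return "drop" if matched else "forward"


# --- WAN interface filters from the walkthrough (addresses as in the book) ---
WAN_INBOUND = [Rule(src_net="192.168.2.0/24"), Rule(src_net="192.168.3.0/24")]
WAN_OUTBOUND = [Rule(dst_net="192.168.2.0/24"), Rule(dst_net="192.168.3.0/24")]

# --- Firewall rules for a VPN server behind the firewall (constructed) ---
VPN_SERVER = "203.0.113.10/32"   # constructed documentation address
FIREWALL_VPN_INBOUND = [
    Rule(dst_net=VPN_SERVER, proto=TCP, dst_port=1723),   # PPTP control channel
    Rule(dst_net=VPN_SERVER, proto=GRE),                  # PPTP data (GRE)
    Rule(dst_net=VPN_SERVER, proto=UDP, dst_port=500),    # IKE for L2TP/IPSec
    Rule(dst_net=VPN_SERVER, proto=UDP, dst_port=4500),   # IKE/ESP NAT traversal
    Rule(dst_net=VPN_SERVER, proto=ESP),                  # IPSec ESP
]


def wan_inbound(pkt: Packet) -> str:
    return apply_filters(WAN_INBOUND, pkt)


def wan_outbound(pkt: Packet) -> str:
    return apply_filters(WAN_OUTBOUND, pkt)


def firewall_inbound(pkt: Packet) -> str:
    return apply_filters(FIREWALL_VPN_INBOUND, pkt)


if __name__ == "__main__":
    # the verification ping of step 13: echo request out, echo reply back in
    print("echo request to 172.16.100.3:", wan_outbound(Packet("192.168.1.1", "172.16.100.3", ICMP)))
    print("echo reply from 172.16.100.3:", wan_inbound(Packet("172.16.100.3", "192.168.1.1", ICMP)))
    print("traffic from 192.168.2.7:     ", wan_inbound(Packet("192.168.2.7", "192.168.1.5", ICMP)))
    print("PPTP control to VPN server:   ", firewall_inbound(Packet("198.51.100.4", "203.0.113.10", TCP, 1723)))
    print("RDP to VPN server:            ", firewall_inbound(Packet("198.51.100.4", "203.0.113.10", TCP, 3389)))
```

Two points the model makes visible: the walkthrough's inbound filters match on source network only, so anything whose source lies outside 192.168.2.0/24 and 192.168.3.0/24 is dropped whatever its destination, RIP updates from the peer router included unless the peer's address falls inside a listed network, which is worth checking alongside the ping test in step 13; and on the firewall side a whitelist keyed on destination host, protocol and port lets the tunnel protocols through while still dropping every other service exposed on the VPN server.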
PPP Multilink and Bandwidth Allocation Protocol (BAP)
The Point-to-Point Protocol (PPP) provides encapsulation, authentication, and encryption functions
for remote access connectivity. Most VPN and remote access technology today is built upon PPP or
extensions of this protocol. One of the many features of PPP is Multilink. PPP is generally used for
different types of dial-up connections. Sometimes, there is an advantage to providing a single virtual
link that encompasses multiple physical links, like the B-channels on an ISDN connection.
Figure 25.4 Firewall Configurations (two diagrams: VPN Server Outside Firewall, with Internet, VPN Server, Firewall and Clients; VPN Server Inside Firewall, with Internet, Firewall, VPN Server and Clients)
Since ISDN has traditionally been billed per usage, and analog long distance phone calls are also typically billed per usage, maintaining the virtual link when the bandwidth requirements are low could prove costly. Multilink itself does not include provisions to monitor the connection requirements. Enter Bandwidth Allocation Protocol (BAP). BAP adds features to PPP and Multilink to monitor the connection requirements and to adjust accordingly. If our ISDN link does not need the bandwidth provided through two B-channels, BAP will drop one of the two connections, based on our configuration settings. If the bandwidth requirements increase and the single B-channel in use cannot provide sufficient bandwidth, BAP will connect the second B-channel to double our bandwidth capabilities. This same configuration could include two analog phone lines at each end of the connection as opposed to the 2B+D ISDN configuration for Multilink. In order to take advantage of the capabilities of BAP, the remote access client and server must support BAP and have it enabled.
PPP Multilink Protocol
The PPP Multilink Protocol must be enabled on both the remote access client and the remote access server. PPP Multilink is enabled on the remote access server via remote access policy, using the Routing and Remote Access Service management console or the Internet Authentication Service (IAS). The nature of Multilink requires dialing to multiple devices or endpoints. To enable Multilink on a remote access client, you must enable multiple device dialing on the client system through the Network and Dial-up Connections folder. Again, if unlimited connectivity is not available, the nature of Multilink presents cost-prohibitive problems due to the lack of provisions to link and unlink extra physical connections on an as-needed basis.
BAP Protocols
To facilitate dynamic allocation of links for Multilink, Microsoft provides dynamic BAP. Dynamic BAP is a series of interrelated protocols. Dynamic BAP consists of the following protocols:
• Bandwidth Allocation Protocol (BAP)
• Bandwidth Allocation Control Protocol (BACP)
• Extensions to the Link Control Protocol (LCP)
BAP provides additional links on an as-needed basis, in response to specific configuration settings. BAP is the control mechanism used in dynamic BAP. BAP will automatically initiate a connection with your second modem to increase your available bandwidth to 112 kbps (56 kbps + 56 kbps) when needed. Once the bandwidth requirement drops below a predetermined setting for a predetermined amount of time, the second modem will disconnect.

BACP works in conjunction with BAP, utilizing the same mechanism as PPP’s Link Control Protocol to provide connection control in a dynamic BAP environment. The sole purpose of BACP is to provide a negotiated, favored peer whose requests are implemented during a request to add or drop a connection.
PPP provides connections for upper layer protocols through the Link Control Protocol. Extensions to LCP are an integral part of dynamic BAP, just as they are with any other implementation of PPP. To transport TCP/IP traffic over an analog dial-up connection, Internet Protocol Control Protocol (IPCP), an extension of LCP, carries the IP traffic through the PPP connection. Likewise, to carry IPX/SPX traffic over a PPP connection, Internetwork Packet Exchange Control Protocol (IPXCP) provides the connection between the PPP endpoints and the IPX/SPX client. This encapsulation of upper layer data is commonly known as tunneling.
Multilink with BAP support is implemented through the Routing and Remote Access management console and is enabled by default. BAP is enabled via Routing and Remote Access in Administrative Tools. Once you select the server, right-click it and select Properties. On the PPP tab, select the Dynamic bandwidth control using BAP and BACP check box. Multilink is enabled within the Routing and Remote Access applet by selecting Remote Access Policies. Select the remote access policy to modify, click Edit Profile, and configure the specifics of the Multilink policy on the Multilink tab.
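The add-and-drop behaviour described above is easy to get wrong without hysteresis: a single busy second should not dial the second line, and a brief lull should not hang it up. The following Python model is an added example, not Microsoft's BAP implementation and not code from the book; the thresholds and hold times are constructed stand-ins for the kind of values set on the Multilink tab of a policy profile, the two 56 kbps lines are the ones the text describes, and the message names in the comments are those of RFC 2125.

```python
"""Idealized model of dynamic BAP link management for a two-line Multilink
bundle (two 56 kbps modems, as in the text).  Added example: thresholds, hold
times and the decision rule are constructed, not Microsoft's implementation."""

LINK_KBPS = 56          # capacity of one analog modem link


class BapController:
    def __init__(self, max_links=2, add_threshold=0.75, add_seconds=2,
                 drop_threshold=0.25, drop_seconds=10):
        self.max_links = max_links
        self.add_threshold = add_threshold      # utilisation that justifies another line
        self.add_seconds = add_seconds          # must persist this long before adding
        self.drop_threshold = drop_threshold    # utilisation below which a line is surplus
        self.drop_seconds = drop_seconds        # must persist this long before dropping
        self.links = 1                          # the bundle starts with a single line up
        self._above = 0                         # consecutive seconds above add_threshold
        self._below = 0                         # consecutive seconds below drop_threshold

    @property
    def capacity_kbps(self):
        return self.links * LINK_KBPS           # 56 with one line, 112 with two

    def tick(self, demand_kbps):
        """Feed one second of offered load; return the link count after the decision."""
        util = demand_kbps / self.capacity_kbps
        if util >= self.add_threshold:
            self._above += 1
            self._below = 0
        elif util <= self.drop_threshold:
            self._below += 1
            self._above = 0
        else:                                   # in the dead band: neither timer runs
            self._above = self._below = 0
        if self._above >= self.add_seconds and self.links < self.max_links:
            self.links += 1                     # BAP Call-Request: dial the second line
            self._above = 0
        elif self._below >= self.drop_seconds and self.links > 1:
            self.links -= 1                     # BAP Link-Drop-Query-Request: release it
            self._below = 0
        return self.links


def simulate(demand_profile, **settings):
    """Run a load profile (kbps offered per second) through a fresh controller
    and return the number of lines in the bundle after each second."""
    ctl = BapController(**settings)
    return [ctl.tick(d) for d in demand_profile]


if __name__ == "__main__":
    # constructed profile: idle, a burst one modem cannot carry, then idle again
    profile = [5] * 3 + [50] * 4 + [100] * 3 + [5] * 12
    print(simulate(profile))
```

Running it shows the second line coming up only after the burst has persisted for the add hold time, staying up while the 100 kbps phase needs both lines (the bundle never exceeds max_links), and dropping only after the load has sat below the drop threshold for the full drop hold time, which is the per-usage billing point the text makes.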
Addressing Wireless Remote Access Design Considerations
Wireless networks are fast becoming one of the most common network types. Although they are not a cost-effective or efficient replacement for wired networking, wireless networks are a great choice for temporary networks, networking in areas where wiring is normally difficult, or offering wireless access to customers or employees with portable computers.
Windows Server 2003’s RRAS server can be used to manage wireless connections to the network. If you will be allowing wireless access, you will need to do the following:
• Configure remote access policies.
• Determine whether to use IAS for authentication.
• Configure the WAPs.
The 802.11 Wireless Standards
Today’s wireless networks generally use one of the standards developed by the IEEE under the 802.11 working group and based on the original 802.11 protocol, which supported speeds of 2 Mbps in the 2.4 GHz radio spectrum. The newer standards support higher speeds and are popularly known as Wi-Fi. There are three current versions of 802.11 that define different wireless standards:
• 802.11b was the first standard to be widely accepted. It operates at 11 Mbps and has a range of about 50 meters. It uses the 2.4 GHz spectrum.
• 802.11a appeared in products in 2001. This standard uses the 5 GHz spectrum and has a theoretical maximum speed of 54 Mbps, but does not handle distance and obstacles as well as 802.11b.
• 802.11g is the latest standard, ratified in 2003. It uses the 2.4 GHz band and is backward compatible with 802.11b equipment, but supports a theoretical throughput of 54 Mbps.
Using IAS for Wireless Connections
Many WAPs support RADIUS authentication. Because the security of normal wireless authentication with the 802.11 protocols is minimal, using RADIUS provides stronger authentication as well as a centralized source for authentication and accounting for all wireless access. IAS can be used for this purpose.
Because WAPs configured for RADIUS authentication rely on the presence of a RADIUS server, you might need to configure a second IAS server and specify it as a backup server in the WAP configuration. This ensures that wireless users can still connect if the primary IAS server is unavailable. The steps to configure an IAS server are included at the end of this chapter.

Configuring Remote Access Policies for Wireless Connections
To enable wireless connections, you need a basic remote access policy to allow wireless users. This policy can restrict access to a group, require certificate-based authentication, and/or mandate a high level of encryption. You can use the following steps to create a policy for wireless access.
Create a Policy for Wireless Access
1. From the IAS or RRAS console, select Remote Access Policies in the left-hand
column.
2. Select Action | New Remote Access Policy from the menu.
3. A welcome message is displayed. Click Next to continue.
4. The Policy Configuration Method dialog box is displayed. Select Use the wizard to
set up a typical policy and enter Wireless access in the policy name field. Click Next
to continue.
5. The Access Method dialog box is displayed. Select Wireless and click Next.
6. The User or Group Access dialog box is displayed. Select Group and click Add. Enter
Domain Admins and click OK, and then click Next.
7. You are prompted to choose an EAP type to allow. Select Smart card or other certificate and click Next.
8. A completion message is displayed. Click Finish to exit the wizard.
Multiple Wireless Access Points
You can support multiple WAPs for wireless access using RRAS or IAS for authentication. Because each access point covers only a limited area, it is common to have multiple WAPs. Keep the following considerations in mind when planning to deal with multiple WAPs:
• IAS authentication will enable all WAPs to use a central server for authentication.
• Each WAP will need to be added to the IAS server’s list of clients and configured to use RADIUS authentication.
• There are several variations of the 802.11 protocols and not all devices are compatible. Be sure all WAPs and clients support the same protocols.
Placing CA on VLAN for New Wireless Clients
Wireless clients typically use certificate-based authentication, either using the EAP-TLS protocol with a user certificate or using a certificate stored in a smart card. Each client also needs a computer certificate installed in order to use EAP-TLS authentication. You need to configure a certificate server to issue certificates to wireless clients.
For new clients that might not have a certificate already, one strategy is to create a virtual LAN (VLAN) and place a certification authority (CA) on the VLAN to issue certificates. You can use a remote access policy to restrict new wireless clients to this VLAN, so they will be unable to access other network resources, and to limit their connection time. After a client successfully connects to the VLAN and is issued a certificate, it can reconnect using the standard wireless access policy and gain full access.
Configuring WAPs as RADIUS Clients
For WAPs to use the IAS server for authentication, you must configure both ends:
• In the IAS MMC snap-in, add each WAP as a RADIUS client.
• In the WAP’s configuration, enable RADIUS authentication and specify the IAS server (or both servers, if you have a backup server configured).
How you configure the WAP varies depending on the hardware in use. Consult the documentation provided by the manufacturer to find out how to do this.
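What registering a WAP as a RADIUS client with a shared secret actually enforces is shown by this added Python model of one Access-Request and its response between a WAP and an IAS-style server. It is not code from the book or from IAS: the client list, the allowed-user set (standing in for the policy's group check), the usernames and the addresses are constructed, and the packet layout follows RFC 2865 (Response Authenticator) and RFC 3579 (Message-Authenticator on requests carrying EAP). The response's own Message-Authenticator is left out to keep the example short.

```python
"""RADIUS exchange between a WAP (RADIUS client) and an IAS-style server.
Added example, not from the book; packet layout per RFC 2865 / RFC 3579,
client list, users and addresses constructed."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, NAS_IP_ADDRESS, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 4, 79, 80

# The IAS "RADIUS Clients" list: NAS address -> shared secret (constructed values)
RADIUS_CLIENTS = {"192.168.1.10": b"wap1-shared-secret-constructed"}
# Stands in for the remote access policy's group check (constructed)
ALLOWED_USERS = {"alice@example.test"}


def encode_attrs(attrs):
    """Attributes are Type(1) Length(1) Value; Length counts the two header bytes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def parse_attrs(data):
    """Return (type, value, offset within the attribute area) for each attribute."""
    out, i = [], 0
    while i + 2 <= len(data):
        t, ln = data[i], data[i + 1]
        if ln < 2 or i + ln > len(data):
            raise ValueError("malformed attribute")
        out.append((t, data[i + 2:i + ln], i))
        i += ln
    return out


def packet(code, ident, authenticator, attrs_bytes):
    return struct.pack("!BBH", code, ident, 20 + len(attrs_bytes)) + authenticator + attrs_bytes


def wap_access_request(ident, username, nas_ip, secret):
    """WAP side: an EAP Response/Identity wrapped in an Access-Request.  RFC 3579
    requires Message-Authenticator, an HMAC-MD5 keyed with the shared secret over
    the whole packet with the attribute's own value zeroed."""
    req_auth = os.urandom(16)                         # Request Authenticator
    identity = username.encode()
    eap = struct.pack("!BBH", 2, 1, 5 + len(identity)) + b"\x01" + identity
    attrs = [(USER_NAME, identity), (NAS_IP_ADDRESS, socket.inet_aton(nas_ip)),
             (EAP_MESSAGE, eap)]
    zeroed = packet(ACCESS_REQUEST, ident, req_auth,
                    encode_attrs(attrs + [(MESSAGE_AUTHENTICATOR, bytes(16))]))
    mac = hmac.new(secret, zeroed, hashlib.md5).digest()
    req = packet(ACCESS_REQUEST, ident, req_auth,
                 encode_attrs(attrs + [(MESSAGE_AUTHENTICATOR, mac)]))
    return req, req_auth


def ias_handle(req, src_ip):
    """Server side.  Returns the response packet, or None when the request is
    silently discarded: unknown client, bad length, missing or bad Message-Authenticator."""
    secret = RADIUS_CLIENTS.get(src_ip)
    if secret is None or len(req) < 20:
        return None                                   # not a registered RADIUS client
    code, ident, length = struct.unpack("!BBH", req[:4])
    if code != ACCESS_REQUEST or length != len(req):
        return None
    req_auth = req[4:20]
    try:
        attrs = parse_attrs(req[20:])
    except ValueError:
        return None
    macs = [(v, off) for t, v, off in attrs if t == MESSAGE_AUTHENTICATOR]
    if len(macs) != 1 or len(macs[0][0]) != 16:
        return None
    mac, off = macs[0]
    zeroed = req[:20 + off + 2] + bytes(16) + req[20 + off + 18:]
    if not hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), mac):
        return None                                   # wrong secret, forged or tampered
    user = next((v.decode() for t, v, _ in attrs if t == USER_NAME), "")
    code = ACCESS_ACCEPT if user in ALLOWED_USERS else ACCESS_REJECT
    eap_result = struct.pack("!BBH", 3 if code == ACCESS_ACCEPT else 4, 1, 4)  # EAP Success/Failure
    resp_attrs = encode_attrs([(EAP_MESSAGE, eap_result)])
    head = struct.pack("!BBH", code, ident, 20 + len(resp_attrs))
    # Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret)  (RFC 2865)
    resp_auth = hashlib.md5(head + req_auth + resp_attrs + secret).digest()
    return head + resp_auth + resp_attrs


def wap_verify_response(resp, req_auth, secret):
    """WAP side: trust a response only if it was built with the shared secret for this request."""
    head, resp_auth, attrs = resp[:4], resp[4:20], resp[20:]
    expected = hashlib.md5(head + req_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def exchange(username, nas_ip, secret, tamper=False):
    """Run one request/response; return 'accept', 'reject' or 'discarded'."""
    req, req_auth = wap_access_request(7, username, nas_ip, secret)
    if tamper:            # flip the first byte of User-Name after the MAC was computed
        req = req[:22] + bytes([req[22] ^ 0xFF]) + req[23:]
    resp = ias_handle(req, nas_ip)
    if resp is None or not wap_verify_response(resp, req_auth, secret):
        return "discarded"
    return "accept" if resp[0] == ACCESS_ACCEPT else "reject"
```

The two configuration steps above map onto the two checks in the code: a request from an address that is not in the client list is dropped before anything is parsed, and a request from a listed address whose Message-Authenticator was not keyed with that client's secret is dropped too, so a WAP configured with the wrong secret simply gets no answer, which is the symptom to look for when a newly added access point "cannot reach" the IAS server.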
Planning Remote Access Security
Windows Server 2003 includes a number of security features for remote access, including some new features that were not available in Windows 2000. When you plan a strategy for remote access security, you need to take several things into account:
• The functional levels of your domains
• The methods you will use for data encryption and authentication
• Whether you will use advanced security features such as callback security and smart cards
These items are discussed in the following sections.
Domain Functional Level
Domains hosted on Windows Server 2003 computers can have one of several different domain
functional levels. The functional level of your domain affects which remote access security features
you can use. Depending on your needs, you might need to raise the functional level of the domain
to take advantage of new security features.
Selecting Authentication Methods
When a user attempts to connect to a remote access server, one or more protocols are used for
authentication, verifying the user’s identity. After the user is authenticated, the RRAS server can
determine what resources the user is authorized to access.
When you configure a remote access server, you can select which authentication methods will be allowed. You should choose authentication methods based on their relative levels of security. Additionally, the methods you choose will depend on the client operating systems and the authentication methods they support.
Disallowing Password-Based Connections (PAP, SPAP, CHAP, MS-CHAP v1)
A number of the available authentication methods use simple user names and passwords for authentication. The simplest of these is PAP (Password Authentication Protocol). In PAP, the client transmits the user’s password as unencrypted text. To ensure a secure network, you should disable PAP and SPAP, a variation of the same protocol that is used by Shiva clients.
CHAP (Challenge Handshake Authentication Protocol) improves security by creating an encrypted challenge and enabling the client to create a response using the password. This avoids sending the password over the network. However, CHAP requires the server to store passwords using reversible encryption, and is therefore also considered insecure. MS-CHAP v1, Microsoft’s adaptation of CHAP, improves security but is superseded by the more secure version 2.
To ensure secure remote access, you should disable the less-secure authentication methods. You can use the following steps to disable password-based authentication.
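The difference between PAP and CHAP, and the reason both belong on the disable list, is visible in the credential math alone. This added Python sketch is not code from the book or from RRAS; it models only what crosses the wire and what the server must keep on file for each protocol, using a constructed account. CHAP's response is MD5 over the identifier, the secret and the challenge, as in RFC 1994, which is exactly why the server needs a reversibly encrypted copy of the password rather than a one-way hash.

```python
"""PAP versus CHAP: what an observer sees on the link and what the server must
store.  Added example, not from the book; the account is constructed."""
import hashlib
import hmac
import os

# What the server keeps on file.  CHAP verification recomputes MD5 over the
# plaintext, so a reversibly encrypted (here: plain) password is unavoidable.
PLAINTEXT_STORE = {"alice": b"correct horse battery"}        # constructed account


def pap_authenticate_request(username, password):
    """PAP: the Authenticate-Request simply carries the credentials (RFC 1334)."""
    return {"user": username, "password": password}


def pap_server_check(msg):
    stored = PLAINTEXT_STORE.get(msg["user"])
    return stored is not None and hmac.compare_digest(stored, msg["password"])


def chap_challenge():
    """Server picks a fresh random challenge per attempt, so responses cannot be reused."""
    return os.urandom(16)


def chap_response(ident, password, challenge):
    """CHAP-MD5: Response = MD5(Identifier || secret || Challenge) (RFC 1994)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def chap_server_check(username, ident, challenge, response):
    stored = PLAINTEXT_STORE.get(username)     # the server needs the plaintext here
    if stored is None:
        return False
    return hmac.compare_digest(chap_response(ident, stored, challenge), response)


def on_the_wire(protocol, username, password):
    """Run one authentication; return (what a passive observer sees, server verdict)."""
    if protocol == "PAP":
        msg = pap_authenticate_request(username, password)
        return msg, pap_server_check(msg)
    ident, challenge = 1, chap_challenge()
    resp = chap_response(ident, password, challenge)
    observed = {"user": username, "challenge": challenge.hex(), "response": resp.hex()}
    return observed, chap_server_check(username, ident, challenge, resp)


def password_exposed(observed, password):
    """Does the captured exchange contain the password verbatim?"""
    return password in observed.values()


if __name__ == "__main__":
    pw = PLAINTEXT_STORE["alice"]
    for proto in ("PAP", "CHAP"):
        seen, ok = on_the_wire(proto, "alice", pw)
        print(proto, "accepted:", ok, "password on the wire:", password_exposed(seen, pw))
```

PAP passes and leaks the password in the same message; CHAP passes without the password appearing, but only because the server could rebuild the MD5 from a stored plaintext, which is the "reversible encryption" requirement the text flags. MS-CHAP v2 and EAP-TLS, the methods left enabled by the procedure that follows, avoid both problems.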
Disable Password-Based Authentication Methods
1. From the Start menu, select Programs | Administrative Tools | Routing and
Remote Access.
2. Highlight the RRAS server name in the left-hand column.
3. Select Action | Properties from the menu.
4. The Properties dialog box is displayed. Click the Security tab.
5. The Security properties are displayed. Click the Authentication Methods button.
6. The Authentication Methods dialog box is displayed. Uncheck the box next to Microsoft
encrypted authentication (MS-CHAP).
7. Uncheck the box for Encrypted authentication (CHAP).
8. Uncheck the boxes next to Shiva Password Authentication Protocol (SPAP) and
Unencrypted password (PAP).
9. Click OK to exit the Authentication Methods dialog box, and then click OK to exit the
Properties dialog box and save the changes.
Using RADIUS/IAS vs. Windows Authentication
Windows Server 2003 supports RADIUS, an Internet standard for a centralized server to handle a network’s authentication and accounting needs. Internet Authentication Service (IAS) is Microsoft’s implementation of a RADIUS server, and is included with Windows Server 2003 but is not installed by default. You can install it through the Add/Remove Programs applet in Control Panel as a Windows component. We’ll walk through the steps for setting up an IAS server at the end of this chapter. When you configure an RRAS server, you can choose one of two authentication methods: