MCSE Exam 70-293: Planning and Maintaining a Windows Server 2003 Network Infrastructure, part 4


www.syngress.com
Planning, Implementing, and Maintaining a Routing Strategy • Chapter 4 285
Self Test Quick Answer Key
For complete questions, answers, and explanations to the Self Test questions in this
chapter as well as the other chapters in this book, see the Self Test Appendix.
1. C, D
2. C
3. C
4. B
5. D
6. C
7. A
8. C
9. A, B, D
10. C
11. C
12. B
13. A, C
14. B
15. C
255_70_293_ch04.qxd 9/9/03 5:17 PM Page 285
Chapter 5
MCSE 70-293
Planning, Implementing, and Maintaining an Internet Connectivity Strategy
Exam Objectives in this chapter:
2 Planning, Implementing, and Maintaining a Network Infrastructure
2.3 Plan an Internet connectivity strategy
2.5 Troubleshoot connectivity to the Internet.
2.5.1 Diagnose and resolve issues related to Network Address Translation (NAT).
■ Summary of Exam Objectives
■ Exam Objectives Fast Track
■ Exam Objectives Frequently Asked Questions
■ Self Test
■ Self Test Quick Answer Key
Introduction
Internet connectivity is no longer a luxury for most businesses; it is a necessity. Employees
use the Internet to exchange e-mail with clients, suppliers, and co-workers in other physical
locations; to conduct research via the Web; and to remotely access the local area network
(LAN) from home or when on the road. Creating an effective policy for implementing and
managing the organization’s Internet connections is an important part of the Windows
Server 2003 network administrator’s job.
This chapter is about how to develop the best strategy for connecting your company’s Windows Server 2003 network to the Internet. We’ll discuss connecting the LAN to the Internet using routed connections or translated connections (via Internet Connection Sharing or the Routing and Remote Access Service’s Network Address Translation component). You’ll learn how to use both Internet-based virtual private networks (VPNs) and router-to-router VPNs to provide connectivity to the company’s LAN from remote locations or to connect two branch offices. We’ll discuss the intricacies of demand-dial/on-demand connections and persistent connections, and explain the difference between one-way and two-way initiation. We’ll also show you how to use Remote Access Policies to control VPN connections, and we’ll discuss VPN protocols supported by Windows Server 2003 and how to make VPN connections using either the Point-to-Point Tunneling Protocol (PPTP) or the Layer 2 Tunneling Protocol (L2TP). You’ll learn about VPN security and the authentication and encryption protocols that make your virtual network private.
Next, we’ll take a look at the Internet Authentication Service (IAS) and how it can provide centralized user authentication and authorization, centralized auditing and accounting, and extensibility and scalability. You’ll learn about IAS integration with Windows Server 2003 Remote Access and Routing Service (RRAS), and how to control authentication via Remote Access Policies. We’ll show you how to use the IAS Microsoft Management Console (MMC) snap-in and how to implement monitoring of IAS, and we’ll discuss the use of the IAS Software Development Kit (SDK). Then we’ll delve a little deeper into the IAS authentication methods and discuss Remote Authentication Dial-In User Service (RADIUS) access server support, wireless access points (WAPs), and authenticating switches.
In the next section, we’ll walk you through the process of using the Connection Manager Administration Kit (CMAK) to create service profiles, custom actions, and custom help files, as well as VPN support, to make it easier for nontechnical users to connect remotely without needing to do complex configuration. We’ll talk about security issues pertaining to Connection Manager, and show you how to prevent editing of service profile files, how to prevent users from saving their passwords, and how to distribute service profiles securely.
Connecting the LAN to the Internet
You can connect a Windows Server 2003 network to the Internet in two basic ways:
■ Using a router to directly route traffic to and from the Internet
■ Using a translation service to convert traffic from an internal network to Internet
traffic
The following sections discuss the advantages and disadvantages of these methods.
Routed Connections

The traditional method of connecting a network to the Internet is to use a router to route traffic between the external network and your local network. The advantages of this approach are that it is easy to configure, requiring only simple hardware setup, and that it allows full Internet access for all machines on the local network segment. It also allows all machines on the network to provide services to the Internet.
Routed connections have two chief disadvantages. First, every machine on the local network is reachable from anywhere on the Internet. This is rarely necessary and creates a large number of potential security problems. Second, a separate Internet IP address is required for each machine that can access the Internet. Since IP addresses are scarce and are issued only to networks that can prove a need for them, this is not the most efficient approach.
Advantages of Routed Connections
Although translated connections are becoming increasingly popular, routed connections do
have a number of advantages:
■ Since each client is connected to the Internet through the router, clients can connect even if the local network servers are not working.
■ Some Internet clients, such as multimedia applications and games, do not work correctly over a translated connection.
■ Each machine has a dedicated Internet IP address and can be used for services such as File Transfer Protocol (FTP) and Domain Name System (DNS) that require a unique IP address per host.
Hardware and Software Routers
A routed connection uses a router, a device that transmits data between the internal network and the Internet. There are two types of routers:
■ A hardware router is a dedicated device. Hardware routers provide a simple “out-of-the-box” solution for Internet connections.
■ A software router runs as a service on one of the computers on the network. The Routing and Remote Access Service (RRAS) in Windows Server 2003 allows a computer to act as a router.
In order to use a computer as a software router, it must have two network connections: one to the internal network (LAN) and one to the external network (the Internet). Microsoft sometimes refers to a computer with two network connections as a multihomed computer.
IP Addressing for Routed Connections
When you are using a routed connection to the Internet, each machine on the internal network will need a valid Internet IP address. IP addresses are managed by a central authority, the American Registry for Internet Numbers (ARIN). You will typically obtain IP addresses from an Internet Service Provider (ISP), which has obtained a block of addresses from ARIN for use by its clients.
Once you have been issued one or more IP addresses, you can assign them to the computers in the network. There are two basic ways to accomplish this:
■ By manually configuring an IP address in each computer’s network connection properties
■ By using the Dynamic Host Configuration Protocol (DHCP) to assign addresses
Using DHCP, you can define the IP addresses you have been issued in the DHCP server, and clients are automatically assigned, or leased, an address when they are booted. If a client disconnects from the network, its lease is terminated after a timeout period and the address becomes available to other computers.
TEST DAY TIP
Any Windows Server 2003 (or Windows 2000 Server) computer can act as a DHCP server. To configure DHCP, select Start | Administrative Tools | Configure Your Server Wizard and enable the DHCP Server role.
Translated Connections
The second strategy is to use a service that translates between internal IP addresses and
external addresses used on the Internet. By using this technique, you can enable Internet
access for many computers using a single Internet IP address. Along with conserving address
space, address translation ensures that your computers are not accessible directly from the
Internet, effectively preventing many types of network attacks.
Network Address Translation (NAT) is an Internet standard defined in RFC 1631 for systems that translate between internal and external network addresses. Windows networks support two types of NAT service:
■ Network address translation (NAT) is a full-featured NAT implementation supported by Windows 2000 Server and Windows Server 2003.
■ Internet Connection Sharing (ICS) is a simplified NAT implementation for small networks, and is supported by Windows 98 Second Edition, Windows Me, Windows XP, and Windows 2000 Professional.
When you configure the NAT or ICS service, the computer that acts as the NAT server must have at least two network connections: a connection to the Internet (typically a modem or broadband connection) and a connection to the LAN containing the computers that will share the Internet connection.
Network Address Translation (NAT)
NAT is Microsoft’s full-featured address translation feature. When you access the Internet on a network that uses a NAT server, outgoing packets are sent to the NAT server, which changes their originating address and forwards them to the Internet. The returned packets are delivered to the NAT server. The server then translates the packets to internal IP addressing and sends them to the machine that made the original request.
The Windows Server 2003 NAT server actually supports three separate services:
■ NAT, the address translation service
■ DHCP for assigning IP addresses to clients that are sharing the Internet connection
■ DNS for name resolution
Depending on your network configuration, you might not need the NAT server to handle address assignment or name resolution. You can choose whether to use these components when you configure the NAT server. If you have dedicated DHCP or DNS servers on the network, you can continue to use them with NAT. (The DNS service forwards requests to an Internet DNS server and returns the results to the appropriate client within the private network.)
Installing the NAT Service
NAT is part of the RRAS component of Windows Server 2003. RRAS is installed with Windows Server 2003 but is not enabled by default. You can enable this service using the Manage Your Server application that is launched when you install the operating system or by using the Routing and Remote Access MMC snap-in. Windows Server 2003 includes a wizard that can enable RRAS and set up a NAT server. Exercise 5.01 shows how to configure NAT using the wizard.
TEST DAY TIP
Remember that you need at least two network interfaces on the NAT server: one
connected to the private network, usually a LAN adapter, and one connected to
the Internet. You can configure a demand-dial Internet connection (if you’re using
a modem or ISDN dial-up instead of an “always-on” connection to the Internet)
during the NAT server setup process.
You can also configure NAT manually using the Routing and Remote Access MMC snap-in. This is the only way to configure a NAT server on a machine that already has RRAS enabled. RRAS can perform NAT along with its other functions, which include acting as a network router or accepting dial-up network connections.
EXERCISE 5.01
INSTALLING NAT USING THE WIZARD
You can install NAT on a Windows Server 2003 server that does not yet have
RRAS enabled using the Routing and Remote Access Server Setup Wizard. This
exercise guides you through the process of setting up a basic NAT server using
the Wizard.
1. Select Start | Administrative Tools | Routing and Remote Access to
start the RRAS MMC snap-in.
2. Click the RRAS server name (usually the current machine) in the left
column to highlight it.
3. From the menu, select Action | Configure and Enable Routing and
Remote Access.
4. The Wizard displays a Welcome window. Click Next to continue.
5. The Configuration window appears. Select the Network address
translation (NAT) option, as shown in Figure 5.1, and click Next.
6. The NAT Internet Connection window is displayed. Here, you can
choose how the NAT server will connect to the Internet. Choose either
Use this public interface to connect to the Internet or Create a new
demand-dial interface to the Internet.
7. You can optionally choose to enable basic security for the Internet
interface by checking the Enable security on the selected interface
by setting up Basic Firewall option. This option is enabled by default.
8. Click Next to continue.
9. The Ready to Apply Selections window is displayed. Click Next to start the RRAS service.
If you chose to create a new demand-dial interface in Step 6, the Demand-
Dial Interface Wizard will guide you through this process. This Wizard is
described in Exercise 5.04, later in this chapter. Otherwise, you are returned to
the Routing and Remote Access MMC snap-in, and you can now manage the
NAT service as described in the next section.
Figure 5.1 Select NAT from the RRAS Wizard
Managing NAT
After you have enabled RRAS and set up a NAT server, you can manage the server from the Routing and Remote Access MMC snap-in. Select the server and select Action | Properties to display the Properties dialog box. Select the IP tab within this dialog to display the IP properties, shown in Figure 5.2. This page allows you to manage the address assignment feature of NAT. The NAT server can assign IP addresses in one of two ways:
■ Select Dynamic Host Configuration Protocol (DHCP) to use an existing DHCP server to handle addressing.
■ Select Static address pool to explicitly list the IP addresses this server can assign to clients. Once you have selected this option, you can use the Add, Edit, and Remove options to create a list of one or more IP address ranges for the address pool.
The IP properties tab also includes an option to manage the name resolution feature of NAT. Select the Enable broadcast name resolution option if you do not have a DNS or Windows Internet Name Service (WINS) server on the network to handle name resolution. If this option is selected, the RRAS server uses network broadcasts to resolve names. This eliminates the need for a dedicated name server on single-subnet Windows-based networks.
Figure 5.2 The IP Properties for an RRAS Server
TEST DAY TIP
If you are not using broadcast name resolution, the NAT server needs to know the
IP address of a DNS or WINS server to complete resolution requests. These server
addresses are not part of the RRAS configuration. You must specify them using the
Properties dialog box for the network interface.
Configuring a NAT Connection
You can also manage the settings for a NAT interface from the Routing and Remote Access console. To access these settings, select the NAT/Basic Firewall entry under IP routing in the left column, and then select Action | Properties from the menu. The Properties dialog box is divided into four tabbed sections:
■ NAT / Basic Firewall On this tab, shown in Figure 5.3, you can enable or disable NAT for the connection. You can also enable a basic firewall, which prevents unauthorized traffic from the Internet from reaching the internal network. You can also use the Inbound Filters and Outbound Filters buttons to define IP filters to further secure the connection.
■ Address Pool Allows you to define the Internet addresses that will be used by the NAT server. Don’t confuse this with the pool of private addresses the server can assign to clients. At least one Internet address must be included here. You can also use the Reservations button to define an external address that always reaches the same internal client machine. This is useful if you need to run a Web server or other service and make it accessible over the Internet.
■ Services and Ports Allows you to enable various services, such as FTP and Simple Mail Transfer Protocol (SMTP), that will be accessible to Internet users, and define the internal machines these packets will be routed to.
■ ICMP Allows you to enable various types of diagnostic packets. These may be needed if you wish the NAT server to respond to PING or Traceroute diagnostics.
How NAT Works
NAT transparently handles translation, so clients do not need to be aware that NAT is in use. Instead, they are configured with the NAT server’s address as their default gateway. When a client sends an outgoing packet, it is sent to the NAT server. The NAT server receives the packet and performs the following tasks:
■ The packet’s destination address and port are stored in an entry in the NAT table, along with the internal address from which the packet originated.
■ The packet’s source address is changed to the NAT server’s address, and a random port number is assigned.
■ The packet is sent over the Internet.
■ When the remote server responds, the response is sent to the NAT server at the port number previously assigned. The NAT server consults the NAT table to determine which client requested the response, edits the packet to use the client’s internal IP address as its destination, and sends it to the internal network.
Figure 5.3 NAT Properties
Some Internet protocols, such as FTP, store addressing information within the packet itself, which would not normally work with NAT. The NAT server uses a NAT editor to modify the addresses for these protocols. Windows Server 2003 includes editors for several protocols. Keep in mind that some protocols may not be supported across the NAT server.
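The translation steps listed in “How NAT Works”, together with the static mappings that the Services and Ports tab and the Reservations button provide, as an added Python model. This is example code written for this edit, not code from the book and not how Windows implements NAT: the NatServer class keeps the NAT table keyed by the public port, rewrites outbound packets, reverses the rewrite for replies that match a table entry, forwards a published service port to an internal host, and drops everything else arriving from the Internet, which is the effect of the Basic Firewall option chosen in Exercise 5.01. The Packet and NatServer names, the address ranges and the ports are all constructed for the example.

```python
"""Added example (not from the book): a minimal model of a NAT table."""
from dataclasses import dataclass
import random


@dataclass(frozen=True)
class Packet:
    """A header reduced to the fields NAT rewrites. Constructed for the example."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str = ""


class NatServer:
    """Models the NAT table and rewrite rules described in 'How NAT Works'."""

    def __init__(self, public_ip, port_range=(49152, 65535), seed=None):
        self.public_ip = public_ip
        self._rng = random.Random(seed)
        self._lo, self._hi = port_range
        # Dynamic entries: public port -> (client ip, client port, remote ip, remote port)
        self.table = {}
        # Static entries (Services and Ports / Reservations): public port -> (internal ip, port)
        self.services = {}

    def add_service(self, external_port, internal_ip, internal_port):
        """Publish an internal service, e.g. external 119 -> the internal NNTP host."""
        self.services[external_port] = (internal_ip, internal_port)

    def _assign_port(self):
        # The text says the server assigns a random port; pick one that is not in use.
        for _ in range(10000):
            port = self._rng.randint(self._lo, self._hi)
            if port not in self.table and port not in self.services:
                return port
        raise RuntimeError("no free NAT port")

    def outbound(self, pkt):
        """LAN -> Internet: record the flow and rewrite the source to the public address."""
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for public_port, entry in self.table.items():
            if entry == flow:  # an existing connection keeps the port it was given
                break
        else:
            public_port = self._assign_port()
            self.table[public_port] = flow
        return Packet(self.public_ip, public_port, pkt.dst_ip, pkt.dst_port, pkt.payload)

    def inbound(self, pkt):
        """Internet -> LAN: return the rewritten packet, or None if it is dropped."""
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self.table.get(pkt.dst_port)
        if entry is not None:
            client_ip, client_port, remote_ip, remote_port = entry
            # Only the host the client actually contacted may use this table entry.
            if (pkt.src_ip, pkt.src_port) == (remote_ip, remote_port):
                return Packet(pkt.src_ip, pkt.src_port, client_ip, client_port, pkt.payload)
            return None
        if pkt.dst_port in self.services:
            internal_ip, internal_port = self.services[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, internal_ip, internal_port, pkt.payload)
        return None  # unsolicited: no table entry and no published service


if __name__ == "__main__":
    nat = NatServer("203.0.113.5", seed=1)
    nat.add_service(119, "192.168.0.20", 119)  # the NNTP entry from Exercise 5.02
    out = nat.outbound(Packet("192.168.0.10", 1025, "198.51.100.80", 80, "GET /"))
    print("outbound rewritten to", out.src_ip, out.src_port)
    reply = nat.inbound(Packet("198.51.100.80", 80, "203.0.113.5", out.src_port, "200 OK"))
    print("reply delivered to", reply.dst_ip, reply.dst_port)
    print("unsolicited probe:", nat.inbound(Packet("198.51.100.99", 4444, "203.0.113.5", 22)))
    print("news client goes to", nat.inbound(Packet("198.51.100.7", 51000, "203.0.113.5", 119)).dst_ip)
```

The check on the reply’s source address in inbound is what keeps a table entry from being reused by an unrelated host; a real NAT editor for FTP would additionally rewrite addresses carried inside the payload, which this model leaves untouched.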
Internet Connection Sharing (ICS)
Internet Connection Sharing (ICS) is a simple implementation of a NAT server and is included with all versions of Windows 2000, Windows XP, and Windows Server 2003, as well as Windows 98 Second Edition and Windows Me. It is much easier to configure and use than the full NAT service. Although ICS supports the basic translation features of NAT, it has a couple of limitations:
■ ICS supports only a single Internet IP address and a single LAN connection. The full NAT service can connect any number of public IP addresses to multiple LANs.
■ ICS cannot be used on networks that have a DHCP or DNS server implemented.
TEST DAY TIP
You should use ICS only when you are not using the NAT feature on the server, or
when you are using an operating system for the NAT host, such as Windows XP,
that supports ICS but not the full NAT service.
Activating the ICS Service
ICS is included and installed automatically with all versions of Windows Server 2003 and Windows 98 Second Edition and later. This feature is disabled by default, but enabling it is a simple process.
To enable ICS, open the Properties dialog box for the network adapter that connects to the Internet and select the Advanced tab. The Advanced properties are displayed, as shown in Figure 5.4. To enable ICS, simply check the Allow other network users to connect through this computer’s Internet connection option. You can also optionally check the Establish a dial-up connection whenever a computer on the network attempts to access the Internet option for a dial-up Internet connection.
TEST DAY TIP
The ICS options are included only in the Advanced tab of the Properties dialog box for Internet connections. LAN connections, such as the default Local Area Connection, do not include this option, since they connect only to the local network. You will, however, find the Connection Sharing option in the Properties dialog box for VPN connections.
Figure 5.4 The Advanced Internet Provider Properties
Configuring Services
ICS is primarily a way for computers on your network to access Internet services, but it also allows you to configure services that are provided by a machine on your network and available via the Internet. When you use this option, incoming requests from the Internet are received by the ICS server and forwarded to whichever local machine is providing the service.
When ICS is enabled, you can click the Settings button in the Advanced tab of the Properties dialog box to configure the services available on your network and specify which client machines provide them. No services are enabled by default. The Services dialog box, shown in Figure 5.5, lists a number of common services and allows you to configure them or add additional services.
Whether you use one of the predefined services, such as an FTP server or a Telnet server, or configure a custom service, you need to specify which computer on the local network will provide the service. Exercise 5.02 demonstrates the process of adding a new service.
EXERCISE 5.02
ADDING A CUSTOM SERVICE
You need to add an entry for any service on your network that should be
accessible from outside the network. For example, the Network News Transfer
Protocol (NNTP) service is not included as one of the default options, so you
can add an entry for it. Follow these steps to add a custom service:
1. From the Network Connections window, right-click the Internet con-
nection you are sharing and click Properties.
2. Select the Advanced tab.

Figure 5.5 The Network Services That Internet Users Can Access
3. Ensure that the Allow other network users to connect through this
computer’s Internet connection is enabled and click Settings.
4. The Services dialog box is displayed. Click Add.
5. The Service Settings dialog is displayed. In the Description of service
text box, enter Net News Transfer Protocol, as shown in Figure 5.6.
6. In the Name or IP address text box, enter the machine name or IP
address for the local machine providing the service.
7. In the External port number for this service text box, enter 119.
8. In the Internal port number for this service text box, also enter 119.
9. Click OK.
10. You are returned to the Services dialog box, and the new service is
now listed. Click OK to return to the Properties dialog box.
Figure 5.6 Service Settings
Implementing Virtual Private Networks (VPNs)
Traditionally, when you are setting up a private network that spans multiple locations, you use one or more private wide area network (WAN) links to connect the locations (for example, T1 lines). While this provides secure high-speed communication between the locations, it is also relatively expensive. A VPN eliminates the need for dedicated WAN links by taking advantage of readily available connections to the public Internet.
A VPN is defined as a private network that uses virtual links through a public network rather than dedicated WAN links. These virtual connections use a technology called tunneling to encrypt private data and encapsulate it in packets to be transmitted over the public network.
Windows Server 2003 includes VPN functionality as part of RRAS. You can configure a Windows Server 2003 machine to act as a VPN server, which manages the VPN connections between clients or networks.
TEST DAY TIP
One advantage of using a VPN connection, rather than a dedicated leased line, is
that the VPN connection is flexible. For example, if you move a location, all that is
required to reconnect to the VPN is an Internet connection of any type.
Internet-based VPNs
One common use for a VPN server is to allow clients to remotely access the network. For example, you might have employees who work from home or who need network access from their laptops while on the road. Traditionally, this would require a pool of modems and a dial-up RRAS server, or a dedicated WAN link. With a VPN, since remote clients often have Internet connectivity, you can configure a VPN server to accept connections from these clients over the Internet. This provides them with a secure connection to the network without the need for modems or phone lines, and it often saves money, since a client can use a low-cost ISP with a local phone number rather than making a long-distance call.
NOTE
Microsoft refers to a VPN connection used for remote access as an Internet-based
VPN. This is also known as a client-server VPN connection. The other type is a
router-to-router connection. Although both types use the Internet for connectivity,
Internet-based VPN refers to client-server connections.
How Internet-based VPNs Work
Figure 5.7 shows how a typical Internet-based VPN works. The remote client connects to the public Internet and uses VPN client software to initiate a connection with the VPN server. Communications for the VPN are encrypted and encapsulated into packets sent over the Internet.
Configuring Internet-based VPNs
RRAS supports the protocols needed for a VPN. You can configure these individually or use the RRAS Setup Wizard to configure a VPN server. Exercise 5.03 guides you through the process of configuring a VPN server using the Wizard.
EXERCISE 5.03
CONFIGURING A VPN SERVER USING THE WIZARD
If you have not yet configured RRAS on a server, you can use the Routing and
Remote Access Server Setup Wizard to configure the server with the basic
options for a VPN server.
NOTE
If you have previously configured the server to use RRAS, in order to perform this
exercise you will need to first disable it. To do so, right-click the RRAS server name
in the left console panel of the Routing and Remote Access MMC and select
Disable Routing and Remote Access.
Follow these steps to configure the VPN server:
1. Select Start | Programs | Administrative Tools | Routing and
Remote Access to start the Routing and Remote Access MMC snap-in.
2. Click the RRAS server name (usually the current machine) in the left
column to highlight it.
3. From the menu, select Action | Configure and Enable Routing and
Remote Access.
4. The Routing and Remote Access Server Setup Wizard displays a
Welcome window. Click Next to continue.
Figure 5.7 Communications in an Internet-based VPN (diagram: Client, Encrypted Tunnel across the Internet, Server)
5. The Configuration window appears (see Figure 5.1, earlier in the
chapter). Select Virtual Private Network (VPN) access and NAT from
the list and click Next.
6. The Wizard displays a final confirmation window, as shown in Figure
5.8. Click Finish to enable the RRAS and VPN features.
7. A dialog box asks whether you wish to start the RRAS service at this
time. Click Yes.
Windows Server 2003 next starts the RRAS service and can accept VPN con-
nections. You are returned to the Routing and Remote Access MMC snap-in,
where you can customize the settings for the VPN server.
Figure 5.8 Completing the Routing and Remote Access Server Setup Wizard
Router-to-Router VPNs
While an Internet-based VPN provides easy remote access for individual clients, you can also configure a larger-scale VPN to connect two geographically separated LANs. A router-to-router VPN requires an Internet connection for each LAN, and it encapsulates traffic on the Internet to create a virtual WAN between the locations.
A router-to-router VPN can either use demand-dial connections, creating the VPN only when it is required for traffic between the networks, or persistent connections for an always-on VPN. In either case, it can save money, since Internet connectivity is usually available at a lower cost than a dedicated WAN link between geographically separated sites. The longer the distance, the more money you are likely to save.
On Demand/Demand-Dial Connections
A demand-dial connection is often the most practical choice for small remote sites that only occasionally require VPN connectivity. RRAS supports one or more demand-dial connections. You can configure a connection using the Network Interfaces node in the RRAS MMC snap-in. Exercise 5.04 demonstrates how to add a new demand-dial interface.
EXERCISE 5.04
CONFIGURING A DEMAND-DIAL INTERFACE
You can add a new demand-dial interface on any RRAS computer that has
RRAS configured. If you have not yet configured and enabled RRAS, see the
instructions earlier in this chapter. Follow these steps to create a new demand-
dial interface:
1. From the Routing and Remote Access MMC snap-in, right-click the
Network Interfaces item in the left column and select New Demand-
dial Interface.
2. The Demand-Dial Interface Wizard displays an introductory message.
Click Next to continue.
3. You are prompted for a name for the new interface, as shown in Figure
5.9. Enter the name and click Next.
Figure 5.9 Enter a Name for the Demand-Dial Interface
4. The Connection Type window appears. Select Connect using virtual
private networking (VPN) and click Next.
5. The VPN Type window is displayed. You can choose one of the VPN protocols (described in the “VPN Protocols” section later in this chapter). Select Automatic selection and click Next.
6. You are prompted for the host name or IP address of the remote
router. Enter an address or name and click Next.
7. The Protocols and Security window is displayed, as shown in Figure
5.10. Enable the Route IP packets on this interface option and click
Next.
8. The Static Routes for Remote Networks window is displayed. Click
Add to add a static route. Specify a destination address and subnet
mask, and then click OK.
9. Click Next to continue.
10. The Dial Out Credentials window is displayed. Enter a username,
domain name, and password to connect to the remote network, and
then click Next.
11. The Wizard displays a completion message. Click Finish to complete the
configuration of the demand-dial interface.
Figure 5.10 Choose Protocols and Security Options
After you have completed this process, the new interface you created is
listed in the Network Interfaces section of the Routing and Remote Access
MMC snap-in. You can select this entry and open its Properties dialog box to
change the configuration.
One-Way versus Two-Way Initiation
You can configure a demand-dial VPN with either one-way or two-way initiation:
■ In one-way initiation, one VPN server is configured to accept demand-dial con-
nections, and the other initiates the connection.
■ In two-way initiation, both VPN servers are configured to accept connections.
Whenever a client of one server requires access to the VPN, it initiates a connection
to the other server.
Persistent Connections
Instead of using a demand-dial connection, a VPN server can use a persistent (always-on)
connection to the Internet, such as an existing Digital Subscriber Line (DSL) connection. If
the computer you are using as the VPN server is configured to use this type of Internet
connection, it can be made available to VPN clients. To create a new persistent connection,
select Start | Control Panel | Network Connections | New Connection Wizard.
Remote-Access Policies
You can secure a demand-dial connection in the same way that you secure a connection for
a remote user. The calling router requires a user account on the VPN server. You can configure
this user account’s properties with the Allow Access option in the Dial-in properties
section to explicitly allow access, or if access is controlled through a Remote Access
Policy, the policy should grant the appropriate user remote access permissions. If you are
using RADIUS authentication (explained in the “Using Internet Authentication Service
(IAS)” section later in this chapter), the policy is configured on the RADIUS server rather
than on the RRAS server.
Each remote-access policy is associated with a dial-in profile, which allows you to configure
how the connection can be used. You can use the policy and profile settings to configure
the authentication methods allowed, the hours in which dialing out is allowed, and
other settings. These options are explained in detail in Chapter 7.
VPN Protocols
A VPN is created using a tunneling protocol. This is a standard communication protocol that
creates a tunnel through the public network and transmits private data in encrypted form.
This is accomplished using encapsulation, a process that encrypts each VPN packet, combines
it with a header to form a standard IP datagram, and sends it over the public network.
Windows Server 2003 supports two standard tunneling protocols: the Point-to-Point
Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP).
PPTP
PPTP is the oldest and most common VPN protocol. PPTP is based on the Point-to-Point
Protocol (PPP), which is typically used for dial-up connections. PPTP encapsulates PPP
frames into IP packets, encrypts the data, and transmits them over the Internet.
PPTP in Windows Server 2003 is based on the existing PPP infrastructure and supports
the same authentication methods as PPP, such as the Password Authentication Protocol
(PAP) and Microsoft Challenge Handshake Authentication Protocol (MS-CHAP). When a
higher-level authentication method is used, PPTP supports Microsoft Point-to-Point
Encryption (MPPE), a strong method of encrypting VPN traffic before allowing it to tra-
verse the public network.
L2TP
L2TP is a more recent tunneling protocol that offers additional features over PPTP. L2TP is
a generic tunneling protocol that can encapsulate packets of many types for transmission
over a network. Unlike PPTP, L2TP does not include encryption. Windows Server 2003 VPNs use
the IP Security protocol (IPSec) to encrypt data sent over an L2TP tunnel. This provides
end-to-end encryption and greater security than the MPPE encryption used with PPTP.
Refer to Chapter 7 for more details on tunneling protocols.
VPN Security
A VPN combines encapsulation with encryption to create a connection between two sys-
tems. Depending on the VPN tunneling protocol you use, one of two encryption protocols
is used to encrypt the data before it passes through the public network: MPPE or IPSec.
MPPE
MPPE is used with VPNs created by PPTP. MPPE provides encryption for the tunnel only;
it does not provide end-to-end encryption from the client to the VPN server. MPPE
requires that the client and server support either the MS-CHAP or Extensible
Authentication Protocol-Transport Layer Security (EAP-TLS) authentication method.
These methods are described in detail in the “Authentication Methods” section later in this
chapter.
IPSec
IPSec is an Internet standard for encrypted IP traffic. Since the L2TP tunneling protocol
does not include encryption by itself, IPSec is used to encrypt the data before it is encapsulated
across the tunnel. Unlike MPPE, IPSec does provide end-to-end encryption. You can
use IPSec over an established PPTP link to add end-to-end encryption.
TEST DAY TIP
IPSec also supports tunnel mode, a built-in ability to create a VPN tunnel without
the use of L2TP. This mode works only with router-to-router VPNs. It is an
advanced feature and is only necessary to support certain hardware that does not
support the standard PPTP or L2TP tunneling protocols.
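To make the protocol and port differences described in the VPN Protocols and VPN Security sections concrete, here is an added Python example (not code from the book or from Windows Server 2003) that classifies constructed IPv4 packets as PPTP control, PPTP data (GRE carrying PPP), L2TP, IPSec ESP or AH, or IKE, and records whether that protocol by itself encrypts the tunneled data on the wire. This is the information you need when you plan the filters on a firewall between two VPN routers, or when you read a capture taken on the public side of a tunnel. The sample packets and the RFC 5737 documentation addresses are constructed; the protocol numbers and ports are the standard ones.

```python
import socket
import struct

# IPv4 protocol numbers and well-known ports used by PPTP, L2TP and IPSec.
PROTO_TCP, PROTO_UDP, PROTO_GRE, PROTO_ESP, PROTO_AH = 6, 17, 47, 50, 51
PPTP_CONTROL_PORT = 1723        # PPTP control channel (TCP)
L2TP_PORT = 1701                # L2TP control and data (UDP)
IKE_PORT = 500                  # IPSec key exchange (UDP)
GRE_PPP_PROTOCOL_TYPE = 0x880B  # PPP frames inside enhanced GRE (PPTP data channel)


def build_ipv4(src, dst, proto, payload):
    """Constructed sample IPv4 header (no options, checksum left zero) plus payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def classify_vpn_packet(packet):
    """Identify which VPN protocol a raw IPv4 packet belongs to.

    Returns (label, encrypted_on_wire). The second value says whether the protocol
    itself protects the tunnelled data, i.e. whether a capture on the public
    network would expose the inner traffic.
    """
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    payload = packet[ihl:]
    if proto == PROTO_GRE:
        # Enhanced GRE (RFC 2637): 2 bytes flags/version, then 2 bytes protocol type.
        ptype = struct.unpack("!H", payload[2:4])[0]
        if ptype == GRE_PPP_PROTOCOL_TYPE:
            return "PPTP data (GRE carrying PPP)", "only if MPPE was negotiated"
        return "GRE (not PPTP)", "no"
    if proto == PROTO_ESP:
        return "IPSec ESP", "yes"
    if proto == PROTO_AH:
        return "IPSec AH", "no (integrity only)"
    if proto in (PROTO_TCP, PROTO_UDP):
        sport, dport = struct.unpack("!HH", payload[:4])
        ports = {sport, dport}
        if proto == PROTO_TCP and PPTP_CONTROL_PORT in ports:
            return "PPTP control (TCP 1723)", "no"
        if proto == PROTO_UDP and L2TP_PORT in ports:
            return "L2TP (UDP 1701)", "no: PPP is plaintext unless carried inside ESP"
        if proto == PROTO_UDP and IKE_PORT in ports:
            return "IKE (UDP 500)", "n/a (key exchange)"
    return "not a VPN protocol", "unknown"


def sample_packets():
    """Constructed packets between two VPN routers (RFC 5737 documentation addresses)."""
    a, b = "198.51.100.1", "203.0.113.1"
    tcp = struct.pack("!HHIIBBHHH", 40000, PPTP_CONTROL_PORT, 1, 0, 0x50, 0x02, 8192, 0, 0)
    gre = struct.pack("!HHHH", 0x3001, GRE_PPP_PROTOCOL_TYPE, 4, 1) + b"\xff\x03\x00\x21"
    udp_l2tp = struct.pack("!HHHH", L2TP_PORT, L2TP_PORT, 8 + 4, 0) + b"\x00\x02\x00\x00"
    esp = struct.pack("!II", 0x1234, 1) + b"\x00" * 8   # SPI, sequence number, ciphertext
    udp_ike = struct.pack("!HHHH", IKE_PORT, IKE_PORT, 8 + 4, 0) + b"\x00" * 4
    return {
        "pptp_control": build_ipv4(a, b, PROTO_TCP, tcp),
        "pptp_data": build_ipv4(a, b, PROTO_GRE, gre),
        "l2tp": build_ipv4(a, b, PROTO_UDP, udp_l2tp),
        "esp": build_ipv4(a, b, PROTO_ESP, esp),
        "ike": build_ipv4(a, b, PROTO_UDP, udp_ike),
    }


def firewall_summary(packets):
    """Map each sample to its protocol label, e.g. to list what a filter must allow."""
    return {name: classify_vpn_packet(pkt)[0] for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, pkt in sample_packets().items():
        label, encrypted = classify_vpn_packet(pkt)
        print(f"{name:13} {label:32} encrypted on wire: {encrypted}")
```

The practical point the output makes is that a PPTP site-to-site link needs TCP 1723 and IP protocol 47 opened in both directions, while L2TP/IPSec needs UDP 500 plus ESP (IP protocol 50); and that L2TP traffic seen without ESP around it is carrying PPP in the clear.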
Using Internet Authentication Service (IAS)
While basic RRAS security is sufficient for small networks, a larger enterprise often needs
a dedicated infrastructure for authentication. RADIUS is a standard for dedicated authenti-
cation servers. A RADIUS server provides centralized authentication and access control, and
it can also provide detailed accounting for the use of its services. RADIUS services can be
scaled to handle any enterprise’s authentication needs and extended with multiple authenti-
cation servers.
Windows Server 2003 includes Microsoft Internet Authentication Service (IAS), an
implementation of a RADIUS server. IAS supports authentication for Windows-based
clients, as well as for third-party clients that adhere to the RADIUS standard. IAS stores its
authentication information in Active Directory (AD), and you can manage it with Remote
Access Policies.
NOTE
For more detailed information about configuring IAS for specific uses, such as
wireless authentication, see Chapter 7.
Advantages of IAS
While IAS requires the use of an additional server component, it provides a number of
advantages over the standard methods of RRAS authentication. These advantages include
centralized authentication for users, auditing and accounting features, scalability, and seamless
integration with the existing features of RRAS.
Centralized User Authentication and Authorization
In the RADIUS standard, remote users do not connect directly to the RADIUS server.
Instead, they connect to a network access server (typically an RRAS server), which acts as a
RADIUS client, connecting to the IAS server and authenticating the user. This provides for
centralized authentication. Any number of RRAS servers can connect to the same IAS
server for authentication.
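The RADIUS exchange just described, as an added Python example (not the book's code and not Microsoft's implementation): the RRAS server acts as the RADIUS client and builds an Access-Request whose User-Password attribute is hidden under the shared secret, and the IAS side answers with an Access-Accept or Access-Reject whose Response Authenticator is computed over that same secret, both as specified in RFC 2865. The shared secret, user names and the in-memory user table are constructed stand-ins for the real configuration and for the Active Directory lookup IAS performs. The third exchange in demo() shows why an RRAS server and its IAS server must be configured with the same secret: a reply produced with a different secret fails verification at the client and is discarded.

```python
import hashlib
import hmac
import os
import socket
import struct

# RADIUS codes (RFC 2865) and the attribute types this example uses.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def _attribute(attr_type, value):
    """Encode one attribute as type, length, value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def parse_attributes(data):
    """Decode type/length/value attributes into a dict keyed by type."""
    attrs, pos = {}, 0
    while pos + 2 <= len(data):
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs[attr_type] = data[pos + 2:pos + length]
        pos += length
    return attrs


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], digest))
        out, prev = out + block, block
    return out


def unhide_password(hidden, secret, authenticator):
    """Reverse of hide_password, as the RADIUS server does it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        digest = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(x ^ y for x, y in zip(block, digest)), block
    return out.rstrip(b"\x00")


def build_access_request(identifier, secret, username, password, nas_ip):
    """RRAS (RADIUS client) side: the Access-Request forwarded to IAS."""
    request_authenticator = os.urandom(16)
    attrs = (_attribute(ATTR_USER_NAME, username)
             + _attribute(ATTR_USER_PASSWORD,
                          hide_password(password, secret, request_authenticator))
             + _attribute(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_authenticator + attrs


def ias_respond(request, secret, user_db):
    """IAS (RADIUS server) side: verify the credentials and sign the reply.

    user_db is a constructed stand-in for the Active Directory lookup IAS performs.
    """
    _code, identifier, length = struct.unpack("!BBH", request[:4])
    request_authenticator = request[4:20]
    attrs = parse_attributes(request[20:length])
    username = attrs.get(ATTR_USER_NAME, b"")
    password = unhide_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_authenticator)
    expected = user_db.get(username)
    ok = expected is not None and hmac.compare_digest(expected, password)
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    reply_attrs = b""  # a real IAS reply would carry policy attributes here
    header = struct.pack("!BBH", reply_code, identifier, 20 + len(reply_attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    response_authenticator = hashlib.md5(header + request_authenticator + reply_attrs + secret).digest()
    return header + response_authenticator + reply_attrs


def nas_verify_response(request, response, secret):
    """RRAS side: trust the reply only if its Response Authenticator proves the shared secret.

    Returns the reply code, or None when the identifier or the authenticator does not
    match (a secret mismatch between RRAS and IAS, or a reply not produced by IAS).
    """
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if identifier != request[1]:
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return None
    return code


def demo():
    """Three exchanges: good password, wrong password, and a mismatched shared secret."""
    secret = b"constructed-shared-secret"   # constructed, not a real configuration value
    users = {b"alice": b"correct horse"}     # constructed sample directory
    good = build_access_request(42, secret, b"alice", b"correct horse", "192.0.2.10")
    wrong = build_access_request(43, secret, b"alice", b"not the password", "192.0.2.10")
    return (
        nas_verify_response(good, ias_respond(good, secret, users), secret),
        nas_verify_response(wrong, ias_respond(wrong, secret, users), secret),
        nas_verify_response(good, ias_respond(good, b"other-secret", users), secret),
    )


if __name__ == "__main__":
    print(demo())  # (2, 3, None): Access-Accept, Access-Reject, reply discarded by the NAS
```

The User-Password hiding is an MD5-keyed XOR stream rather than strong encryption, which is a property of the RADIUS protocol itself and not something the chapter covers; it is the reason the strength of the shared secret and the protection of the path between the RRAS and IAS servers both matter.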
Centralized Auditing and Accounting
Along with authentication, IAS supports auditing features—tracking when the system is
used, when errors occur, and so on—and can keep a centralized record of usage of the
remote access or VPN servers. This record is stored in a log file, which you can import into
a database or analyze to determine traffic patterns or potential problems.
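As an added illustration of analyzing that log (example code, not part of the book), the Python below parses a few constructed lines laid out like the IAS database-compatible log format, summarizes accepts and rejects per user and per RRAS server, and flags accounts that were rejected repeatedly, which is the kind of pattern a centralized accounting record lets you spot across several remote-access servers at once. The column order in FIELDS is an assumption about the first thirteen columns of that format and should be checked against your own log files; the sample lines, host names and addresses are constructed.

```python
import csv
import io
from collections import defaultdict

# Assumed leading columns of the IAS database-compatible log format; verify this
# against your own log files before relying on the positions.
FIELDS = ["ComputerName", "ServiceName", "Record-Date", "Record-Time", "Packet-Type",
          "User-Name", "Fully-Qualified-User-Name", "Called-Station-ID",
          "Calling-Station-ID", "Callback-Number", "Framed-IP-Address",
          "NAS-Identifier", "NAS-IP-Address"]

# RADIUS packet types as they appear in the Packet-Type column.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCOUNTING_REQUEST = "1", "2", "3", "4"

# Constructed sample lines (not real IAS output): two RRAS servers, RRAS1 and RRAS2,
# forwarding authentication requests to one IAS server.
SAMPLE_LOG = """\
"IAS1","IAS",09/09/2003,10:15:01,1,"alice","CORP\\alice",,"203.0.113.5",,,"RRAS1","192.0.2.10"
"IAS1","IAS",09/09/2003,10:15:01,2,"alice","CORP\\alice",,"203.0.113.5",,"10.0.0.50","RRAS1","192.0.2.10"
"IAS1","IAS",09/09/2003,10:16:10,1,"bob","CORP\\bob",,"198.51.100.7",,,"RRAS2","192.0.2.11"
"IAS1","IAS",09/09/2003,10:16:10,3,"bob","CORP\\bob",,"198.51.100.7",,,"RRAS2","192.0.2.11"
"IAS1","IAS",09/09/2003,10:16:14,1,"bob","CORP\\bob",,"198.51.100.7",,,"RRAS2","192.0.2.11"
"IAS1","IAS",09/09/2003,10:16:14,3,"bob","CORP\\bob",,"198.51.100.7",,,"RRAS2","192.0.2.11"
"IAS1","IAS",09/09/2003,10:16:19,1,"bob","CORP\\bob",,"198.51.100.9",,,"RRAS2","192.0.2.11"
"IAS1","IAS",09/09/2003,10:16:19,3,"bob","CORP\\bob",,"198.51.100.9",,,"RRAS2","192.0.2.11"
"IAS1","IAS",09/09/2003,10:20:00,4,"alice","CORP\\alice",,"203.0.113.5",,"10.0.0.50","RRAS1","192.0.2.10"
"""


def parse_ias_log(text):
    """Turn log lines into dicts keyed by the names in FIELDS (extra columns are ignored)."""
    records = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < len(FIELDS):
            continue  # skip blank or truncated lines
        records.append(dict(zip(FIELDS, row)))
    return records


def summarize_auth(records):
    """Accept/reject counts per user, and reject counts per RRAS server (NAS)."""
    per_user = defaultdict(lambda: {"accept": 0, "reject": 0})
    per_nas = defaultdict(int)
    for rec in records:
        if rec["Packet-Type"] == ACCESS_ACCEPT:
            per_user[rec["User-Name"]]["accept"] += 1
        elif rec["Packet-Type"] == ACCESS_REJECT:
            per_user[rec["User-Name"]]["reject"] += 1
            per_nas[rec["NAS-IP-Address"]] += 1
    return dict(per_user), dict(per_nas)


def flag_repeated_rejects(records, threshold=3):
    """Users rejected at least `threshold` times, with the calling stations involved."""
    counts, stations = defaultdict(int), defaultdict(set)
    for rec in records:
        if rec["Packet-Type"] == ACCESS_REJECT:
            counts[rec["User-Name"]] += 1
            stations[rec["User-Name"]].add(rec["Calling-Station-ID"])
    return {user: sorted(stations[user]) for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    recs = parse_ias_log(SAMPLE_LOG)
    per_user, per_nas = summarize_auth(recs)
    print("per user:", per_user)
    print("rejects per NAS:", per_nas)
    print("repeated rejects:", flag_repeated_rejects(recs))
```

Because every RRAS server forwards its authentication to the same IAS server, the per-NAS counts show which remote-access server the failures arrive through, and the per-user view catches an account being tried from more than one calling station even when each RRAS server on its own saw only a few failures.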
RRAS Integration
IAS supports the same Remote Access Policy settings as RRAS. You can use these settings
on a simple RRAS server in a small network, and later add an IAS server, move the policies
to the IAS server, and configure one or more RRAS servers to authenticate using IAS.
When using IAS for authentication, RRAS servers no longer have their own Remote
Access Policies, since the IAS server manages a centralized policy.
Control via Remote-Access Policies
As with basic RRAS security, you can define remote-access policies to configure remote-access
security with IAS. You can define a single set of remote-access policies on the IAS
server, and they will be used by every RRAS server that uses IAS for authentication. This
centralized authentication allows you to quickly define policies for the entire enterprise
without the need to manage individual policies for each RRAS server.
Extensibility and Scalability
IAS provides an extensible architecture for authentication. While it provides only a small
advantage over traditional Windows authentication methods when used on a small network,
IAS excels in large enterprises because it provides centralized authentication. You can scale
from a single IAS server to multiple IAS servers interacting with multiple RRAS servers in
a global network. When you add a new RRAS server, you don’t need to configure its security
separately; simply configure it to use the existing IAS server for authentication.
IAS Management
To support IAS, you will need one or more IAS servers. You can install IAS on a domain
controller or member server. The server can be used for other components, such as RRAS,
but if the IAS server will be heavily used, you may wish to dedicate a server for this purpose.
You can use a single server or configure a second server to act as a backup. RRAS
servers that authenticate using IAS can contact the backup server if they are unable to reach
the primary server.
The IAS component is included with all editions of Windows Server 2003 except the
Web Edition. You can install IAS on a Windows Server 2003 computer using the