Contents
Overview 1
Introducing Routing and Remote Access 2
Designing a Functional Remote Access Solution 10
Securing a Remote Access Solution 26
Enhancing a Remote Access Design for Availability 33
Optimizing a Remote Access Design for Performance 40
Lab A: Designing a Remote Access Solution 44
Review 51
Module 9: Remote User Connectivity
Information in this document is subject to change without notice. The names of companies,
products, people, characters, and/or data mentioned herein are fictitious and are in no way intended
to represent any real individual, company, product, or event, unless otherwise noted. Complying
with all applicable copyright laws is the responsibility of the user. No part of this document may
be reproduced or transmitted in any form or by any means, electronic or mechanical, for any
purpose, without the express written permission of Microsoft Corporation. If, however, your only
means of access is electronic, permission to print one copy is hereby granted.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
© 2000 Microsoft Corporation. All rights reserved.
Microsoft, Active Directory, ActiveX, BackOffice, FrontPage, JScript, MS-DOS, NetMeeting,
PowerPoint, Visual Basic, Visual C++, Visual Studio, Win32, Windows, Windows Media,
Windows NT, are either registered trademarks or trademarks of Microsoft Corporation in the
U.S.A. and/or other countries/regions.
Project Lead: Don Thompson (Volt Technical)
Instructional Designers: Patrice Lewis (S&T OnSite), Renu Bhatt NIIT (USA) Inc.
Instructional Design Consultants: Paul Howard, Susan Greenberg
Program Managers: Jack Creasey, Doug Steen (Independent Contractor)
Technical Contributors: Thomas Lee, Bernie Kilshaw, Joe Davies
Graphic Artist: Kirsten Larson (S&T OnSite)
Editing Manager: Lynette Skinner
Editor: Kristen Heller (Wasser)
Copy Editor: Kaarin Dolliver (S&T Consulting)
Online Program Manager: Debbi Conger
Online Publications Manager: Arlo Emerson (Aditi)
Online Support: Eric Brandt (S&T Consulting)
Multimedia Development: Kelly Renner (Entex)
Test Leads: Sid Benevente, Keith Cotton
Test Developer: Greg Stemp (S&T OnSite)
Production Support: Lori Walker (S&T Consulting)
Manufacturing Manager: Rick Terek (S&T OnSite)
Manufacturing Support: Laura King (S&T OnSite)
Lead Product Manager, Development Services: Bo Galford
Lead Product Manager: Ken Rosen
Group Product Manager: Robert Stewart
Other product and company names mentioned herein may be the trademarks of their respective
owners.
Module 9: Remote User Connectivity iii
Instructor Notes
This module provides students with the information and decision-making experiences needed to design a remote access solution by using Routing and Remote Access. Students will make remote access technology decisions for a Microsoft® Windows® 2000 networking infrastructure based on the needs of the organization.
At the end of this module, students will be able to:
Recognize Routing and Remote Access as a solution for remote access.
Identify the design decisions that influence a functional remote access
solution.
Select appropriate strategies to secure remote access connections.
Select appropriate strategies to enhance remote access availability.
Select appropriate strategies to improve remote access performance.
Upon completion of the design lab, students will be able to design a remote
access solution by using Routing and Remote Access in a Windows 2000
environment.
Course Materials and Preparation
This section provides you with the required materials and preparation tasks that
are needed to teach this module.
Required Materials
To teach this module, you need the following materials:
Microsoft PowerPoint® file 1562B_09.ppt
Preparation Tasks
To prepare for this module:
Review the contents of this module.
Read any relevant information in the Windows 2000 Help files, the
Windows 2000 Resource Kit, or in documents provided on the Instructor
CD.
Read the relevant RFCs in the Windows 2000 Help files.
Review discussion material and be prepared to lead class discussions on the
topics.
Complete the lab and be prepared to elaborate beyond the solutions found
there.
Read the review questions and be prepared to elaborate beyond the answers
provided in the text.
Presentation: 90 Minutes
Lab: 30 Minutes
Module Strategy
Use the following strategy to present this module:
Introducing Routing and Remote Access
Routing and Remote Access supports dial-up connections for remote users
connecting to a private network. Providing a Routing and Remote Access
solution can reduce the dependence on service infrastructures and the
performance variability of the Internet.
In this section:
• Emphasize that identifying the number of dial-up clients, connection
technologies, client authentication and security requirements, and client
connection protocols is the first step in designing a Routing and Remote
Access solution.
• Introduce virtual private network (VPN) and explain how it enhances the
security of a Routing and Remote Access solution.
• Explain dial-up access and server interoperability as the main features of
Routing and Remote Access.
• Explain the benefits of integrating Routing and Remote Access with DHCP, WINS, DNS, Remote Authentication Dial-In User Service (RADIUS), and the Active Directory™ directory service.
Designing a Functional Remote Access Solution
To design a remote access solution based on Routing and Remote Access,
you must consider the network access requirements, the protocols required,
and server placement issues.
In this section:
• Explain that, to integrate remote access solutions into a local area
network (LAN) environment, security policies for dial-up clients,
concurrent sessions and multilinks, the aggregate throughput for clients,
and client configuration must be identified.
• Emphasize that selecting dial-up solutions, enabling supported protocols,
providing client-to-server connections, and providing demand-dial
router-to-router connections are the necessary tasks for integrating
remote access solutions into a routed environment.
• Emphasize that selecting dial-up or VPN-based servers, and providing
remote access client and router-to-router connections are the necessary
tasks for integrating VPN into a routed environment.
• Point out that Point-to-Point Tunneling Protocol (PPTP) and Layer Two
Tunneling Protocol (L2TP) are the two tunneling protocols supported by
Routing and Remote Access in Windows 2000 that provide
authentication and data encryption for creating VPN connections.
• Point out that the placement of VPN servers must be determined to
integrate VPN servers with the Internet.
• Describe the issues pertaining to the placement of remote access servers
on a network.
• Ensure that students understand the scenario description and directions
for the Discussion. Direct them to read through the scenario and answer
the questions. Be prepared to clarify if necessary. Lead a class
discussion on the students’ responses.
Securing a Remote Access Solution
Giving remote users access to intranet-based resources widens the attack surface of the network: every dial-up or VPN connection is a path into the intranet that did not exist before. An effective security configuration confirms the identity of the clients attempting to access the resources on the network, protects resources from unauthorized users, and provides an efficient way to set up and maintain security on the network.
In this section:
• Explain that Microsoft Challenge Handshake Authentication Protocol
(MS-CHAP), Microsoft Challenge Handshake Authentication Protocol
version 2 (MS-CHAP v2), Extensible Authentication Protocol-Transport
Level Security (EAP-TLS), CHAP, Shiva Password Authentication
Protocol (SPAP), and Password Authentication Protocol (PAP) are the
authentication protocols supported by Routing and Remote Access.
• Explain that Microsoft Point-to-Point Encryption (MPPE) and
L2TP/Internet Protocol Security (IPSec) are the appropriate encryption
methods supported by Routing and Remote Access.
• Explain access restricted by user, access restricted by a policy in a
Windows 2000 native-mode domain, and access restricted by a policy in
a Windows 2000 mixed-mode domain as the methods of ensuring
security with remote access policies.
• Describe how to secure the network resources by limiting access to the
remote access or VPN server.
• Describe how integration of Routing and Remote Access with RADIUS
can be used for authentication and accounting.
Enhancing a Remote Access Design for Availability
The availability of a remote access implementation design is measured by
the percentage of time users are able to obtain remote access to intranet-
based resources.
In this section:
• Point out that any design that requires high availability must include
more than one Routing and Remote Access or VPN server. Explain that
adding redundant remote access servers can create highly available
remote access services.
• Explain how RADIUS centralizes the administration of remote access
policies by configuring all remote access and VPN Servers to share a
common policy.
• Make sure that students understand the scenario description and
directions for the Discussion. Direct them to read through the scenario
and answer the questions. Be prepared to clarify if necessary. Lead a
class discussion on the students’ responses.
Optimizing a Remote Access Design for Performance
In a remote access or VPN solution, you must improve the performance of
individual servers, or share the load of servers by including additional
servers in the network design as the number of remote access clients
increases.
In this section:
• Explain that factors such as changes in client application usage, wide
area network (WAN) usage, and number of clients can affect the
performance of a remote access server. Emphasize that a possible
solution for performance degradation is to use multiple remote access
servers and distribute the client load across the servers.
• Explain that improving server performance, dedicating a server to
remote access and VPN servers, upgrading existing remote access and
VPN servers, and improving WAN and LAN connection performance
are the various methods of improving the performance of an individual
remote access server.
Lab Strategy
Use the following strategy to present this lab.
Lab A: Designing a Routing and Remote Access Solution
In the design lab, students will design a remote access solution based on
specific requirements outlined in the given scenario.
Students will review the scenario and the design requirements and read any
supporting materials. They will use this information, and the knowledge gained
from the module, to develop a detailed design by using Routing and Remote
Access as a solution.
To conduct the lab:
Read through the lab carefully, paying close attention to the instructions and
to the details of the scenario.
Consider dividing the class into teams of two or more students.
Present the lab and make sure students understand the instructions and the
purpose of the lab.
Direct students to use the planning worksheet to record their solutions.
Remind students to consider any functionality, security, availability, and
performance criteria provided in the scenario and how they will incorporate
strategies to meet these criteria in their design.
Allow some time to discuss the solutions after the lab is completed. A
solution is provided in your materials to assist you in reviewing the lab
results. Encourage students to critique each other’s solutions and to discuss
any ideas for improving their designs.
Overview
Introducing Routing and Remote Access
Designing a Functional Remote Access Solution
Securing a Remote Access Solution
Enhancing a Remote Access Design for Availability
Optimizing a Remote Access Design for Performance
An organization might allow dial-up clients and remote office locations to access its private network resources. The remote access features of Routing and Remote Access in Microsoft® Windows® 2000 provide secure, dial-up access to a network for remote access clients. The remote access clients connect remotely by using various protocols and connection types.
At the end of this module, you will be able to:
Recognize Routing and Remote Access as a solution for remote access.
Identify the design decisions that influence a functional remote access
solution.
Select appropriate strategies to secure remote access connections.
Select appropriate strategies to enhance remote access availability.
Select appropriate strategies to improve remote access performance.
Slide Objective: To provide an overview of the module topics and objectives.
Lead-in: In this module, you will develop a strategy for designing a remote access solution.
Introducing Routing and Remote Access
Design Decisions for a Remote Access Solution
VPN with Remote Access Solutions
Routing and Remote Access Features
Integration Benefits
Routing and Remote Access enables remote access clients to access corporate
networks as if they were directly connected to the corporate network. The
remote access clients connect to the network by using dial-up communication
links.
To design a remote access solution, you need to:
Identify the decisions influencing a remote access solution.
Describe the architectural elements of a virtual private network (VPN) in a
remote access networking strategy.
Identify the features offered by Routing and Remote Access so that you can
apply them successfully in the network design.
Identify the benefits of integrating Routing and Remote Access with other
Windows 2000 services.
Slide Objective: To introduce Routing and Remote Access as a solution for remote access.
Lead-in: To design a remote access solution, you must identify the client requirements and how Routing and Remote Access meets these requirements.
Design Decisions for a Remote Access Solution
Number of Dial-Up Clients?
Local or Network-Wide Resources?
Connection Technologies?
Client Authentication, Security, and Encryption?
Client Connection Protocols?
[Figure: a remote access client with an adapter or modem connects across a provider network (PSTN, X.25, or ISDN) to an adapter or modem on the remote access server, which in turn is attached to the intranet.]
Routing and Remote Access supports dial-up connections for remote users
connecting to a private network. Users can access resources on the remote
access server or on attached networks, provided they meet the network security
requirements defined for the network design.
Providing a Routing and Remote Access solution can reduce the dependence on
service infrastructures (such as Internet service providers (ISPs)), and the
performance variability of the Internet.
In designing a Routing and Remote Access solution, you need to consider the:
Maximum number of simultaneous user connections required.
Types of resources that the clients would require to access (local, remote, or
both).
Connection technologies and throughput requirements. For example,
connections that use modems over Public Switched Telephone Network
(PSTN), Integrated Services Digital Network (ISDN), or X.25.
Client authentication, security, and encryption requirements.
Client connection protocols.
Slide Objective: To identify the decisions that influence the design of a remote access solution.
Lead-in: To develop a remote access solution, you must identify the number of dial-up users, and assess the requirements of these users.
Discuss the bulleted points with students. Tell them that these are the questions they need to answer before designing a remote access solution. Explain the relevance of these decisions with reference to the graphic.
VPN with Remote Access Solutions
VPN Connection Types
Account-based Authentication and Encryption
Compatibility with Other Operating Systems
[Figure: three VPN connection types. Voluntary tunnel: a dial-up VPN client dials an ISP point of presence (POP) or network access server (NAS) over PSTN or ISDN and builds its own tunnel across the Internet to the VPN server. Compulsory tunnel: the POP/NAS builds the tunnel to the VPN server on the client's behalf. Compulsory tunnel with RADIUS: the POP/NAS consults a RADIUS server to authenticate the user and determine where to tunnel the connection.]
Many organizations are transitioning from a centralized in-house dial-up remote
access infrastructure to an Internet-based infrastructure for clients accessing a
corporate intranet. Organizations requiring support for dial-up clients can
reduce costs by outsourcing the remote access dial-up points to an ISP. In
addition, VPN maintains a high level of security for client connections to the
private network.
A VPN supports secure point-to-point communications over a private or public IP-based network. VPN connections are carried as ordinary IP traffic and require no tunneling support from intermediate routers; the routers (and any firewalls) between the client and the VPN server only need to forward the tunnel's packets. For PPTP that traffic is a TCP connection to port 1723 plus Generic Routing Encapsulation (GRE, IP protocol 47) for the tunneled data; for L2TP over IPSec it is UDP port 500 for the IKE key exchange plus Encapsulating Security Payload (ESP, IP protocol 50), inside which the L2TP traffic travels on UDP port 1701.
VPN Connection Types
VPN supports Internet Protocol (IP) layer tunneling that creates a secure
connection between a VPN-based remote access client and a remote access
server on the private network. The computers participating in a VPN connection
authenticate one another and encrypt the data flowing through the VPN.
Note: It is possible to create a tunnel and send the data through the tunnel without encryption. However, it will not be a VPN connection because the private data is sent across a shared or public network in an unencrypted form.
VPN connections can be designed as compulsory or voluntary tunnels.
Compulsory tunnels are pre-configured device-initiated connections for which:
The remote access server initiates tunnel connections.
The remote access server supports the tunnel protocol.
Client authentication is per user based and optionally uses Remote
Authentication Dial-In User Service (RADIUS).
Client support for tunneling is not required.
Slide Objective: To describe the architectural elements of VPN in a remote access networking strategy.
Lead-in: VPN provides a secure communications link across a network and can secure data from end-to-end or from the network access server to the private network.
Use this slide to point out the three types of connections. Explain how authentication, encryption, and compatibility are managed in each connection type.
Voluntary tunnels are ad-hoc connections for which:
The dial-up user initiates tunnel connections.
Client support for tunneling protocols is required.
No intermediate remote access server support for tunneling is required.
Account-based Authentication and Encryption
VPN enhances data security for a connection by:
Authenticating remote users prior to data exchange.
Encrypting authentication credentials.
Encrypting exchanged data.
Both Point-to-Point Tunneling Protocol (PPTP) and Layer Two Tunneling Protocol (L2TP) carry PPP, so both support the encrypted (challenge-response) and plain text PPP user authentication methods. When L2TP is used with Internet Protocol Security (IPSec) transport mode, the two computers additionally authenticate each other with an exchange of computer certificates during the IPSec key exchange; a client whose certificate is not trusted by the server cannot bring up the tunnel at all, so unauthorized access to resources and data is prevented before user authentication even begins. The same key exchange is how the two ends derive the keys that encrypt the data: the certificates authenticate that exchange rather than carrying the keys themselves.
Compatibility with Other Operating Systems
The VPN technology is supported by a number of vendors and operating
systems, and is supported on a number of remote access servers.
Although only Windows 2000 supports a VPN configured for L2TP, any
Windows 32-bit operating system supports a VPN configured for PPTP.
Routing and Remote Access Features
[Figure: a dial-up client running NetBEUI, TCP/IP, and NWLink over PPP connects to the Windows 2000 remote access server, which carries the same transport protocols onto the LAN and the Internet; the same client can also reach a non-Microsoft communications server over PPP or SLIP.]
Provides Dial-Up Access
Supports various transport protocols
Supports various WAN technologies
Supports standard security protocols
Provides Server Interoperability
A Routing and Remote Access-based server supports dial-up connectivity to a
network. In addition to providing access to directories and files, a remote access
server also handles authentication and encryption for remote access clients.
Provides Dial-Up Access
Routing and Remote Access provides dial-up access for remote user
connections by using Point-to-Point Protocol (PPP) or the Microsoft RAS
protocol.
Supports various transport protocols
Over the communication channel, PPP allows negotiation of the following
protocols:
Transmission Control Protocol/Internet Protocol (TCP/IP).
NetWare IPX/SPX/NetBIOS Compatible Transport Protocol (NWLink).
NetBIOS Enhanced User Interface (NetBEUI).
AppleTalk protocol.
The Microsoft RAS protocol is a proprietary protocol supporting dial-up clients by using the NetBEUI local area network (LAN) protocol. The Microsoft RAS protocol is supported in all previous versions of Microsoft remote access and is used on Microsoft Windows NT® version 3.1, Windows for Workgroups, MS-DOS®, and LAN Manager clients. The remote access server acts as a network basic input/output system (NetBIOS) gateway for these remote clients.
Slide Objective: To describe the features of Routing and Remote Access.
Lead-in: The remote access server provides client access to an organization's resources when using dial-up connections.
The NetBIOS gateway provides client access to resources over:
NetBEUI.
NetBIOS over TCP/IP (NetBT) protocol.
NetBIOS over Internetwork Packet Exchange (IPX) protocol.
Note: Routing and Remote Access does not accept Serial Line Internet Protocol (SLIP) clients; on the server side it is PPP only. The Microsoft remote access client software, however, does support SLIP, so a Windows 2000 client can still dial in to a SLIP-based server such as a UNIX host.
Supports various WAN technologies
Dial-up remote access clients can connect to wide area networks (WANs) by
using the following methods:
Standard telephone lines with a modem (PSTN)
ISDN
X.25 direct connection or X.25 packet assembler/disassembler (PAD)
Supports standard security protocols
Routing and Remote Access supports secured authentication and data
encryption. The remote access server automatically negotiates authentication
and encryption levels with PPP-based remote access clients.
For authentication, Routing and Remote Access supports:
Microsoft Challenge Handshake Authentication Protocol (MS-CHAP).
Microsoft Challenge Handshake Authentication Protocol, version 2
(MS-CHAP v2).
Challenge Handshake Authentication Protocol (CHAP).
Extensible Authentication Protocol-Transport Level Security (EAP-TLS).
Shiva Password Authentication Protocol (SPAP).
Password Authentication Protocol (PAP).
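The exchange behind the challenge-response protocols in this list, as an added example that is not code from this course or from Routing and Remote Access: CHAP (RFC 1994) proves knowledge of the secret by returning MD5(Identifier || secret || Challenge) instead of the secret itself, which is what separates it from PAP. The example also shows the two practitioner caveats: the authenticator needs the plaintext secret (on Windows 2000 that means storing the account password with reversible encryption), and a captured exchange is still open to offline guessing, so the link should carry MPPE or run inside L2TP/IPSec when it crosses an untrusted network. The user database, secrets, and wordlist below are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# CHAP packet codes (RFC 1994 section 4)
CHAP_CHALLENGE, CHAP_RESPONSE, CHAP_SUCCESS, CHAP_FAILURE = 1, 2, 3, 4


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: Response Value = MD5(Identifier || secret || Challenge Value).

    Both peer and authenticator compute this; the secret itself never crosses
    the link, which is the advantage over PAP."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side of CHAP (the remote access server's role).

    The authenticator must compute the same MD5 over the plaintext secret, so it
    needs every user's secret in recoverable form (reversibly encrypted)."""

    def __init__(self, users: Dict[bytes, bytes]):
        self.users = users                                  # constructed: name -> secret
        self.pending: Dict[bytes, Tuple[int, bytes]] = {}   # outstanding challenges

    def challenge(self, name: bytes) -> Tuple[int, bytes]:
        """Issue a fresh, unpredictable Identifier and Challenge Value for this peer."""
        identifier = os.urandom(1)[0]
        value = os.urandom(16)
        self.pending[name] = (identifier, value)
        return identifier, value

    def verify(self, name: bytes, identifier: int, response: bytes) -> int:
        """Return CHAP_SUCCESS or CHAP_FAILURE for a Response packet.

        The stored challenge is consumed on first use, so replaying an old
        Response fails even though its bytes were once valid."""
        if name not in self.pending or name not in self.users:
            return CHAP_FAILURE
        expected_id, value = self.pending.pop(name)
        if identifier != expected_id:
            return CHAP_FAILURE
        expected = chap_response(identifier, self.users[name], value)
        return CHAP_SUCCESS if hmac.compare_digest(expected, response) else CHAP_FAILURE


def offline_guess(identifier: int, challenge: bytes, response: bytes, wordlist) -> Optional[bytes]:
    """What an eavesdropper holding one captured Challenge/Response pair can do:
    hash candidate secrets until one reproduces the response. No further
    interaction with the server is needed, so lockout policies do not help."""
    for candidate in wordlist:
        if hmac.compare_digest(chap_response(identifier, candidate, challenge), response):
            return candidate
    return None


def demo() -> dict:
    """One successful login, one replay, one wrong secret, and one offline guess."""
    server = ChapAuthenticator({b"alice": b"correct-horse-battery"})   # constructed account
    identifier, challenge = server.challenge(b"alice")
    good = chap_response(identifier, b"correct-horse-battery", challenge)
    first = server.verify(b"alice", identifier, good)
    replay = server.verify(b"alice", identifier, good)      # same bytes, challenge already consumed
    id2, ch2 = server.challenge(b"alice")
    wrong = server.verify(b"alice", id2, chap_response(id2, b"wrong-secret", ch2))
    wordlist = [b"password", b"letmein", b"correct-horse-battery"]   # constructed wordlist
    return {
        "first": first,
        "replay": replay,
        "wrong": wrong,
        "guessed": offline_guess(identifier, challenge, good, wordlist),
    }


if __name__ == "__main__":
    print(demo())
```

The MD5 construction is the standard CHAP algorithm; the one-shot challenge table and the constant-time comparison are the details a server implementation must get right, and the `offline_guess` function is the reason the module pairs authentication with link encryption rather than treating CHAP alone as sufficient.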
Provides Server Interoperability
Remote access clients can access any PPP-based remote access servers. These
servers include:
Shiva LAN Rover.
NetWare Connect.
UNIX-based SLIP or PPP.
Other PPP-based communications servers.
Integration Benefits
Name Resolution
Remote Access Policies
Authentication and Accounting
[Figure: the remote access server obtains IP addresses from a DHCP server, name resolution from DNS and WINS servers, remote access policies from Active Directory, and authentication and accounting from a RADIUS server.]
Routing and Remote Access integrates with other Windows 2000 networking
services to extend these services to remote access clients and reduce network
management.
DHCP Integration
Integration with DHCP allows dynamic allocation of IP address and
configuration information to remote access clients. This reduces configuration
errors by eliminating manual client configuration.
Routing and Remote Access leases blocks of 10 IP addresses from DHCP for
remote access clients. When clients disconnect, the IP address is returned to the
pool.
If the remote access server is configured to use the DHCP Relay Agent, all
DHCP configuration information is provided to the remote access clients
through the DHCP Relay Agent. If the DHCP Relay Agent is not configured on
the server, clients only receive the IP address and subnet mask provided by the
remote access server.
Note: The TCP/IP options in DHCP can include specific configuration information for remote access clients by using the predefined user class RRAS.Microsoft to define the required client options.
DNS Integration
DNS integration allows clients with dynamically allocated IP addresses and
configuration information to update their name records in a Windows 2000–
based DNS server. This integration allows dial-up client DNS names to be
resolved in the same manner as clients directly connected to the network.
Slide Objective: To identify the benefits of integrating Routing and Remote Access with other Windows 2000 services.
Lead-in: Routing and Remote Access integrates with other Windows 2000 services, such as DHCP, DNS, and WINS.
WINS Integration
WINS integration allows dial-up clients with dynamically allocated IP
addresses and configuration information to update their NetBIOS names in
WINS. This integration allows the NetBIOS resource names that are registered
by the dial-up client to be resolved in the same manner as clients directly
connected to the network.
RADIUS Integration
RADIUS integration centralizes the management of multiple remote access
servers. This integration allows:
Centralized administration of remote access policies.
Logging of client authentication success or failure from multiple remote
access servers.
Distributed authentication for clients in a heterogeneous network.
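The exchange that this integration rests on, as an added example (not code from this course, from Windows 2000, or from any RADIUS product): the remote access server acts as a RADIUS client and sends an Access-Request (RFC 2865) in which the User-Password attribute is hidden under the shared secret and a random Request Authenticator; the RADIUS server recovers the password, decides, and signs its Access-Accept or Access-Reject with a Response Authenticator that the remote access server must check before trusting the verdict. The shared secret, user database, and addresses are constructed for the example.

```python
import hashlib
import hmac
import os
import socket
import struct

# RFC 2865 packet codes and the attribute types used here
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, FRAMED_PROTOCOL = 1, 2, 4, 5, 7
FRAMED_PROTOCOL_PPP = 1
HEADER = struct.Struct("!BBH")   # Code, Identifier, Length; then a 16-byte Authenticator


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte chunks and XOR each chunk with
    MD5(secret + previous ciphertext chunk); the first 'previous chunk' is the
    Request Authenticator, which is why it must be unpredictable."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1 to 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password, run by the RADIUS server. Trailing NUL padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(chunk, block))
        prev = chunk
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def build_access_request(identifier, secret, username, password, nas_ip, nas_port, request_auth=None):
    """Remote access server (RADIUS client) side."""
    request_auth = request_auth or os.urandom(16)
    attrs = (attribute(USER_NAME, username)
             + attribute(USER_PASSWORD, hide_password(password, secret, request_auth))
             + attribute(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attribute(NAS_PORT, struct.pack("!I", nas_port))
             + attribute(FRAMED_PROTOCOL, struct.pack("!I", FRAMED_PROTOCOL_PPP)))
    return HEADER.pack(ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs


def radius_server(request: bytes, secret: bytes, users: dict) -> bytes:
    """RADIUS server side: recover the password, decide, and sign the reply.
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    code, identifier, length = HEADER.unpack(request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("not a well-formed Access-Request")
    request_auth, attrs = request[4:20], parse_attributes(request[20:])
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    verdict = ACCESS_ACCEPT if users.get(attrs.get(USER_NAME)) == password else ACCESS_REJECT
    header = HEADER.pack(verdict, identifier, 20)        # no reply attributes in this example
    return header + hashlib.md5(header + request_auth + secret).digest()


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Remote access server side: trust a reply only if its Response Authenticator
    binds it to our outstanding request and the shared secret; otherwise anyone on
    the path could inject an Access-Accept."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def exchange(username: bytes, password: bytes, users: dict, secret: bytes = b"constructed-shared-secret") -> int:
    """One full round trip; returns the verdict code once the reply has been verified."""
    request = build_access_request(7, secret, username, password, "10.0.0.5", 3)   # constructed NAS
    response = radius_server(request, secret, users)
    if not verify_response(response, request, secret):
        raise RuntimeError("reply failed Response Authenticator check")
    return response[0]
```

The password hiding is reversible by design, which is why the shared secret and the path between the remote access server and the RADIUS server both need protecting; the Response Authenticator check is the part most often skipped in quick implementations and the one that stops a forged verdict.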
Active Directory Integration
Integration of Routing and Remote Access with a Windows 2000 native-mode domain allows the remote access policies to be administered through the Active Directory™ directory service. This integration provides:
Unified administration by using the Active Directory management consoles.
Mapping of Windows 2000 users and groups to remote access policies,
which control dial-up connection permissions.
Note: If the Windows 2000 remote access server is a member of a Windows 2000 mixed-mode domain or a Microsoft Windows NT version 4.0 domain, the Control access through Remote Access Policy option is not available on user accounts. Remote access permission must then be set explicitly to Allow access or Deny access on each user account; the conditions and profile of the matching remote access policy still apply, but the policy's own Grant or Deny setting cannot decide access for a user.
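The decision order described above (policies applied through Active Directory, user and group mapping, and the mixed-mode restriction), modeled as an added example that is not code from this course or from Routing and Remote Access. Windows 2000 accepts a connection attempt in three steps: the first remote access policy whose conditions all match is the only one used (no match means reject); the account's dial-in permission is then consulted, where Allow or Deny overrides the policy and only Control access through Remote Access Policy defers to the policy's Grant or Deny; finally the matched policy's profile constraints are applied, and an attempt that fails them is rejected without falling through to another policy. The policies, groups, accounts, and connection attributes below are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# User account dial-in permission (Dial-in tab of the user account)
ALLOW, DENY, CONTROL_BY_POLICY = "allow", "deny", "policy"
GRANT = "grant"   # a policy's permission is GRANT or DENY


@dataclass
class Policy:
    name: str
    conditions: Dict[str, Callable[[object], bool]]   # attribute -> predicate; ALL must hold
    permission: str                                    # GRANT or DENY
    profile: Dict[str, Callable[[object], bool]] = field(default_factory=dict)  # constraints


@dataclass
class Attempt:
    """Attributes the remote access server knows at connect time (constructed)."""
    user: str
    groups: List[str]
    port_type: str          # "async" (modem), "isdn", or "virtual" (VPN)
    tunnel: Optional[str]   # "pptp", "l2tp", or None for plain dial-up
    auth: str               # "ms-chap-v2", "eap-tls", "chap", "pap", ...
    encryption: int         # negotiated key length in bits, 0 = no encryption
    hour: int               # local hour of the attempt, 0-23


def evaluate(attempt: Attempt, policies: List[Policy], dialin: Dict[str, str], native_mode: bool) -> str:
    """Return 'accept' or 'reject:<reason>' in Windows 2000 evaluation order."""
    perm = dialin.get(attempt.user, DENY)
    if not native_mode and perm == CONTROL_BY_POLICY:
        # Mixed-mode or NT 4.0 domain: the account must say Allow or Deny; it cannot defer.
        return "reject:account must be set to Allow or Deny in mixed mode"

    # Step 1: the first policy whose conditions all match wins; later policies are never consulted.
    match = next((p for p in policies
                  if all(test(getattr(attempt, attr)) for attr, test in p.conditions.items())), None)
    if match is None:
        return "reject:no policy matched"

    # Step 2: the account overrides the policy; only CONTROL_BY_POLICY uses the policy's permission.
    if perm == DENY or (perm == CONTROL_BY_POLICY and match.permission != GRANT):
        return "reject:permission (%s)" % match.name

    # Step 3: the matched policy's profile must be satisfied; there is no fall-through.
    for attr, test in match.profile.items():
        if not test(getattr(attempt, attr)):
            return "reject:profile %s (%s)" % (attr, match.name)
    return "accept"


def sample_policies() -> List[Policy]:
    """Constructed policy list. Order matters: if the contractor deny rule were listed after
    'Staff VPN', a contractor who is also in Staff would match 'Staff VPN' first."""
    return [
        Policy("No contractor VPN",
               {"groups": lambda g: "Contractors" in g, "port_type": lambda t: t == "virtual"},
               "deny"),
        Policy("Staff VPN",
               {"groups": lambda g: "Staff" in g, "port_type": lambda t: t == "virtual"},
               GRANT,
               {"auth": lambda a: a in ("ms-chap-v2", "eap-tls"), "encryption": lambda bits: bits >= 128}),
        Policy("Staff dial-up, office hours",
               {"groups": lambda g: "Staff" in g, "port_type": lambda t: t in ("async", "isdn"),
                "hour": lambda h: 8 <= h < 18},
               GRANT,
               {"auth": lambda a: a != "pap"}),
    ]


def scenarios() -> Dict[str, str]:
    policies = sample_policies()
    dialin = {"alice": CONTROL_BY_POLICY, "bob": ALLOW, "carol": CONTROL_BY_POLICY, "dave": DENY}
    vpn = dict(port_type="virtual", tunnel="pptp", auth="ms-chap-v2", encryption=128, hour=10)
    return {
        "alice strong vpn": evaluate(Attempt("alice", ["Staff"], **vpn), policies, dialin, True),
        "alice weak vpn": evaluate(Attempt("alice", ["Staff"], **{**vpn, "encryption": 40}), policies, dialin, True),
        "carol contractor vpn": evaluate(Attempt("carol", ["Staff", "Contractors"], **vpn), policies, dialin, True),
        # bob's account says Allow, so the deny policy that matches him does not keep him out
        "bob contractor allowed": evaluate(Attempt("bob", ["Contractors"], **vpn), policies, dialin, True),
        "dave denied": evaluate(Attempt("dave", ["Staff"], **vpn), policies, dialin, True),
        "alice night modem": evaluate(Attempt("alice", ["Staff"], "async", None, "chap", 0, 23), policies, dialin, True),
        "alice mixed mode": evaluate(Attempt("alice", ["Staff"], **vpn), policies, dialin, False),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print("%-24s %s" % (name, result))
```

The two results worth dwelling on are the contractor cases: Carol is stopped by the deny policy because her account defers to policy, while Bob, whose account is set to Allow access, walks past the same policy. Per-account Allow settings therefore need the same review as group membership when the design relies on policies for enforcement.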
Designing a Functional Remote Access Solution
Integrating Remote Access Solutions into a LAN
Environment
Integrating Remote Access Solutions into a Routed
Environment
Integrating VPN into a Routed Environment
Selecting a Tunneling Protocol
Integrating VPN Servers with the Internet
Placing Remote Access Servers Within a Private
Network
Discussion: Evaluating Routing and Remote Access
Functional Requirements
The components of a Windows 2000–based dial-up solution include Routing
and Remote Access-based servers, dial-up clients, LAN and remote access
protocols, WAN options, and security options. Routing and Remote Access in
Windows 2000 provides the server-side components to support a dial-up
solution.
To design a remote access solution based on Routing and Remote Access, you must consider the network access requirements, the protocols required, and the server placement issues.
Slide Objective: To introduce the decisions required to evaluate and design a functional solution for remote access.
Lead-in: You can set the foundation for your remote access solution by establishing the essential requirements for Routing and Remote Access.
Integrating Remote Access Solutions into a LAN Environment
[Figure: dial-up clients running NetBEUI, TCP/IP, and NWLink over PPP connect to a remote access server on the LAN; access is governed by policies, groups, and users.]
Security Policies for Dial-Up Clients
Concurrent Sessions and Multilink
Aggregate Throughput for Clients
Client Configuration
A remote access solution for a nonrouted LAN can provide a centralized dial-up
facility for remote access clients. Clients connecting to the remote access server
can be authenticated, provided with TCP/IP configuration information, and
allowed access to resources on the network by using the permitted protocols.
While designing a remote access solution for a nonrouted LAN, you need to
identify solutions for the following:
The security model for administering remote access permissions and
connection settings in the remote access server.
You can control access by individual user names, or Windows 2000 native-
mode or mixed-mode domain policies.
The number of concurrent sessions required to service the dial-up clients.
This allows definition of the number of inbound ports required. If PPP
(Point-to-Point Protocol) Multilink Protocol and Bandwidth Allocation
Protocol (BAP) are enabled, it may be necessary to provide more than one
connection point per client.
The aggregate throughput requirements for the clients.
The peak aggregate bandwidth required by the clients must be equal to or
less than the bandwidth available to the LAN interface in the remote access
server.
The TCP/IP configuration for the dial-up clients.
The allocation of IP addresses and a subnet mask can be configured by the
remote access server through pre-allocation to the client (allowing a fixed IP
address), from a fixed pool of addresses, from DHCP, and from the
Automatic Private IP Addressing (APIPA) addresses (169.254.0.1 through
169.254.255.254).
Slide Objective: To describe how to integrate a remote access server in a nonrouted LAN network.
Lead-in: A remote access dial-up solution for a LAN enables dial-up clients to access LAN resources.
The TCP/IP configuration for the dial-up clients with fixed IP addresses.
The remote access server can configure the allocation of IP addresses and a
subnet mask through pre-allocation to the client, thereby allowing a fixed IP
address.
Note: Remote access policies must be defined to permit users to request a fixed IP address, and you must configure the dial-up properties of the user account with a static IP address.
The TCP/IP configuration for the dial-up clients with dynamic IP addresses.
The allocation of IP addresses and a subnet mask can be configured by the
remote access server from a fixed pool of addresses, from DHCP, and from
APIPA addresses.
Note: If a DHCP Relay Agent is configured on the remote access server, the client can request the TCP/IP options that are defined in the DHCP scope for the subnet. If the DHCP Relay Agent is not configured, the clients only receive the IP address and subnet mask that the remote access server hands out; even when the server obtained that address from DHCP, the client never communicates with the DHCP server directly.
Integrating Remote Access Solutions into a Routed Environment
Selecting Dial-Up Solutions
Enabling Supported Protocols
Providing Client-to-Server Connections
Providing Demand-Dial Router-to-Router Connections
Before integrating a remote access solution into a routed environment, you must consider the access connection speed and connection type of the dial-up users, because those two factors limit what any dial-up remote access design can deliver. The bandwidth limitations of the LAN and the WAN links, together with the dial-up connection speed, place practical constraints on the remote access implementation design.
Selecting Dial-Up Solutions
Remote access servers can provide access to intranet-based resources by using
dial-up connections. Dial-up connections are used when the remote access
clients dial directly into modems attached to the organization’s remote access
servers.
Consider implementing Routing and Remote Access dial-up solutions if:
The use of the Internet as a mechanism for accessing intranet-based resources is considered an unacceptable risk.
The variable data throughput of an Internet connection cannot reliably support the clients' needs.
Logical connections must consist of multiple physical connections, or connections must be added in response to client bandwidth requirements (PPP Multilink and BAP).
The security requirements of the network design call for additional features, such as caller identification (ID) verification or callback, that only a direct dial-up connection provides.
The cost of providing telephone lines, modems, and multiport communication adapters is not prohibitive.
Slide Objective
To describe how to integrate
a remote access solution in
an IP-routed network.
Lead-in
Before integrating a remote
access solution into a routed
environment, you must
consider the access
connection speed and
connection type of the dial-
up users.
Enabling Supported Protocols
Remote access servers support connectivity to remote access clients by using
multiple protocols. Certain protocols may be required to access particular
intranet-based resources or applications.
The following table lists the protocols that Routing and Remote Access
supports and what each one provides.

Choose       To provide
TCP/IP       Access to Web-based applications, File Transfer Protocol (FTP)
             servers, or other applications that are based on the TCP/IP protocol.
NWLink       Access to NetWare-based file and print servers by using Internetwork
             Packet Exchange/Sequenced Packet Exchange (IPX/SPX).
AppleTalk    Access for Apple Macintosh remote access clients by using the
             AppleTalk Remote Access Protocol (ARAP).
NetBEUI      Access to file and print resources in a small, nonrouted LAN by using
             NetBIOS naming conventions.
Providing Client-to-Server Connections
Dial-up remote access solutions provide access to intranet-based resources for
remote access clients. A dial-up remote access design must specify the:
Number of telephone lines, modems, adapters, or asynchronous ports
required to support the maximum number of simultaneous client
connections.
User accounts that will be granted remote access.
Remote access policy restrictions that apply to a user or a group of users.
Providing Demand-Dial Router-to-Router Connections
To support connectivity between remote locations, a router-to-router remote
access design must specify the:
Telephone lines, modems, and asynchronous ports required for connecting
the remote locations.
Routing capabilities found in the Routing and Remote Access–based
servers.
Demand-dial interfaces on the Routing and Remote Access–based servers
that initiate the connection between the locations automatically when
traffic for the remote location arrives.
User accounts used by the Routing and Remote Access–based servers to
authenticate each other.
Remote access policy restrictions.
Integrating VPN into a Routed Environment
Selecting Dial-Up or VPN-based Servers
Providing Remote Access Client Connections
A VPN implementation can support hundreds of VPN remote access clients.
However, the local network and WAN links can place practical constraints on
the VPN design. Before selecting a VPN protocol and connection type, evaluate
your organizational needs and environmental constraints. The VPN protocols
provided by Windows 2000 support a variety of operating systems, security
needs, and network designs.
Selecting Dial-Up or VPN-based Servers
Routing and Remote Access–based servers provide access to intranet-based
resources by using VPN or dial-up connections. VPN connections are used
when remote access clients dial into an ISP and then establish a virtual
connection to the remote access servers of an organization. Dial-up connections
are used when the remote access clients dial directly in to modems attached to
the remote access servers of the organization.
Consider implementing VPN remote access servers if:
Using the Internet to access intranet-based resources is an acceptable risk.
The organization’s connection to the Internet supports the aggregate
throughput required for the maximum number of concurrent remote access
clients.
The variability of Internet bandwidth does not adversely impact client
response times.
Slide Objective
To describe the guidelines
for integrating VPN into a
routed environment.
Lead-in
Before implementing a VPN
service, you need to
evaluate your networking
environment to properly
integrate VPN into a routed
network.
Providing Remote Access Client Connections
VPN servers in an implementation design provide remote access clients with
access to intranet-based resources. A VPN server design must specify:
The number of PPTP or L2TP ports necessary to support the maximum
number of simultaneous clients.
The user accounts that are granted remote access.
Remote access policy restrictions.
Selecting a Tunneling Protocol
[Figure: PPTP and L2TP/IPSec frame layouts. A client reaches the remote access
server through a secure tunnel over an existing network; the remote access
server forwards the traffic to a remote resource server on the private network.]

PPTP frame:
IP Header | GRE Header | PPP Header | Encrypted PPP Payload (IP datagram, IPX datagram)
The PPP header and the encrypted payload together form the PPP frame.

L2TP/IPSec frame:
IP Header | IPSec ESP Header | UDP Header | L2TP Header | PPP Header |
PPP Payload (IP datagram, IPX datagram) | IPSec ESP Trailer | IPSec Auth Trailer
Encrypted by IPSec: from the UDP header through the ESP trailer.
Signed: from the ESP header through the ESP trailer.
Dial-up clients may require secure connections to a remote location, or to
resources on a private network. Routing and Remote Access in Windows 2000
supports two tunneling protocols that provide authentication and data
encryption for creating VPN connections:
PPTP
L2TP
PPTP
PPTP is a de facto industry standard tunneling protocol that was first supported
in Windows NT 4.0. PPTP is an extension of PPP: it reuses the authentication
and compression mechanisms of PPP and adds Microsoft Point-to-Point Encryption
(MPPE) to encrypt the PPP frames. MPPE derives its session keys from the
credentials exchanged during PPP authentication (MS-CHAP), so the protection
PPTP provides is only as strong as the authentication method and the users'
passwords.
A PPTP frame consists of a Generic Routing Encapsulation (GRE) header followed
by a PPP frame whose payload is encrypted. The encrypted payload can be an IP
datagram, an IPX datagram, or a NetBEUI frame; the GRE header and the PPP
header themselves travel in the clear.
By default, Routing and Remote Access is configured for five PPTP ports. If
your design requires more ports, plan for the creation of these ports.
L2TP
L2TP-based virtual private networking connections are a combination of L2TP
and IPSec. L2TP is an IETF standards-track tunneling protocol (RFC 2661).
L2TP uses the authentication and compression methods of PPP, but relies on
IPSec transport mode for encryption services.
Slide Objective
To describe the tunneling
protocols used to secure
data and authenticate
connections.
Lead-in
Tunneling protocols provide
connection authentication,
data security, compression,
and encryption.
Explain how PPTP and
L2TP frames are secured
over a tunnel.
In an L2TP-based virtual private networking connection, the sender and
receiver must support both L2TP and IPSec. The routers between the peer
endpoints are required to support only IP.
L2TP encapsulates the original payload inside a PPP frame, compressing it
whenever possible, and carries that frame in an L2TP message inside a User
Datagram Protocol (UDP) datagram. IPSec ESP in transport mode then encrypts
and authenticates the UDP datagram, so the UDP, L2TP, and PPP headers are
hidden from observers on the path.
By default, Routing and Remote Access is configured for five L2TP ports. If
your design requires more ports, then you must plan for the creation of these
ports.
Note: IPSec can be used in tunnel mode without L2TP. IPSec tunnel mode is
not supported for clients in remote access VPN scenarios. In this mode, IPSec
is used for interoperability with other routers, gateways, or end systems.
Select compulsory VPN tunnels if the client cannot support tunnel protocols
directly. Because a compulsory tunnel begins at the access server rather than
at the client, the link between the client and that server is not protected by
the tunnel. If clients can support the VPN protocols, select voluntary
end-to-end VPN tunnels to provide the highest level of data protection.
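The frame layouts on the slide above, worked through in code. This is an added example written for this page, not code from the course or from Windows 2000: it builds the outer headers of a PPTP packet (IP / GRE / PPP) and of an L2TP/IPSec packet (IP / ESP with the UDP, L2TP, and PPP headers inside the encrypted region), plus a plain L2TP-over-UDP datagram for contrast, and then reports what a device on the path can read from each. Header layouts follow RFC 2637 (enhanced GRE), RFC 2661 (L2TP data messages) and RFC 2406 (ESP); every packet is constructed inline, the addresses are arbitrary, and the ESP payload is a fixed byte string standing in for real ciphertext.

```python
"""
Added example, not part of the course text: show which fields of a PPTP
frame, an L2TP-over-UDP frame, and an L2TP/IPSec frame are readable on the
path. Packets are constructed here; the ESP payload stands in for ciphertext.
"""
import struct

IP_PROTO_UDP, IP_PROTO_GRE, IP_PROTO_ESP = 17, 47, 50
GRE_PROTO_PPP = 0x880B      # GRE protocol type for PPP, used by PPTP data
PPP_COMPRESSED = 0x00FD     # PPP protocol id MPPE uses for encrypted frames
PPP_IP = 0x0021             # PPP protocol id for a plaintext IP datagram
L2TP_PORT = 1701


def ipv4(proto, payload):
    """IPv4 header with no options; checksum left zero (sample only)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, b"\xc0\xa8\x01\x0a", b"\xc0\xa8\x02\x14")
    return hdr + payload


def pptp_packet(call_id, seq, ppp_proto, data):
    """IP / enhanced GRE (K and S bits, version 1) / PPP frame with the
    address and control fields compressed away, as Windows sends it."""
    ppp = struct.pack("!H", ppp_proto) + data
    gre = struct.pack("!BBHHHI", 0x30, 0x01, GRE_PROTO_PPP, len(ppp), call_id, seq)
    return ipv4(IP_PROTO_GRE, gre + ppp)


def l2tp_datagram(tunnel_id, session_id, ppp_proto, data, hdlc=False):
    """UDP 1701 / L2TP data message (T=0, L bit, version 2) / PPP frame.
    hdlc=True keeps the 0xFF03 address/control bytes some peers send."""
    ppp = (b"\xff\x03" if hdlc else b"") + struct.pack("!H", ppp_proto) + data
    l2tp = struct.pack("!HHHH", 0x4002, 8 + len(ppp), tunnel_id, session_id) + ppp
    return struct.pack("!HHHH", L2TP_PORT, L2TP_PORT, 8 + len(l2tp), 0) + l2tp


def l2tp_ipsec_packet(spi, esp_seq, ciphertext):
    """IP / ESP transport mode. Only SPI and sequence number are readable;
    the UDP, L2TP and PPP headers sit inside the encrypted region."""
    return ipv4(IP_PROTO_ESP, struct.pack("!II", spi, esp_seq) + ciphertext)


def describe(packet):
    """Fields visible in the outer headers, plus the firewall rule the tunnel needs."""
    ver_ihl, _, total, _, _, _, proto, _, _, _ = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    body = packet[(ver_ihl & 0x0F) * 4:total]
    if proto == IP_PROTO_GRE:
        flags, ver, gre_proto, _plen, call_id = struct.unpack("!BBHHH", body[:8])
        if (ver & 0x07) != 1 or gre_proto != GRE_PROTO_PPP:
            return {"tunnel": "GRE, not PPTP"}
        off, seq = 8, None
        if flags & 0x10:                          # S bit: sequence number present
            seq = struct.unpack("!I", body[off:off + 4])[0]
            off += 4
        if ver & 0x80:                            # A bit: acknowledgement present
            off += 4
        ppp_proto = struct.unpack("!H", body[off:off + 2])[0]
        return {"tunnel": "PPTP", "call_id": call_id, "gre_seq": seq,
                "ppp_proto": ppp_proto,
                "payload_encrypted": ppp_proto == PPP_COMPRESSED,
                "firewall_rule": "TCP/1723 control + IP protocol 47 (GRE, no port)"}
    if proto == IP_PROTO_UDP:
        sport, dport, _ulen, _ = struct.unpack("!HHHH", body[:8])
        if L2TP_PORT not in (sport, dport):
            return {"tunnel": None}
        l2tp = body[8:]
        flags = struct.unpack("!H", l2tp[:2])[0]
        if flags & 0x8000 or (flags & 0x000F) != 2:
            return {"tunnel": "L2TP control message or unknown version"}
        off = 2 + (2 if flags & 0x4000 else 0)    # L bit: length field present
        tunnel_id, session_id = struct.unpack("!HH", l2tp[off:off + 4])
        off += 4
        if flags & 0x0800:                        # S bit: Ns/Nr present
            off += 4
        if flags & 0x0200:                        # O bit: offset size and pad
            off += 2 + struct.unpack("!H", l2tp[off:off + 2])[0]
        ppp = l2tp[off:]
        if ppp[:2] == b"\xff\x03":                # uncompressed address/control
            ppp = ppp[2:]
        return {"tunnel": "L2TP without IPSec", "tunnel_id": tunnel_id,
                "session_id": session_id,
                "ppp_proto": struct.unpack("!H", ppp[:2])[0],
                "cleartext_payload": ppp[2:], "payload_encrypted": False,
                "firewall_rule": "UDP/1701 (all inner headers and data readable)"}
    if proto == IP_PROTO_ESP:
        spi, esp_seq = struct.unpack("!II", body[:8])
        return {"tunnel": "L2TP/IPSec (ESP transport mode)", "spi": spi,
                "esp_seq": esp_seq, "payload_encrypted": True,
                "firewall_rule": "UDP/500 IKE + IP protocol 50 (ESP, no port)"}
    return {"tunnel": None}


if __name__ == "__main__":
    for pkt in (pptp_packet(7, 1, PPP_COMPRESSED, bytes(22)),
                ipv4(IP_PROTO_UDP, l2tp_datagram(5, 9, PPP_IP, b"GET /", hdlc=True)),
                l2tp_ipsec_packet(0x1234, 3, bytes(40))):
        print(describe(pkt))
```

The output makes the slide's point concrete: with PPTP the GRE call ID, sequence number, and PPP protocol field are readable even though the payload is MPPE-encrypted (protocol 0x00FD); with L2TP carried directly over UDP 1701 everything, including tunnel and session IDs and the PPP payload, is readable; with L2TP/IPSec only the ESP SPI and sequence number are visible.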
Integrating VPN Servers with the Internet
[Figure: two slide diagrams. One shows a VPN server connected to the Internet
together with a firewall or NAT device; the other shows a VPN server
connected to the Internet through a Routing and Remote Access-based router.]
Integrating VPN Servers and Firewalls
Integrating VPN Servers and NAT Devices
The placement of a VPN server can significantly affect network security for a
network that contains a firewall or a network address translation (NAT) device.
A correctly placed VPN server must be reachable by its clients without
compromising network security.
Integrating VPN Servers and Firewalls
Firewalls filter IP traffic based on the IP address, IP protocol number, and
port number of the packet. PPTP requires TCP port 1723 for the control
connection and IP protocol 47 (GRE), which carries no port number, for the
tunneled data; L2TP/IPSec requires UDP port 500 for IKE and IP protocol 50
(ESP), also without a port number, for the tunneled data. A firewall that can
filter only on TCP and UDP ports therefore cannot pass either tunnel
selectively. Proper placement of the VPN server relative to the firewall
achieves the functionality, availability, and performance goals of the design
without compromising its security.
Outside the firewall
Place the VPN server outside the firewall if:
Exposing the Routing and Remote Access–based VPN server directly to the
Internet does not compromise the security aspects of the design.
The security risks associated with allowing access to the entire VPN IP
address range through the firewall are unacceptable.
All sensitive data is placed behind the firewall, and all remote access
through the firewall is limited to the VPN server.
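The placement just described, with the VPN server outside the firewall, expressed as two filter lists. This is an added example written for this page, not Routing and Remote Access input filters or the course's own material: a first-match packet filter in which the VPN server's Internet interface admits only PPTP and L2TP/IPSec traffic, and the firewall admits into the intranet only decapsulated traffic from the VPN client address pool. The server address, client pool, and intranet range are assumptions made for the example.

```python
"""
Added example, not from the course text: first-match filters for the
"VPN server outside the firewall" placement. Addresses and ranges are
assumed values chosen for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

VPN_PUBLIC = "203.0.113.10"        # VPN server, Internet-facing interface (assumed)
VPN_CLIENT_POOL = "10.200.0.0/24"  # addresses handed out to VPN clients (assumed)
INTRANET = "10.1.0.0/16"           # protected network behind the firewall (assumed)
TCP, UDP, GRE, ESP = 6, 17, 47, 50


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None    # GRE and ESP carry no port number


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    proto: Optional[int] = None    # None matches any IP protocol
    src: Optional[str] = None      # network in CIDR form; None matches any
    dst: Optional[str] = None
    dport: Optional[int] = None    # a port rule never matches a portless protocol

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        for net, addr in ((self.src, p.src), (self.dst, p.dst)):
            if net is not None and ipaddress.ip_address(addr) not in ipaddress.ip_network(net):
                return False
        return True


def decide(rules, p: Packet) -> str:
    """First matching rule wins; anything unmatched is denied."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


# Input filters on the VPN server's Internet interface: tunnel traffic only.
VPN_EDGE_FILTER = [
    Rule("allow", TCP, dst=VPN_PUBLIC, dport=1723),   # PPTP control connection
    Rule("allow", GRE, dst=VPN_PUBLIC),               # PPTP data: match on protocol 47
    Rule("allow", UDP, dst=VPN_PUBLIC, dport=500),    # IKE for L2TP/IPSec
    Rule("allow", ESP, dst=VPN_PUBLIC),               # L2TP/IPSec data: protocol 50
    Rule("deny"),
]

# Firewall between the VPN server's intranet interface and the intranet:
# only decapsulated traffic from the VPN client pool is admitted, which is
# the "entire VPN IP address range" the placement decision refers to.
FIREWALL_INBOUND = [
    Rule("allow", src=VPN_CLIENT_POOL, dst=INTRANET),
    Rule("deny"),
]
```

Two points fall out of the rules: GRE and ESP must be matched by IP protocol number, because a rule that names a port never matches them, and the firewall sees the VPN clients' pool addresses rather than the VPN server's address once the server has decapsulated their traffic, so that pool is what the firewall rule has to admit.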
Slide Objective
To describe the placement
of VPN servers when
supporting Internet access.
Lead-in
A VPN server can be
positioned in one of several
ways to operate with the
Internet.