Overview of Routing and Remote Access Service (RRAS)

Overview of Routing and Remote Access Service (RRAS) When RRAS was implemented in Microsoft Windows NT 4.0, it added support for a number of features. Microsoft Windows 2000 builds on RRAS in Windows NT 4.0 and adds a number of new features. RRAS is fully integrated with Windows 2000 Server. RRAS is extensible with application programming interfaces (APIs) that third-party developers can use to create custom networking solutions and that vendors can use to participate in internetworking. The combined features of Windows 2000 RRAS allow a Windows 2000 Server computer to function as a multiprotocol router, a demand-dial router, and a remote access server.

Combining Routing and Remote Access Service Routing services and remote access services have been combined because both rely on the Point-to-Point Protocol (PPP), the protocol suite commonly used to negotiate point-to-point connections. Demand-dial routing connections also use PPP to provide the same kinds of services as remote access connections. The PPP infrastructure of Windows 2000 Server supports several types of access.

Installation and Configuration

Disabling Routing and Remote Access Service You can use the Routing and Remote Access snap-in to disable RRAS. You can refresh the RRAS configuration by first disabling the service and then enabling it.

Authentication and Authorization

Unicast IP Support Windows 2000 provides extensive support for unicast IP routing. In unicasting, two computers establish a two-way, point-to-point connection. Routing and Remote Access Service includes a number of features to support unicast IP routing.

Multicast IP Support Windows 2000 supports the sending, receiving, and forwarding of IP multicast traffic. Multicast traffic is sent to a single destination (group) address but is processed by every host that listens for that group. Routing and Remote Access Service includes a number of features to support multicast IP routing.

IPX Support The Windows 2000 Server router is a fully functional IPX router. Routing and Remote Access Service includes a number of features to support IPX routing.

AppleTalk Windows 2000 RRAS can operate as an AppleTalk router by forwarding AppleTalk packets and supporting the use of RTMP. Most large AppleTalk networks are AppleTalk internets that are connected by routers. A Windows 2000–based server can provide routing and seed routing support.

Demand-Dial Routing Windows 2000 provides support for demand-dial routing. IP and IPX can be forwarded over demand-dial interfaces over persistent or on-demand wide area network (WAN) links.

Remote Access RRAS enables a computer to be a remote access server. RRAS accepts remote access connections from remote access clients that use traditional dial-up technologies.

VPN Server RRAS enables a computer to be a virtual private network (VPN) server. RRAS supports Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP) over IP Security (IPSec).

RADIUS Client-Server Internet Authentication Service (IAS) is the Microsoft implementation of a Remote Authentication Dial-In User Service (RADIUS) server. RADIUS is a client-server protocol that enables RADIUS clients to submit authentication and accounting requests. The RADIUS server has access to user account information and can check remote access authentication credentials. RADIUS supports remote access user authentication and authorization and allows accounting data to be maintained in a central location.
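To make the client-server exchange described above concrete, here is an added Python example (not code from the presentation or from Microsoft's IAS) that builds a RADIUS Access-Request with the User-Password hidden as RFC 2865 requires, answers it on a stand-in server, and verifies the Response Authenticator on the client side. The shared secret, account names and passwords are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types used here (RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

def attribute(attr_type, value):
    # Type, Length (header included), Value.
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def parse_attributes(data):
    # Walk the attribute list, rejecting lengths that would run past the packet.
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs

def xor_chain(data, secret, req_auth, decrypt=False):
    # RFC 2865 s5.2: chunk i is XORed with MD5(secret + chunk i-1); chunk 0 uses the Request Authenticator.
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        chunk = bytes(a ^ k for a, k in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + chunk, (data[i:i + 16] if decrypt else chunk)
    return out

def packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def response_authenticator(code, ident, attrs, req_auth, secret):
    # MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 s3.
    return hashlib.md5(packet(code, ident, req_auth, attrs) + secret).digest()

def build_access_request(user, password, secret, ident):
    # RADIUS client (the RAS server) side: a fresh random Request Authenticator per request.
    req_auth = os.urandom(16)
    # The password is NUL-padded to a multiple of 16 bytes (at least 16) before hiding.
    hidden = xor_chain(password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00"), secret, req_auth)
    attrs = attribute(ATTR_USER_NAME, user) + attribute(ATTR_USER_PASSWORD, hidden)
    return packet(ACCESS_REQUEST, ident, req_auth, attrs)

def server_handle(request, secret, accounts):
    # RADIUS server (IAS) side: recover the password, check the account, answer Accept or Reject.
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    req_auth, attrs = request[4:20], parse_attributes(request[20:])
    stored = accounts.get(attrs.get(ATTR_USER_NAME, b""))
    given = xor_chain(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth, decrypt=True).rstrip(b"\x00")
    code = ACCESS_ACCEPT if stored is not None and hmac.compare_digest(stored, given) else ACCESS_REJECT
    return packet(code, ident, response_authenticator(code, ident, b"", req_auth, secret), b"")

def verify_response(response, request, secret):
    # Client side: a reply whose authenticator was not computed with the shared secret is discarded.
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response) or response[1] != request[1]:
        return False
    expected = response_authenticator(response[0], response[1], response[20:], request[4:20], secret)
    return hmac.compare_digest(response[4:20], expected)
```

The identifier and Request Authenticator tie each reply to one outstanding request, which is why the client checks both before trusting an Access-Accept.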

SNMP MIB Support RRAS provides Simple Network Management Protocol (SNMP) agent functionality with support for Internet MIB II. Routing and Remote Access Service includes support for additional MIB enhancements beyond Internet MIB II. MIB support is also provided for Windows 2000 functions, legacy LAN Manager MIB functions, and the WINS, DHCP, and IIS services.

API Support for Third-Party Components RRAS has fully published API sets for unicast and multicast routing protocol and administration utility support. Developers can write additional routing protocols and interfaces directly into RRAS architecture.

Overview of Remote Access Remote access clients are either connected to only the remote access server’s resources, or they are connected to the RAS server’s resources and beyond. A Windows 2000 remote access server provides two remote access connection methods.

Dial-Up Remote Access Connections

Remote Access Client A number of remote access clients can connect to a Windows 2000 remote access server. Almost any third-party PPP remote access client can connect to a Windows 2000 remote access server. The Microsoft remote access client can also dial into a Serial Line Internet Protocol (SLIP) server.

Remote Access Service Server The remote access server accepts dial-up connections. The remote access server forwards packets between remote access clients and the network to which the remote access server is attached.

Dial-Up Equipment and WAN Infrastructure The dial-up equipment and WAN infrastructure options are the Public Switched Telephone Network (PSTN), digital links and V.90, Integrated Services Digital Network (ISDN), X.25, and ATM over ADSL.

Public Switched Telephone Network (PSTN)

Digital Links and V.90

Integrated Services Digital Network (ISDN)

X.25

Asynchronous Transfer Mode (ATM) over Asymmetric Digital Subscriber Line (ADSL)

Remote Access Protocols Remote access protocols control the establishment of connections and the transmission of data over WAN links. Windows 2000 remote access supports three types of remote access protocols: PPP, SLIP, and AsyBEUI.

LAN Protocols LAN protocols are the protocols used by remote access clients to access resources on the network connected to the RAS server. Windows 2000 remote access supports TCP/IP, IPX, AppleTalk, and NetBEUI.

Secure User Authentication Secure user authentication is obtained through the encrypted exchange of user credentials. Secure authentication is possible through the use of PPP and one of the supported authentication protocols.

Mutual Authentication Mutual authentication is obtained by authenticating both ends of the connection through the encrypted exchange of user credentials. It is possible for a RAS server not to request authentication from the remote access client.

Data Encryption Data encryption encrypts the data sent between the remote access client and the RAS server. Data encryption on a remote access connection is based on a secret encryption key known to the RAS server and the remote access client. Data encryption is possible over dial-up remote access links when using PPP along with EAP-TLS or MS-CHAP. Microsoft Windows 2000, Windows NT 4.0, Windows 98, and Windows 95 remote access clients and remote access servers support Microsoft Point-to-Point Encryption (MPPE).

Callback The RAS server calls the remote access client after the user credentials have been verified. Callback can be configured on the server to call the remote access client back at a number specified by the user of the remote access client. Callback can be configured to always call back the remote access client at a specific number.

Caller ID Caller ID can be used to verify that the incoming call is coming from a specified phone number. Caller ID requires that the caller’s telephone line, phone system, RAS server’s telephone line, and the Windows 2000 driver for the dial-up equipment support caller ID.

Remote Access Account Lockout The remote access account lockout feature is used to specify how many times a remote access authentication can fail against a valid user account before access is denied. The feature does not distinguish malicious attempts from authentic users. An administrator must decide on two remote access account lockout variables.

Managing Users Set up a master account database in the Active Directory store or on a RADIUS server. A master account database allows the RAS server to send the authentication credentials to a central authenticating device.

Managing Addresses For PPP connections, IP, IPX, and AppleTalk addressing information must be allocated to remote access clients during the establishment of the connection. The RAS server must be configured to allocate IP addresses, IPX network and node addresses, or AppleTalk network and node addresses.

Overview of Access Management Remote access connections are accepted based on the dial-in properties of a user account and the remote access policies. Different remote access conditions can be applied to different remote access clients or to the same remote access client based on the parameters of the connection attempt. Multiple remote access policies can be used to meet various conditions. RRAS and IAS use remote access policies to determine whether to accept or reject connection attempts.

Access by User Account

Access by Policy

Accepting a Connection Attempt When a user attempts a connection, the connection attempt is accepted or rejected based on a specific logic.

Managing Account Lockout Changing settings in the registry on the authenticating computer configures the account lockout feature. If the RAS server is configured for Windows authentication, modify the registry on the RAS server computer. If the RAS server is configured for RADIUS authentication and IAS is being used, modify the registry on the IAS server.

Managing Authentication The options are Windows authentication, RADIUS authentication, and Windows and RADIUS accounting.

Overview of Virtual Private Networks (VPNs) VPNs allow remote users to connect securely to a remote corporate server by using the routing infrastructure provided by a public internetwork, such as the Internet. VPN is a point-to-point connection between the user’s computer and a corporate server. VPN allows a corporation to connect with its branch offices or with other companies over a public internetwork. The secure connection across the internetwork appears to the user as a virtual network interface.

Connecting Networks over the Internet Networks can be connected over the Internet by using dedicated lines or dial-up lines.

Connecting Computers over an Intranet VPNs allow a department’s LAN to be physically connected to the corporate internetwork but separated by a VPN server. The VPN server is not acting as a router between the corporate internetwork and the department LAN.

Overview of Tunneling Tunneling is a method of using an internetwork infrastructure to transfer a payload. Instead of sending the frame as produced by the originating node, the frame is encapsulated with an additional header, which provides routing information. The process of encapsulation and transmission of packets is known as tunneling. The logical path through which the encapsulated packets travel the transit internetwork is called a tunnel.

Tunnel Maintenance and Data Transfer Tunneling relies on two protocols: a tunnel maintenance protocol and a tunnel data transfer protocol.

Tunnel Types There are two tunnel types: voluntary tunnels and compulsory tunnels.

PPTP

L2TP

PPTP vs. L2TP PPTP requires that the transit internetwork be an IP internetwork. L2TP requires only that the tunnel media provide packet-oriented point-to-point connectivity. When header compression is enabled, L2TP operates with 4 bytes of overhead, compared to 6 bytes for PPTP. L2TP provides tunnel authentication, while PPTP does not. PPTP uses PPP encryption and L2TP does not.

IPSec This section covers an overview of IPSec, ESP tunnel mode vs. ESP transport mode, and the IPSec ESP tunnel mode packet structure.

IP-IP IP-IP is a simple OSI layer 3 tunneling technique. A virtual network is created by encapsulating an IP packet with an additional IP header. The primary use of IP-IP is for tunneling multicast traffic over sections of a network that do not support multicast routing. The IP payload includes everything above IP.
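The encapsulation the IP-IP slide describes, as an added Python example that is not part of the presentation: an inner multicast datagram is wrapped in an outer IPv4 header carrying protocol number 4, and the receiving endpoint validates both headers and accepts tunnel traffic only from a configured peer before handing the inner packet on. The addresses, port numbers and payload are constructed sample values.

```python
import socket
import struct

IPPROTO_IPIP, IPPROTO_UDP = 4, 17

def checksum(data):
    # RFC 1071 one's-complement sum over 16-bit words.
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src, dst, proto, payload_len, ttl=64, ident=0):
    # Minimal 20-byte header (IHL 5, DF set); the checksum is computed with its own field zeroed.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0x4000, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def parse_ipv4(pkt):
    # Return (src, dst, proto, payload) after validating version, IHL, lengths and checksum.
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl, total = (pkt[0] & 0x0F) * 4, struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or total < ihl or total > len(pkt):
        raise ValueError("bad IPv4 lengths")
    if checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), pkt[9], pkt[ihl:total]

def encapsulate(inner_pkt, tunnel_src, tunnel_dst):
    # Tunnel entry: the whole inner IP packet becomes the payload of an outer packet with protocol 4.
    return ipv4_header(tunnel_src, tunnel_dst, IPPROTO_IPIP, len(inner_pkt)) + inner_pkt

def decapsulate(outer_pkt, local_addr, allowed_peers):
    # Tunnel exit: accept only protocol-4 packets addressed to us from a configured peer,
    # then validate the inner header before it is forwarded into the multicast-enabled segment.
    src, dst, proto, payload = parse_ipv4(outer_pkt)
    if proto != IPPROTO_IPIP or dst != local_addr:
        raise ValueError("not an IP-IP packet for this endpoint")
    if src not in allowed_peers:
        raise ValueError("tunnel packet from unconfigured peer %s" % src)
    return parse_ipv4(payload)

def is_multicast(addr):
    return 224 <= int(addr.split(".")[0]) <= 239

def tunnel_round_trip():
    # Constructed sample: a multicast UDP datagram carried between two router endpoints.
    udp_payload = b"group announcement"
    udp = struct.pack("!HHHH", 5000, 5000, 8 + len(udp_payload), 0) + udp_payload
    inner = ipv4_header("192.168.10.5", "239.1.2.3", IPPROTO_UDP, len(udp), ttl=8) + udp
    outer = encapsulate(inner, "10.0.0.1", "10.0.0.2")
    src, dst, proto, payload = decapsulate(outer, "10.0.0.2", {"10.0.0.1"})
    # Outer protocol, added overhead in bytes, inner destination, its multicast status, payload intact.
    return outer[9], len(outer) - len(inner), dst, is_multicast(dst), payload == udp
```

The peer check matters because IP-IP carries no authentication of its own: anything that can reach the endpoint could otherwise inject packets that emerge inside the protected segment.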

Managing Users A master account database is usually set up on a domain controller or on a RADIUS server. The same user account is used for both dial-in remote access and VPN remote access.

Managing Addresses and Name Servers The VPN server must have IP addresses available in order to assign them to the VPN server’s virtual interface and to VPN clients. By default, the IP addresses assigned to VPN clients are obtained through DHCP.

Managing Access Configure the properties on the Dial-In tab of the users’ properties and modify remote access policy as necessary.

Managing Authentication The VPN server can be configured to use either Windows or RADIUS authentication. If Windows is selected, the user credentials are authenticated by using Windows authentication and remote access policy. If RADIUS is selected, user credentials and parameters are sent as a series of RADIUS request messages to the RADIUS server.

Troubleshooting Common problems are: a connection attempt is rejected when it should be accepted; a connection attempt is accepted when it should be rejected; locations beyond the VPN server cannot be reached; a tunnel cannot be established.

Routing and Remote Access Snap-In

Net Shell Command-Line Utility The Net Shell utility includes a number of options. Commands can be abbreviated to the shortest unambiguous string. Commands can be either global or context specific. Global commands can be issued in any context and are used for general netsh functions. Netsh has two command modes. You can run a script either by using the -f option or by typing the exec global command while in the Net Shell command window. To create a script of the current configuration, type the global dump command. The Net Shell command includes context-specific commands.

Authentication and Accounting Logging RRAS supports the logging of authentication and accounting information for PPP-based connection attempts when Windows authentication or accounting is enabled. The authentication and accounting information is stored in a configurable log file or files. You can configure the type of activity to log and log file settings.

Event Logging The Windows 2000 Router performs extensive error logging in the system event log. Four levels of logging are available. Take specific steps if an OSPF router is unable to establish an adjacency on an interface. The level of event logging can be set from various places with the Routing and Remote Access snap-in. Logging consumes system resources and should be used sparingly.

Tracing RRAS has an extensive tracing capability that you can use to troubleshoot complex network problems. Tracing records internal component variables, function calls, and interactions. You can enable tracing for each routing protocol by setting the appropriate registry values. Tracing consumes system resources and should be used sparingly. To enable file tracing for each component, you must set specific values within the registry.