
1 Chapter Overview
- Using Remote Access
- Using Virtual Private Networks
- Using NAT and ICS
- Using Terminal Services


2 Using Remote Access
Using Microsoft Windows 2000 remote access technology, remote clients can connect to corporate networks or to the Internet. As an administrator, you should understand:
- Dial-in remote access connections
- Remote access protocols and security
- How to manage remote access
- The Remote Access Service (RAS)
RAS is part of the Windows 2000 Routing and Remote Access feature.

3 Overview of Remote Access
In Windows 2000 RAS, remote access clients connect to either:
- The RAS server and its resources only (called point-to-point remote access connectivity), or
- The RAS server and the resources of its network (called point-to-LAN remote access connectivity)
A Windows 2000 RAS server provides two remote access connection methods:
- Dial-in remote access
- Virtual private network (VPN) remote access

4 Dial-In Remote Access Connections
A dial-in remote access connection consists of:
- A remote access client
- A remote access server
- A wide area networking (WAN) infrastructure
The connection between the remote access server and the remote access client is carried by:
- Dial-in equipment installed at the client and server sites
- The telecommunications infrastructure

5 Elements of a Dial-In Remote Access Connection

6 WAN Connections
- The most common type of WAN connection used by RAS is the Public Switched Telephone Network (PSTN). Dial-in equipment consists of two analog modems, one for the remote access client and one for the remote access server.
- The maximum bit rate supported by an analog-to-analog PSTN connection is 33.6 Kbps. 56-Kbps modems require a digital connection at the server end.
- Integrated Services Digital Network (ISDN) and leased telephone lines provide all-digital WAN services that run at higher speeds and require special equipment at both sites; a leased line is a permanent connection between the client and server sites, whereas ISDN is dialed like PSTN.

7 Dial-In Equipment and WAN Infrastructure for PSTN Connections

8 Remote Access Protocols
RAS connections almost always use the Point-to-Point Protocol (PPP) for WAN communications because PPP provides:
- Security (negotiated link-level authentication, and encryption on Windows 2000 links)
- Support for multiple protocols at the network layer
Once the WAN connection is established between the RAS client and server, the client uses PPP to access server resources. The server functions as a router, enabling the RAS client to access resources on the server's network as though the client were directly connected to the local area network (LAN), except at a lower speed.

9 Remote Access Security
Windows 2000 remote access offers a wide range of security features, including:
- Secure user authentication
- Mutual authentication
- Data encryption
- Callback
- Caller ID
- Remote access account lockout

10 Secure User Authentication
- Is obtained through the encrypted exchange of user credentials; the password itself is never sent in the clear
- Uses PPP with one of the following authentication protocols:
  - Extensible Authentication Protocol (EAP)
  - Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) version 1 and version 2
  - Challenge Handshake Authentication Protocol (CHAP)
  - Shiva Password Authentication Protocol (SPAP)
- If a RAS server requires a secure authentication method and the client cannot support the method, the connection is denied.
These methods are not equally strong. SPAP only applies a reversible encoding to the password, CHAP requires the server to store passwords in reversibly encrypted form, and MS-CHAP version 1 has well-known cryptographic weaknesses. Where the clients allow it, configure the server to accept only EAP-TLS or MS-CHAP version 2 and refuse the rest.

11 Mutual Authentication
- Involves authenticating both ends of the connection; each side proves knowledge of a credential without sending it in the clear
- Uses PPP with EAP-Transport Layer Security (EAP-TLS, certificate-based) or MS-CHAP version 2
- Involves the following process:
  1. The remote access client authenticates itself to the RAS server.
  2. The RAS server authenticates itself to the remote access client.
Without step 2, a client can be tricked into handing its challenge response to a rogue server, which can then attack it offline.
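The two-step exchange above, as an added example that is not part of the course material: a CHAP-style challenge/response (RFC 1994, MD5 over identifier, secret and challenge) run in both directions. MS-CHAP version 2 and EAP-TLS use different constructions; plain CHAP is used here because it needs only the standard library. The peer names, the shared secret and the rogue server are constructed for the example.

```python
"""
Added example (not from the original course material): a CHAP-style
challenge/response exchange run in both directions, to show what mutual
authentication buys on a PPP link. The response is computed as RFC 1994
CHAP does: MD5(identifier || secret || challenge). MS-CHAP v2 and EAP-TLS
use other constructions; names, secrets and the rogue peer are constructed.
"""
import hashlib
import hmac
import os
from typing import Tuple


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: Response = MD5(Identifier || Secret || Challenge)."""
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapPeer:
    """One end of the link; holds the secret it shares with its peer."""

    def __init__(self, name: str, secret: bytes):
        self.name = name
        self.secret = secret
        self._identifier = 0

    def challenge(self) -> Tuple[int, bytes]:
        """Issue a fresh, unpredictable challenge (16 random octets)."""
        self._identifier = (self._identifier + 1) & 0xFF
        return self._identifier, os.urandom(16)

    def respond(self, identifier: int, challenge: bytes) -> bytes:
        return chap_response(identifier, self.secret, challenge)

    def verify(self, identifier: int, challenge: bytes, response: bytes) -> bool:
        expected = chap_response(identifier, self.secret, challenge)
        # constant-time comparison so timing does not leak how many bytes matched
        return hmac.compare_digest(expected, response)


def one_way_auth(verifier: ChapPeer, prover: ChapPeer) -> bool:
    """verifier challenges prover; True if prover knows the shared secret."""
    ident, chal = verifier.challenge()
    return verifier.verify(ident, chal, prover.respond(ident, chal))


def mutual_auth(client: ChapPeer, server: ChapPeer) -> Tuple[bool, bool]:
    """Slide 11's two steps: (client proved itself to server, server proved itself to client)."""
    client_ok = one_way_auth(server, client)   # step 1
    server_ok = one_way_auth(client, server)   # step 2
    return client_ok, server_ok


# Constructed scenario. The rogue server does not know the secret: in step 1 it
# still receives the client's response (which it could attack offline), and in
# step 2 it cannot answer the client's challenge, so the client detects it.
SHARED = b"correct horse battery staple"
client = ChapPeer("laptop", SHARED)
server = ChapPeer("ras01", SHARED)
rogue_server = ChapPeer("evil-ras", b"wrong secret")

if __name__ == "__main__":
    print("genuine server:", mutual_auth(client, server))        # (True, True)
    print("rogue server:  ", mutual_auth(client, rogue_server))  # (False, False)
```

The point of step 2 is visible in the rogue case: one-way CHAP would have let the client send its response to an impostor before anything was verified.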

12 Data Encryption
- Data encryption protects the data while it is on the WAN link between the RAS client and server, but not at either end.
- If end-to-end encryption is needed, you can use Internet Protocol Security (IPsec) to create an encrypted end-to-end connection after establishing the RAS connection.
- On dial-in remote access links, data encryption (Microsoft Point-to-Point Encryption, MPPE) requires PPP with EAP-TLS or MS-CHAP, because those are the authentication methods that derive the session keys.
- If a RAS server is configured to require data encryption and the client does not support it, the connection attempt is rejected.

13 Callback
Callback uses the following process:
1. The remote client dials in to the RAS server, authenticates itself, and then terminates the connection.
2. The server then calls the client back and reestablishes the connection.
You can configure the server to call the client back at either:
- A preset number, or
- A number specified by the client during the initial call
Only the preset number gives a security benefit, because it ties the account to a physical line; a caller-specified number merely shifts the telephone charges to the server.

14 Caller ID
RAS can use caller ID to verify that a call from a client is coming from a specified phone number. You configure caller ID as part of the dial-in properties of the user account. If the caller ID number of the incoming connection for that user account does not match the preconfigured caller ID, the connection is denied. This also means the connection is denied when the line, modem or driver does not pass caller ID information to RAS at all, so verify the hardware path before enabling it on an account.

15 Remote Access Account Lockout
- Specifies the number of failed remote access authentication attempts a user is permitted before the server denies remote access for that account
- Important for VPN connections over the Internet
- Prevents malicious Internet users from guessing passwords by repeatedly sending credentials
Remote access account lockout is separate from the Active Directory account lockout policy: it is configured in the registry of the authenticating server (the RAS server, or the IAS server when RADIUS is used) under the AccountLockout key, with MaxDenials as the threshold and ResetTime (mins) as the interval after which the failure count is cleared. The trade-off is that anyone who knows a user name can lock that user out by sending bad credentials, so set the threshold high enough to stop guessing without turning the feature into a denial-of-service lever.

16 Configuring Routing and Remote Access
Routing and Remote Access is responsible for all remote access functionality in Microsoft Windows 2000 Server. Although Routing and Remote Access is installed by default with the operating system, you must configure and enable the service. To configure Routing and Remote Access as a remote access server, click Start, point to Programs, point to Administrative Tools, and then click Routing And Remote Access.

17 The IP Address Assignment Page in the Routing And Remote Access Server Setup Wizard

18 The Managing Multiple Remote Access Servers Page in the Routing And Remote Access Server Setup Wizard

19 Managing Remote Access
Consider factors such as:
- Where to store user account data
- How to assign addresses to remote access clients
- Who should be permitted to create remote access connections
Remote access management includes:
- Managing users
- Managing addresses
- Managing access

20 Managing Users for RAS
Instead of maintaining separate user accounts on separate servers, most administrators set up a master user account database in the Active Directory service or on a Remote Authentication Dial-In User Service (RADIUS) server. This enables the RAS server to forward the authentication credentials to a central authentication server instead of checking them locally.

21 Managing Addresses for RAS Clients
For PPP connections, addressing information must be allocated to remote access clients during the establishment of the connection. You can configure a RAS server to allocate:
- Internet Protocol (IP) addresses
- Internet Packet Exchange (IPX) network and node addresses
- AppleTalk network and node addresses

22 Managing Access to RAS
A Windows 2000 RAS server accepts connections based on the dial-in properties of each user account and the server's remote access policies. A remote access policy is a set of conditions and parameters that define the connection and any constraints imposed on it. You can create multiple remote access policies to apply different conditions and parameters to different users, groups, or types of connection attempts.

23 Managing Access to RAS (Cont.)
To use a centralized set of remote access policies on multiple Windows 2000 RAS or VPN servers, you can:
- Configure one Internet Authentication Service (IAS) server
- Configure each RAS or VPN server to be a RADIUS client of the IAS server
To administer remote access policies:
- For Windows 2000 RAS servers, use the Routing And Remote Access snap-in
- For Windows 2000 IAS servers, use the Internet Authentication Service snap-in

24 Access by User Account
Each Windows 2000 user account has a set of dial-in properties that a RAS server uses when processing a user's connection attempt.

25 The Dial-in Tab of an Active Directory User's Properties Dialog Box

26 Access by Policy
To manage remote access by policy:
1. Select the Control Access Through Remote Access Policy option in the Dial-In tab of the user's Properties dialog box.
2. Create remote access policies to meet your needs, either through Routing and Remote Access or a RADIUS authentication provider.
To create a remote access policy on a Windows 2000 RAS server, use the Routing And Remote Access console.

27 The Remote Access Policies Node in the Routing And Remote Access Console

28 The Conditions Page in the Add Remote Access Policy Wizard

29 The Permissions Page in the Add Remote Access Policy Wizard

30 Policy-Based Access
A typical use of policy-based access is to allow access through group membership. For example, you create a group named DialUpUsers, whose members are users who are to be allowed dial-in remote access. Then you create a remote access policy that grants dial-in remote access to members of the DialUpUsers group.

31 The Logic of Remote Access Policies and User Account Settings
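The decision logic summarised on slides 24 through 31, as an added example that is not part of the course material: an account's Dial-in permission (Allow, Deny, or Control access through Remote Access Policy) is combined with the ordered policy list, the first policy whose conditions match decides, an Allow on the account overrides the policy's permission but not its profile constraints, and the remote access account lockout of slide 15 is checked before any policy. The users, groups, policies and lockout threshold are constructed; this is a model of the documented decision order, not the RRAS or IAS implementation.

```python
"""
Added example, not part of the course material: the acceptance logic of
slides 24-31 (account Dial-in permission versus the ordered remote access
policies) run on concrete inputs, with the remote access account lockout of
slide 15 as the check that runs first. Users, groups, policies and the
lockout threshold are constructed; this models the documented decision
order and is not the RRAS/IAS implementation itself.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

ALLOW, DENY, BY_POLICY = "allow", "deny", "control-through-policy"


@dataclass
class User:
    name: str
    groups: Set[str]
    dialin: str = BY_POLICY            # Dial-in tab of the account properties


@dataclass
class Attempt:
    user: User
    port_type: str                     # "Async" for a modem, "Virtual" for VPN
    auth_method: str                   # "MS-CHAPv2", "EAP-TLS", "PAP", ...
    encrypted: bool
    hour: int                          # 0-23, for day-and-time restrictions


Check = Callable[[Attempt], bool]


@dataclass
class Policy:
    name: str
    conditions: List[Check]            # Conditions page of the wizard
    grant: bool                        # Permissions page: grant or deny
    profile: List[Check] = field(default_factory=list)   # profile constraints


@dataclass
class AccountLockout:
    """Slide 15: MaxDenials failures lock the account until ResetTime expires
    (or an administrator clears it); the timer itself is left out here."""
    max_denials: int = 5
    failures: Dict[str, int] = field(default_factory=dict)

    def locked(self, name: str) -> bool:
        return self.failures.get(name, 0) >= self.max_denials

    def record_failure(self, name: str) -> None:
        self.failures[name] = self.failures.get(name, 0) + 1


def evaluate(a: Attempt, policies: List[Policy], lockout: AccountLockout) -> str:
    """'accept' or 'reject: <reason>', in the order Windows 2000 applies them."""
    if lockout.locked(a.user.name):
        return "reject: remote access account lockout"
    if not policies:
        return "reject: no remote access policies"
    for p in policies:                             # first matching policy decides
        if not all(c(a) for c in p.conditions):
            continue
        if a.user.dialin == DENY:
            return f"reject: account denies dial-in ({p.name})"
        if a.user.dialin == BY_POLICY and not p.grant:
            return f"reject: policy '{p.name}' denies"
        # ALLOW on the account overrides the policy's permission, not its profile
        if not all(c(a) for c in p.profile):
            return f"reject: profile of '{p.name}' not met"
        return "accept"
    return "reject: no policy matched"


# Constructed policies, in the order an administrator would place them; the
# last one mirrors the default policy, which matches everything and denies.
POLICIES = [
    Policy("VPN users",
           conditions=[lambda a: a.port_type == "Virtual", lambda a: "VPNUsers" in a.user.groups],
           grant=True,
           profile=[lambda a: a.auth_method in ("MS-CHAPv2", "EAP-TLS"), lambda a: a.encrypted]),
    Policy("Dial-up users",
           conditions=[lambda a: a.port_type == "Async", lambda a: "DialUpUsers" in a.user.groups],
           grant=True, profile=[lambda a: 7 <= a.hour < 19]),
    Policy("Allow access if dial-in permission is enabled",
           conditions=[lambda a: True], grant=False),
]


def scenarios() -> Dict[str, str]:
    lockout = AccountLockout(max_denials=3)
    alice = User("alice", {"VPNUsers"})
    bob = User("bob", {"DialUpUsers"})
    carol = User("carol", set(), dialin=ALLOW)      # no group, Allow on the account
    dave = User("dave", {"VPNUsers"}, dialin=DENY)  # in the group, Deny on the account
    r = {
        "alice, VPN, MS-CHAPv2+encryption": evaluate(Attempt(alice, "Virtual", "MS-CHAPv2", True, 10), POLICIES, lockout),
        "alice, VPN, PAP, no encryption": evaluate(Attempt(alice, "Virtual", "PAP", False, 10), POLICIES, lockout),
        "bob, dial-up at 23:00": evaluate(Attempt(bob, "Async", "MS-CHAPv2", True, 23), POLICIES, lockout),
        "carol, Allow overrides default Deny": evaluate(Attempt(carol, "Async", "CHAP", False, 3), POLICIES, lockout),
        "dave, Deny on account wins": evaluate(Attempt(dave, "Virtual", "EAP-TLS", True, 10), POLICIES, lockout),
    }
    for _ in range(3):                               # three bad passwords for alice
        lockout.record_failure("alice")
    r["alice after lockout"] = evaluate(Attempt(alice, "Virtual", "MS-CHAPv2", True, 10), POLICIES, lockout)
    return r


if __name__ == "__main__":
    for k, v in scenarios().items():
        print(f"{k:40} -> {v}")
```

Two of the outcomes are the ones that surprise administrators: carol is accepted by the default Deny policy because Allow on the account overrides the policy permission, and alice, who is in the right group, is refused after three bad passwords regardless of what the policies say.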

32 Lesson Summary
- Windows 2000 remote access provides two types of remote access: dial-in and VPN.
- A dial-in remote access connection consists of a remote access client, a remote access server, and a WAN infrastructure.
- RAS connections almost always use PPP for WAN communications.
- Although Routing and Remote Access is installed by default with Windows 2000 Server, you must use the Routing And Remote Access console to configure and enable the service.

33 Using Virtual Private Networks
A VPN is a connection between two computers across an internetwork or the Internet. In most cases a VPN is functionally similar to a WAN link, except that the Internet functions as the network medium.

34 Virtual Private Networking

35 Implementing a VPN
- Remote users use VPNs to connect securely to a remote corporate server over the Internet.
- From the user's perspective, the VPN is a point-to-point connection between the user's computer and a corporate server.
- Because a VPN uses the Internet, not a long-distance telephone line, phone charges are kept to a minimum.
- To secure private communications over the Internet, VPNs use a mechanism called tunneling.

36 Tunneling Basics
- Tunneling is a method of using an internetwork infrastructure to transfer a payload, such as packets of another protocol or of a private address space.
- The packet is encapsulated with an extra header generated by the tunneling protocol and, when the tunneling protocol supports it, encrypted. The extra header provides the routing information for the transit network.
- The encapsulated packet is routed between the endpoints over the transit internetwork.
- At the destination, the packet is de-encapsulated and forwarded to its final destination.
Encapsulation by itself provides no confidentiality: a tunnel is private only if the tunneling protocol, or IPsec underneath it, encrypts and authenticates the payload.

37 A VPN Tunnel

38 Tunnel Maintenance and Data Transfer
- Tunnel maintenance is the process of creating and managing the tunnel through the transit internetwork.
- Data transfer is the transmission of encapsulated data through the tunnel.
- Before data transfer can occur, a VPN client and server must create a tunnel. The client and server must use the same tunneling protocol.
- Some tunneling protocols require tunnel maintenance.

39 Tunneling Protocols
The most popular tunneling protocols used to create VPNs are:
- Point-to-Point Tunneling Protocol (PPTP)
- Layer 2 Tunneling Protocol (L2TP)
- IPsec
- IP-in-IP (IP-IP)

40 Point-to-Point Tunneling Protocol (PPTP)
- PPTP encapsulates PPP frames into IP datagrams (using a GRE header) for transmission over an IP internetwork such as the Internet.
- PPTP is also used in private LAN-to-LAN networking.
- PPTP payloads can be encrypted and compressed.
- PPTP connections are authenticated with the same PPP user authentication mechanisms as dial-in connections; PPTP has no separate tunnel-level authentication.
- Windows 2000 PPTP encryption (MPPE) requires EAP-TLS or MS-CHAP, because those methods derive the encryption keys.
- If end-to-end security is needed, IPsec is the preferred tunneling protocol.

41 A PPTP Packet

42 Layer 2 Tunneling Protocol (L2TP)
- L2TP combines the best features of PPTP and Layer 2 Forwarding (L2F).
- L2TP encapsulates PPP frames for transmission over IP, X.25, frame relay, or Asynchronous Transfer Mode (ATM) networks.
- When used with IP, L2TP can function as a tunneling protocol over the Internet, or it can be used in private LAN-to-LAN networking.
- L2TP supports encryption and compression.
- Windows 2000 uses IPsec to encrypt data in L2TP packets.

43 An L2TP Packet

44 PPTP vs. L2TP
Both PPTP and L2TP use PPP for point-to-point WAN connections, but there are differences between them:
- PPTP requires an IP internetwork; L2TP can use IP, frame relay, X.25, or ATM networks.
- L2TP provides header compression capability; PPTP does not.
- L2TP provides tunnel authentication (computer-level, through the IPsec security association); PPTP does not, and relies on PPP user authentication alone.
- PPTP uses PPP encryption (MPPE); L2TP requires IPsec for encryption.
From a security standpoint the last two points are decisive: MPPE keys derive from the MS-CHAP password exchange, and both MS-CHAP versions have published attacks, whereas L2TP over IPsec gets its keys from IKE and can authenticate the machines with certificates. Prefer L2TP/IPsec wherever the clients support it.

45 Internet Protocol Security (IPsec)
- IPsec, a Layer 3 tunneling protocol, supports the secure transfer of data across an IP internetwork.
- With IPsec in Tunnel mode, a complete IP datagram is encapsulated and encrypted with an Encapsulating Security Payload (ESP) header and trailer.
- The result is encapsulated with a plaintext outer IP header, addressed to the tunnel endpoints, and transmitted over the transit internetwork.
- On receipt, the tunnel server discards the plaintext outer IP header, authenticates and decrypts the ESP payload, and then processes the inner IP packet normally.
In Windows 2000, IPsec tunnel mode is intended for router-to-router (site-to-site) tunnels between fixed addresses; remote access clients with changing addresses use L2TP/IPsec instead.
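The encapsulate/decapsulate steps above, as an added example that is not part of the course material: the inner IP datagram becomes the ESP payload, an ESP header (SPI and sequence number), encryption and an integrity check value are added, and a plaintext outer IP header addressed to the tunnel endpoints is prepended; the receiver checks the sequence number and the ICV, decrypts, and hands the inner datagram on. The SPI, keys, addresses and payload are constructed. So that it runs on the standard library alone, a keystream built from HMAC-SHA256 in counter mode stands in for the DES/3DES-CBC that Windows 2000 actually used, and RFC 2406 padding and IV handling are left out.

```python
"""
Added example, not part of the course material: ESP tunnel-mode
encapsulation and decapsulation as described on slide 45. Constructed
for the example: SPI, keys, addresses and payload. A keystream from
HMAC-SHA256 in counter mode stands in for DES/3DES-CBC (RFC 2406) so the
code runs on the standard library; padding and IV handling are omitted.
"""
import hashlib
import hmac
import struct
from typing import Tuple

IPPROTO_IPIP, IPPROTO_ESP = 4, 50       # IP protocol numbers: IP-in-IP and ESP


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (TTL 64, no options) with a valid checksum."""
    a = lambda ip: bytes(int(x) for x in ip.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0, a(src), a(dst))
    csum = sum((hdr[i] << 8) | hdr[i + 1] for i in range(0, 20, 2))
    while csum >> 16:
        csum = (csum & 0xFFFF) + (csum >> 16)
    return hdr[:10] + struct.pack("!H", ~csum & 0xFFFF) + hdr[12:]


def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Stand-in stream cipher: HMAC-SHA256(key, nonce || counter) blocks."""
    blocks = (hmac.new(key, nonce + struct.pack("!I", i), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def xor(data: bytes, ks: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(data, ks))


class EspSa:
    """One security association, i.e. one direction of the tunnel."""

    def __init__(self, spi: int, enc_key: bytes, auth_key: bytes, outer_src: str, outer_dst: str):
        self.spi, self.enc_key, self.auth_key = spi, enc_key, auth_key
        self.outer_src, self.outer_dst = outer_src, outer_dst
        self.seq = 0            # sender side: last sequence number sent
        self.highest = 0        # receiver side: anti-replay state (window of 1 for brevity)

    def encapsulate(self, inner: bytes) -> bytes:
        self.seq += 1
        esp_hdr = struct.pack("!II", self.spi, self.seq)
        pt = inner + bytes([IPPROTO_IPIP])          # trailer: next header = IP datagram
        ct = xor(pt, keystream(self.enc_key, esp_hdr, len(pt)))
        icv = hmac.new(self.auth_key, esp_hdr + ct, hashlib.sha256).digest()[:12]   # 96-bit ICV
        esp = esp_hdr + ct + icv
        return ipv4_header(self.outer_src, self.outer_dst, IPPROTO_ESP, len(esp)) + esp

    def decapsulate(self, packet: bytes) -> bytes:
        outer, esp = packet[:20], packet[20:]
        if outer[9] != IPPROTO_ESP:
            raise ValueError("not ESP")
        esp_hdr, ct, icv = esp[:8], esp[8:-12], esp[-12:]
        spi, seq = struct.unpack("!II", esp_hdr)
        if spi != self.spi:
            raise ValueError("unknown SPI")
        if seq <= self.highest:                     # preliminary replay check (RFC 2406 3.4.3)
            raise ValueError("replayed or out-of-window sequence number")
        expected = hmac.new(self.auth_key, esp_hdr + ct, hashlib.sha256).digest()[:12]
        if not hmac.compare_digest(expected, icv):  # verify before decrypting
            raise ValueError("ICV mismatch: modified in transit or wrong key")
        self.highest = seq                          # window advances only after the ICV passes
        pt = xor(ct, keystream(self.enc_key, esp_hdr, len(ct)))
        if pt[-1] != IPPROTO_IPIP:
            raise ValueError("unexpected next header")
        return pt[:-1]                              # original inner datagram, handled normally


def make_pair() -> Tuple[EspSa, EspSa]:
    """Sender and receiver sharing one SA (constructed keys; a real SA comes from IKE)."""
    args = (0x1000, b"e" * 32, b"a" * 32, "203.0.113.1", "198.51.100.1")
    return EspSa(*args), EspSa(*args)


def demo() -> Tuple[bytes, bytes, bytes]:
    """(inner datagram, packet on the wire, datagram recovered by the receiver)."""
    sender, receiver = make_pair()
    payload = b"hello from the branch office"
    inner = ipv4_header("10.0.1.5", "10.0.2.9", 17, len(payload)) + payload   # 17 = UDP
    wire = sender.encapsulate(inner)
    return inner, wire, receiver.decapsulate(wire)


def attacks_refused() -> Tuple[bool, bool]:
    """(replay refused, tampering refused) for one valid packet."""
    sender, receiver = make_pair()
    wire = sender.encapsulate(b"\x45" + b"\x00" * 19)
    receiver.decapsulate(wire)                      # first delivery is fine
    try:
        receiver.decapsulate(wire); replay = False  # same packet again
    except ValueError:
        replay = True
    tampered = wire[:30] + bytes([wire[30] ^ 0x01]) + wire[31:]   # flip one ciphertext byte
    try:
        make_pair()[1].decapsulate(tampered); tamper = False
    except ValueError:
        tamper = True
    return replay, tamper
```

On the wire only the outer header is readable: the inner addresses 10.0.1.5 and 10.0.2.9 and the payload are inside the ciphertext, which is what lets the private address space cross the Internet and what hides the internal topology from anyone on the transit path.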

46 IP-in-IP (IP-IP)
- An Open Systems Interconnection (OSI) Layer 3 tunneling technique
- Creates a virtual network by encapsulating an IP packet with an additional IP header
- Primarily used for tunneling multicast traffic over sections of a network that do not support multicast routing
- Packet structure consists of the outer IP header, the tunnel header, the inner IP header, and the IP payload
- Provides no encryption or authentication of its own

47 Integrating a VPN in a Routed Environment
VPNs can also isolate a department LAN that is physically connected to the corporate internetwork but sits behind a VPN server. In this situation, the VPN server does not act as an ordinary router between the two networks, because a router would let every internetwork user reach the department LAN. Only users with appropriate credentials can establish a VPN with the VPN server and access the protected resources. To all other internetwork users, the department's LAN is hidden from view.

48 Integrating VPN Servers with the Internet

49 Branch Office VPN Connections over the Internet

50 Managing Virtual Private Networking
VPN security issues must be managed carefully, particularly with Internet VPN connections. To manage users, most administrators set up a master account database on a domain controller or a RADIUS server. This:
- Enables the VPN server to send authentication credentials to the central authentication server
- Requires only one user account per user for both dial-in and VPN-based remote access

51 Managing Addresses and Name Servers for VPN Clients
- The VPN server must have IP addresses available to assign to the server's interface and to VPN clients during the IP Control Protocol (IPCP) negotiation phase of the connection process.
- By default, a Windows 2000 VPN server leases a block of addresses from Dynamic Host Configuration Protocol (DHCP) and hands them to clients during IPCP; the clients themselves never talk to the DHCP server. Alternatively the server can be configured with a static address pool.
- The VPN server must be configured with the IP addresses of Domain Name System (DNS) and Windows Internet Name Service (WINS) servers on the network, which it passes to clients.

52 Managing Access for VPN Clients
If you manage remote access on a user basis, select the Allow Access option in the Dial-In tab of the user's Properties dialog box to enable the user to establish VPN connections.
If you manage remote access on a group basis:
1. Select the Control Access Through Remote Access Policy option on all user accounts.
2. Create a group of users who can create VPN connections.
3. Create an appropriate remote access policy.
4. Assign the group to the remote access policy.

53 Lesson Summary
- A VPN mimics the properties of a dedicated private network, enabling data to be transferred between two computers across an internetwork, such as the Internet.
- VPNs use tunneling to transfer data.
- Primary protocols used by Windows 2000 for VPN access are PPTP, L2TP, IPsec and IP-IP.
- Branch offices can use dedicated lines or dial-up lines to establish VPN connections over the Internet.

54 Using NAT and ICS
Network address translation (NAT) enables private IP addresses to be translated into public IP addresses for traffic to and from the Internet. Internet Connection Sharing (ICS) is a Windows 2000 Server feature that uses NAT to share a single Internet connection among all of the computers on a small office or home office (SOHO) network. NAT and ICS are designed to connect SOHO networks to the Internet.

55 Network Address Translation
Windows 2000 NAT enables computers on a small network to share a single Internet connection with one public IP address. The computer that NAT is installed on can act as a network address translator, a simplified DHCP server, a DNS proxy, and a WINS proxy. NAT helps conserve the public IP address space, and because unsolicited inbound packets match no translation table entry they are dropped, which keeps Internet hosts from reaching private computers directly. NAT is not a firewall, however: it does not inspect traffic, and any static mapping you add opens a path to the mapped host.

56 Understanding NAT
Component: Translation. Function: the NAT computer acts as a network address translator, translating the IP addresses and TCP/UDP port numbers of packets forwarded between the private network and the Internet.
Component: Addressing. Function: the NAT computer becomes a simplified DHCP server for the network.
Component: Name resolution. Function: the NAT computer becomes a DNS proxy for the network, forwarding clients' queries to the DNS servers configured on its Internet interface.

57 Routed and Translated Internet Connections
Connection type: Routed. Description: requires a range of registered IP addresses and a router for computers to access and become part of the Internet; every internal host is directly reachable from the Internet.
Connection type: Translated (or NAT). Description: uses a router and a range of private IP addresses, which are hidden from Internet users. This type of connection exposes less by default, since only mapped ports are reachable from outside.

58 How NAT Works
- NAT enables networks to use private IP addresses and still participate on the Internet.
- On a translated network, the router (called the NAT computer) has a registered IP address and also runs the NAT service.
- The NAT computer is the intermediary between clients on a private network and servers on the Internet.
- Only the NAT computer is visible to Internet users; inbound packets that match no mapping are dropped, so clients cannot be reached unless they initiated the traffic or a static mapping was created for them.

59 Using NAT to Transparently Connect an Intranet to the Internet

60 Static and Dynamic Address Mapping
NAT can use either static or dynamic address mapping.
- With static mapping, traffic is always mapped a certain way; for example, the private IP address of a Web server is mapped to a specific public IP address and port.
- Dynamic mappings are created when users on the private network initiate traffic with Internet locations. The NAT service adds these mappings to its mapping table so it can forward replies from the Internet server to the client.

61 Proper Translation of Header Fields
A NAT server, by default, translates IP addresses and TCP/UDP ports. The translation requires modification of various fields in the IP, TCP, and UDP headers. When applications and protocols carry IP address or port information in places other than their headers, the NAT server requires a NAT editor to properly translate that information.

62 NAT Editors
When the NAT server must translate the payload beyond the IP, TCP, and UDP headers, a NAT editor is required. A NAT editor is an installable component that can properly modify otherwise nontranslatable payloads so they can be forwarded across a NAT. Windows 2000 includes built-in NAT editors for:
- File Transfer Protocol (FTP)
- Internet Control Message Protocol (ICMP)
- PPTP
- NetBIOS over TCP/IP
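The translation table of slide 60 and the editor problem of slides 61 and 62, as an added example that is not part of the course material: a NAT device that keeps static and dynamic mappings, rewrites source addresses on the way out, drops unsolicited inbound packets, and runs an FTP editor that rewrites the private address carried inside an active-mode PORT command while creating, in advance, the inbound mapping the server's data connection will need. Addresses, ports and the sample packets are constructed, and the sequential port allocation is a simplification of what the Windows 2000 NAT service does.

```python
"""
Added example, not part of the course material: a NAT translation table
with static and dynamic mappings (slide 60) plus an FTP NAT editor
(slides 61-62). Addresses, ports and sample packets are constructed; the
sequential port allocation simplifies what the Windows 2000 NAT does.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]                  # (IP address, TCP/UDP port)


@dataclass
class Packet:
    src: Endpoint
    dst: Endpoint
    payload: bytes = b""


class NatDevice:
    def __init__(self, public_ip: str, first_port: int = 1025):
        self.public_ip, self.next_port = public_ip, first_port
        self.outbound: Dict[Endpoint, Endpoint] = {}   # private endpoint -> public endpoint
        self.inbound: Dict[Endpoint, Endpoint] = {}    # public endpoint  -> private endpoint

    def add_static(self, public_port: int, private: Endpoint) -> None:
        """Slide 60, static mapping: an internal Web server on a fixed public port.
        This deliberately exposes one host; it is the exception to 'clients are hidden'."""
        pub = (self.public_ip, public_port)
        self.inbound[pub], self.outbound[private] = private, pub

    def _mapping_for(self, private: Endpoint) -> Endpoint:
        """Slide 60, dynamic mapping: created on first outbound use, then reused."""
        if private not in self.outbound:
            pub = (self.public_ip, self.next_port)
            self.next_port += 1
            self.outbound[private], self.inbound[pub] = pub, private
        return self.outbound[private]

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Private -> Internet: rewrite the source; run an editor when the payload needs it."""
        if pkt.dst[1] == 21:                        # FTP control channel
            pkt = self._ftp_editor(pkt)
        return Packet(self._mapping_for(pkt.src), pkt.dst, pkt.payload)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> private: forwarded only if a mapping exists, otherwise dropped."""
        private = self.inbound.get(pkt.dst)
        return None if private is None else Packet(pkt.src, private, pkt.payload)

    def _ftp_editor(self, pkt: Packet) -> Packet:
        """Active-mode FTP sends 'PORT h1,h2,h3,h4,p1,p2' in the payload; without
        rewriting, the server would try to connect to the unroutable private address."""
        if not pkt.payload.startswith(b"PORT "):
            return pkt
        f = pkt.payload[5:].strip().split(b",")
        if len(f) != 6:
            return pkt
        priv = (".".join(x.decode() for x in f[:4]), int(f[4]) * 256 + int(f[5]))
        pub_ip, pub_port = self._mapping_for(priv)      # mapping for the coming data connection
        fields = pub_ip.split(".") + [str(pub_port // 256), str(pub_port % 256)]
        return Packet(pkt.src, pkt.dst, b"PORT " + ",".join(fields).encode() + b"\r\n")


def demo() -> Dict[str, object]:
    nat = NatDevice("203.0.113.10")
    nat.add_static(80, ("192.168.0.20", 80))             # published internal Web server
    server = "198.51.100.7"
    # client opens an FTP control connection and announces data port 156*256+65 = 40001
    ctl = nat.translate_outbound(Packet(("192.168.0.5", 40000), (server, 21), b"PORT 192,168,0,5,156,65\r\n"))
    # the editor handed out the first dynamic port (1025) for that data connection,
    # so this is where the server connects back to
    data = nat.translate_inbound(Packet((server, 20), ("203.0.113.10", 1025)))
    return {
        "control_src": ctl.src,
        "rewritten_port_cmd": ctl.payload,
        "data_delivered_to": None if data is None else data.dst,
        "web_request_to": nat.translate_inbound(Packet((server, 50000), ("203.0.113.10", 80))).dst,
        "unsolicited": nat.translate_inbound(Packet((server, 4444), ("203.0.113.10", 5555))),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:20} {v!r}")
```

The unsolicited packet to port 5555 is returned as None, which is the whole of the "protection" NAT gives; the Web request to port 80 goes straight through to 192.168.0.20 because an administrator mapped it, and the FTP data connection goes through because the editor mapped it on the client's behalf.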

63 Implementing NAT
To implement NAT on a Windows 2000 server, you add NAT as a routing protocol in the Routing And Remote Access snap-in. The process is simplified by the Routing And Remote Access Server Setup Wizard. To access the Routing And Remote Access snap-in, click Start, point to Programs, point to Administrative Tools, and then click Routing And Remote Access.

64 The Internet Connection Page in the Routing And Remote Access Server Setup Wizard

65 The Interface Name Page in the Demand Dial Interface Wizard

66 The Select A Device Page in the Demand Dial Interface Wizard

67 The Protocols And Security Page in the Demand Dial Interface Wizard

68 The Dial Out Credentials Page in the Demand Dial Interface Wizard

69 Internet Connection Sharing (ICS)
ICS is a simplified implementation of NAT. ICS is not as customizable as NAT, but it:
- Is easy to set up
- Provides all required features to connect a small network to the Internet by using a dial-up connection
ICS uses the following parameters:
- Single public IP address
- Fixed address range for hosts (the ICS computer's internal adapter takes 192.168.0.1, and clients are assigned from 192.168.0.2 through 192.168.0.254 with a 255.255.255.0 mask)
- DNS proxy for name resolution
- Automatic IP addressing

70 Internet Connection Sharing (Cont.)
When you enable ICS, you provide NAT, IP addressing, and name resolution services for all computers on your network. Before enabling ICS, consider the following:
- You should not use ICS on a network with other Windows 2000 Server domain controllers, DNS servers, gateways, DHCP servers, or systems configured for static IP.
- When you enable ICS, the network interface adapter connected to the private network is assigned a new IP address, and existing TCP/IP connections are lost.

71 Internet Connection Sharing (Cont.)
Before enabling ICS, consider the following (Cont.):
- Clients must be configured to use TCP/IP and to obtain their TCP/IP settings from a DHCP server.
- If the ICS computer uses a modem or ISDN to connect to the Internet, select the Enable On-Demand Dialing check box in the Sharing tab of the connection's Properties dialog box.
Enable ICS for a connection by using Network And Dial-Up Connections.

72 Enabling ICS in the Sharing Tab in a Dial-In Connection's Properties Dialog Box

73 Internet Connection Sharing and NAT
In Windows 2000 Server, you can use either ICS or NAT to configure a translated connection to the Internet.
ICS feature vs. NAT feature:
- Single check box configuration vs. manual configuration
- Single public IP address vs. multiple public IP addresses
- Fixed address range for internal hosts vs. configurable address range for internal hosts
- Single internal interface vs. multiple internal interfaces

74 Lesson Summary
- NAT enables computers with private IP addresses to access the Internet, just as though they had registered IP addresses.
- A NAT server modifies the headers of client request packets destined for the Internet. Internet servers receive these packets and respond to the NAT server, which relays the response to the client.
- Windows 2000 Server includes a NAT routing protocol as part of the Routing and Remote Access feature.
- ICS is a Windows 2000 feature that provides the same basic functions as NAT but with a simplified configuration process and limited options.

75 Using Terminal Services
Terminal Services is a Windows 2000 Server feature that provides thin-client access to Windows 2000 and the latest Windows-based applications for client computers. You can use Terminal Services to:
- Access your desktop and installed applications from any supported remote client computer
- Increase flexibility in application deployment
- Control computer management costs
- Remotely administer network resources

76 Overview of Terminal Services
Terminal Services is a client/server application that consists of:
- A service that runs on a computer running Windows 2000 Server
- A client that runs on a computer or terminal
Terminal Services performs all operating system functions, client application execution, data processing, and data storage on the server. Terminal Services clients run a terminal emulation program that transmits keystrokes and mouse movements to the server, and clients receive display information in return. Users can access Terminal Services over any Transmission Control Protocol/Internet Protocol (TCP/IP) connection; the Remote Desktop Protocol listens on TCP port 3389. That port should not be exposed directly to the Internet: reach it through a VPN or a filtered network path instead.

77 Remote Administration Mode
Using Terminal Services in Remote Administration mode enables you to:
- Use any TCP/IP connection to remotely administer any Windows 2000 Server computer on the network
- Perform tasks remotely as though you were sitting at the console
This mode installs only the remote access components of Terminal Services, not the application-sharing components, and allows at most two concurrent connections, which are intended for members of the Administrators group. Client licensing is not required in Remote Administration mode.

78 Application Server Mode
You can use Terminal Services in Application Server mode to deploy and manage all applications used by Terminal Services clients from a central location. Clients can then run the applications by using any available TCP/IP connection. Client licensing is required when deploying Terminal Services in Application Server mode.

79 Installing Terminal Services
By default, Terminal Services and Terminal Services Licensing are not installed during the installation of Windows 2000 Server. You can install them by specifying them during the operating system installation, or afterward by using the Add/Remove Programs tool in Control Panel.

80 The Windows Components Page in the Windows Components Wizard

81 The Terminal Services Setup Permissions Selection Page in the Windows Components Wizard

82 The Terminal Services Setup Cautions Page in the Windows Components Wizard

83 Terminal Services Manager
Terminal Services Manager is a Microsoft Management Console (MMC) console that is installed during the installation of Terminal Services. Use this console to:
- Manage all of the Windows 2000 Terminal Services installations on your network
- View current users, servers, and processes
- Send messages to specific users
- Use the Remote Control feature
- Terminate processes

84 The Terminal Services Manager Console

85 Terminal Services Configuration
Terminal Services Configuration is an MMC console you can use to manage your Remote Desktop Protocol (RDP) connection settings. Settings made with this tool apply to every session on the server and override the corresponding per-user settings, unless you choose to inherit a given setting from the user account configuration. Of the many configurable options, the three most commonly used are:
- Logon settings
- Time-outs
- Remote control options
The same console also sets the RDP encryption level for the connection; for sessions that carry credentials or administrative work, set it to High so that traffic in both directions is encrypted with the strongest key length the client supports.

86 Terminal Services Client Creator
The Terminal Services Client Creator is a utility that creates floppy disk sets for installing the Terminal Services Client software on other Microsoft Windows computers. Making the client files available on an internal network share is recommended. The default location for these files is C:\Winnt\System32\Clients.

87 Using Terminal Services Client Creator

88 Terminal Services Licensing
Terminal Services has its own method for licensing clients that log on to Terminal Services servers. This licensing is separate from the licensing for Windows 2000 Server clients. Terminal Services licensing includes four components:
- Microsoft Clearinghouse
- Terminal Services Licensing server
- Terminal Services server
- Client licenses

89 Microsoft Clearinghouse
Microsoft Clearinghouse is the database Microsoft maintains to:
- Activate license servers
- Issue client license key packs to license servers that request them
You can access the Microsoft Clearinghouse through the Licensing Wizard in the Terminal Services Licensing snap-in.

90 Terminal Services Licensing Server
The Terminal Services Licensing server is separate from Terminal Services. It stores all of the Terminal Services client licenses that have been installed and tracks the licenses issued to client computers. A Terminal Services server must be able to connect to an activated Terminal Services Licensing server before clients can be issued licenses.

91 Terminal Services Server
A Terminal Services server is a computer running Windows 2000 Server on which Terminal Services is enabled and running. When clients log on to a Terminal Services server, the server validates the client license. If the client does not have a license, the Terminal Services server requests one from the Terminal Services Licensing server.

92 Client Licenses
Each client computer or terminal that connects to a Terminal Services server must have a valid client license. The client license is stored locally and is presented to the Terminal Services server each time the client connects to the server.

93 Deploying a Terminal Services Licensing Server
The deployment process includes installing the server, activating the server, and installing the licenses. The license server must be activated through the Microsoft Clearinghouse and loaded with client access licenses. Terminal Services Licensing is installed separately from Terminal Services. It is often preferable to run Terminal Services Licensing on a different server than Terminal Services.

94 Deploying a Terminal Services Licensing Server (Cont.)
There are two types of license servers:
- Domain license server
- Enterprise license server
Use the Add/Remove Programs tool in Control Panel to install Terminal Services Licensing.

95 The Terminal Services Licensing Setup Page in the Windows Components Wizard

96 Activating a License Server
You must activate a Windows 2000 Terminal Services Licensing server within 90 days of enabling Terminal Services in Application Server mode; until then the Terminal Services server issues temporary licenses. Use the Licensing Wizard in the Terminal Services Licensing console to activate the license server.

97 Installing Licenses
You must purchase Windows 2000 Terminal Services client access licenses or Internet connector licenses. Install the licenses by using the Licensing Wizard in the Terminal Services Licensing console. After you install the licenses, the Terminal Services Licensing server can begin issuing them.

98 Deploying Terminal Services Clients
Client computers or terminals connect to a Terminal Services server by using Terminal Services client software. Ensure that client computers or terminals are physically capable of hosting the client software and connecting over the network. There are two ways to deploy Terminal Services client software:
- Create a file share to do the installation over the network.
- Create client installation disks, using the Terminal Services Client Creator.

99 Lesson Summary
- Terminal Services performs all operating system functions, client application execution, data processing, and data storage on the server.
- Terminal Services clients run a terminal emulation program that transmits keystrokes and mouse movements to the server, and clients receive display information in return.
- Terminal Services can be enabled in Remote Administration mode or Application Server mode.
- Terminal Services clients require an access license, which is maintained by a Terminal Services Licensing server.

