Lecture

Networking II Lesson Plan Week 13 Addendum

Remote Access



Remote Access Overview


  1. Remote access allows mobile users to reach network resources from outside the LAN. As everyone is probably familiar with remote Internet access via modems, you can move on to the next section quickly.


Dial-up Remote Access


  1. This section discusses dial-up remote access. Modems are the oldest form of remote access. They offer the advantage of near-universal availability (any telephone line will do) at the cost of speed.

  2. This section also briefly discusses the V.90 and V.92 modem standards. Students may not know that these standards allow for slower upload speeds than download speeds. This might make an interesting discussion topic.





Teaching Tip

Have students research the V.90, V.92, and other modem standards. In particular, have them research why each standard has different upload and download speed capabilities. For any student who may one day buy a modem, knowledge of these standards can be useful when deciding what to purchase.



VPN Remote Access


  1. The basic purpose of a VPN is to carry private traffic over a public network such as the Internet. The traffic is encapsulated in a tunnel and encrypted so that it can cross the untrusted network without being read or altered in transit.

  2. Students should understand that the advantages of VPN over traditional dial-up consist of increased speed potential (the client uses whatever Internet connection it already has) and easier administration (no modem banks or phone lines on the server side).

  3. Not surprisingly, the main drawback of VPN connections is security. The server is reachable from the whole Internet rather than from a phone number, and the connection is only as strong as the tunneling protocol, authentication method, and encryption settings chosen for it. The later sections on VPN protocols and authentication methods cover exactly these choices.


Enabling and Configuring a Dial-up Server


  1. Use the Routing and Remote Access Service (RRAS) to configure your Windows Server 2003 machine as a dial-up server, VPN server, or router. The service is included with Windows Server 2003 but is disabled until you enable and configure it manually.

  2. The rest of this section outlines the steps necessary to install a modem. You can probably safely skip this material, as it is straightforward and most students have performed such an installation before. Regardless, the next activity will make sure every student has installed a modem manually.


Activity 10-1: Installing a Modem


  1. In this activity, the student will be required to install a modem.


Enabling RRAS for Dial-up Connections


  1. The configuration of RRAS is performed through the Routing and Remote Access snap-in.

  2. A red (stopped) or green (started) arrow on the server icon indicates whether the service is running.

  3. For first time configuration, a wizard is provided. The next activity will demonstrate this.


Activity 10-2: Enabling RRAS as a Dial-up Server


  1. In this activity, students will be configuring RRAS to act as a remote access server.


Dial-up Protocols


  1. Two kinds of protocols matter for dial-up access: remote access (link-layer) protocols and LAN (network-layer) protocols.

  2. LAN protocols supported by RRAS include TCP/IP, IPX/SPX, and AppleTalk. Remote access protocols supported include PPP and SLIP (SLIP only for outgoing client connections). To reach the LAN through a dial-up session, the client computer must have the required LAN protocols installed; the remote access protocol merely carries them.

  3. Ensure that students understand the division of labour: the remote access protocol runs on the point-to-point link itself, while the LAN protocols ride inside it. (The same PPP frames are what the PPTP and L2TP tunnels of the later sections carry, which is why the VPN authentication options mirror the dial-up ones.) Between the two, PPP is the newer and more widely used protocol. It is popular because of its ability to negotiate IP configuration automatically (via IPCP), its wide availability, and its ability to carry multiple LAN protocols.

  4. The remainder of this section discusses multilink connections. The idea behind a multilink connection is that a remote access client can bundle multiple modems (and phone lines) to increase data transfer speeds. BAP (Bandwidth Allocation Protocol) and BACP (Bandwidth Allocation Control Protocol) manage the multiple dial-up connections dynamically: links are added to the bundle as demand rises and dropped as it falls.


Activity 10-3: Creating a Dial-up Connection


  1. In this activity, students will be configuring their server with a dial-up connection.


Enabling and Configuring A VPN Server


  1. This section begins by noting that dial-up and VPN connections are configured very similarly. The key difference is that VPN connections need no special hardware: a regular network card with a route to the Internet is sufficient, and no modems are necessary.

  2. RRAS is used to make Windows Server 2003 act as a VPN server.

  3. The rest of this section outlines the steps necessary to configure a VPN server. The next activity is aimed at giving students practice with this process.


Activity 10-4: Enabling RRAS as a VPN Server


  1. In this activity, students will be enabling RRAS to act as a VPN server.


VPN Protocols


  1. Windows Server 2003 supports two VPN tunneling protocols: PPTP and L2TP. It is important to note that, by default, RRAS configures 128 ports (simultaneous connections) for each protocol. If this is excessive for your network, reduce the number so the server cannot accept more tunnels than you intend to serve. Reducing the number of ports to zero effectively disables the protocol.

  2. PPTP is the older and more widely deployed of the two. It authenticates only the user (through PPP authentication), not the computers at either end of the tunnel, and with the usual MS-CHAP authentication its MPPE encryption keys are derived from the user's credentials, so the tunnel's confidentiality is only as good as the user's password. This represents a security risk. However, PPTP passes through NAT as long as the NAT device understands GRE (IP protocol 47), which most do. This matters to large businesses with many clients behind NAT.

  3. L2TP adds the benefit of computer authentication, using machine certificates or a pre-shared key. L2TP adds increased security at the cost of limited NAT support (unless both ends support IPSec NAT Traversal) and more complex network configuration, chiefly the certificate deployment. Also, students should understand that L2TP alone is not enough to provide a VPN connection: L2TP only tunnels the PPP frames and provides no encryption of its own, so Windows always pairs it with IPSec (as L2TP/IPSec), which supplies both the computer authentication and the encryption.


Activity 10-5: Modifying the Default Number of VPN Ports


  1. In this activity, students will be decreasing the number of PPTP and L2TP ports on their VPN server to only ten each.


Configuring Remote Access Servers


  1. As with many configurations, the default remote access server settings are often sufficient for average network requirements.

  2. The rest of this section discusses the different configuration options for remote access. The configurations all fit into the categories of: general configuration, security settings, PPP settings, and logging.


Authentication Methods


  1. There are a number of authentication methods available for dial-up, PPTP, and L2TP connections. As several of them look similar, it is important to ensure that students understand the advantages and disadvantages of each.

  2. The authentication methods allowed by Windows Server 2003 include: no authentication, PAP, SPAP, CHAP, MS-CHAP, MS-CHAPv2, and EAP. The list is in roughly increasing order of strength.

  3. PAP transmits passwords in plain text, while SPAP uses reversible encryption; anyone capturing the exchange can recover the password, so neither should be enabled except for clients that support nothing better.

  4. CHAP (MD5-CHAP) is a challenge-response method, but because the server must compute MD5 over the actual password to check the response, it requires the passwords stored in Active Directory to be kept with reversible encryption, which weakens the whole directory. MS-CHAP is also challenge-response, but its response is computed from the one-way NT hash of the password, so the directory can keep passwords in non-reversible form.

  5. MS-CHAPv2 is an upgrade to MS-CHAP: it adds mutual authentication (the client also verifies the server), drops the weak LAN Manager response, and derives stronger, per-direction encryption keys.

  6. Finally, EAP is more of an authentication framework than a single method: client and server negotiate a specific EAP type, such as EAP-TLS with certificates or smart cards.

  7. Students should be encouraged to read about each authentication method carefully so that they know exactly how each operates if required to choose one for their network.
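The CHAP-versus-MS-CHAP storage point in items 3 and 4 above is easiest to see in code. The following Python program is an added example written for these notes, not code from the textbook or from Windows. It runs an RFC 1994 CHAP exchange with a constructed challenge, identifier and password and shows that the server can only verify the response if it holds the password itself; it then computes the real NT hash (MD4 over the UTF-16LE password, which is what MS-CHAP works from) and shows a challenge-response keyed on that hash verifying from the hash alone. One substitution is labelled in the code: MS-CHAP's actual NT-Response is three DES operations under keys cut from the NT hash (RFC 2433), and since DES is not in the Python standard library an HMAC-SHA1 keyed with the NT hash stands in for it. The secret each verifier needs, which is the point of the demonstration, is unaffected by that substitution.

```python
"""CHAP vs. MS-CHAP: what the server must hold to check a response.

Added example for these notes (not textbook or Windows code).  Challenge,
identifier and password values are constructed for the demonstration.
"""
import hashlib
import hmac
import os
import struct


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, implemented here because hashlib lacks it on many builds."""
    mask = 0xFFFFFFFF
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask

    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)

    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), range(16)),
        (g, 0x5A827999, (3, 5, 9, 13), [(i % 4) * 4 + i // 4 for i in range(16)]),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for func, const, shifts, order in rounds:
            for i, k in enumerate(order):
                a, b, c, d = d, rotl((a + func(b, c, d) + x[k] + const) & mask, shifts[i % 4]), b, c
        state = [(s + v) & mask for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """The one-way NT hash MS-CHAP works from: MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))


# ---- RFC 1994 CHAP ---------------------------------------------------------
def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Client side: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier: int, stored: bytes, challenge: bytes, response: bytes) -> bool:
    """Server side.  Only works when `stored` is the password itself, which is
    why CHAP forces reversibly encrypted passwords in Active Directory."""
    return hmac.compare_digest(chap_response(identifier, stored, challenge), response)


# ---- NT-hash-keyed challenge/response (the MS-CHAP storage model) ----------
# Stand-in: MS-CHAP's real NT-Response is three DES encryptions of the
# challenge under keys cut from the NT hash (RFC 2433).  DES is not in the
# standard library, so HMAC-SHA1 keyed with the NT hash replaces it here.
# What the verifier needs (the hash, never the password) is unchanged.
def hash_keyed_response(nt: bytes, challenge: bytes) -> bytes:
    return hmac.new(nt, challenge, hashlib.sha1).digest()


def hash_keyed_verify(stored_nt: bytes, challenge: bytes, response: bytes) -> bool:
    return hmac.compare_digest(hash_keyed_response(stored_nt, challenge), response)


def demo(password: str = "password", challenge: bytes = None) -> dict:
    """Run one challenge of each scheme against two server-side stores:
    the password itself (reversible) and only its NT hash (non-reversible)."""
    challenge = challenge or os.urandom(16)     # constructed; a real server picks its own
    ident = 0x01
    secret = password.encode("utf-8")
    nt = nt_hash(password)

    # The client knows the password and computes both kinds of response.
    chap_resp = chap_response(ident, secret, challenge)
    hk_resp = hash_keyed_response(nt, challenge)

    return {
        "nt_hash_hex": nt.hex(),
        # CHAP server holding the reversible password: can verify.
        "chap_with_secret": chap_verify(ident, secret, challenge, chap_resp),
        # CHAP server holding only the NT hash: cannot (the hash is not the secret).
        "chap_with_hash_only": chap_verify(ident, nt, challenge, chap_resp),
        # Hash-keyed server holding only the NT hash: verifies fine.
        "hash_keyed_with_hash": hash_keyed_verify(nt, challenge, hk_resp),
        # A wrong password still fails.
        "hash_keyed_wrong_pw": hash_keyed_verify(nt_hash("Passw0rd"), challenge, hk_resp),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:>22}: {value}")
```

Running it prints the well-known NT hash of "password" (8846f7eaee8fb117ad06bdd830b7586c) alongside the four verification results. The lesson for the classroom is the middle pair: the same one-way hash that is useless to a CHAP verifier is all an MS-CHAP-style verifier needs, which is exactly why enabling CHAP forces the "store passwords using reversible encryption" setting while MS-CHAP does not.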


IP Address Management


  1. An IP address assigned to a client can come from a static pool of addresses configured on the remote access server or from a DHCP server.

  2. The WINS and DNS settings handed to the client are simply taken from a configured interface on the server machine.

  3. It should be noted that when DHCP is used, the remote access server itself leases addresses (in blocks) from the DHCP server and hands them to its clients; for the clients' own DHCP requests for options to reach the DHCP server, a DHCP Relay Agent must be configured on the remote access server.


Allowing Client Access


  1. Upon initial configuration, no user is granted remote access permission.

  2. Remote access permission for a user is controlled on the Dial-in tab of that user's account object. The object lives either in the local user account database or in Active Directory on the domain controller, depending on whether Active Directory is in use on the network.

  3. The rest of this section outlines the steps to configuring remote access permissions. Use this section as a reference when performing the next activity.


Activity 10-6: Allowing a User Remote Access Permission


  1. In this activity, students will create a new user for the network and provide for this user remote access permissions.


Creating a VPN Client Connection


  1. Windows Server 2003 can act as a VPN client as well as a VPN server.

  2. A VPN connection is created using the New Connections wizard. The following activity will demonstrate the process of creating a new VPN connection.


Activity 10-7: Creating a Client VPN Connection


  1. In this activity, students will create and test a new VPN connection on their Windows Server 2003 machine.


Configuring a VPN Client Connection


  1. Almost all of the configuration required for a VPN client connection is done through the New Connection wizard. The purpose of this section, however, is to show that every setting specified in the wizard can also be modified manually afterwards in the connection's properties.


Remote Access Policies


  1. Remote access policies are essential in controlling and allowing remote access. How these policies are applied depends on whether the domain is in mixed or native mode.

  2. An important concept for students here is that remote access policies are stored locally on each remote access server rather than in Active Directory. This allows customized access rules per server, but it also means that several servers must be kept consistent by hand (unless they are made RADIUS clients of a central IAS server, which then holds the policies).

  3. The text states three key concepts in understanding remote access policies. These are: remote access policy components, remote access policy evaluation, and default remote access policies. Each will be discussed in future sections.


Remote Access Policy Components


  1. Students need to understand that a remote access policy is itself comprised of conditions, a remote access permission, and a profile. Only the conditions and profile are used in a mixed-mode domain; the permission is then taken solely from the user account.

  2. Conditions are attributes of the incoming connection (such as the day and time, the NAS port type, or the Windows group of the caller) that must all be met for a remote access policy to apply to the connection. There are a number of conditions that can be specified. Reference table 10-1.

  3. If the conditions are met, the remote access permission is checked.

  4. The profile consists of settings applied to the remote access connection if both the conditions are met and permission is granted. A connection that cannot satisfy the profile's constraints is still rejected at this point.

  5. There are a number of settings that a profile can consist of. Reference this section of the text for specific details. However, the general categories of settings include: dial-in constraints, IP settings, multilink settings, advanced settings, encryption settings, and authentication settings. Students should gain a little experience with these settings by performing the next activity.


Activity 10-8: Creating a Remote Access Policy


  1. In this activity, the students will be instructed to create a remote access policy according to the provided instructions.


Remote Access Policy Evaluation


  1. This section helps students set up remote access policies by explaining how the system evaluates them when a connection arrives.

  2. Condition evaluation begins by checking whether any policies exist at all; if none do, every connection attempt is rejected. The conditions of each policy are then compared, in policy order, with the attributes of the actual connection being attempted. The first policy whose conditions all match is used and no later policy is consulted; if no policy matches, the connection is rejected. This is a very important point to make to students: policy order matters.

  3. Permission is evaluated differently depending on whether the policy's Ignore-User-Dialin-Properties attribute is set to true or false. When it is false (the default), the user account's dial-in setting is consulted first: Deny rejects, Allow grants, and Control access through Remote Access Policy defers to the policy's own permission. When it is true, the policy's permission alone decides. Reference the provided flow chart when teaching the evaluation of permissions.

  4. The profile is applied after the previous two steps succeed. Just because a connection makes it this far does not mean it will succeed: if the connection's authentication method, encryption level, or other attributes violate the profile, it is still rejected!


Activity 10-9: Testing Remote Policy Evaluation


  1. In this activity, students will be verifying the process by which remote access permission is granted.


Default Remote Access Policies


  1. Default remote access policies are provided to make managing remote access easier.

  2. The default policy named “Connections to Microsoft Routing and Remote Access Server” has a condition that the MS-RAS-Vendor attribute must contain the characters “311” (Microsoft's vendor code, so the policy matches connections handled by an RRAS server) and a profile that does not allow unencrypted communication.

  3. Another, named “Connections to other access servers”, has a condition that the Day-And-Time-Restrictions attribute match Sunday through Saturday, 24 hours per day (that is, any time), and likewise does not allow unencrypted communication.

  4. Both default policies set their own remote access permission to Deny, so access under them is controlled by the user object: a user whose dial-in permission is set to “Allow access” gains access, whereas “Control access through Remote Access Policy” defers to the policy and is therefore denied.
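As an added example for these notes (not code from the textbook or from Windows), the following Python program models the three-stage evaluation described in the preceding section and includes the two default policies just discussed as constructed sample data. The policy and attribute names (MS-RAS-Vendor, Day-And-Time-Restrictions, NAS-Port-Type, Ignore-User-Dialin-Properties) are the ones the text uses; the data structures, the third policy, the sample users and connections, and the authentication methods listed in the profiles are assumptions made for the demonstration. The cases it runs show the points students most often miss: a user set to Allow gets through a default policy whose own permission is Deny, a user set to Control access through Remote Access Policy does not, an unencrypted connection is still rejected at the profile stage, and a permissive policy placed after a matching default policy is never consulted.

```python
"""Remote access policy evaluation: conditions, permission, profile.

Added example for these notes (not textbook or Windows code).  Models how
RRAS walks a connection attempt through its ordered policy list.  Sample
policies, users and connections are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# User account dial-in settings (the user object's remote access permission).
ALLOW = "Allow access"
DENY = "Deny access"
CONTROL = "Control access through Remote Access Policy"


@dataclass
class Policy:
    name: str
    conditions: Dict[str, Callable[[object], bool]]  # attribute -> test; all must pass
    permission: str                                   # the policy's own "Grant" or "Deny"
    profile: Dict[str, set]                           # allowed values per connection attribute
    ignore_user_dialin: bool = False                  # Ignore-User-Dialin-Properties


def first_matching_policy(policies: List[Policy], conn: dict) -> Optional[Policy]:
    """Stage 1: first policy (in order) whose conditions all match the connection."""
    for policy in policies:
        if all(attr in conn and test(conn[attr]) for attr, test in policy.conditions.items()):
            return policy
    return None


def permission_granted(policy: Policy, user_dialin: str) -> bool:
    """Stage 2: the user object's dial-in setting decides unless the policy ignores it."""
    if policy.ignore_user_dialin:
        return policy.permission == "Grant"
    if user_dialin == DENY:
        return False
    if user_dialin == ALLOW:
        return True
    return policy.permission == "Grant"          # CONTROL: defer to the policy


def profile_satisfied(policy: Policy, conn: dict) -> bool:
    """Stage 3: every constrained attribute of the connection must hold an allowed value."""
    return all(conn.get(attr) in allowed for attr, allowed in policy.profile.items())


def evaluate(policies: List[Policy], conn: dict, user_dialin: str) -> Tuple[bool, str, Optional[str]]:
    """Returns (granted, stage reached, name of the matching policy)."""
    if not policies:
        return False, "no policies configured", None
    policy = first_matching_policy(policies, conn)
    if policy is None:
        return False, "no policy matched", None
    if not permission_granted(policy, user_dialin):
        return False, "permission", policy.name
    if not profile_satisfied(policy, conn):
        return False, "profile", policy.name
    return True, "granted", policy.name


# Profile shared by the two default policies: no unencrypted connections.
# The set of authentication methods is an assumption for this example.
ENCRYPTED_ONLY = {
    "Authentication-Type": {"MS-CHAP", "MS-CHAPv2", "EAP"},
    "Encryption": {"Basic", "Strong", "Strongest"},
}

DEFAULT_POLICIES = [
    Policy("Connections to Microsoft Routing and Remote Access Server",
           {"MS-RAS-Vendor": lambda v: "311" in str(v)}, "Deny", ENCRYPTED_ONLY),
    Policy("Connections to other access servers",
           {"Day-And-Time-Restrictions": lambda when: True}, "Deny", ENCRYPTED_ONLY),
]

# Constructed extra policy: grant VPN callers on the policy's own authority.
VPN_GRANT = Policy("VPN users (constructed)",
                   {"NAS-Port-Type": lambda v: v == "Virtual (VPN)"},
                   "Grant", ENCRYPTED_ONLY)

# Constructed connection attempts.
CONN_RRAS = {"MS-RAS-Vendor": "311", "Day-And-Time-Restrictions": ("Tue", 10),
             "NAS-Port-Type": "Virtual (VPN)", "Authentication-Type": "MS-CHAPv2",
             "Encryption": "Strong"}
CONN_UNENCRYPTED = dict(CONN_RRAS, Encryption="None")
CONN_OTHER_NAS = dict(CONN_RRAS, **{"MS-RAS-Vendor": "9"})   # a non-Microsoft access server

if __name__ == "__main__":
    for label, policies, conn, user in [
        ("Allow user, default policies", DEFAULT_POLICIES, CONN_RRAS, ALLOW),
        ("Control-by-policy user, default policies", DEFAULT_POLICIES, CONN_RRAS, CONTROL),
        ("Allow user, unencrypted", DEFAULT_POLICIES, CONN_UNENCRYPTED, ALLOW),
        ("Grant policy listed last", DEFAULT_POLICIES + [VPN_GRANT], CONN_RRAS, CONTROL),
        ("Grant policy listed first", [VPN_GRANT] + DEFAULT_POLICIES, CONN_RRAS, CONTROL),
        ("No policies at all", [], CONN_RRAS, ALLOW),
    ]:
        print(f"{label:42} -> {evaluate(policies, conn, user)}")
```

The two "Grant policy" cases are the ones to dwell on in class: the same user and the same connection are denied or granted depending only on where the constructed VPN policy sits in the list, because the first matching policy ends the search. That is the behaviour Activity 10-9 asks students to verify on a real server.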


Troubleshooting Remote Access


  1. Troubleshooting remote access can be difficult because providing the service involves many cooperating pieces (modem or network hardware, PPP negotiation, authentication, policies, and addressing). Students should be reminded that most of the problems encountered are software configuration problems rather than hardware faults.

  2. Log files, error messages, Network Monitor, and ipconfig are the administrator's best tools for troubleshooting remote access.


Software Configuration Errors


  1. This section lists some common software configuration problems. They include: incorrect phone numbers and IP addresses, incorrect authentication settings (the client and server must have at least one method in common), incorrectly configured remote access policies, incorrectly configured name resolution settings, clients receiving incorrect IP options, and remote access servers leasing multiple IP addresses at startup. The last is actually not an error: a remote access server that uses DHCP obtains a block of ten addresses on behalf of its future clients when the service starts. Refer to the text for more detailed information concerning each problem type.


Hardware Errors


  1. This section lists the following hardware considerations: new remote access hardware should be on the Hardware Compatibility List, the ping utility should be used to see whether an IP address is reachable, you should try dialing different remote servers to determine whether the fault is at your end, and of course you should make sure that the network cable is plugged in.


Logging


  1. Everyone should be familiar with logging by now. Just ensure students know that RRAS activity can be logged in several places, including the event logs (notably the System log), the PPP log (ppp.log in the tracing folder), and the per-modem “Modemlog_modemname” text log.


Activity 10-10: Modem Logging


  1. In this activity, students will be enabling modem logging.


Troubleshooting Tools


  1. This section introduces a number of tools that can be used to troubleshoot RRAS. These include: ping, ipconfig, and Network Monitor. Students should be familiar with each of these tools by now.


Additional Activities


  1. As a network administrator, you are tasked with choosing an authentication method for RRAS. Your requirements are that Active Directory passwords remain stored with non-reversible encryption, that MPPE can be used, and that passwords can be changed during authentication if needed. LAN Manager support for older Windows clients is also required.


  2. You have just configured remote access so that clients obtain IP addresses from a DHCP server, but it is not working. You are sure that the DHCP server, the RRAS service, and the remote access client are all fully operational. What important “middle man” was left out and is probably preventing clients from getting their addresses?


Solutions to Additional Activities


  1. It should be relatively clear that either MS-CHAP or MS-CHAPv2 is a good choice, as both fulfil most of the requirements: both work from the non-reversible NT hash, both supply MPPE keys, and both support changing the password during authentication. However, MS-CHAPv2 does not support LAN Manager authentication for the older Windows clients because of its weak encryption algorithms, so MS-CHAP is the choice that meets every stated requirement. It is enabled by default, so little configuration change is needed. Point out to students that the LAN Manager response is the weakest part of MS-CHAP: enable it only while the older clients are in use, and prefer MS-CHAPv2 for clients that support it.


  2. The “middle man” is the DHCP Relay Agent, which forwards the clients' DHCP messages to the DHCP server. It is added on the remote access server itself, under IP Routing in the Routing and Remote Access snap-in, and configured with the DHCP server's address. Alternatively, the DHCP server role can be installed on the remote access server itself, which removes the need for relaying.