Implementing Remote Access and Virtual Private Networks - dummies

Implementing Remote Access and Virtual Private Networks

With the widespread use of laptop computers and telecommuting, the need for remote access and virtual private networks (VPNs) has exploded in the past several years. Remote Access Service (RAS) in Windows NT gained the reputation of being difficult to configure and troubleshoot. Windows 2000 simplifies the management of remote access, but you still have many different options.

You can expect several questions about remote access and VPNs on the exam. From a member server perspective, many member servers in Windows 2000 networks function as remote access servers to manage dial-in clients, so you need to study this subject well.

Understanding remote access

Routing and Remote Access Service (RRAS) enables remote network clients to establish a remote connection with a RRAS server. After the connection is established, the remote client functions just like a locally connected network client. The user can browse the network, use permitted resources, connect to other servers — anything a locally connected client can do — provided that the RRAS client has appropriate permissions. In recent years, RRAS has grown in importance as increasing numbers of users work from laptops in different locations.

Windows NT offers remote access, and an NT add-on component enables the routing features. Windows 2000 combines these technologies as Routing and Remote Access.

The exam objectives do not focus on the configuration of routing interfaces on a Windows 2000 server. Instead, they focus on the remote access configuration. Consequently, this information focuses primarily on the remote access portion of Routing and Remote Access, even though the term RRAS refers to both routing and remote access.

Enabling remote access

The Setup program installs RRAS by default on Windows 2000 servers when you perform an initial installation. However, Setup does not enable RRAS. In order to set up and implement RRAS, you have to enable it by using the Routing and Remote Access Server Setup wizard.

You need to know this wizard’s options for the exam. To practice setting up RRAS using the Routing and Remote Access Server Setup wizard, follow these steps:

  1. Click Start → Programs → Administrative Tools → Routing and Remote Access.

  2. In the console, select your server and then choose Action → Configure and Enable Routing and Remote Access.

  3. Click Next on the wizard’s welcome screen.

  4. In the wizard’s Common Configurations dialog box, select the type of remote access server you want to install and then click Next.

  5. Verify the required protocols in the list provided.

    Typically, you need TCP/IP, but you may need others depending on your network clients. Click Next.

  6. In the IP Address Assignment dialog box, specify how you want IP addresses assigned to remote clients — either automatically or from a specified range — and then click Next.

    If you choose to have IP addresses assigned automatically, remote clients get an IP address through DHCP. If you want to have the addresses assigned from a specified range, enter an IP address range to assign to remote clients.

  7. Indicate whether you want to enable RADIUS and then click Next.

    Remote Authentication Dial-In User Service (RADIUS) provides a central authentication database for multiple remote access servers and collects accounting information about remote connections. You can set up this remote access server to use an existing RADIUS server if you so choose.

  8. Click Finish.

    Windows 2000 starts the Routing and Remote Access Service.

Configuring server properties

After you enable RRAS, you can further configure the server by accessing its Properties dialog box. In the Routing and Remote Access console, select your server and then choose Action → Properties.

You need to know the configuration options on the Properties tabs covered in the following sections. Depending on your network configuration, you may have other tabs, such as AppleTalk for Macintosh clients, but the following sections explore only those tabs that you need to know for the exam.

Configuring the General tab

The General tab in the server’s Properties dialog box gives you two options. First, you can choose to enable your server as a router. If you select this option, you can choose to allow only local LAN routing, or you can choose to allow LAN and demand-dial routing. Next, you can choose to enable your server as a remote access server. These options simply enable you to use your server as both a routing server and a remote access server, or either one, as desired.

Configuring the Security tab

On the Security tab in the server’s Properties dialog box, you can select the security and accounting provider. You can select either Windows authentication and accounting or RADIUS authentication and accounting. If you choose to implement RADIUS, click Configure to connect to a RADIUS server.

For Windows authentication, click Authentication Methods and then select the type of Windows authentication you want to use for remote access. You have the following options, and you need to know them for the exam:

  • Extensible authentication protocol (EAP): Allows the use of third-party authentication software and is also used for smart-card logon.

  • MS-CHAP V2: Generates encryption keys during RRAS authentication negotiation.

  • MS-CHAP: An earlier version of CHAP that provides secure logon.

  • Shiva Password Authentication Protocol (SPAP): Used by Shiva clients connecting to a Windows 2000 RRAS Server. SPAP is more secure than clear text, but less secure than CHAP.

  • Unencrypted password (PAP): No encryption required.

  • Unauthenticated access: No authentication used.

Configuring the IP tab

On the IP tab in the server’s Properties dialog box, you can enable IP routing and allow IP-based remote access and demand-dial connections. You can choose to implement DHCP IP leases for remote clients or you can enter a static IP address pool. These are the same options you configure with the RRAS Setup wizard, but you can use this tab to make changes as necessary.

Configuring the PPP tab

The PPP tab in the server’s Properties dialog box gives you three main check boxes for Point to Point Protocol features you can enable.

Configuring the Event Logging tab

The Event Logging tab in the server’s Properties dialog box provides an effective way to monitor your remote access server through the use of log files.

The Event Logging tab has several radio buttons so you can choose to log the kind of information desired, such as errors, warnings, and PPP logging. If you are experiencing problems with your remote access server, these different logging options can help you pinpoint the problem.