- Explain how remote access and virtual private network (VPN) services work
- Explain how to implement remote access communications devices and protocols
- Configure remote access services, security, dial-up connectivity, and
client access
- Configure VPN services, security, dial-up connectivity, and client access
- Troubleshoot remote access, VPN services, and client connectivity
- An early method for accessing a network, which is still used, is to
connect to a workstation through remote access software such as Carbon
Copy

- A modern way to access a network remotely is by using Microsoft Remote
Access Services (RAS) in Windows 2000 Server
- Virtual private network (VPN): A private network that works like a tunnel
through a larger network, such as the Internet, an enterprise network, or
both, and that is restricted to designated member clients. The restriction
is enforced by the tunneling protocol's authentication and encryption (MPPE
over PPTP, or IPSec under L2TP), not by the network the tunnel crosses

- Use a VPN to save money on modems and telephone lines for remote access
to a network
- Operating systems that can run as RAS clients include:
- MS-DOS
- Windows 3.1 and 3.11
- Windows NT (all versions)
- Windows 95
- Windows 98
- Windows 2000 Server and Professional
- RAS can be reached over devices and lines that include:
- Asynchronous modems
- Synchronous modems through an access server
- Null modem connections
- Regular dial-up telephone lines
- Leased telecommunications lines, such as T-carrier
- ISDN lines (and digital modems)
- X.25 lines
- DSL lines
- Frame relay lines
- T-carrier: A dedicated leased telephone line that can be used for data
communications over multiple channels at speeds of up to 44.736 Mbps and
beyond
- Two common varieties of T-carrier are:
- T-1 at 1.544 Mbps
- T-3 at 44.736 Mbps

- Frame relay: A WAN communications technology that relies on packet
switching and virtual connection techniques to transmit at speeds from
56 Kbps to 45 Mbps

- Integrated Services Digital Network (ISDN): A telecommunications standard
for delivering data services over digital telephone lines, with a current
practical limit of 1.536 Mbps and a theoretical limit of 622 Mbps

- X.25: An older packet-switching protocol for connecting remote networks at
speeds up to 2.048 Mbps

- Digital subscriber line (DSL): A technology that uses advanced modulation
techniques on regular telephone lines for high-speed networking at speeds
of up to 60 Mbps between subscribers and a telecommunications company
- RAS supports telephony interfaces that include:
- Universal Modem Driver (Unimodem): A modem driver standard used on
recently developed modems
- Telephony Application Programming Interface (TAPI): An interface for
communication line devices (such as modems) that provides line device
functions, such as call holding, call receiving, call hang-up, and call
forwarding

- RAS supports protocols such as:
- TCP/IP
- NWLink (IPX/SPX)
- NetBEUI
- PPP, the link protocol that carries the three network protocols above
- PPTP
- L2TP, which, like PPTP, tunnels PPP over an IP network
- One of the most common ways to connect through RAS is by using modems
either at the RAS server end, the client end, or both
- Cable TV modems are another possibility, but verify that the end-to-end
connections can be made secure: the cable segment is shared with other
subscribers, so rely on the tunnel (PPTP with MPPE, or L2TP/IPSec) rather
than on the link itself for confidentiality

- Digital "modems" can be used to connect a RAS server to ISDN, but these
are really terminal adapters (TAs) and not modems, because ISDN is digital
and does not use modulation/demodulation
- A design advantage of ISDN is that you can aggregate multiple lines to
appear as one faster connection

- An effective way to connect different telecommunications and WAN media to
RAS is through an access server
- For example, an access server can provide the following types of
connectivity:
- Modems
- ISDN
- X.25
- T-carrier
- Serial Line Internet Protocol (SLIP): An older remote communications
protocol used by UNIX computers. It carries IP only and has no negotiation,
authentication, or error detection of its own; the compressed SLIP (CSLIP)
variant uses header compression to reduce communications overhead.
- Point-to-Point Protocol (PPP): A widely used remote communication
protocol that supports IPX/SPX, NetBEUI, and TCP/IP for point-to-point
communication. PPP adds a link-layer frame with a frame check sequence, a
Link Control Protocol (LCP) that negotiates options such as which
authentication protocol to use, and a Network Control Protocol (NCP) for
each network protocol it carries.
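As an added example (not from the original slides), the following Python code parses the asynchronous HDLC framing that PPP uses on serial links, verifies the RFC 1662 frame check sequence, and decodes a PAP Authenticate-Request from the frame body. The frame, user name and password are constructed for the demonstration. It makes concrete what the later authentication slides mean by "plain-text password": the PAP credentials sit readable in the Information field, and the FCS detects corruption but offers no protection against an eavesdropper.

```python
import struct
from dataclasses import dataclass

# Added example (not from the original slides). The frames, user name and
# password below are constructed for the demonstration, not captured traffic.

FLAG, ESC, ADDR, CTRL = 0x7E, 0x7D, 0xFF, 0x03
PROTOCOLS = {0x0021: "IP", 0x8021: "IPCP", 0xC021: "LCP", 0xC023: "PAP", 0xC223: "CHAP"}


def fcs16(data: bytes) -> int:
    """PPP frame check sequence (RFC 1662): CRC-16, reflected polynomial 0x8408,
    initial value 0xFFFF. Run over a frame that includes its own FCS field it
    yields the constant 0xF0B8 when the frame is intact."""
    fcs = 0xFFFF
    for byte in data:
        fcs ^= byte
        for _ in range(8):
            fcs = (fcs >> 1) ^ 0x8408 if fcs & 1 else fcs >> 1
    return fcs


def build_frame(protocol: int, info: bytes) -> bytes:
    """Address, Control, Protocol, Information, FCS, then async byte stuffing
    (default ACCM: escape 0x7E, 0x7D and every octet below 0x20) between flags."""
    body = bytes([ADDR, CTRL]) + struct.pack(">H", protocol) + info
    body += struct.pack("<H", fcs16(body) ^ 0xFFFF)     # FCS goes out low octet first
    stuffed = bytearray([FLAG])
    for b in body:
        if b in (FLAG, ESC) or b < 0x20:
            stuffed += bytes([ESC, b ^ 0x20])
        else:
            stuffed.append(b)
    stuffed.append(FLAG)
    return bytes(stuffed)


@dataclass
class PPPFrame:
    protocol: int
    info: bytes

    @property
    def name(self) -> str:
        return PROTOCOLS.get(self.protocol, hex(self.protocol))


def parse_frame(wire: bytes) -> PPPFrame:
    """Unstuff, check the FCS and the fixed Address/Control octets, split out the protocol."""
    if len(wire) < 8 or wire[0] != FLAG or wire[-1] != FLAG:
        raise ValueError("missing HDLC flag")
    raw = bytearray()
    i = 1
    while i < len(wire) - 1:
        b = wire[i]
        if b == ESC:
            i += 1
            b = wire[i] ^ 0x20
        raw.append(b)
        i += 1
    if fcs16(raw) != 0xF0B8:
        raise ValueError("bad FCS: frame corrupted or tampered")
    if raw[0] != ADDR or raw[1] != CTRL:
        raise ValueError("bad address/control field")
    (protocol,) = struct.unpack(">H", raw[2:4])
    return PPPFrame(protocol, bytes(raw[4:-2]))


def frame_is_valid(wire: bytes) -> bool:
    try:
        parse_frame(wire)
        return True
    except ValueError:
        return False


def pap_request(ident: int, peer_id: str, password: str) -> bytes:
    """PAP Authenticate-Request (RFC 1334): Code=1, Identifier, Length, then
    length-prefixed Peer-ID and Password, both in the clear."""
    body = bytes([len(peer_id)]) + peer_id.encode() + bytes([len(password)]) + password.encode()
    return struct.pack(">BBH", 1, ident, 4 + len(body)) + body


def decode_pap_request(info: bytes) -> tuple:
    code, ident, length = struct.unpack(">BBH", info[:4])
    if code != 1 or length != len(info):
        raise ValueError("not a well-formed Authenticate-Request")
    n = info[4]
    peer_id = info[5:5 + n].decode()
    m = info[5 + n]
    password = info[6 + n:6 + n + m].decode()
    return ident, peer_id, password


# Constructed wire frame, and a copy with one octet of the user name changed
WIRE = build_frame(0xC023, pap_request(7, "alice", "s3cret"))
TAMPERED = WIRE.replace(b"alice", b"alicf")

if __name__ == "__main__":
    frame = parse_frame(WIRE)
    print(frame.name, decode_pap_request(frame.info))   # PAP (7, 'alice', 's3cret')
    print(frame_is_valid(TAMPERED))                     # False
```

The Protocol field is what lets a capture tool tell LCP negotiation, PAP or CHAP authentication, and IP traffic apart; running the parser over TAMPERED shows the FCS catching a modified octet, which is integrity against line noise, not against a deliberate attacker who can simply recompute the FCS.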
- Point-to-Point Tunneling Protocol (PPTP): A remote communication protocol
that enables connectivity to a network through the Internet and through
intranets and VPNs. PPTP carries PPP frames inside GRE over IP and uses a
TCP control connection on port 1723; its confidentiality comes from MPPE,
whose keys are derived from the MS-CHAP authentication exchange

- Layer Two Tunneling Protocol (L2TP): A protocol that transports PPP over
a VPN, intranet, or the Internet. L2TP works similarly to PPTP but combines
it with Cisco's Layer Two Forwarding (L2F) protocol and runs over UDP port
1701. L2TP itself provides no encryption; Windows 2000 pairs it with IPSec
(L2TP/IPSec) so that the tunnel is authenticated and encrypted
- Configure a Windows 2000 server with RAS, including the appropriate
protocols
- Configure a DHCP Relay Agent (if IP addresses are assigned via DHCP)
- Configure RAS security
- Configure a dial-up and remote connection
- Configure RAS on client workstations

- Use the Routing and Remote Access tool to install RAS

- If you configure RAS for AppleTalk, then users access RAS through the
Guest account, which cannot have a password. Treat this as a security
trade-off: anything the Guest account can reach becomes reachable from the
dial-in side without authentication
- You can configure RAS properties after RAS is installed by right-clicking
the RAS server in the tree of the Routing and Remote Access tool and then
clicking Properties

- If you configure RAS to use DHCP to assign IP addresses, then you must
configure a DHCP Relay Agent so that clients' DHCP requests are forwarded
to the DHCP server:
- Double-click the RAS server in the tree of the Routing and Remote Access
tool
- Click IP Routing in the tree
- Right-click DHCP Relay Agent and click Properties
- Enter the IP address of the DHCP server, click Add, and then click OK

- If you plan to use an aggregated connection, such as for ISDN or multiple
modems, configure Multilink and Bandwidth Allocation Protocol in the RAS
Properties PPP tab
- Multilink: A capability of RAS (PPP Multilink, RFC 1990) to aggregate
multiple data streams into one logical network connection, so that more
than one modem, ISDN channel, or other communication line can serve a
single logical connection
- Bandwidth Allocation Protocol (BAP): A protocol that works with Multilink
in Windows 2000 Server to add and drop links on demand, so that the
bandwidth or speed of a remote connection is allocated on the basis of the
needs of an application, with the maximum allocation equal to the combined
speed of all channels aggregated via Multilink

- Bandwidth Allocation Control Protocol (BACP): The PPP control protocol
(RFC 2125, which also defines BAP) negotiated during link setup to enable
BAP; its Favored-Peer option decides which peer's request prevails when
both ends send conflicting BAP requests at the same time
- Set up security on the client's account properties via the Dial-in tab,
including whether to use a remote access policy for security and whether
to require callback. With callback the server hangs up and dials the user
back, either at a number the caller supplies or, more securely, at a fixed
number set by the administrator, which ties the account to a known
telephone line
- Configure remote access policies and a profile to secure the RAS server
and to manage access, including:
- Dial-in constraints
- IP address assignment rules
- Authentication
- Encryption
- Allowing Multilink connections

- There are several authentication options that can be set in a remote
access policy profile:
- Extensible Authentication Protocol (EAP): An authentication framework,
carried inside PPP, that lets the actual method be negotiated; it is used
by network clients that authenticate with smart cards, token cards, and
other devices that use certificate authentication (for example EAP-TLS)
- Challenge Handshake Authentication Protocol (CHAP): A challenge/response
protocol for PPP (RFC 1994). The server sends a random challenge and the
client answers with an MD5 hash of the identifier, its secret, and the
challenge, so the password itself is never sent. It is a reasonably secure,
standard, cross-platform method, with two caveats: the server must store
the secret in a reversible form to compute the expected answer, and anyone
who captures a challenge/response pair can test password guesses offline.
- CHAP with Microsoft extensions (MS-CHAP): A Microsoft variant of CHAP
(RFC 2433) that computes the response from the Windows password hashes with
DES rather than from a cleartext secret, and that can negotiate the use of
MPPE encryption, whose RC4 keys are derived from the same credentials.
MS-CHAP itself encrypts nothing, and its version 1 response format has
documented weaknesses, so prefer MS-CHAP v2 where clients allow it

- CHAP with Microsoft extensions version 2 (MS-CHAP v2): An enhancement of
MS-CHAP (RFC 2759) that adds mutual authentication (the server also proves
it knows the password), drops the weak LAN Manager response, and derives
separate send and receive MPPE keys, which makes it the better choice for
VPNs
- Password Authentication Protocol (PAP): A non-encrypted plain-text
password authentication protocol. It represents the lowest level of
security for exchanging passwords via PPP, because the user name and
password cross the link in the clear

- Shiva Password Authentication Protocol (SPAP): A version of PAP that uses
a reversible encryption scheme to authenticate remote access devices and
network equipment manufactured by Shiva (now part of Intel Network Systems,
Inc.); because the scheme is reversible, treat it as only marginally
stronger than PAP
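As an added example (not from the original slides), here is the CHAP exchange of RFC 1994 in Python: the client's response computation, a server that issues single-use random challenges and verifies the answer, and a passive attacker who tests password guesses against a captured challenge/response pair. The user name, secret and word list are constructed for the demonstration. It shows both properties the slide points at: a replayed response is rejected, yet a weak password still falls to offline guessing.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Added example (not from the original slides). The user name, secret and the
# attacker's word list are constructed for the demonstration.


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """Client (peer) side of RFC 1994: MD5(Identifier || secret || Challenge).
    The secret itself never crosses the link; only this 16-octet digest does."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side. It must hold each user's secret in cleartext (or reversibly
    encrypted) because it has to recompute the same MD5 the client computed."""

    def __init__(self, secrets: Dict[str, bytes]):
        self.secrets = secrets
        self.ident = 0
        self.outstanding: Dict[int, bytes] = {}

    def challenge(self) -> Tuple[int, bytes]:
        """Issue a fresh random challenge; the Identifier ties the response to it."""
        self.ident = (self.ident + 1) & 0xFF
        chal = os.urandom(16)
        self.outstanding[self.ident] = chal
        return self.ident, chal

    def verify(self, ident: int, name: str, response: bytes) -> bool:
        chal = self.outstanding.pop(ident, None)     # single use: a replayed response fails
        secret = self.secrets.get(name)
        if chal is None or secret is None:
            return False
        return hmac.compare_digest(chap_response(ident, secret, chal), response)


def offline_guess(ident: int, challenge: bytes, response: bytes, wordlist) -> Optional[str]:
    """A passive eavesdropper who captured (ident, challenge, response) can test
    candidate passwords at full speed without ever contacting the server."""
    for word in wordlist:
        if chap_response(ident, word.encode(), challenge) == response:
            return word
    return None


def demo() -> Tuple[bool, bool, Optional[str]]:
    server = ChapAuthenticator({"alice": b"winter2000"})
    ident, chal = server.challenge()                  # Challenge packet -> client
    resp = chap_response(ident, b"winter2000", chal)  # Response packet -> server
    accepted = server.verify(ident, "alice", resp)    # Success
    replayed = server.verify(ident, "alice", resp)    # same response again: Failure
    guessed = offline_guess(ident, chal, resp, ["password", "summer99", "winter2000"])
    return accepted, replayed, guessed


if __name__ == "__main__":
    print(demo())   # (True, False, 'winter2000')
```

MS-CHAP and MS-CHAP v2 replace the MD5 step with DES operations on the Windows password hash, but the shape is the same: a captured exchange can be attacked offline, so the strength of any of these methods rests on password quality or, better, on moving to certificate-based EAP.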
- The RAS encryption options incorporate IPSec and Microsoft Point-to-Point
Encryption (MPPE)
- MPPE: A point-to-point encryption technique (RFC 3078) that applies the
RC4 stream cipher to PPP payloads with keys of 40, 56, or 128 bits, derived
from the MS-CHAP or MS-CHAP v2 authentication exchange

- No Encryption: Clients do not employ data encryption
- Basic: Intended for clients using 40-bit MPPE keys or IPSec
- Strong: Intended for clients using 56-bit MPPE keys or IPSec

- Originally the beta version of Windows 2000 Server included a Strongest
setting for 128-bit MPPE or IPSec encryption, but this option is omitted in
the first release of Windows 2000 Server. Expect strongest encryption to be
included later in an update. Until then, note that 40-bit and 56-bit keys
are small enough to be searched exhaustively, so treat Basic and Strong as
protection against casual eavesdropping rather than against a determined
attacker
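As an added example (not from the original slides), the following Python code implements RC4 as MPPE applies it and the RFC 3078 key reduction that turns a session key into the 40-bit (Basic) and 56-bit (Strong) keys. The session key is a constructed placeholder; a real one is derived from the MS-CHAP exchange as described in RFC 3079, and MPPE additionally changes keys during the session (every packet in stateless mode, every 256 packets in stateful mode), which this example does not reproduce. The last function shows why that re-keying matters: two packets encrypted under one RC4 key reveal the XOR of their plaintexts to anyone on the wire.

```python
# Added example (not from the original slides). The session key below is a
# constructed placeholder; a real MPPE session key is derived from the
# MS-CHAP/MS-CHAP v2 exchange (RFC 3079).

SESSION_KEY = bytes.fromhex("3a1f7c0e9b42d5a6c8e1f00d2b4c6e81")   # constructed, 128 bits


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 stream cipher: key schedule, then XOR the data with the keystream.
    Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def mppe_key(session_key: bytes, bits: int) -> bytes:
    """Reduce a session key to the negotiated MPPE strength (RFC 3078, section 3).
    40- and 56-bit keys are still 8 octets long, but their leading octets are
    fixed constants, so only 5 or 7 octets are actually secret."""
    if bits == 40:
        return bytes([0xD1, 0x26, 0x9E]) + session_key[3:8]
    if bits == 56:
        return bytes([0xD1]) + session_key[1:8]
    if bits == 128:
        return session_key[:16]
    raise ValueError("MPPE supports 40-, 56- or 128-bit keys")


def secret_bits(bits: int) -> int:
    """Size of the key space an attacker must search at each policy level:
    the key length minus the octets RFC 3078 fixes to known constants."""
    fixed_octets = {40: 3, 56: 1, 128: 0}[bits]
    return 8 * (len(mppe_key(SESSION_KEY, bits)) - fixed_octets)


def keystream_reuse_leak(key: bytes, packet1: bytes, packet2: bytes) -> bytes:
    """Two PPP payloads encrypted under the same RC4 key XOR to the XOR of the
    plaintexts; an eavesdropper computes this without the key. This is why
    MPPE re-keys (every packet in stateless mode, every 256 in stateful)."""
    c1, c2 = rc4(key, packet1), rc4(key, packet2)
    return bytes(a ^ b for a, b in zip(c1, c2))


if __name__ == "__main__":
    key40 = mppe_key(SESSION_KEY, 40)
    payload = b"GET /payroll HTTP/1.0\r\n"       # constructed PPP (IP) payload
    ciphertext = rc4(key40, payload)
    print(key40.hex(), secret_bits(40), rc4(key40, ciphertext) == payload)
    print(keystream_reuse_leak(key40, b"attack", b"defend").hex())
```

The 0xD1 0x26 0x9E prefix is literally on the page of RFC 3078: a Basic policy means an attacker has 2^40 candidate keys, which was within reach of modest hardware even when Windows 2000 shipped, so the 128-bit setting, when available, is the only MPPE level that resists brute force.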
- Use the Network and Dial-up Connections tool to configure a new dial-up
connection for a RAS server
- Set up the network connectivity, such as through a WAN adapter, access
server, or router
- Install the Routing and Remote Access Service, configuring it as a VPN
server
- Establish the remote access policies and profile, including setting up
EAP authentication
- Configure the number of PPTP and L2TP ports

- If you select to use a static pool of IP addresses when you install the
VPN server, the upper limit of addresses that can be assigned is 253
- Configure VPN remote access policies and a profile using the same steps
as for configuring a RAS server

- Configure the number of ports to equal those available through the WAN
connection

- To configure the number of ports:
- Right-click Ports in the tree under the server in the Routing and Remote
Access tool
- Click Properties
- Double-click WAN Miniport (PPTP) and set the number of ports
- Double-click WAN Miniport (L2TP) and set the number of ports
- Use the Add/Remove Hardware tool or the Device Manager to test modems
and WAN adapters
- Use the Network and Dial-up Connections tool to check dial-up and WAN
connections
- Make sure access servers are working
- Make sure modem lines are properly connected and working

- Make sure that the Remote Access Auto Connection Manager and Remote
Access Connection Manager services are started
- Make sure the RAS or VPN server is enabled
- Use the Ports option to check the status of ports
- Make sure all IP parameters are properly configured

- Check the dial-up networking and RAS setup on the client
- Make sure that clients are using the right protocols
- Check the dial-in security on the client's user account
- Check the client's modem to make sure it is working and set for
compatible communications with the server
- RAS and VPN servers enable clients, such as those who telecommute, to
remotely access Windows 2000 Server
- Remote access can be configured through many types of WAN connectivity,
such as dial-up telephone lines, high-speed lines, Internet connections,
and routers

- RAS and VPN servers are compatible with remote access protocols such as
PPP, PPTP, and L2TP
- Manage RAS and VPN servers using remote access policies and profiles