Review and Evaluation Guide





Network Operating System

Update to Routing and Remote Access Service for Windows NT Server 4.0

Review and Evaluation Guide

This guide highlights the important features that are included in Microsoft's Routing and Remote Access Service Update for Windows NT Server 4.0, previously referred to as "Steelhead", and how these features benefit customers. This new service, which is now available to Windows NT Server 4.0 customers at no charge as a released-to-web product, enables routing over IP and IPX networks and is particularly useful to branch office networks. This new unified Routing and Remote Access Service running on Windows NT Server provides network managers with routing and internetworking that is easy to use, flexible, and affordable. Significantly, this service update also provides an extensible, open platform for value-added development for a variety of internetworking solutions.

This document includes some installation and usage tips, but does not provide detailed instructions for installation and use of this service update. For that information, please refer to the Administrator's Guide: Microsoft Routing and Remote Access Service for Windows NT Server 4.0. That document should accompany your software and is also downloadable off the Microsoft web site.

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the publication date. This document is for informational purposes only.

MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.

Microsoft, Windows, Windows NT and BackOffice are either trademarks or registered trademarks of Microsoft Corporation in the United States and/or other countries.

Other product and company names herein may be the trademarks of their respective owners.

March 1997

Copyright 1997 Microsoft Corporation




CONTENTS

Microsoft Routing and Remote Access Service Update Overview ... 1
Communications Support Already Included with Windows NT Server 4.0 ... 3
    Telephony ... 3
    Remote Access Service (RAS) ... 3
    Multi-Protocol Routing ... 4
What Does This Routing and Remote Access Service Update Offer? ... 5
    Integrated ... 5
    Comprehensive ... 5
    Easy-to-use and Affordable ... 5
    Open and Extensible ... 5
Routing and Remote Access Service Features at-a-Glance ... 6
New Extensive Routing Protocol Support Built-in ... 9
    Routing Information Protocol (RIP) for IP ... 9
    Open Shortest Path First (OSPF) Protocol for IP ... 10
    RIP and Service Advertising Protocol (SAP) for IPX ... 12
    DHCP Relay Agent ... 13
Flexible, Intuitive Administrative and Management Support Tools ... 15
    Easier Administration with an Intuitive Graphical User Interface ... 15
    Common Administrative Tasks Enabled ... 16
    New Wizard for Demand Dial Routing Set-Up ... 17
    Scriptable Command Line User Interface ... 17
    Remote Manageability ... 18
    Microsoft BackOffice Integration ... 18
Extensibility Enabled by API Structure ... 19
    APIs for Routing Protocols ... 19
    APIs for Manageability ... 19
Point to Point Tunneling ... 21
    Point-to-Point Tunneling Overview ... 21
    Point-to-Point Tunneling in Out-Sourced Dial-Up Networks ... 22
    Secure Access to Corporate Networks over the Internet (Virtual Private Networks) ... 23
    New with this service: Point-to-Point Tunneling Server-to-Server ... 24
    Security Considerations ... 25
Other Cost-Saving Features ... 26
    Available as FREE Upgrade for Windows NT Server 4.0 ... 26
    Demand Dial Routing ... 26
    Using the Service's Demand Dial Routing ... 26
    RAS Idle Disconnect ... 27
    Microsoft Point-to-Point Compression ... 27
Packet Filtering and Other Network Security Highlights ... 29
    IP Packet Filtering ... 30
    IPX Packet Filtering ... 30
    Complementary Use with Microsoft Proxy Server ... 30
    Authentication & Encryption ... 30
    RADIUS Client Support ... 31
    Multi-Link PPP ... 31
Unifies New Routing Features with Existing Windows NT Server Remote Access Service ... 34
    RAS: Built-in to Windows NT Server 4.0 ... 34
    RAS Carrier Service Support ... 34
    RAS Client Support ... 34
    RAS Security ... 34
Detailed Feature Matrix ... 35
System Requirements ... 36
Other Sources of Information About Routing and Internetworking ... 37
Tips for Installing The Routing and Remote Access Service Update ... 38
    Routing and Remote Access Service Documentation ... 38
    Setup Issues ... 38
    Miscellaneous Issues ... 39
    Enabling 128-bit Encryption for Routing and Remote Access ... 39
    Using DHCP Instead of Static Pool Addresses on a RAS Server ... 40
    Packet Filtering and Windows NT 4.0 TCP/IP Security ... 41
    Packet Filtering and Microsoft Proxy Server ... 41
    Demand-Dial Interfaces ... 42
    IPX Issues ... 43
    Auto-static Route Updates Failing for IPX Interfaces ... 43
    OSPF Issues ... 44
For More Information ... 47


Microsoft Routing and Remote Access Service for Windows NT Server 4.0 Reviewer Guide (page 1)

MICROSOFT ROUTING AND REMOTE ACCESS SERVICE UPDATE OVERVIEW

Internet and Intranet growth is based on a foundation of interconnected computing resources. Internetworking infrastructure, enabled by routers, LAN switching, remote access and other means, has become a strategic asset of organizations of all sizes.

Windows NT Server is a high performance, multi-purpose network operating system which provides a great platform for a variety of communications needs: telephony, remote access, and internetworking. The new addition to this foundational story is the Routing and Remote Access Service Update, previously referred to as "Steelhead." This service update was created to provide IT managers with a new form of openness and extensibility that is required to take full advantage of the rapid evolution of internetworking technology.

Routing and Remote Access Service Update is a set of new routing and internetworking capabilities for use with Windows NT Server 4.0. It provides an open, extensible platform for routing and internetworking that is easy to use, flexible, and affordable.

Routing and Remote Access Service offers:

- A full complement of protocols for IP and IPX routing (including OSPF and RIP v2 for IP);
- An intuitive graphical user interface and command line interface with scripting capabilities; both of these can be used via a remote PC for centralized management;
- An extensible platform with APIs for additional third-party routing protocols, user interface (UI), and management;
- Demand-dial routing support;
- Secure virtual private networking with Point-to-Point Tunneling Protocol support server-to-server; and
- Great performance that is now effectively included with the operating system at no additional charge (i.e., available via a FREE Web download).

All of this combines to make Windows NT Server 4.0 with the Routing and Remote Access Service Update an easy, flexible way for businesses to deploy economical routing and virtual private network (VPN) solutions.

The service provides efficient bandwidth utilization due to compression. It also provides packet filtering for packet layer network security when used alone and it complements security provided by Microsoft Proxy Server. It can be deployed with an organization's existing networking infrastructure. In addition, the service integrates the remote access service capabilities already available in Windows NT Server 4.0 into a new, more unified RAS/routing service on the PC running Windows NT Server.




In addition to working with off-the-shelf LAN and WAN cards, Microsoft offers a Software Developers Kit (SDK) for Routing and Remote Access Service that includes APIs to enable third parties to add value with additional routing protocols and management capabilities. And because the service runs on Windows NT Server 4.0 at no additional charge, third-party solution providers can take advantage of strong integration with the operating system and other applications. The result is a solution that is manageable, scalable, reliable, and offers good price performance.

This service, because it is an open and extensible platform, also provides opportunities for independent hardware vendors (IHVs), value-added resellers (VARs) and other solution providers. Microsoft provides the application programming interfaces (APIs) for third-party developers to create custom routing solutions.

All of this is good news for IT managers who will benefit from the increased choice and affordability they will have in building and managing their internetworking infrastructures.








COMMUNICATIONS SUPPORT ALREADY INCLUDED WITH WINDOWS NT SERVER 4.0

Windows NT Server was created as a great networking and communications platform, and it continues to evolve with the same goal in mind. Windows NT Server is reliable, scalable, robust and secure. It has robust communications built-in, including telephony, remote access service (RAS), and multi-protocol routing. This great networking support covers an unbeaten array of network protocols, network types, and carrier services.

Telephony

Windows is now the only operating system family with built-in, programmable telephony support. The Windows Telephony Applications Programming Interface (TAPI) is now available in Windows NT Server 4.0, Windows NT Workstation 4.0, Windows 95, and even in Windows CE. TAPI enables a telephony software application provided by one vendor to work with phone system hardware provided by another vendor. As a result, customers can enjoy a broader choice of less expensive and more powerful telephony solutions to enable business process automation within specialized areas such as call centers and help desks and throughout an organization. Consumers are also benefiting from these computer telephony advances.

Remote Access Service (RAS)

Windows NT Server 4.0 provides a great platform for transparent remote access service with built-in RAS. RAS on Windows NT Server is robust, secure, scalable, flexible, and programmable to enable information at your fingertips even for mobile workers and telecommuters.

Here is a summary of key RAS features built-in to Windows NT Server 4.0:

- Unbeaten scalability with support for 256 simultaneous connections per server.
- Authentication: Password Authentication Protocol (PAP), Shiva-PAP, Challenge Handshake Authentication Protocol (CHAP), MS-CHAP, and support for other complementary authentication methods.
- Encryption with 40-bit RSA RC4. North American customers can also use 128-bit encryption for RAS, made available with Windows NT Server 4.0 Service Pack 2.
- PPP support for any client machine that Windows NT Server supports connected locally across a LAN.
- Support over an unbeaten array of connectivity options: analog, ISDN, frame relay, T1, X.25, and even the Internet.
- Point-to-Point Tunneling support to enable low-cost, secure remote client-to-server connectivity across the Internet.
- RFC 1717-compliant PPP multi-link support to enable multiple analog and/or digital links to be combined for higher-bandwidth remote connections.
- RAS APIs to enable RAS to be used as a platform for value-added solutions and development.
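The RAS feature list above names PAP and CHAP among the supported authentication methods. The following Python script is an added example, not code from this guide or from Microsoft's RAS, that plays both sides of each exchange (CHAP as specified in RFC 1994, using MD5, next to cleartext PAP) and records what a passive observer of the dial-up link would see in each case. The user name, shared secret and identifier values are constructed sample data.

```python
"""PAP versus CHAP on a RAS link (added example; constructed sample data)."""
import hashlib
import hmac
import os

# Shared secret provisioned out of band on both the RAS client and the server
# (constructed value for the example).
SHARED_SECRET = b"correct horse battery staple"


def pap_request(username: str, password: bytes) -> dict:
    """PAP Authenticate-Request: the credential itself crosses the link."""
    return {"protocol": "PAP", "username": username, "password": password}


def pap_server_check(request: dict, secret: bytes) -> bool:
    return hmac.compare_digest(request["password"], secret)


def chap_challenge(identifier: int, size: int = 16) -> dict:
    """Server -> client: a CHAP Challenge carrying a fresh random value."""
    return {"protocol": "CHAP", "id": identifier, "challenge": os.urandom(size)}


def chap_response(challenge: dict, username: str, secret: bytes) -> dict:
    """Client -> server: MD5(identifier || secret || challenge); the secret stays local."""
    digest = hashlib.md5(bytes([challenge["id"]]) + secret + challenge["challenge"]).digest()
    return {"protocol": "CHAP", "id": challenge["id"], "name": username, "value": digest}


def chap_server_check(challenge: dict, response: dict, secret: bytes) -> bool:
    """Server recomputes the digest for the challenge it issued and compares in constant time."""
    if response["id"] != challenge["id"]:
        return False
    expected = hashlib.md5(bytes([challenge["id"]]) + secret + challenge["challenge"]).digest()
    return hmac.compare_digest(expected, response["value"])


def secret_on_the_wire(message: dict) -> bool:
    """True when the message, as carried over the link, contains the shared secret itself."""
    return any(value == SHARED_SECRET for value in message.values())


def run_exchanges() -> dict:
    """Run one PAP and one CHAP authentication, then try to reuse the CHAP response."""
    pap = pap_request("branch-router", SHARED_SECRET)
    challenge = chap_challenge(identifier=7)
    response = chap_response(challenge, "branch-router", SHARED_SECRET)
    # A later session issues a new challenge; the earlier response no longer verifies.
    later_challenge = chap_challenge(identifier=8)
    return {
        "pap_authenticated": pap_server_check(pap, SHARED_SECRET),
        "pap_secret_on_wire": secret_on_the_wire(pap),
        "chap_authenticated": chap_server_check(challenge, response, SHARED_SECRET),
        "chap_secret_on_wire": secret_on_the_wire(response),
        "chap_old_response_reusable": chap_server_check(later_challenge, response, SHARED_SECRET),
    }
```

The comparison makes the guide's ordering of these methods concrete: with PAP the secret itself is on the link, so anyone who records the session holds a reusable credential; with CHAP only a one-time digest is sent, and a recorded response does not verify against the next challenge. MS-CHAP follows the same challenge/response pattern with a different response computation and is not modelled here.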




With Windows NT Server, the RAS server provides a route between a remote client and a LAN, as shown in this figure:

[Figure: RAS is essentially routing between a remote client and a LAN]

Multi-Protocol Routing

Microsoft introduced multi-protocol routing support as a new feature area for Windows NT Server 4.0. These routing functions include:

- RIP (Routing Information Protocol) v.1 for IP;
- DHCP relay agent for IP;
- RIP for IPX;
- SAP (Service Advertising Protocol) for IPX;
- Static routing support over IP and IPX networks; and
- Manageability enabled by a command line user interface.

AppleTalk routing support is provided in the Services for Macintosh component, which is also included with Windows NT Server 4.0.

After you install Windows NT Server MultiProtocol Routing and enable the Routing Information Protocol (RIP) routing options, your Windows NT Server computer should be able to route network packets between two or more network adapters using RIP on Internet Protocol (IP), Internetwork Packet Exchange (IPX), or both. Your computer can also be a DHCP Relay Agent (depending on your configuration), which allows a computer to relay DHCP messages across an IP network.






WHAT DOES THIS ROUTING AND REMOTE ACCESS SERVICE UPDATE OFFER?

This new service builds on this foundation of built-in communications support, adds extensive new features, and installs on the server PC as a new, consolidated RAS and Routing Service for Windows NT Server 4.0. Significantly, this service update is available at no additional charge as a web-based downloadable offering, so it is extremely affordable. The service update enables extensive multi-protocol routing on Windows NT Server-based PCs. This service is an open, extensible platform for routing and internetworking that is easy to use, flexible, and affordable.

Integrated

The service combines enhanced multi-protocol routing and RAS into a unified service for Windows NT Server. The service is tightly integrated with the operating system and meets Microsoft BackOffice integration requirements.

Comprehensive

The service offers a comprehensive set of features, as discussed in this reviewer guide.

Easy-to-use and Affordable

The service provides an intuitive graphical user interface and a scriptable command-line user interface to make management easier and faster. Both of these management approaches are supported from remote locations. These management tools help reduce the total cost of ownership. The financial equation is made all the more attractive because this new administrative service is offered by Microsoft at no additional charge for Windows NT Server 4.0 customers.

Open and Extensible

Perhaps the most important aspect of Routing and Remote Access Service is its role as a platform for value-added development. The service supports a set of APIs, exposed and documented in an associated Software Development Kit (SDK), which makes the service an extensible platform. The APIs allow routing protocols to be added, the user interface to be completely customizable, and the manageability to be directed by a variety of third party hardware and software companies and system integrators.




ROUTING AND REMOTE ACCESS SERVICE FEATURES AT-A-GLANCE

New Feature / Description

ROUTING PROTOCOLS

RIP v2 (and v1) for IP
    Routing Information Protocol is a frequently used routing protocol for small to mid-sized networks. It is relatively easy to use and provides very good performance. The service supports both version 1 and version 2 of RIP.

OSPF
    Open Shortest Path First is an IETF standard link state routing protocol used for routing IP. OSPF is a more sophisticated routing protocol than RIP, offering faster routing algorithm convergence. The service's OSPF implementation is a result of collaborative effort between Microsoft and Bay Networks, a leading provider of internetworking systems.

DHCP Relay Agent for IP
    Dynamic Host Configuration Protocol (DHCP) provides lower cost of ownership for IP networks because it dynamically assigns IP addresses to PCs or other resources connected to an IP network. This is a dramatic improvement in time and dollar savings compared to manually assigning usable IP addresses. The service provides a relay agent function for DHCP servers so that DHCP assignments can be made across routed networks regardless of whether the connection is made via LAN or WAN (Wide Area Network) links.

RIP and SAP for IPX
    Routing Information Protocol (RIP) and Service Advertising Protocol (SAP) are two routing protocols commonly used in Novell NetWare (IPX) small- to mid-size network environments. The service supports these routing protocols to enable interoperability in mixed network environments.

Static Routing
    The service continues to support use of static, or fixed, routing assignments.

EXTENSIBILITY WHICH MAKES THE SERVICE A PLATFORM

Routing APIs
    Microsoft offers a Software Developer Kit (SDK) that describes for developers how to use these APIs. This is a unique feature enabling Windows NT Server with this service to be a platform for value-added development in routing and networking. It also provides customers great flexibility and investment protection.

Management and User Interface APIs
    The service supports an intuitive graphical user interface and command-line user interface for administrators. This manageability is extensible. This enables the service to work well in existing network environments and makes it easier and less expensive to begin using the service in a variety of networks. The service supports SNMP MIB II so the service can be managed from an SNMP console. The service also supports proprietary management functions. The service's GUI and command-line controls are written to these same management APIs.

EASE OF USE

Graphical User Interface
    The service provides a comprehensive, intuitive graphical user interface which provides a wide range of monitoring and administrative functions for all routes, LAN or WAN interfaces, packet filtering features, and more. The service supports administrative screens that are consistent with other standard Windows GUI approaches, including support for right clicking on the mouse for additional control and a setup wizard.

Scriptable, Command Line User Interface
    Many network managers are more comfortable using a command-line interface to manage their network infrastructure. The service supports command-line interface control, including support for scripting.

Remote Manageability
    The service's GUI controls and command-line controls are remote-able to enable enterprise network management from a central location, remote site, or from mobile workstations. The service's GUI controls are remotely enabled via Remote Procedure Calls.

RAS Restartable File Copy
    This feature automatically begins re-transferring a file upon re-connection whenever your RAS connection has been lost. Nearly anyone who has used a modem can probably remember times when they've nearly completed a file transfer across a modem only to have their remote connection disabled before the transmission was completed. Re-establishing the connection and starting the file transfer process all over again can be frustrating, time-consuming, and expensive. Re-startable file copy addresses these problems by remembering the status of your file transmission and continuing the transfer from that point once you re-connect. This is a feature included with RAS in Windows NT Server 4.0 and Windows NT Workstation 4.0 and is retained in this service update.

RAS Auto-dial and Auto Log-On Dial
    The Windows operating system can map and maintain an association between a Dial-Up Networking entry and a network address to seamlessly integrate Dial-Up Networking with files and applications. This means if you double-click on an icon to open a file and if that file is only accessible over the dial-up connection, Dial-Up Networking will automatically initiate the call. This is a Windows NT 4.0 feature that is retained in the new service.

IMPORTANT COST-SAVING FEATURES

Available at no additional charge
    This service update is available to Windows NT Server 4.0 customers via web download at no additional charge, making server-integrated routing and remote access with Windows NT Server uniquely affordable.

Demand Dial Routing
    The service update supports on-demand dialing over any variety of WAN links, including via the Internet with Point-to-Point Tunneling, eliminating the need for continuous, "nailed-up" connections. As a result, demand dial provides significant cost-savings.

Point-to-Point Tunneling: Client-to-Server
    The service includes support for award-winning technology first introduced in Windows NT Server 4.0 and Windows NT Workstation 4.0: Point-to-Point Tunneling. Point-to-Point Tunneling provides a way to use public data networks, such as the Internet, to create a virtual private network connecting remote client PCs with servers. PPTP encapsulates multiple protocols (IP, IPX, NetBEUI) via TCP/IP connections and allows data encryption for privacy, making it safer to send information over non-secure networks. This technology allows you to securely extend private networks across the Internet without the need to change the client software. As this is written, PPTP client support is also available now for Windows 95, Macintosh, and Windows 3.1.

Point-to-Point Tunneling Support: Server-to-Server
    The service extends the Point-to-Point Tunneling support offered initially in Windows NT 4.0 by enabling remote networks, not just remote clients, to connect using a secure, encrypted tunnel. This important feature enables branch offices to be connected to a corporate network via the Internet rather than via more expensive leased line arrangements. This new use of the Internet as a Virtual Private Network (VPN) can provide big cost savings compared to traditional WAN link alternatives.

Works with Industry Standard LAN & WAN Cards
    Because this is a service that runs on Windows NT Server 4.0, it can enable routing using any of the 2,000+ LAN and WAN cards that have earned the Windows NT Compatible logo. This provides unbeaten customer choice. Now customers, for the first time, can take advantage of PC industry economics for routing and internetworking.

Microsoft Point-to-Point Compression
    Microsoft Point-to-Point Compression (MPPC) lets an organization make the most use of WAN links for remote access or routing. MPPC supports compression of up to about 4:1; compression performance varies by the type of data being transmitted over the link. MPPC is available for third party licensing.

RAS Idle Disconnect
    This feature automatically terminates your RAS connection after a certain period of time if there has been no activity over the remote dial-up communications link. The user or administrator can specify the amount of time before this feature is activated. This is a Windows NT 4.0 feature that is retained in the service update.

SECURITY & MANAGEABILITY

IP packet filtering
    The service supports a variety of inbound and outbound packet filtering features. These packet filtering features provide an important measure of network security. Here is a list of filtering options: TCP port, UDP port, IP protocol ID, ICMP type, ICMP code, source address, destination address.

IPX packet filtering
    The service supports a similar level of packet filtering for IPX packets. Here is a list of IPX packet filter options: source address, source node, source socket, destination address, destination node, destination socket, and packet type.

RADIUS client: RFC 2058 compliant
    Now a server PC running Windows NT Server and this service update can act as a RADIUS client to a RADIUS server, providing expanded choice for authentication. RADIUS (Remote Authentication Dial-In User Service) is a dialup authentication and accounting protocol commonly used by Internet Service Providers.

Complements use with Microsoft Proxy Server
    The service can be used with Microsoft Proxy Server to provide an even higher level of network security and performance. Microsoft Proxy Server reduces network costs and bandwidth needs by caching Internet or Intranet sites. Microsoft Proxy Server allows network administrators to control what Internet or Intranet services their users can access and provides application layer security, complementing the service's packet layer security.

Authentication, Encryption, and more in Windows NT Server RAS
    The service update inherits all the features that make Windows NT Server RAS a secure, scalable platform for remote access.
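The IP packet filtering entry above lists the fields a filter can match: TCP port, UDP port, IP protocol ID, ICMP type and code, source and destination address. The following Python script is an added example, not the service's own filter engine, that evaluates a constructed inbound rule set written in those same terms against constructed sample packets. The addresses, the rule order and the first-match-wins / default-drop semantics are assumptions made for the illustration, not a description of how the service orders its filters; the PPTP control port (TCP 1723) and GRE (IP protocol 47) are the protocol's well-known values.

```python
"""Toy packet-filter evaluator over the listed match fields (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ICMP, TCP, UDP, GRE = 1, 6, 17, 47   # IP protocol IDs


@dataclass
class Packet:
    src: str
    dst: str
    protocol: int
    src_port: Optional[int] = None     # TCP/UDP only
    dst_port: Optional[int] = None
    icmp_type: Optional[int] = None    # ICMP only
    icmp_code: Optional[int] = None


@dataclass
class Rule:
    """One filter entry; a field left as None matches anything."""
    action: str                        # "pass" or "drop"
    src: Optional[str] = None          # CIDR prefix
    dst: Optional[str] = None
    protocol: Optional[int] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        for want, have in ((self.src, p.src), (self.dst, p.dst)):
            if want is not None and ipaddress.ip_address(have) not in ipaddress.ip_network(want):
                return False
        for name in ("protocol", "src_port", "dst_port", "icmp_type", "icmp_code"):
            want = getattr(self, name)
            if want is not None and getattr(p, name) != want:
                return False
        return True


def filter_packet(rules: List[Rule], p: Packet, default: str = "drop") -> str:
    """First matching rule decides; otherwise the default policy applies (assumed semantics)."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return default


def evaluate(rules: List[Rule], packets: List[Packet], default: str = "drop") -> List[str]:
    return [filter_packet(rules, p, default) for p in packets]


# Constructed inbound rule set for a branch router's Internet-facing interface.
# 192.168.10.0/24 is the constructed internal LAN; 192.168.10.1 the tunnel server.
WAN_INBOUND = [
    Rule("drop", src="192.168.10.0/24"),                          # anti-spoofing: no internal source from outside
    Rule("pass", dst="192.168.10.1/32", protocol=TCP, dst_port=1723),   # PPTP control connection
    Rule("pass", dst="192.168.10.1/32", protocol=GRE),                  # PPTP tunnel payload (GRE)
    Rule("pass", protocol=ICMP, icmp_type=8, icmp_code=0),              # echo request only
]

# Constructed sample traffic (documentation prefixes for the outside addresses).
SAMPLE_PACKETS = [
    Packet("203.0.113.7", "192.168.10.1", TCP, src_port=40000, dst_port=1723),
    Packet("203.0.113.7", "192.168.10.1", GRE),
    Packet("203.0.113.7", "192.168.10.1", TCP, src_port=40001, dst_port=139),
    Packet("192.168.10.55", "192.168.10.1", TCP, src_port=40002, dst_port=1723),
    Packet("198.51.100.2", "192.168.10.20", ICMP, icmp_type=8, icmp_code=0),
    Packet("198.51.100.2", "192.168.10.20", ICMP, icmp_type=13, icmp_code=0),
]
```

Running `evaluate(WAN_INBOUND, SAMPLE_PACKETS)` passes the two PPTP packets and the echo request and drops the rest. Note the fourth packet: it would satisfy the PPTP rule, but the anti-spoofing rule is listed first and matches on the source address, which is why rule order matters under first-match semantics.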




NEW EXTENSIVE ROUTING PROTOCOL SUPPORT BUILT-IN

Benefits:
- Broad support for leading routing protocols
- Interoperability with existing networking infrastructure

Routing is the process of connecting networks and transferring information between them. A typical router is connected to two or more networks over LAN or WAN media. It learns network information (such as addresses and services) from one network, and then propagates this information to other networks to facilitate connectivity between all computers on all networks.

Routing protocols (OSPF, RIP, SAP, and others) are used to learn and propagate address and service information. Computers on any network can send packets to the router to be forwarded to another network that the router is connected to. The router examines the packet and uses the destination address in the packet header to decide which network should receive the packet.

This service update provides built-in support for a wide cross-section of internetworking needs for IP as well as IPX-based networks.(1) The service's API extensibility enables third party companies to offer those other routing protocols not already included in the service.

(1) NOTE: Windows NT Server 4.0 also supports AppleTalk routing. The new service does not disable these features, but the new service does not expose any additional administrative control or add any additional features to the already built-in AppleTalk routing support. The new service introduces no changes to the way in which an administrator would access and use the AppleTalk management functions provided by Windows NT Server 4.0.

Routing Information Protocol (RIP) for IP

The Routing Information Protocol (RIP) was designed for exchanging information within an autonomous system (AS), a network of relatively limited size. A RIP router maintains a routing table and periodically sends announcements to inform other RIP routers on the network of the networks it can reach. RIP also announces when it can no longer reach networks. RIP version 1 uses IP broadcast packets for its announcements. A later enhancement, RIP version 2, uses IP multicast packets for its announcements.

Each entry in a RIP routing table provides information about the entry, including the ultimate destination address, the next hop on the way to the destination, and a metric. The metric indicates the distance in number of hops to the destination, its "cost" to the router. Other information can also be present in the routing table, including various timers associated with the route.

Initially, each router's table includes only the links to which it is physically connected. A router depends on periodic updates from other routers to keep current information on what routes are reachable through them. RIP maintains only the best route to a destination through broadcast messages at 30-second intervals, or triggered updates. Triggered updates occur when the network topology changes and routing update messages are sent which reflect those changes. For example, when a router detects a link failure or a router failure, it recalculates its routes and sends routing update messages (triggered updates). Each router receiving a routing update message that includes a change updates its tables and propagates the change.

The biggest advantage of RIP is that it is extremely simple to configure and deploy. The biggest disadvantage of RIP is that as networks grow larger in size, the periodic announcements by each RIP router cause excessive traffic on the network. RIP is widely deployed in networks with up to 50 servers or so, but most larger organizations use other routing protocols. Various industry sources indicate that about 15% of the routed networks in place today make use of RIP for IP and this number is holding steady or perhaps increasing slightly.

The service update supports RIP versions 1 and 2. The service's RIP implementation has the following features:

- Selection of which RIP version to run on each interface.
- Split horizon, a method used to avoid routing loops.
- Route filters for choosing which networks to announce or to accept announcements for.
- Configurable announcement and route aging timers.
- Triggered updates for fast route change propagation.
- Authentication or community string.
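The RIP description above (tables of destination, next hop and hop-count metric; 30-second periodic announcements; triggered updates) and the feature list (split horizon) can be worked through in code. The following Python simulation is an added example, not the service's RIP implementation: three routers in a chain exchange RIP-style announcements, run periodic rounds until their tables stop changing, then lose a network, and the script counts how many periodic rounds the withdrawal takes to propagate with and without split horizon, and shows a triggered update reaching every router at once. Router and network names are constructed; treating metric 16 as "unreachable" follows RFC 1058 and is not stated on this page.

```python
"""Toy RIP distance-vector simulation (added example; constructed topology)."""

INFINITY = 16  # RIP's "unreachable" metric (RFC 1058); 15 hops is the longest usable route


class RipRouter:
    def __init__(self, name, networks):
        self.name = name
        self.networks = set(networks)
        # routing table: destination -> (next-hop router or None, outgoing interface, metric)
        # A directly attached network is one hop away with no next-hop router.
        self.table = {net: (None, net, 1) for net in networks}

    def announcement(self, out_net, split_horizon=True):
        """Routes to announce on out_net. Split horizon withholds any route that was
        learned through out_net, so a neighbour never hears its own route echoed back."""
        return {dest: metric for dest, (hop, iface, metric) in self.table.items()
                if not (split_horizon and hop is not None and iface == out_net)}

    def receive(self, sender, in_net, routes):
        """Process an announcement heard on in_net; return True if the table changed."""
        changed = False
        for dest, metric in routes.items():
            new_metric = min(metric + 1, INFINITY)    # one more hop to go via sender
            cur = self.table.get(dest)
            if cur is None and new_metric >= INFINITY:
                continue                              # never install an unreachable route we lacked
            better = cur is None or new_metric < cur[2]
            same_hop_changed = cur is not None and cur[0] == sender and new_metric != cur[2]
            if better or same_hop_changed:
                self.table[dest] = (sender, in_net, new_metric)
                changed = True
        return changed

    def link_down(self, net):
        """Interface failure: every route that left through it becomes unreachable."""
        self.networks.discard(net)
        for dest, (hop, iface, metric) in list(self.table.items()):
            if iface == net:
                self.table[dest] = (hop, iface, INFINITY)


def build(topology):
    """topology: network -> list of routers attached to it."""
    attached = {}
    for net, names in topology.items():
        for name in names:
            attached.setdefault(name, []).append(net)
    return {name: RipRouter(name, nets) for name, nets in attached.items()}


def deliver(routers, sender, split_horizon):
    """sender announces on every attached network; return the routers whose tables changed."""
    changed = []
    for net in sender.networks:
        routes = sender.announcement(net, split_horizon)
        for peer in routers.values():
            if peer is not sender and net in peer.networks and peer.receive(sender.name, net, routes):
                changed.append(peer.name)
    return changed


def periodic_rounds(routers, split_horizon=True, max_rounds=50):
    """30-second periodic announcement rounds until nothing changes; return rounds that changed."""
    for rnd in range(1, max_rounds + 1):
        changed = [deliver(routers, r, split_horizon) for r in list(routers.values())]
        if not any(changed):
            return rnd - 1
    return max_rounds


def triggered_update(routers, origin, split_horizon=True):
    """Triggered update: the router whose table changed announces immediately and every
    neighbour whose table changes as a result does the same. Returns routers reached, in order."""
    pending, notified = [origin], []
    while pending:
        name = pending.pop(0)
        notified.append(name)
        for peer in deliver(routers, routers[name], split_horizon):
            if peer not in pending and peer not in notified:
                pending.append(peer)
    return notified


def demo():
    # Constructed chain: N1 -- A -- N2 -- B -- N3 -- C -- N4
    topology = {"N1": ["A"], "N2": ["A", "B"], "N3": ["B", "C"], "N4": ["C"]}
    results = {}
    for split_horizon in (True, False):
        routers = build(topology)
        periodic_rounds(routers, split_horizon)             # initial convergence
        routers["C"].link_down("N4")                        # C loses its link to N4
        results[split_horizon] = (periodic_rounds(routers, split_horizon), routers["A"].table["N4"][2])
    routers = build(topology)
    periodic_rounds(routers)
    routers["C"].link_down("N4")
    results["triggered"] = triggered_update(routers, "C")
    return results
```

`demo()` reports that with split horizon the withdrawal of N4 reaches A in two periodic rounds, while without it B and C re-learn the dead route from each other and count the metric up to 16 over eight rounds (the classic count-to-infinity the guide's "avoid routing loops" bullet refers to); the triggered update reaches C, B and A in one pass instead of waiting for the 30-second timer.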

Open Shortest Path First (OSPF) Protocol for IP

OSPF was developed as an IETF standard in response to the inability of RIP to
serve large, heterogeneous internetworks. The biggest advantage of OSPF is that
it is efficient: it computes better routes and requires fewer signaling
messages. The biggest disadvantage of OSPF is its complexity; it is harder to
configure and takes more management time. That is, OSPF routers need to
maintain both a link state database and a routing table; RIP routers need only a
routing table.

Refer to the OSPF RFC for more information and administration details.

OSPF is a link state protocol based on the Shortest Path First (SPF)
algorithm. This algorithm computes the shortest path between one source node
and the other nodes in the network.

Various industry sources indicate that about 35% to 40% of the routed networks
in place today make use of OSPF and this number is growing.

Instead of exchanging distances to destinations like RIP routers do, OSPF
routers maintain a “map” of the network that is updated after any change in the
network topology. This map is called the link state database. The link state
database is used to compute the network routes, which must be computed again
after any change in the topology. From this computation, the router derives the
next hop for the destination, that is, the next router to which the data should be
sent and the link that should be used for reaching this next router. Network
changes are propagated, or flooded, across the entire network to ensure that each
copy of the database is accurate at all times.

Because OSPF routers keep an overview of the network from the perspective of
any router, some of the problems that are inherent in RIP (such as loops) are no
longer problems.

The following page includes an example of an OSPF link state database as
seen from the Routing and Remote Access Service Update:

An OSPF link state database accessed via the Routing and Remote Access Service

As the size of the link state database increases, memory requirements and
route computation times increase considerably. To address this, OSPF divides
the network into many areas connected to each other through a backbone area.
Each router inside the area keeps only the state of links within its area and
advertises to only those routers within the area. Area border routers, between
each area and the backbone area, keep a link state database for each area to
which they belong.
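An added example, not code from the guide or from the service: the SPF computation described above, run in Python over a constructed four-router link state database. Router names and link costs are invented for the illustration. It yields the next hop a router would install for each destination and shows the recomputation that follows a change in the database.

```python
# Added example (not code from the guide): Shortest Path First over an
# OSPF-style link state database.  The four-router topology and link
# costs are constructed for the illustration.
import heapq

# Link state database: every router's advertisement lists its links as
# (neighbour, cost).  Flooding guarantees each router holds this same map.
LSDB = {
    "R1": {"R2": 10, "R3": 5},
    "R2": {"R1": 10, "R4": 5},
    "R3": {"R1": 5, "R4": 20},
    "R4": {"R2": 5, "R3": 20},
}


def spf(lsdb, root):
    """Dijkstra's algorithm from root over the link state database.

    Returns {router: (total cost, next hop)}.  The next hop is the directly
    attached neighbour the root forwards to, which is the value a router
    installs in its routing table; the full path is not needed there.
    """
    dist = {root: 0}
    next_hop = {root: None}
    done = set()
    heap = [(0, root)]
    while heap:
        cost, node = heapq.heappop(heap)
        if node in done:
            continue  # stale entry superseded by a cheaper one
        done.add(node)
        for nbr, link_cost in lsdb.get(node, {}).items():
            new_cost = cost + link_cost
            if nbr not in dist or new_cost < dist[nbr]:
                dist[nbr] = new_cost
                # The root's own neighbours are their own next hop; every
                # router further out inherits the next hop of its parent.
                next_hop[nbr] = nbr if node == root else next_hop[node]
                heapq.heappush(heap, (new_cost, nbr))
    return {n: (dist[n], next_hop[n]) for n in dist}


def routing_table(lsdb, root):
    """Destination -> next hop, i.e. what gets installed after an SPF run."""
    return {dst: nh for dst, (cost, nh) in spf(lsdb, root).items() if dst != root}


def with_link_down(lsdb, a, b):
    """A copy of the database after the a-b link has been withdrawn.

    Because the link state database changed, the routes must be recomputed.
    """
    copy = {r: dict(links) for r, links in lsdb.items()}
    copy[a].pop(b, None)
    copy[b].pop(a, None)
    return copy


if __name__ == "__main__":
    print("R1 table:", routing_table(LSDB, "R1"))
    print("R1 table after R2-R4 fails:",
          routing_table(with_link_down(LSDB, "R2", "R4"), "R1"))
```

From R1 the cheapest way to R4 is via R2 (cost 15); once the R2-R4 link is withdrawn from the database the recomputation moves R4 behind R3 (cost 25), which is the "computed again after any change in the topology" step in the text.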


A diagram of an OSPF network

Again, to summarize, OSPF has the following advantages over RIP:

- Convergence for network topology changes is faster.
- Routing information for stable networks generates less traffic.
- Because each area is isolated, routing infrastructure is more robust.
- OSPF is unaffected by loops in the network.

The new service’s router OSPF implementation, which is the result of a
collaborative working arrangement between Bay Networks and Microsoft,
supports the following features:

- Route filters for controlling interaction with other routing protocols
- Dynamic reconfiguration of all OSPF parameters
- Coexistence with RIP
- Dynamic addition and deletion of interfaces

RIP and Service Advertising Protocol (SAP) for IPX

IPX (Internetwork Packet Exchange) is used in NetWare environments and
provides interoperability with NetWare networks. It is a fast LAN transport for
Windows-based networking as well. To route packets in an internetwork, IPX
uses RIP and SAP (Service Advertising Protocol).

RIP for IPX is a simple broadcast protocol used to exchange IPX network
routes across a network. This protocol announces routes over each network
segment. The announcements are made periodically so that the routing
information kept in the routers is current. Various industry sources indicate
that about 15% of the routed networks in place today make use of RIP and SAP
for IPX and this number is growing.

The service supports network route filters, which enable selective
announcements and reception of network routes. The service also enables
configuration of the timers used for route announcements (for example, the
periodic announcement timer).

The Service Advertising Protocol allows nodes that provide services, such as file
servers and print servers, to advertise their addresses and the services they
provide.

IPX routers send periodic SAP broadcasts to keep all routers on the
internetwork synchronized. By default, this is set to every 60 seconds. Routers
also send SAP update broadcasts whenever they detect a change in the
internetwork configuration.

The implementation of IPX by Windows NT Server (NWLink IPX/SPX
Compatible Protocol [NWLink]) conforms to the Novell IPX Router Specification.

DHCP Relay Agent

Windows NT Server 4.0 offers an integrated combination of support for the
Dynamic Host Configuration Protocol (DHCP) service, Windows Internet Name
Service (WINS), and Domain Name System (DNS).

The Routing and Remote Access Service Update works in conjunction with
these operating system services to act as a relay agent for DHCP addresses
across a routed network. As a result, RAS client PCs and distant routers
connected to servers running this service update can have IP addresses
assigned to them from DHCP servers.

DHCP automatically and dynamically assigns IP addresses to hosts. WINS
provides a distributed, dynamically updated database of host names mapped to
IP addresses, which allows users to use friendly host names instead of IP
addresses to locate network resources. Microsoft DNS server running under
Windows NT Server version 4.0 is an RFC compliant DNS name server that is
used to manage and administer DNS services on a TCP/IP network. Microsoft
DNS server supports RFCs 1033, 1034, 1035, 1101, 1123, 1183, and 1536 and is
also compatible with the Berkeley Internet Name Domain (BIND) implementation
of DNS.

Because Microsoft DNS server is an RFC compliant DNS server, it creates and
uses standard DNS database files and record types referred to as resource
record types. It is interoperable with other DNS servers and can be managed by
using the standard DNS diagnostic utility nslookup. (Nslookup is included with
the TCP/IP utilities provided with Windows NT Server version 4.0.)

Microsoft DNS server also has features above and beyond those specified in
the RFCs, such as tight integration with Microsoft Windows Internet Name
Service (WINS) and ease of administration by using the graphical DNS Manager.

Integration of DNS and WINS services is an important feature that allows
interoperability between non-Microsoft and Windows-based TCP/IP network
clients. DNS and WINS integration provides a method to reliably resolve name
queries for Windows-based computers that use dynamic (DHCP-based) IP
addressing and NetBIOS computer names.

The other important feature of the Microsoft DNS server implementation in
Windows NT Server 4.0 is DNS Manager, a graphical user interface that you use
to manage local and remote Microsoft DNS servers and database files.

Microsoft DNS server allows you to use a computer running under Windows NT
Server version 4.0 to administer an entire domain or subdivisions of the domain
referred to as zones, subzones and domains. These subdivisions are dependent
on your enterprise requirements for name and administrative groupings of
computers, integration of Windows NT-based domains into the DNS domain
model, or your role as an Internet Service Provider (ISP) to other enterprises.

The structure of a DNS zone changes whenever a new host is added or when
an existing host is moved to a different subnet. Because DNS is not dynamic,
someone must manually change the DNS database files if the zone is to reflect
the new configuration. This results in increased administrative overhead,
especially on zones that change frequently.

WINS, on the other hand, was created to ease this type of administrative burden.
Coupling DNS with WINS capitalizes on the strengths of each to provide a form of
Dynamic DNS. This coupling is supported by the DNS service that runs under
Windows NT Server 4.0. With it, you can direct DNS to query WINS for name
resolution of the lower levels of the DNS tree in your zones. All of this is
transparent to the DNS resolvers, which perceive the DNS name server as
handling the entire process. And, as noted, all of these features can work
transparently across a routed network with the Routing and Remote Access
Service Update.


Windows NT Server provides an excellent platform for network management.

Conventional communications systems require different organizations with
separate skills to manage the routers, servers and applications. The Routing and
Remote Access Service Update, by bringing branch office networking and related
functions into the consistent Windows NT Server environment, reduces
administrative costs by allowing a common group of people to manage the
communications infrastructure and the applications environment.

Easier Administration with an Intuitive Graphical User Interface

The service update provides an intuitive graphical user interface for monitoring
and configuration, as well as command line-based management for creating
scripts. All routing and RAS management functions can be used to manage
remote servers for added flexibility. Remote Procedure Calls enable the remote
GUI-based commands. Plus, because of the service’s API management
extensibility, third party vendors can enable a machine running the service to act
and be managed like other routers and remote access servers. This enables
graceful co-existence with today’s network infrastructure.

Here is one of the primary administrative screens used with the new service:

Routing and Remote Access Service Admin screen: making management easy


After you install the service update, you can configure and monitor interfaces
and routing protocols by using Routing and RAS Admin. You can also use this
tool to configure and monitor your RAS server. From this screen, an administrator
can monitor and control each of the LAN or WAN interfaces, routing protocols,
and other features quickly and easily.

The Routing and RAS Admin tool looks similar to the Windows NT Explorer. The
tree view in the left window displays the installed network and routing
components of the service. The list view in the right window displays the
interfaces for a selected protocol. You can access this tool in the
Start/Programs/Administrative Tools (Common) folder.

FLEXIBLE, INTUITIVE ADMINISTRATIVE AND MANAGEMENT SUPPORT TOOLS

Benefits:

- Easy to use
- Intuitive GUI enables administrators to set up routed networks without having
  to learn cryptic command line instructions
- Command line support enables scripting
- Helps reduce total cost of ownership

The new service’s administrative screens provide rich management support


The service update supports standard Windows user interface approaches so
administrators can be productive using the service as quickly as possible. For
example, you can configure service components by right-clicking within Routing
and RAS Admin. You can select the RIP for IP routing protocol and right-click to
configure global parameters for RIP. You can then select a RIP for IP interface in
the right window and right-click to configure parameters and view monitoring
information specific to only that interface.

Common Administrative Tasks Enabled

Here is a summary of some common administrative tasks you can perform in
Routing and RAS Admin:

- Adding a demand-dial interface
- Granting RAS clients dial-in permissions
- Adding a routing protocol
- Adding interfaces to a protocol
- Deleting interfaces from a protocol
- Managing RAS servers


New Wizard for Demand Dial Routing Set-Up

The most challenging set-up and configuration task that emerged from the
initial “Steelhead” technical beta program involved the process of setting up a
demand dial interface. In fact, this particular task generated the highest number
of support calls in that stage of the beta program.

To address this issue, the previous public beta version and the final version of
the service make use of a Demand Dial Interface Wizard. This wizard makes
setting up a demand dial interface quick and easy. The wizard prompts the user
to type in or check off relevant information, then uses that information to
configure the service.

The new Routing Demand Dial Interface Wizard makes set-up a snap

Scriptable Command Line User Interface

The routemon utility is a scripting utility for the service that is intended as a
command-line alternative to the router administration user interface available
through the Routing and Remote Access Administrator tool (rtradmin.exe).

You can use the routemon utility to configure interfaces, routing protocols,
filters, and routes for routers running the service. You can also use it to display
the configuration of a currently running router service on any computer.

This utility also has a scripting feature that can be used to run a collection of
commands in batch mode against a specified router.

The capability of routemon falls into three classes:

- Interface commands, which are independent of the transport being used
- IP commands, which are specific to IP
- IPX commands, which are specific to IPX

Please see Appendix B of the Routing and Remote Access Service Administrator
Guide for detailed instructions about how to use routemon.

Routing and Remote Access Service command line utility routemon


Remote Manageability

These days, network managers must have the ability to remotely manage their
network infrastructure elements. The Routing and Remote Access Service
Update supports this requirement. Both the graphical UI and the command-line
UI are accessible remotely for administrators. Remote support for the graphical
UI is enabled via remote procedure calls.


Microsoft BackOffice Integration

Significantly, this service update is the first routing and internetworking
technology to offer integration with the Microsoft BackOffice family. This
integration enables the service to be remotely installed and monitored using
Microsoft System Management Server. In addition, Windows NT Server’s
Performance Monitor and System Management Server’s Network Monitor
services can be used to track the service’s performance.


This service update is not only a product intended for use by IT administrators;
it is also a platform for value-added development.

Windows NT Server and the Routing and Remote Access Service platform
open up to vendors new ways to participate in a very robust and thriving
marketplace: the internetworking market. The new service creates opportunities
for a broad range of third-party vendors, including:

- Server OEM Vendors
- Networking Vendors
- Independent Software Vendors (ISVs)
- WAN / LAN card Independent Hardware Vendors (IHVs)
- Internet Service Providers (ISPs)
- System Integrators

Customers benefit from this different approach to internetworking, as well, with
more choice, lower prices, and more flexibility.

APIs for Routing Protocols

The service update includes a set of routing protocols that will be of immediate
use by many customers. In addition, Microsoft exposes APIs to enable third
party vendors to make other routing protocols work with the new service. For
example, proprietary protocols such as Novell Link State Protocol (NLSP) and
others can be “plugged-in.”

Significantly, the routing protocols provided with the service are written to the
same API structure that other third parties would use. As a result, customers
have the option of using any combination of routing protocols with the service:
routing protocols that Microsoft provides with the service and/or routing protocols
provided by third parties.

A separate Routing and Remote Access Service Software Developer Kit (SDK)
is available for hardware and software vendors. This SDK describes not only how
third parties can write to the routing protocol APIs, but also how third parties can
add manageability and usability value to the service update.

APIs for Manageability

Windows NT Server running this service offers extensibility in management
support, not just in routing protocols.

The service exposes APIs to allow a variety of networking protocols and Simple
Network Management Protocol (SNMP) Management Information Bases (MIBs)
to be used. Because an SNMP MIB contains the entire set of objects that a
service or protocol uses, the service running on a Windows NT Server platform
can appear, act, and be managed like many other routers in an organization.
This allows the service to interoperate with existing networking systems.

EXTENSIBILITY ENABLED BY API STRUCTURE

Benefits:

- Makes Windows NT Server with this service a platform for value-added
  development
- Opens new opportunities for networking vendors

SNMP standards allow devices from different companies to be administered
from a central point, such as from an HP OpenView console. This service
supports the SNMP MIB-II series.


Windows NT Server 4.0 provides a very rich platform for Internet/intranet
computing. The Remote Access Service in Windows NT Server 4.0 allows remote
users to access their network via the Internet by using the Point-to-Point
Tunneling Protocol (PPTP). PPTP is a networking technology integrated with
RAS that supports multiprotocol virtual private networks (VPNs). PPTP uses the
Internet as the transfer mechanism instead of long distance telephone lines or a
toll free (1-800) service, which greatly reduces transmission costs.

Point-to-Point Tunneling was initially offered as a new feature in Windows NT
Server 4.0 and Windows NT Workstation 4.0 to enable the use of the Internet as
a “carrier” for client-to-server RAS access. In addition, PPTP client support is
also now available for Windows 95, Windows 3.1, and Macintosh client
machines.

The Routing and Remote Access Service Update builds on this foundation and
extends Point-to-Point Tunneling support for use between two or more
networks, enabling a wide array of cost-saving virtual private networking across
the Internet.

A RAS server is usually connected to an analog phone line, ISDN, or X.25
network. A router is traditionally connected to the WAN via these alternatives or
leased line facilities. These current networking alternatives can be costly not only
in terms of long distance recurring charges but also in terms of equipment
maintenance required on the customer premise to access and manage these
facilities.

PPTP enables remote users and even entire branch offices to access corporate
networks securely across the Internet by dialing into an Internet Service Provider
(ISP) or by connecting directly to the Internet. PPTP offers the following
advantages:

- Lower transmission costs. PPTP uses the Internet as a connection instead of a
  long-distance telephone number or 800 service. This can greatly reduce
  transmission costs.
- Lower hardware costs. PPTP enables modems and ISDN cards to be separated
  from the RAS server. Instead, they can be located at a modem pool or at a
  communications server (resulting in less hardware for an administrator to
  purchase and manage).
- Lower administrative overhead. With PPTP, network administrators centrally
  manage and secure their remote access networks at the RAS server. They need
  to manage only user accounts instead of supporting complex hardware.
- Enhanced security. Above all, the PPTP connection is encrypted and secure,
  and it works with any protocol (including IP, IPX, and NetBEUI).

Point-to-Point Tunneling Overview

PPTP provides a way to route PPP packets over an IP network. Since PPTP
allows multiprotocol encapsulation, you can send any type of packet over the
network. For example, you can send IPX packets over the Internet.

PPTP treats your existing corporate network as a PSTN, ISDN, or X.25
network. This virtual WAN is supported through public carriers, such as the
Internet.

Compare PPTP to the other WAN protocols: When you use PSTN, ISDN, or
X.25, a remote access client establishes a PPP connection with a RAS server
over a switched network. After the connection is established, PPP packets are
sent over the switched connection to the RAS servers to be routed to the
destination LAN.

In contrast, when you use PPTP, instead of using a switched connection to
send packets over the WAN, a transport protocol such as TCP/IP is used to send
the PPP packets to the RAS server over the virtual WAN.

The end benefit for both the user and the corporation is a savings in
transmission costs by using the Internet rather than long distance dial-up
connections.

POINT TO POINT TUNNELING

Benefits:

- Allows the creation of secure virtual private networks via the Internet
- Works for remote client or server access to the service
- Encapsulates network protocols allowing use of IP, IPX or NetBEUI over the
  Internet without the need for re-addressing
- Enables Extranet applications
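An added example, not code from the guide, of the IP(PPP(IP)) encapsulation the overview describes: Python that wraps a private IP (or IPX) packet in a PPP frame and an outer IP header addressed to the RAS server, and unwraps it again. Real PPTP data packets also carry a GRE header between the outer IP header and the PPP frame; it is left out here so the layering stays readable. All addresses and payloads are constructed.

```python
# Added example (not code from the guide): the IP(PPP(IP)) nesting that
# PPTP uses to carry a private packet across the Internet.  Real PPTP
# places a GRE header between the outer IP header and the PPP frame; that
# header is omitted here to keep the layering visible.  All addresses and
# payloads are constructed.
import socket
import struct

PPP_PROTO_IP = 0x0021   # PPP protocol field for an IP datagram
PPP_PROTO_IPX = 0x002B  # PPP protocol field for an IPX packet
IPPROTO_GRE = 47        # outer IP protocol number carrying PPTP data


def ip_checksum(data):
    """RFC 791 one's-complement checksum over the header bytes."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload, ttl=64):
    """Minimal 20-byte IPv4 header (no options) in front of payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                         ttl, proto, 0, socket.inet_aton(src),
                         socket.inet_aton(dst))
    header = header[:10] + struct.pack("!H", ip_checksum(header)) + header[12:]
    return header + payload


def parse_ipv4(packet):
    """Return (src, dst, proto, payload); rejects a corrupted header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ip_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    total_len = struct.unpack("!H", packet[2:4])[0]
    return (socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20]),
            packet[9], packet[ihl:total_len])


def build_ppp(proto, payload):
    """HDLC-style PPP frame: address 0xFF, control 0x03, protocol, payload."""
    return b"\xff\x03" + struct.pack("!H", proto) + payload


def parse_ppp(frame):
    if frame[:2] != b"\xff\x03":
        raise ValueError("bad PPP address/control field")
    return struct.unpack("!H", frame[2:4])[0], frame[4:]


def tunnel(client_public_ip, ras_server_ip, ppp_proto, inner_packet):
    """Wrap inner_packet in PPP, then in an outer IP header addressed to the
    RAS server.  The inner packet is carried unchanged, which is why the
    private network needs no re-addressing."""
    return build_ipv4(client_public_ip, ras_server_ip, IPPROTO_GRE,
                      build_ppp(ppp_proto, inner_packet))


def untunnel(packet):
    """What the RAS server does: strip the outer IP and PPP layers."""
    _src, _dst, proto, payload = parse_ipv4(packet)
    if proto != IPPROTO_GRE:
        raise ValueError("not a PPTP data packet")
    return parse_ppp(payload)


if __name__ == "__main__":
    inner = build_ipv4("10.0.0.5", "10.0.1.20", 6, b"private payload")
    outer = tunnel("203.0.113.7", "198.51.100.1", PPP_PROTO_IP, inner)
    print("outer:", parse_ipv4(outer)[:3])
    print("inner:", parse_ipv4(untunnel(outer)[1])[:3])
```

Only the outer header carries public addresses; the inner packet keeps its private 10.x addresses end to end, and the PPP protocol field is what lets the same tunnel carry IPX alongside IP.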

The following three sections describe how PPTP can be used: for outsourcing
a dial-up network, for client connections directly through the Internet, and for
client connections through an ISP.

Point-to-Point Tunneling in Out-Sourced Dial-Up Networks

Communications hardware available for supporting dial-up needs can be
complicated and not well integrated. For many organizations, putting together a
Windows NT RAS server requires modems, serial controllers, and many cables.
Furthermore, many solutions do not provide a single integrated way to efficiently
support V.34 and ISDN dial-up lines. Adding routing support can involve
additional cards to connect to the relevant leased line facilities.

Many corporations would like to outsource dial-up access to their corporate
backbone networks in a manner that is cost effective, hassle free, protocol
independent, secure, and that requires no changes to the existing network
addressing. Virtual WAN support using PPTP is one way a service provider can
meet the needs of these organizations.

By separating the dial-up modems from a RAS server, PPTP lets you
outsource dial-up services or geographically separate the RAS server from the
hardware within a corporation. For example, a telephone company can manage
modems and lines so that user account management can be centralized at the
RAS server.

An end user would then make a local call to the phone company that connects
to a Windows NT RAS server using a WAN link. The client then has access to
the corporate network.

This type of solution leverages existing proven PPP authentication, encryption,
and compression technologies.

The RAS client does not have to support PPTP if the dial-up point of presence
supports PPTP. In this case, the client simply makes a PPP connection to the
point of presence communication server or modem pool, which, in turn,
communicates to the corporate RAS server using PPTP.



An out-sourced dial-up network using Point-to-Point Tunneling Protocol

Secure Access to Corporate Networks over the Internet (Virtual
Private Networks)

A RAS client that has PPTP as its WAN driver can access resources on a
remote LAN by connecting to a Windows NT RAS server through the Internet via
any ISP. In addition, Point-to-Point Tunneling support can also be provided for
other PPP clients as a value-added service enabled at the ISP’s point of presence
(POP).

In the first scenario, a remote client connects to the Internet via the ISP POP
then “dials” the IP address for the RAS server. PPTP on the client makes a tunnel
through the Internet and connects to the PPTP-enabled RAS server. After
authentication, the client can access the corporate network, as shown below.

Remote clients which support PPTP that are directly connected to the
Internet can also use Point-to-Point Tunneling from their PC to connect to a RAS
server. Connecting directly to the Internet means direct IP access without going
through a dial-up ISP. (For example, some hotels allow you to use an Ethernet
cable to gain a direct connection to the Internet.)













Diagram labels: Internet Service Provider POPs; Internet; Windows NT Server RAS;
Corporate LAN; a remote PPP client sending PPP(IP); a remote client with PPTP
sending IP(PPP(IP)); Secure Tunnel.


Windows NT Server 4.0 RAS supports PPTP enabled from remote client PCs or
from an Internet Service Provider point of presence (POP) for other PPP clients


In the second example, a remote PPP client can dial into an ISP POP that
supports Point-to-Point Tunneling and achieve essentially the same secure
tunnel. This gives the ISP the ability to offer secure remote access tunnels as a
value-added service to its customers, an important point of competitive
differentiation.



New with this service: Point-to-Point Tunneling Server-to-Server

The Routing and Remote Access Service Update extends the Point-to-Point
Tunneling support initially made available in Windows NT Server 4.0 by enabling
server-to-server secure tunnels in addition to RAS client-to-server tunnels.

Branch office VPNs. This is significant because it allows organizations to
connect their remote locations with one another using the Internet as a Virtual
Private Network as an alternative to traditional leased line or other carrier
facilities. This can substantially reduce the cost of internetworking between
different locations in an organization.

Extranets. In addition, this technology enables an organization to extend more
of its internal network to key business affiliates to enable secure transactions or
other business communications across the Internet.


















Diagram labels: Internet Service Provider POPs; Internet; Windows NT Server with
the service; Corporate LAN; a remote PPP client sending PPP(IP); a remote client
with PPTP sending IP(PPP(IP)); a Windows NT Server in a branch office sending
IP(PPP(IP)); Secure Tunnel.

The new service enables server-to-server secure tunneling and client-to-server
tunneling

A server running the Routing and Remote Access Service Update can
simultaneously support tunneled connections via Point-to-Point Tunneling while it
provides routing and RAS support over other traditional WAN or LAN links. This
makes Windows NT Server with this service a versatile and money-saving
internetworking foundation.

Security Considerations

Data sent across the PPTP tunnel is encapsulated within PPP packets.
Because RAS and routing support encryption, the data will be encrypted. The
service supports bulk data encryption using RSA RC4 and a 40-bit session key
that is negotiated at PPP connect time between the RAS client and the
Windows NT RAS server. A 128-bit session key is also available for use in North
America as a more secure option. This 128-bit security is available for the
original RAS support provided in the box with Windows NT Server 4.0 via the
North American Service Pack 2 (or later) for Windows NT Server 4.0. The 128-bit
support used with this service update comes from the North American Service
Pack 3 (or later) for Windows NT Server 4.0.

PPTP uses the Password Authentication Protocol and the Challenge
Handshake Authentication Protocol algorithms provided by Windows NT Server
4.0.

In addition to supporting encrypted PPP links across the Internet, a PPTP-based
solution also enables the Internet to become a network backbone for carrying IPX
and NetBEUI remote-access traffic. PPTP can transfer IPX traffic because it
encapsulates and encrypts PPP packets so that they can ride TCP/IP. Thus, a
solution does not depend only on TCP/IP LANs. Network administrators need not
re-address their networks in order to enable such virtual private networking.

In addition to PPTP, Microsoft will offer VPN solutions that are based on the
Layer 2 Tunneling Protocol (L2TP), which is the emerging Internet Engineering
Task Force (IETF) standard tunneling protocol. Therefore, customers can
implement virtual private networking solutions today based on Windows with
complete assurance that their investments will be preserved in the future when
L2TP becomes available.
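An added example, not code from the guide, for the 40-bit versus 128-bit choice above: a Python RC4 implementation, the encrypt/decrypt round trip under both key lengths, and an exhaustive key search against a deliberately tiny 12-bit key using the predictable PPP header as known plaintext, to show that search effort grows with 2 to the power of the key length. Keys and packet contents are constructed; nothing here models the actual session key negotiation.

```python
# Added example (not code from the guide): RC4 bulk encryption with 40-bit
# and 128-bit session keys, and an exhaustive key search over a deliberately
# tiny key to show what key length buys.  Keys and packet bytes are
# constructed; the PPP header used as known plaintext is the standard
# 0xFF 0x03 address/control pair followed by the 0x0021 protocol field.
import secrets

PPP_IP_HEADER = b"\xff\x03\x00\x21"  # predictable start of a PPP-carried IP packet


def rc4(key, data):
    """RC4 stream cipher; encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):  # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # keystream generation, XORed onto the data
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def session_key(bits):
    """A fresh random session key of the given length (40 or 128 bits here)."""
    return secrets.token_bytes(bits // 8)


def keyspace(bits):
    """Number of keys an exhaustive search must try in the worst case."""
    return 2 ** bits


def recover_key_by_search(ciphertext, known_plaintext, key_bits):
    """Try every key of key_bits bits until the known plaintext decrypts.

    Work is 2**key_bits trial decryptions: practical here for a toy key,
    about a trillion trials for 40 bits, and out of reach for 128 bits.
    """
    n = len(known_plaintext)
    key_len = (key_bits + 7) // 8
    for candidate in range(2 ** key_bits):
        key = candidate.to_bytes(key_len, "big")
        if rc4(key, ciphertext[:n]) == known_plaintext:
            return key
    return None


if __name__ == "__main__":
    packet = PPP_IP_HEADER + b"rest of the IP datagram"
    for bits in (40, 128):
        k = session_key(bits)
        assert rc4(k, rc4(k, packet)) == packet
        print(bits, "bit key space:", keyspace(bits))
    toy_key = b"\x0a\xbc"  # 12-bit key, constructed for the demonstration
    print("recovered:",
          recover_key_by_search(rc4(toy_key, packet), PPP_IP_HEADER, 12))
```

The ratio between the two key spaces is 2 to the power of 88, which is the whole argument for the 128-bit option; the toy search only makes the scaling visible on a workstation.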



Point-to-Point Tunneling provides one important source of cost savings with this
service update, but there are other features available with the service that help
reduce the cost of owning and running a network. Its packaging, demand dial
routing, Microsoft Point-to-Point Compression, and RAS Idle Disconnect are
some of these key factors.

Available as FREE Upgrade for Windows NT Server 4.0

One of the most compelling aspects of this service update is its price: it is
available as a no charge upgrade for any Windows NT Server 4.0 customer.
Unlike other network operating systems vendors that charge for integrated routing
and/or remote access support, Microsoft is making this Routing and Remote
Access Service Update available for free via a Web-based download.

Demand Dial Routing

The Routing and Remote Access Service Update includes support for
demand-dial routing. Setting up a demand-dial interface enables you to initiate a
connection to a remote site that becomes active only when there is data required
to be sent to that site or when you exchange routing information with that site.
When there is no data sent over the link for a specified amount of time, the link
closes. By establishing a demand-dial interface, you can use existing telephone
lines instead of leased lines for low-traffic links. This can significantly reduce
connection costs.

Demand dialing lets users in one office location transparently access files or
applications anywhere in a company, even if the desired resource is available on
a machine in a different location. For example, if a user in a branch office
requests a file that is not found on the local server, a DHCP server determines its
whereabouts, a connection is made to that location, say to the headquarters
location, and the file is retrieved quickly and transparently to the user. WAN
connections can be created as persistent or demand-dial connections.

Demand dialing eliminates the need for an organization to pay for a WAN
connection when no packets are being transferred across that connection. As a
result, demand dial routing provides major cost savings. The administrator can
define the demand dial characteristics. Demand-dial routing through the server
also eliminates the need for a user in a remote branch office to dial into a
corporate headquarters using a client-based modem for RAS access. This saves
the user time and it saves the organization money. Plus it eliminates a potential
network security exposure associated with client PCs connected to LANs while
simultaneously connected to modems.

Using the Service’s Demand Dial Routing

Routers typically make decisions based on routing tables, which are built from
dyna
mic routing information. However, because routing updates cannot be sent
OTHER COST
-
SAVING FEATURES

Benefits:



Reduces to cost of owning and
running a network


27
27
Mi
Microsoft Routing and Remote Access
Microsoft
-

Routing and Remote Access Service for Windows NT Server 4.0 Reviewer Guide

27

over an inactive demand
-
dial connection, you must configure static routes so that
routing can continue and so that hosts can still find services when the demand
-
dial connection is ina
ctive.

Demand-dial routing supports the ability to schedule connections to remote sites to update routing information. It also supports the ability to deny or restrict outgoing connections to specific sites within a specified duration.

The figure below illustrates a demand dial routed network. Because networks A and B are geographically separated, there is no LAN connection between them.

Router 1 and Router 2 can connect over an analog phone line and modems on both ends (or another type of connectivity, such as frame relay or ISDN). Router 1 establishes a phone connection with Router 2 when a computer on Network A initiates communication with a computer on Network B. The modem connection is maintained while there are packets going back and forth. When the link is idle, Router 1 hangs up to reduce connection costs.


A demand dial routing scenario

For a detailed explanation of what happens during a demand-dial connection, see the Demand-Dial Connection section in Chapter 4 of the Routing and Remote Access administrator document.

And as noted earlier, the service’s new Demand Dial Interface Wizard makes the process of setting up and configuring a demand dial connection fast and easy.

RAS Idle Disconnect

This feature is similar in principle to demand dial routing, except that RAS idle disconnect applies to RAS and remote client support. This is a feature already built into Windows NT Server 4.0 RAS and is retained in the service update.

This feature automatically terminates a RAS connection after a certain period of time if there has been no activity over the remote dial-up communications link. The user or administrator can specify the amount of time before this feature is activated.
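An added example, not the guide’s or the service’s own code, that simulates the demand-dial and idle-disconnect behaviour described above: static routes over a demand-dial interface, dial-on-demand, hang-up after an idle timeout, and a window in which outgoing calls to a site are denied. The class names, the deny_windows parameter, and the sample times and addresses are assumptions made for the illustration.

```python
# Constructed example, not the service's own code: a static route points at a
# demand-dial interface, the first packet for that network dials the link, later
# packets keep it up, and an idle timer hangs it up. deny_windows is an assumed
# stand-in for denying outgoing connections to a site for a specified duration.
import ipaddress
class DemandDialInterface:
    def __init__(self, idle_timeout, deny_windows=()):
        self.idle_timeout = idle_timeout    # seconds of silence before hang-up
        self.deny_windows = deny_windows    # (start, end) times when dialing is refused
        self.connected = False
        self.last_activity = None
        self.dial_count = 0                 # every dial is a billable call

    def dial_allowed(self, now):
        return not any(start <= now < end for start, end in self.deny_windows)

class DemandDialRouter:
    def __init__(self):
        self.routes = []   # static (network, interface) entries, most specific first

    def add_static_route(self, cidr, iface):
        self.routes.append((ipaddress.ip_network(cidr), iface))
        self.routes.sort(key=lambda r: r[0].prefixlen, reverse=True)

    def forward(self, dst, now):
        # Returns what the router did with one packet for dst at time now.
        addr = ipaddress.ip_address(dst)
        for net, iface in self.routes:
            if addr in net:
                break
        else:
            return "no route"        # nothing static configured: packet dropped
        if isinstance(iface, str):   # directly connected LAN, no dialing
            return "sent"
        if not iface.connected:
            if not iface.dial_allowed(now):
                return "denied"      # outgoing call restricted in this window
            iface.connected = True
            iface.dial_count += 1
            iface.last_activity = now
            return "dialed"
        iface.last_activity = now    # traffic keeps the link up
        return "sent"

    def tick(self, now):
        # Idle-disconnect check: hang up links silent for idle_timeout or longer.
        for _, iface in self.routes:
            if not isinstance(iface, str) and iface.connected \
                    and now - iface.last_activity >= iface.idle_timeout:
                iface.connected = False
```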

Microsoft Point-to-Point Compression

The new service also makes use of Microsoft’s Point-to-Point Compression (MPPC) to efficiently move data across WAN links. Offering on average about 4:1 compression, MPPC enables organizations to get the most performance out of whatever WAN link carrier technology choice they are using. The service supports MPPC in both RAS client-to-server as well as in remote server-to-server communications.


PACKET FILTERING AND OTHER NETWORK SECURITY HIGHLIGHTS

Benefits:

• Security to protect your internal network

• Complements Microsoft Proxy Server for a comprehensive approach to network security

Network security is a top priority item for any administrator. Many organizations rely on routers to provide an important measure of security at the point where their internal networks come in contact with the outside world. This security can also be used within an organization’s network to maintain a higher degree of security for certain portions of a network -- for example, a human resource department or investor relations area.

The service update provides the same measure of packet filtering security that a customer would expect to find on a typical router. Filters are configured on an exception basis. You can configure the filter to pass only the packets from the routes you list, or pass everything except the packets for the routes you list. Managing the packet filtering is made easy with GUI-based tools like this:

Setting up packet filtering is quick and easy with the service update

IP Packet Filtering

The service supports these packet filtering features for IP:

• TCP port
• UDP port
• IP protocol ID
• ICMP type
• ICMP code
• Source address
• Destination address

IPX Packet Filtering

The service supports these packet filtering features for IPX:

• Source address
• Source node
• Source socket
• Packet type
• Destination address
• Destination node
• Destination socket

Complementary Use with Microsoft Proxy Server

Routing and Remote Access Service delivers packet layer security with its packet filtering features. An organization’s security can be further enhanced and network performance can be improved by also making use of the application layer security and other benefits provided by Microsoft Proxy Server.

Microsoft Proxy Server offers a single, secure gateway that provides each user with accelerated Internet access. It reduces network costs and bandwidth by caching frequently visited Internet and Intranet sites. Plus, Proxy Server enables the network manager to decide who gets Internet access and which services they can use.

Microsoft Proxy Server supports TCP/IP and IPX/SPX protocols so it can be used with existing networks. Microsoft Proxy Server supports a wide range of Internet protocols, including streaming audio and video, Internet Relay Chat, and more.

Microsoft Proxy Server is a great solution for easy and secure Internet access. And because the Routing and Remote Access Service runs on an industry standard PC platform running Windows NT Server 4.0, an organization can install and use Microsoft Proxy Server on the same server running this service. This is another great example of an advantage that server-integrated internetworking offers. This combination of server-based routing and Microsoft Proxy Server provides a full spectrum of security and performance for organizations of virtually any size.

Authentication & Encryption

The service supports the authentication and encryption provided in Windows NT Server 4.0 RAS and extends these resources for use with routing.

As noted, the service supports bulk data encryption using RSA RC4 and a 40-bit or 128-bit session key. The key is negotiated at PPP connect time between the RAS client or Windows NT Server PC running the new service on one end and the Windows NT Server-based PC on the other end. The service also supports Password Authentication Protocol (PAP), Shiva PAP, and Challenge Handshake Authentication Protocol algorithms.

RADIUS Client Support

RADIUS, Remote Authentication Dial-In User Service, provides Internet Service Providers another security option that complies with IETF RFC 2058. With this new RADIUS client support, an ISP administrator can elect to use the Windows NT Server domain-based database for user authentication or can instead elect to use some other RADIUS server database to perform the authentication.

RADIUS Authentication or Windows NT domain authentication can be used

RADIUS has become an important authentication solution for Internet Service Providers. Several vendors support RADIUS solutions on a variety of platforms.

Multi-Link PPP

In order to provide maximum flexibility for remote users, Microsoft expanded the Remote Access Service (RAS) component of Windows NT Server 4.0 to support Multi-link PPP connections. Multi-link PPP provides bandwidth aggregation from multiple links, including analog and ISDN, which gives customers higher communications throughput. When used with two or more modems, Multi-link PPP supports the simultaneous transfer of data across parallel connections, which effectively delivers scalable bandwidth for maximum efficiency.

With Multi-link PPP you can combine the bandwidth of two or more physical communications links to increase your remote access bandwidth and throughput. Based on the IETF standard RFC 1717, Multi-link PPP lets you easily combine analog modem paths, ISDN paths, and even mixed analog and digital communications links on both your client and server PC. This will speed up your access to the Internet or to your Intranet and cut down on the amount of time you have to be remotely connected, so it can reduce your costs for remote access.


Multi-Link PPP delivering the bandwidth of two or more analog or digital links

For example, a Windows NT Workstation client PC or a branch office server PC running Windows NT Server and the service update using three 28.8 bits per second (bps) modems can connect to a Windows NT Server with multiple modems, and achieve a transfer rate of more than 86K bps. This example can be extended across several modems and/or ISDN lines to achieve even greater bandwidth. The speeds of the modems and ISDN lines can vary.

Multi-link coordinates transfer across the various links to achieve performance equal to the combined speed of the devices.

