Managing Routing And Remote Access in Windows Server 2003

Uploaded by maidtweet, category: Networks and Communications

29 Oct 2013




Like its predecessors, Windows Server 2003 provides the ability to act as a router on your network and to provide remote access services to users outside your network. Routing And Remote Access (RRAS) in Windows Server 2003 provides VPN, routing, NAT, dial-up and basic firewall services. Here's how to use and configure these services.


Getting started

To get started, open the Routing And Remote Access configuration utility at Start | Administrative Tools | Routing And Remote Access. Initially, RRAS is not enabled on the server. To enable it, right-click the server on which you wish to enable the services and choose Configure And Enable Routing And Remote Access. In Figure A below, you can see that I am enabling the service on the server named RAS.


Figure A


Starting the initial RRAS configuration



The initial RRAS configuration starts a wizard that walks you through the steps needed to enable the services you would like to offer. For the first example, I will enable VPN and NAT services on this server, as shown below in Figure B.


Figure B


Choose the services you wish to support.



When configuring VPN services under Windows Server 2003, you generally need two network interfaces if you also want remote users to be able to use other services on the network. If you want them to use just the services on the VPN server, a single interface will do. In either case, you need to select the interface that faces the Internet. In Figure C, the adapter with address 192.168.229.128 acts in this capacity, while 192.168.1.103 is the LAN side of the server.


Figure C


Select the adapter that faces the Internet.



If you do decide to use Windows Server 2003's VPN services, I still recommend the use of a hardware firewall between the Internet and your VPN server. Windows has too many holes to be allowed a direct connection to the Internet.


To work on the local network, remote clients need to be assigned appropriate IP addresses. You can choose to use your network's DHCP for this purpose, or you can specify a range of addresses that are used by RRAS. If you decide to use a range of addresses, make sure that you remove them from any DHCP scopes in order to prevent conflicts.


I prefer to provide RRAS with a range of addresses rather than use DHCP. By providing a range, I always know exactly which IP addresses are being used by remote users.


If you select the option to provide RRAS with a range of addresses, they are defined on the next step of the wizard, shown in Figure D. For this example, I have assigned 192.168.1.200 to 192.168.1.224. Remember to assign addresses from the right network. I'm not using the 192.168.229 network because that one faces the Internet, while 192.168.1 faces my network, which has the resources that remote users need.
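The two rules in this step, keep the pool on the LAN network and keep it out of every DHCP scope, are easy to verify before you commit them in the wizard. The script below is an added example and not part of the original article: the LAN and Internet-facing networks follow the article's addresses, while the DHCP scope 192.168.1.50-192.168.1.199 is a constructed assumption.

```python
import ipaddress

# Constructed layout following the article's example. The DHCP scope is an
# assumption; the article does not state one.
LAN_NETWORK = ipaddress.ip_network("192.168.1.0/24")         # faces the internal network
INTERNET_NETWORK = ipaddress.ip_network("192.168.229.0/24")  # faces the Internet
DHCP_SCOPE = ("192.168.1.50", "192.168.1.199")               # constructed scope


def expand_range(first, last):
    """Return every address in the inclusive range first..last."""
    start, end = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if end < start:
        raise ValueError(f"range end {last} precedes range start {first}")
    return [ipaddress.ip_address(int(start) + i) for i in range(int(end) - int(start) + 1)]


def check_pool(first, last, lan=LAN_NETWORK, wan=INTERNET_NETWORK, dhcp=DHCP_SCOPE):
    """Validate a proposed RRAS static address pool.

    Returns a list of problem descriptions; an empty list means the pool sits
    entirely on the LAN, avoids the LAN network/broadcast addresses, stays off
    the Internet-facing network and does not overlap the DHCP scope.
    """
    problems = []
    dhcp_addresses = set(expand_range(*dhcp))
    for addr in expand_range(first, last):
        if addr in wan:
            problems.append(f"{addr} is on the Internet-facing network {wan}")
        elif addr not in lan:
            problems.append(f"{addr} is not on the LAN network {lan}")
        elif addr in (lan.network_address, lan.broadcast_address):
            problems.append(f"{addr} is the LAN network or broadcast address")
        if addr in dhcp_addresses:
            problems.append(f"{addr} overlaps the DHCP scope {dhcp[0]}-{dhcp[1]}")
    return problems


if __name__ == "__main__":
    # The article's pool: comes back clean.
    print(check_pool("192.168.1.200", "192.168.1.224"))
    # A pool that starts inside the constructed DHCP scope: ten conflicting addresses.
    for line in check_pool("192.168.1.190", "192.168.1.205"):
        print(line)
```

Run it with the DHCP scope your own server hands out; every reported address is one that would either be unreachable from the LAN or fight with a DHCP lease.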


Figure D


Provide a range of addresses for remote clients to use.



If you are using RADIUS to authenticate users for other services, you can include RRAS in the mix if you like. This is especially useful in larger networks, as RRAS will simply forward authentication requests to the RADIUS server. For this example, I will not use RADIUS, as shown in Figure E.


Figure E


Do you want to use RADIUS for authentication?



That's all there is initially to configuring VPN and NAT services. While there were no NAT-specific configuration options during the wizard, NAT was enabled and configured based on responses to other questions. For example, the NAT interface was designated as the network interface facing the Internet, and the private interface was designated as the LAN interface.


NAT

Even though NAT was configured during the wizard, there will come a time when you want to modify its configuration. To view NAT parameters and statistics, from the RRAS console, choose Your Server | IP Routing | NAT/Basic Firewall, as shown in Figure F.


Figure F


NAT/Basic firewall parameters



To configure the NAT services, right-click an interface and choose Properties. This displays the External Network Properties screen shown in Figure G. Since it is responsible for most NAT functions, the external adapter has more options related to the service.


Figure G


NAT properties for the external network interface



The NAT/Basic Firewall tab provides a place for you to configure the details directly relating to the service. If you don't want to do NAT, you can uncheck the box marked Enable NAT on this device, and vice versa. You can also choose to enable a basic firewall on the interface. If your server is directly connected to the Internet, I can't stress enough the importance of enabling the firewalling feature as well as defining appropriate inbound filters.


You can configure both inbound and outbound filters by clicking the associated button at the bottom of the window. You can define filters based on the traffic destination or source, by the source or destination ports, or by ICMP type.
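To show what such a filter list actually decides, here is an added example (not code from the article or from RRAS) that models the filter semantics as either "drop everything except what matches" or "receive everything except what matches", which is my reading of the two filter actions the dialog offers. The interface address 192.168.229.128 is the article's; the remote addresses, the sample packets and the choice to admit only PPTP control (TCP 1723) and GRE tunnel traffic are constructed assumptions for a PPTP-only VPN server.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp", "udp", "icmp" or "gre"
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    icmp_type: Optional[int] = None


@dataclass
class Filter:
    """One filter entry; any field left as None matches everything."""
    src_net: Optional[str] = None
    dst_net: Optional[str] = None
    proto: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    icmp_type: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.src_net is not None and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src_net):
            return False
        if self.dst_net is not None and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst_net):
            return False
        for mine, theirs in ((self.proto, p.proto), (self.src_port, p.src_port),
                             (self.dst_port, p.dst_port), (self.icmp_type, p.icmp_type)):
            if mine is not None and mine != theirs:
                return False
        return True


class FilterList:
    """A filter set in one of two modes: drop everything except matches
    (default_drop=True) or receive everything except matches (default_drop=False)."""

    def __init__(self, filters, default_drop: bool):
        self.filters = list(filters)
        self.default_drop = default_drop

    def decide(self, p: Packet) -> str:
        matched = any(f.matches(p) for f in self.filters)
        if self.default_drop:
            return "accept" if matched else "drop"
        return "drop" if matched else "accept"


# Constructed inbound filter set for the Internet-facing interface of a PPTP
# VPN server: only the control channel (TCP 1723) and GRE are let through.
VPN_INBOUND = FilterList([
    Filter(dst_net="192.168.229.128/32", proto="tcp", dst_port=1723),
    Filter(dst_net="192.168.229.128/32", proto="gre"),
], default_drop=True)

# Constructed sample packets arriving from the Internet side.
SAMPLES = {
    "pptp control": Packet("203.0.113.5", "192.168.229.128", "tcp", 40000, 1723),
    "gre tunnel": Packet("203.0.113.5", "192.168.229.128", "gre"),
    "stray smb": Packet("203.0.113.9", "192.168.229.128", "tcp", 40001, 445),
    "ping": Packet("203.0.113.9", "192.168.229.128", "icmp", icmp_type=8),
}


def evaluate(filter_list: FilterList, samples=SAMPLES) -> dict:
    """Run every sample packet through the filter list; returns {name: decision}."""
    return {name: filter_list.decide(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, verdict in evaluate(VPN_INBOUND).items():
        print(f"{name:13} -> {verdict}")
```

The allow-list mode is the one worth using on an Internet-facing interface: anything you forgot to list is dropped, whereas the block-list mode (`default_drop=False`) only stops what you explicitly name, such as a single filter on ICMP echo requests.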


The Address Pool tab, shown in Figure H, requires that you enter the ranges of IP addresses assigned by your ISP and available for use on the external interface for NAT applications. Once you have this information in place, you can reserve addresses for specific internal machines by clicking the Reservations button and providing the IP address of the internal machine and the NAT IP address you would like it to use. Additionally, you can allow incoming connections to this machine by selecting the Allow incoming connections to this machine box (not shown).


Figure H


The Address Pool tab



On the Services And Ports tab, seen in Figure I, you can configure the services on your network to which you would like to provide access. Since I have a VPN server on this system, some options such as L2TP, PPTP, IKE and IKE NAT Traversal are already enabled. (IKE NAT Traversal, you say? Yes: under Windows Server 2003 with the appropriate client on the remote machine, you can use IPSec when using NAT.) If you run other services on your network to which you would like to provide access to Internet users, select them from the list.


Figure I


The Services And Ports tab



Finally, the ICMP tab, Figure J, provides a place where you can allow specific ICMP services such as PING to traverse the router. Since ICMP can be used for nefarious purposes as well as to provide troubleshooting information, be careful what you enable.


Figure J


The ICMP interface



Routing

Routing is a basic component of both VPN services and NAT services under RRAS on Windows Server 2003. These services configure the router in order to best provide their individual functions. However, you can use your server to provide more granular routing services as well. Specifically, Windows Server 2003 supports the RIP2 (Routing Information Protocol version 2) and OSPF (Open Shortest Path First) routing protocols. Of course, static routing capability is also provided.


To add RIP2 or OSPF to your RRAS server, right-click General under Your Server | IP Routing. From the shortcut menu, choose New Routing Protocol. A list of the currently unused routing protocols will be presented. Select the one you wish to enable and click OK. Once enabled, an option for configuring that protocol will appear under the IP Routing option in the RRAS console.


General IP routing options

Under the General option in the IP Routing section, there are a number of things you can do. Selecting this option shows a list of available network interfaces, including the internal and the loopback interfaces, as seen in Figure K.


Figure K


The General IP routing tab



To perform further operations on an adapter, right-click the adapter and choose Properties from the shortcut menu. As you can see below in Figure L, there are a number of things that can be configured, including filters, whether or not TCP/IP is enabled on this interface, router discovery advertisements, and more.


Figure L


General interface configuration



RIP2

RIP2 is a distance-vector-based routing protocol, which means basically that it directs traffic based on the number of router hops that have to be taken to reach a destination. It's an excellent choice for small- to medium-sized networks where static routes have become unwieldy. To see on which interfaces RIP is enabled, select the RIP option under IP Routing, which will show the screen in Figure M. See above if you have not yet enabled RIP.


Figure M


RIP-enabled interfaces



To configure RIP parameters, right-click an interface and choose Properties. The first tab is the General tab, shown in Figure N, which is where you can define general information about how RIP will operate on your server. On this tab, Operation Mode refers to how RIP will update its tables. The two choices are Auto-static Mode and Periodic Update Mode, which is the default. Auto-static Mode means that an update will be triggered when another router requests an update, while Periodic Update Mode means that the routing table will be updated at a defined interval (defined on the Advanced tab).


Figure N


The RIP General tab



The General tab also provides a place for you to define the incoming and outgoing protocol. For outgoing packets, you can choose RIP1 broadcast, RIP2 broadcast, RIP2 multicast or silent RIP. In silent mode, the system only listens for new RIP announcements but does not make any itself. If your network uses consistent network masks throughout, you can use RIP1, but I don't recommend it unless you have devices that can only use RIP1. You can also specify the route cost for this interface as well as a tag number for the routes on this interface. Finally, a password can be specified to be used for RIP2 updates as a means of identification.


As with everything, security is a concern with network routing. You don't want bad routes propagating across your network and interrupting communications. Fortunately, the WS2K3 RIP service allows you to provide lists of incoming and/or outgoing route updates that should be ignored. This is accomplished on the Security tab, shown in Figure O.


Figure O


The RIP Security tab



The Neighbors tab, Figure P, lets you specify how the RIP service should interact with its neighbors. On this tab, you can configure RIP to only broadcast its routes, to broadcast its routes in addition to notifying each neighbor, or to just notify neighbors.


Figure P


The RIP Neighbors tab



Finally, the RIP Advanced tab, Figure Q, provides a place to configure more advanced parameters such as the update interval, route expiration time, whether split-horizon and/or poison reverse is enabled, and much more. Split horizon and poison reverse are useful in preventing routing loops.
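The Security tab's ignore list and the Advanced tab's split horizon and poison reverse both act on the distance-vector update exchange, so one small simulation covers both. The code below is an added example, not the article's or Microsoft's RIP implementation: it models periodic updates between two constructed routers, A and B, with the article's 192.168.1.0/24 and 172.16.1.0/24 networks (the topology and the 10.0.0.0/8 route on the ignore list are assumptions), and shows the metric counting up to 16 when B loses a network and split horizon is off, versus staying bounded when it is on.

```python
INFINITY = 16  # RIP's "unreachable" metric


class RipRouter:
    """Minimal RIP-style distance-vector router; table maps network -> (metric, next_hop)."""

    def __init__(self, name, connected, ignore_incoming=()):
        self.name = name
        # Directly connected networks carry metric 1 and no next hop.
        self.table = {net: (1, None) for net in connected}
        # Networks listed on the Security tab as routes to ignore in incoming updates.
        self.ignore_incoming = set(ignore_incoming)

    def announce(self, neighbor, split_horizon=True, poison_reverse=True):
        """Build the update sent to `neighbor`, applying split horizon / poison reverse."""
        update = {}
        for net, (metric, next_hop) in self.table.items():
            if split_horizon and next_hop == neighbor:
                if poison_reverse:
                    update[net] = INFINITY  # tell the neighbor it is unreachable via us
                continue                    # plain split horizon: say nothing about it
            update[net] = metric
        return update

    def receive(self, neighbor, update, cost=1):
        """Bellman-Ford step over an update from `neighbor`; returns True if the table changed."""
        changed = False
        for net, metric in update.items():
            if net in self.ignore_incoming:
                continue  # Security tab: silently drop this route from the update
            new_metric = min(metric + cost, INFINITY)
            current = self.table.get(net)
            if current is None:
                if new_metric < INFINITY:
                    self.table[net] = (new_metric, neighbor)
                    changed = True
            elif current[1] == neighbor:
                # The route already goes through this neighbor: trust its latest metric.
                if new_metric != current[0]:
                    self.table[net] = (new_metric, neighbor)
                    changed = True
            elif new_metric < current[0]:
                self.table[net] = (new_metric, neighbor)
                changed = True
        return changed


def exchange(pairs, rounds, split_horizon=True, poison_reverse=True):
    """Run `rounds` periodic updates over a list of (router, router) links, both directions."""
    for _ in range(rounds):
        updates = []
        for a, b in pairs:
            updates.append((b, a.name, a.announce(b.name, split_horizon, poison_reverse)))
            updates.append((a, b.name, b.announce(a.name, split_horizon, poison_reverse)))
        for receiver, sender, update in updates:
            receiver.receive(sender, update)


def metric_after_link_loss(split_horizon, poison_reverse, rounds=20):
    """Constructed scenario: A - B, with 172.16.1.0/24 behind B. B loses that
    network; return the metric A believes the route has after `rounds` updates."""
    a = RipRouter("A", ["192.168.1.0/24"])
    b = RipRouter("B", ["192.168.1.0/24", "172.16.1.0/24"])
    exchange([(a, b)], 2)               # converge: A learns 172.16.1.0/24 via B at metric 2
    del b.table["172.16.1.0/24"]        # B's link to the network goes down
    exchange([(a, b)], rounds, split_horizon, poison_reverse)
    return a.table["172.16.1.0/24"][0]


def routes_learned_with_ignore_list():
    """Constructed scenario for the Security tab: A ignores 10.0.0.0/8 from any neighbor."""
    a = RipRouter("A", ["192.168.1.0/24"], ignore_incoming={"10.0.0.0/8"})
    a.receive("B", {"10.0.0.0/8": 1, "172.16.1.0/24": 1})
    return sorted(a.table)


if __name__ == "__main__":
    print("no split horizon:", metric_after_link_loss(False, False))
    print("split horizon + poison reverse:", metric_after_link_loss(True, True))
    print("routes kept with ignore list:", routes_learned_with_ignore_list())
```

Without split horizon, A keeps advertising the dead network back to B, B re-learns it via A, and the two routers bounce the metric upward until it reaches 16. With split horizon (or poison reverse) B never re-learns it; A's stale entry then waits for the route expiration timer from the Advanced tab, which this simplified model leaves out, as it does the poisoned withdrawal a real router would send for the lost network.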


Figure Q


The RIP Advanced tab



OSPF

Like RIP, OSPF is a routing protocol, but that is where the similarities end. While RIP is a distance-vector-based (loosely, "hop count") protocol, OSPF is a link state protocol, meaning that OSPF routers exchange information about the current state of their network connections when making routing determinations. While more complex than distance vector protocols, using link state protocols can result in more efficient network traffic flow, as each router always has a map of the network and its current state.
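To make the "map of the network" idea concrete, here is an added example (not from the article) that runs the shortest-path-first computation, Dijkstra's algorithm, over a constructed link-state database. The router names, the topology and the per-link costs (the cost set on each interface's General tab) are all assumptions; the point is that a refreshed advertisement withdrawing one link changes the result immediately, without any metric counting.

```python
import heapq

# Constructed link-state database: each node's advertisement lists (neighbor, cost)
# for its links. Assumed topology; "net-172.16.1.0" stands for a stub network.
LSDB = {
    "RAS": [("R1", 10), ("R2", 10)],
    "R1": [("RAS", 10), ("R3", 10)],
    "R2": [("RAS", 10), ("R3", 100)],            # slow link
    "R3": [("R1", 10), ("R2", 100), ("net-172.16.1.0", 1)],
    "net-172.16.1.0": [("R3", 1)],
}


def shortest_path_tree(lsdb, root):
    """Dijkstra over the LSDB; returns {node: (total_cost, path_from_root)}."""
    dist = {root: (0, [root])}
    heap = [(0, root, [root])]
    visited = set()
    while heap:
        cost, node, path = heapq.heappop(heap)
        if node in visited:
            continue
        visited.add(node)
        for neighbor, link_cost in lsdb.get(node, []):
            new_cost = cost + link_cost
            if neighbor not in dist or new_cost < dist[neighbor][0]:
                dist[neighbor] = (new_cost, path + [neighbor])
                heapq.heappush(heap, (new_cost, neighbor, path + [neighbor]))
    return dist


def first_hop(lsdb, root, destination):
    """The next hop `root` installs for `destination` after running SPF (None if unreachable)."""
    tree = shortest_path_tree(lsdb, root)
    if destination not in tree:
        return None
    path = tree[destination][1]
    return path[1] if len(path) > 1 else root


def drop_link(lsdb, a, b):
    """Copy of the LSDB with the a<->b link withdrawn, as a refreshed advertisement would convey."""
    return {n: [(m, c) for m, c in links if {n, m} != {a, b}] for n, links in lsdb.items()}


if __name__ == "__main__":
    target = "net-172.16.1.0"
    print("normal:", first_hop(LSDB, "RAS", target), shortest_path_tree(LSDB, "RAS")[target])
    degraded = drop_link(LSDB, "R1", "R3")
    print("R1-R3 down:", first_hop(degraded, "RAS", target), shortest_path_tree(degraded, "RAS")[target])
```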


To enable OSPF, you need to define which interface(s) it will act on. To do this, right-click OSPF and choose New Interface from the shortcut menu. As an example, I'll enable OSPF on my internal network.


The General tab of the OSPF properties for the interface defines whether or not OSPF is enabled, its Area ID, priority, cost and password, as well as the network type. Since I'm using Ethernet, OSPF assumes a broadcast-based environment, as you can see in Figure R.


Figure R


OSPF is enabled on the internal interface



The NBMA Neighbors tab, Figure S, is only used by X.25, ATM, and Frame Relay networks. It allows you to manually specify neighbors in these types of networks.


Figure S


OSPF NBMA Neighbors tab



The OSPF Advanced tab, Figure T, allows you to customize OSPF operation to your network by configuring options such as the MTU, Hello Interval, and Transmit Delay.


Figure T


OSPF Advanced tab



Static Routes

The old standby and most people's introduction to IP routing, static routes are also available in RRAS. Static routes allow you to manually define routes for this server rather than using a routing protocol such as RIP or OSPF. Static routing is generally used on small, static networks.


To create a new static route, right-click Static Routes under IP Routing and select New Static Route from the shortcut menu. To define a static route, you need the destination network's address (the network address for a network route or the host address for a host route), the network mask for the destination, and the IP address of the gateway used to get to this network. Figure U below shows a route from my RAS server to the network 172.16.1.0.


Figure U


A list of the static routes on the server



To see the current routing table, right-click Static Routes and choose Show IP Routing Table. Figure V shows the routing table from the RAS server I have been using in these examples.
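How the table in Figure V is consulted for each packet is worth seeing once, so here is an added example (not the article's table or any Windows code) that performs the longest-prefix-match lookup over a constructed table laid out like the server in this article. The interface addresses 192.168.1.103 and 192.168.229.128 and the 172.16.1.0/24 static route come from the article; the Internet gateway 192.168.229.1, the static route's gateway 192.168.1.1, the metrics and the host route for a connected VPN client at 192.168.1.201 are assumptions.

```python
import ipaddress


class Route:
    def __init__(self, destination, gateway, interface, metric):
        self.network = ipaddress.ip_network(destination)
        self.gateway = gateway        # None for on-link (directly connected) routes
        self.interface = interface    # address of the interface the route uses
        self.metric = metric


# Constructed routing table modelled on the article's server. Gateways and
# metrics are assumptions; the article does not give them.
ROUTES = [
    Route("0.0.0.0/0", "192.168.229.1", "192.168.229.128", 20),  # default route, Internet side
    Route("192.168.229.0/24", None, "192.168.229.128", 20),      # Internet-facing subnet
    Route("192.168.1.0/24", None, "192.168.1.103", 20),          # LAN subnet
    Route("172.16.1.0/24", "192.168.1.1", "192.168.1.103", 1),   # the static route from Figure U
    Route("192.168.1.201/32", None, "192.168.1.103", 1),         # a connected VPN client (host route)
    Route("127.0.0.0/8", None, "127.0.0.1", 1),                  # loopback
]


def lookup(destination, routes=ROUTES):
    """Longest-prefix match, lowest metric as tie-breaker; None if nothing matches."""
    addr = ipaddress.ip_address(destination)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))


def next_hop(destination, routes=ROUTES):
    """Return (gateway or 'on-link', interface) for a destination, or None if unroutable."""
    route = lookup(destination, routes)
    if route is None:
        return None
    return (route.gateway or "on-link", route.interface)


if __name__ == "__main__":
    for dst in ("172.16.1.7", "192.168.1.201", "192.168.1.50", "198.51.100.7"):
        print(dst, "->", next_hop(dst))
```

The host route wins for 192.168.1.201 even though the LAN /24 also matches, which is why a VPN client's traffic leaves through the internal interface's host route rather than the general subnet entry; without a default route, an address outside every listed network is simply unroutable.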


Figure V


The IP routing table



That's it!

Remote VPN access, NAT, and IP routing are all integral parts of RRAS available in Windows Server 2003. While I don't recommend a Windows server being directly exposed to the Internet, these services can still be safely used on the internal network to provide network connectivity and access to services that your users need.