MCSE Exam 70-293: Planning and Maintaining a Windows Server 2003 Network Infrastructure, part 4 (docx)


www.syngress.com

Chapter 4: Planning, Implementing, and Maintaining a Routing Strategy

Self Test Quick Answer Key

For complete questions, answers, and explanations to the Self Test questions in this chapter as well as the other chapters in this book, see the Self Test Appendix.

1. C, D
2. C
3. C
4. B
5. D
6. C
7. A
8. C
9. A, B, D
10. C
11. C
12. B
13. A, C
14. B
15. C

255_70_293_ch04.qxd 9/9/03 5:17 PM Page 285

Chapter 5 (MCSE 70-293): Planning, Implementing, and Maintaining an Internet Connectivity Strategy

Exam Objectives in this chapter:

2 Planning, Implementing, and Maintaining a Network Infrastructure
2.3 Plan an Internet connectivity strategy
2.5 Troubleshoot connectivity to the Internet.
2.5.1 Diagnose and resolve issues related to Network Address Translation (NAT).

Also in this chapter:

Summary of Exam Objectives
Exam Objectives Fast Track
Exam Objectives Frequently Asked Questions
Self Test
Self Test Quick Answer Key

Introduction

Internet connectivity is no longer a luxury for most businesses; it is a necessity. Employees use the Internet to exchange e-mail with clients, suppliers, and co-workers in other physical locations; to conduct research via the Web; and to remotely access the local area network (LAN) from home or when on the road. Creating an effective policy for implementing and managing the organization’s Internet connections is an important part of the Windows Server 2003 network administrator’s job.
This chapter is about how to develop the best strategy for connecting your company’s Windows Server 2003 network to the Internet. We’ll discuss connecting the LAN to the Internet using routed connections or translated connections (via Internet Connection Sharing or the Routing and Remote Access Service’s Network Address Translation component). You’ll learn how to use both Internet-based virtual private networks (VPNs) and router-to-router VPNs to provide connectivity to the company’s LAN from remote locations or to connect two branch offices. We’ll discuss the intricacies of demand-dial/on-demand connections and persistent connections, and explain the difference between one-way and two-way initiation. We’ll also show you how to use Remote Access Policies to control VPN connections, and we’ll discuss VPN protocols supported by Windows Server 2003 and how to make VPN connections using either the Point-to-Point Tunneling Protocol (PPTP) or the Layer 2 Tunneling Protocol (L2TP). You’ll learn about VPN security and the authentication and encryption protocols that make your virtual network private.

Next, we’ll take a look at the Internet Authentication Service (IAS) and how it can provide centralized user authentication and authorization, centralized auditing and accounting, and extensibility and scalability. You’ll learn about IAS integration with Windows Server 2003 Remote Access and Routing Service (RRAS), and how to control authentication via Remote Access Policies. We’ll show you how to use the IAS Microsoft Management Console (MMC) snap-in and how to implement monitoring of IAS, and we’ll discuss the use of the IAS Software Development Kit (SDK). Then we’ll delve a little deeper into the IAS authentication methods and discuss Remote Authentication Dial-In User Service (RADIUS) access server support, wireless access points (WAPs), and authenticating switches.
In the next section, we’ll walk you through the process of using the Connection Manager Administration Kit (CMAK) to create service profiles, custom actions, and custom help files, as well as VPN support, to make it easier for nontechnical users to connect remotely without needing to do complex configuration. We’ll talk about security issues pertaining to Connection Manager, and show you how to prevent editing of service profile files, how to prevent users from saving their passwords, and how to distribute service profiles securely.

Connecting the LAN to the Internet

You can connect a Windows Server 2003 network to the Internet in two basic ways:

■ Using a router to directly route traffic to and from the Internet
■ Using a translation service to convert traffic from an internal network to Internet traffic

The following sections discuss the advantages and disadvantages of these methods.

Routed Connections

The traditional method of connecting a network to the Internet is to use a router to route traffic between the external network and your local network. The advantages of this approach are that it is easy to configure, requiring only simple hardware setup, and that it allows full Internet access for all machines on the local network segment. It also allows all machines on the network to provide services to the Internet.

Routed connections have two chief disadvantages. First, every machine on the local network is reachable from anywhere on the Internet. This is rarely necessary and creates a large number of potential security problems. Second, a separate Internet IP address is required for each machine that can access the Internet. Since IP addresses are scarce and are issued only to networks that can prove a need for them, this is not the most efficient approach.
EXAM 70-293 OBJECTIVE 2, 2.3, 2.5

Advantages of Routed Connections

Although translated connections are becoming increasingly popular, routed connections do have a number of advantages:

■ Since each client is connected to the Internet through the router, clients can connect even if the local network servers are not working.
■ Some Internet clients, such as multimedia applications and games, do not work correctly over a translated connection.
■ Each machine has a dedicated Internet IP address and can be used for services such as File Transfer Protocol (FTP) and Domain Name System (DNS) that require a unique IP address per host.

Hardware and Software Routers

A routed connection uses a router, a device that transmits data between the internal network and the Internet. There are two types of routers:

■ A hardware router is a dedicated device. Hardware routers provide a simple “out-of-the-box” solution for Internet connections.
■ A software router runs as a service on one of the computers on the network. The Routing and Remote Access Service (RRAS) in Windows Server 2003 allows a computer to act as a router.

In order to use a computer as a software router, it must have two network connections: one to the internal network (LAN) and one to the external network (the Internet). Microsoft sometimes refers to a computer with two network connections as a multihomed computer.

IP Addressing for Routed Connections

When you are using a routed connection to the Internet, each machine on the internal network will need a valid Internet IP address. IP addresses are managed by a central authority, the American Registry for Internet Numbers (ARIN). You will typically obtain IP addresses from an Internet Service Provider (ISP), which has obtained a block of addresses from ARIN for use by its clients.
Once you have been issued one or more IP addresses, you can assign them to the computers in the network. There are two basic ways to accomplish this:

■ By manually configuring an IP address in each computer’s network connection properties
■ By using the Dynamic Host Configuration Protocol (DHCP) to assign addresses

Using DHCP, you can define the IP addresses you have been issued in the DHCP server, and clients are automatically assigned, or leased, an address when they are booted. If a client disconnects from the network, its lease is terminated after a timeout period and the address becomes available to other computers.

TEST DAY TIP
Any Windows Server 2003 (or Windows 2000 Server) computer can act as a DHCP server. To configure DHCP, select Start | Administrative Tools | Configure Your Server Wizard and enable the DHCP Server role.

Translated Connections

The second strategy is to use a service that translates between internal IP addresses and external addresses used on the Internet. By using this technique, you can enable Internet access for many computers using a single Internet IP address. Along with conserving address space, address translation ensures that your computers are not accessible directly from the Internet, effectively preventing many types of network attacks.

Network Address Translation (NAT) is an Internet standard defined in RFC 1631 for systems that translate between internal and external network addresses. Windows networks support two types of NAT service:

■ Network address translation (NAT) is a full-featured NAT implementation supported by Windows 2000 Server and Windows Server 2003.
■ Internet Connection Sharing (ICS) is a simplified NAT implementation for small networks, and is supported by Windows 98 Second Edition, Windows Me, Windows XP, and Windows 2000 Professional.
When you configure the NAT or ICS service, the computer that acts as the NAT server must have at least two network connections: a connection to the Internet (typically a modem or broadband connection) and a connection to the LAN containing the computers that will share the Internet connection.

Network Address Translation (NAT)

NAT is Microsoft’s full-featured address translation feature. When you access the Internet on a network that uses a NAT server, outgoing packets are sent to the NAT server, which changes their originating address and forwards them to the Internet. The returned packets are delivered to the NAT server. The server then translates the packets to internal IP addressing and sends them to the machine that made the original request.

The Windows Server 2003 NAT server actually supports three separate services:

■ NAT, the address translation service
■ DHCP for assigning IP addresses to clients that are sharing the Internet connection
■ DNS for name resolution

Depending on your network configuration, you might not need the NAT server to handle address assignment or name resolution. You can choose whether to use these components when you configure the NAT server. If you have dedicated DHCP or DNS servers on the network, you can continue to use them with NAT. (The DNS service forwards requests to an Internet DNS server and returns the results to the appropriate client within the private network.)

Installing the NAT Service

NAT is part of the RRAS component of Windows Server 2003. RRAS is installed with Windows Server 2003 but is not enabled by default. You can enable this service using the Manage Your Server application that is launched when you install the operating system or by using the Routing and Remote Access MMC snap-in. Windows Server 2003 includes a wizard that can enable RRAS and set up a NAT server. Exercise 5.01 shows how to configure NAT using the wizard.
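To make the translated-connection behaviour concrete, here is an added Python example; it is not code from the book or from Windows Server 2003. It models the two mechanisms this section describes: a DHCP-style lease pool whose expired leases return to the pool (from the DHCP discussion earlier in this section), and a port-translating NAT server that rewrites outbound packets to a single public address, maps replies back to the originating LAN host, and drops unsolicited inbound packets for which no mapping exists. All IP addresses, MAC addresses and ports are constructed sample values, and the class and function names are the example’s own.

```python
"""Added example (not the book's code): a NAT server with a lease pool.

Models two behaviours the chapter describes:
  1. a DHCP-style lease pool whose expired leases return to the pool;
  2. a port-translating NAT that rewrites outbound packets to one public
     address, maps replies back to the LAN host, and drops unsolicited
     inbound packets for which no mapping exists.
All addresses, MAC addresses and ports are constructed sample values.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, Optional, Tuple


class LeasePool:
    """Hands out addresses from a private range; expired leases become free again."""

    def __init__(self, network: str, lease_seconds: int) -> None:
        self.free = list(IPv4Network(network).hosts())  # excludes network/broadcast
        self.lease_seconds = lease_seconds
        self.leases: Dict[str, Tuple[IPv4Address, int]] = {}  # mac -> (ip, expiry)

    def expire(self, now: int) -> None:
        """Return every lease whose timeout has passed to the free list."""
        for mac, (ip, expiry) in list(self.leases.items()):
            if expiry <= now:
                del self.leases[mac]
                self.free.append(ip)

    def lease(self, mac: str, now: int) -> Optional[IPv4Address]:
        """Renew the client's lease or hand out the next free address (None if exhausted)."""
        self.expire(now)
        if mac in self.leases:
            ip = self.leases[mac][0]
        elif self.free:
            ip = self.free.pop(0)
        else:
            return None
        self.leases[mac] = (ip, now + self.lease_seconds)
        return ip


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class NatServer:
    """Port-translating NAT: many private hosts share one public address."""

    def __init__(self, public_ip: str, private_net: str) -> None:
        self.public_ip = public_ip
        self.private_net = IPv4Network(private_net)
        self.next_port = 49152  # translated source ports come from the ephemeral range
        # (public port, proto) -> (LAN ip, LAN port)
        self.table: Dict[Tuple[int, str], Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite a LAN host's packet so it appears to come from the NAT server."""
        if IPv4Address(pkt.src_ip) not in self.private_net:
            raise ValueError("outbound packet did not originate on the private network")
        for (pub_port, proto), inner in self.table.items():  # reuse an existing mapping
            if proto == pkt.proto and inner == (pkt.src_ip, pkt.src_port):
                break
        else:  # no mapping yet: allocate a public port and record the translation
            pub_port = self.next_port
            self.next_port += 1
            self.table[(pub_port, pkt.proto)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Map a packet from the Internet back to the LAN host, or drop it (None)."""
        inner = self.table.get((pkt.dst_port, pkt.proto))
        if pkt.dst_ip != self.public_ip or inner is None:
            return None  # nothing requested this: the LAN host is not reachable from outside
        return Packet(pkt.src_ip, pkt.src_port, inner[0], inner[1], pkt.proto)


def demo() -> dict:
    """Lease two addresses, pass traffic through the NAT, then let one lease expire."""
    pool = LeasePool("192.168.0.0/29", lease_seconds=60)  # six usable addresses
    nat = NatServer(public_ip="203.0.113.10", private_net="192.168.0.0/29")
    a = pool.lease("00:11:22:33:44:01", now=0)   # expires at t=60
    b = pool.lease("00:11:22:33:44:02", now=30)  # expires at t=90
    out = nat.outbound(Packet(str(a), 1025, "198.51.100.7", 80))  # LAN host -> web server
    reply = nat.inbound(Packet("198.51.100.7", 80, out.src_ip, out.src_port))
    probe = nat.inbound(Packet("198.51.100.9", 40000, nat.public_ip, 3389))  # unsolicited
    pool.expire(now=75)  # only the first lease has timed out by now
    return {
        "leased": (str(a), str(b)),
        "translated_src": (out.src_ip, out.src_port),
        "reply_to": (reply.dst_ip, reply.dst_port) if reply else None,
        "probe_dropped": probe is None,
        "free_after_expiry": len(pool.free),
    }


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the asymmetry the chapter relies on: the LAN host reaches the web server and receives its reply through the mapping the NAT created, while a packet from the Internet aimed at port 3389 on the public address is dropped because nothing in the table maps it. That is the sense in which NAT leaves LAN hosts “not accessible directly from the Internet”; it is a side effect of the translation table, which is why the wizard still offers the Basic Firewall option on the Internet interface.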
EXAM 70-293 OBJECTIVE 2.5

TEST DAY TIP
Remember that you need at least two network interfaces on the NAT server: one connected to the private network, usually a LAN adapter, and one connected to the Internet. You can configure a demand-dial Internet connection (if you’re using a modem or ISDN dial-up instead of an “always-on” connection to the Internet) during the NAT server setup process.

You can also configure NAT manually using the Routing and Remote Access MMC snap-in. This is the only way to configure a NAT server on a machine that already has RRAS enabled. RRAS can perform NAT along with its other functions, which include acting as a network router or accepting dial-up network connections.

EXERCISE 5.01 INSTALLING NAT USING THE WIZARD

You can install NAT on a Windows Server 2003 server that does not yet have RRAS enabled using the Routing and Remote Access Server Setup Wizard. This exercise guides you through the process of setting up a basic NAT server using the Wizard.

1. Select Start | Administrative Tools | Routing and Remote Access to start the RRAS MMC snap-in.
2. Click the RRAS server name (usually the current machine) in the left column to highlight it.
3. From the menu, select Action | Configure and Enable Routing and Remote Access.
4. The Wizard displays a Welcome window. Click Next to continue.
5. The Configuration window appears. Select the Network address translation (NAT) option, as shown in Figure 5.1, and click Next.
6. The NAT Internet Connection window is displayed. Here, you can choose how the NAT server will connect to the Internet.
   Choose either Use this public interface to connect to the Internet or Create a new demand-dial interface to the Internet.
7. You can optionally choose to enable basic security for the Internet interface by checking the Enable security on the selected interface by setting up Basic Firewall option. This option is enabled by default.
8. Click Next to continue.
9. The Ready to Apply Selections window is displayed. Click Next to start the RRAS service.

If you chose to create a new demand-dial interface in Step 6, the Demand-Dial Interface Wizard will guide you through this process. This Wizard is described in Exercise 5.04, later in this chapter. Otherwise, you are returned to the Routing and Remote Access MMC snap-in, and you can now manage the NAT service as described in the next section.

Figure 5.1 Select NAT from the RRAS Wizard

Managing NAT

After you have enabled RRAS and set up a NAT server, you can manage the server from the Routing and Remote Access MMC snap-in. Select the server and select Action | Properties to display the Properties dialog box. Select the IP tab within this dialog to display the IP properties, shown in Figure 5.2. This page allows you to manage the address assignment feature of NAT. The NAT server can assign IP addresses in one of two ways:

■ Select Dynamic Host Configuration Protocol (DHCP) to use an existing DHCP server to handle addressing.
■ Select Static address pool to explicitly list the IP addresses this server can assign to clients. Once you have selected this option, you can use the Add, Edit, and Remove options to create a list of one or more IP address ranges for the address pool.

The IP properties tab also includes an option to manage the name resolution feature of NAT.
Select the Enable broadcast name resolution option if you do not have a DNS or Windows Internet Name Service (WINS) server on the network to handle name resolution. If this option is selected, the RRAS server uses network broadcasts to resolve names. This eliminates the need for a dedicated name server on single-subnet Windows-based networks.

Figure 5.2 The IP Properties for an RRAS Server

[...]

... authentication, see Chapter 7.

Advantages of IAS

While IAS requires the use of an additional server component, it provides a number of advantages over the standard methods of RRAS authentication. These advantages include centralized authentication for users, auditing and accounting features, scalability, and seamless integration with the existing features of RRAS.

Centralized User Authentication and Authorization

... needs a dedicated infrastructure for authentication. RADIUS is a standard for dedicated authentication servers. A RADIUS server provides centralized authentication and access control, and it can also provide detailed accounting for the use of its services. RADIUS services can be scaled to handle any enterprise’s authentication needs and extended with multiple authentication servers. Windows Server 2003 includes ...

... into a database or analyze to determine traffic patterns or potential problems.

RRAS Integration

IAS supports the same Remote Access Policy settings as RRAS. You can use these settings on a simple RRAS server in a small network, and later add an IAS server, move the policies to the IAS server, and configure one or more RRAS servers to authenticate using IAS. When using IAS for authentication, RRAS servers ...
... organization’s IAS server, which allows you to manage access to the modems and obtain auditing and accounting information for their use. Outsourced dialing has a number of advantages. The ISP already maintains pools of modems, and you may be able to obtain access to them at a lower price than the cost of configuring your own modems. The ISP may also have physical presence in areas you do not have a facility ...

... the Network Interfaces node in the RRAS MMC snap-in. Exercise 5.04 demonstrates how to add a new demand-dial interface.

EXERCISE 5.04 CONFIGURING A DEMAND-DIAL INTERFACE

You can add a new demand-dial interface on any RRAS computer that has RRAS configured. If you have not yet configured and enabled RRAS, see the instructions earlier in this chapter. Follow these steps to create a new demand-dial interface: ...

... technology called tunneling to encrypt private data and encapsulate it in packets to be transmitted over the public network. Windows Server 2003 includes VPN functionality as part of RRAS. You can configure a Windows Server 2003 machine to act as a VPN server, which manages the VPN connections between clients or networks.

TEST DAY TIP
One advantage of using a VPN connection, rather than a dedicated leased line, ...

... see Chapter 7.

EAP-RADIUS

EAP-RADIUS is not a true authentication method. This option is an interface between EAP and RADIUS. When you select EAP-RADIUS, you specify an external RADIUS server, and all requests for authentication are forwarded to the RADIUS server for processing. This provides a way for clients that only support EAP to be authenticated using the RADIUS server.

Authorization Methods

IAS supports ...
TEST DAY TIP
EAP-TLS also supports smart cards. These are hardware devices that implement public-key encryption. Smart cards answer challenges within the hardware and do not transmit the private key, so they provide higher security than simple password authentication. For more information about smart card authentication, ...

... tions, it is also relatively expensive. A VPN eliminates the need for dedicated WAN links by taking advantage of readily available connections to the public Internet. A VPN is defined as a private network that uses virtual links through a public network rather than dedicated WAN links. These virtual connections use a ...

... In Windows terminology, this usually means RRAS servers. IAS also supports the following alternate types of access servers:

■ RADIUS access server support: IAS supports RADIUS standard access servers, whether they are Microsoft servers running IAS or those from other vendors. The standards for RADIUS access servers are defined in RFCs 2865 and 2866.
■ Wireless access points: IAS can also provide authentication ...

Posted: 13/08/2014, 15:21
