10. You will now use a certificate-requesting technique similar to one in a previous example, but with more advanced options. Launch Internet Explorer and type http://servername/certsrv in the Address bar, where servername is the server name of the CA you used in step 1.
11. Click Request a certificate and then click Advanced certificate request on the next screen.
12. Figure 24.13 shows the Advanced Certificate Request screen. Click Request a certificate for a smart card on behalf of another user by using the smart card certificate enrollment station.
13. Figure 24.14 shows the Smart Card Certificate Enrollment Station screen. Select Smartcard Logon from the Certificate Template drop-down box.

Chapter 24 • Planning, Implementing, and Maintaining a Public Key Infrastructure

Figure 24.13 Advanced Certificate Request Screen
Figure 24.14 Smart Card Certificate Enrollment Station Screen

14. Select the CA used in step 1 from the Certification Authority drop-down box.
15. Select the appropriate CSP from the Cryptographic Service Provider drop-down box.
16. Click the Select User button and choose the user you are enrolling.
17. Place the smart card into the attached reader and click Enroll.
18. The CSP will now prompt you to enter a PIN for the card. Enter the PIN and click OK.
19. Distribute the card to the user for testing.

Using Smart Cards for Remote Access VPNs

To use smart cards to log on to a remote access VPN server, the server must first be configured to enable it. This includes selecting a protocol, as discussed below. It also includes obtaining a machine certificate for the VPN server. When the server is able to accept smart card certificates, the client must be configured to send them. This means attaching a smart card reader and establishing a VPN connection. If you view the Properties of the client's VPN connection, you will notice a Networking and a Security tab.
For smart card use, the type of VPN selected under the Networking tab should be the Layer 2 Tunneling Protocol (L2TP). The Security tab, shown in Figure 24.15, is a bit more complex. There are two options, Typical and Advanced. Choose Advanced (custom settings) and click the Settings button. Choose the Use Extensible Authentication Protocol (EAP) option and select Smart Card or other certificate (encryption enabled) from the drop-down box. Click the Properties button and the Smart Card or Other Certificates dialog box appears, as shown in Figure 24.16. Choose the Use my smart card option. Your configuration of the VPN client is now complete.

Figure 24.15 Security Tab of the VPN Client's Properties Sheet

Using Smart Cards To Log On to a Terminal Server

Using smart cards to log on to a terminal server is inherently more secure than using passwords, as we've discussed previously. Similar to using a smart card on a local workstation, using a smart card on a terminal client enables the server to verify your identity and give you appropriate access. Also, if you want the information contained in the card to be available for the entire terminal session, perform the following steps:

1. Click Start | Programs or All Programs | Accessories | Communications | Remote Desktop Connection.
2. Click Options and proceed to the Local Resources tab.
3. Under Local Devices, click the Smart Card option and click Connect.
Figure 24.16 Smart Card or Other Certificate Properties Sheet

Chapter 25
Planning, Implementing, Maintaining Routing and Remote Access

In this chapter:
■ Planning the Remote Access Strategy
■ Addressing Dial-In Access Design Considerations
■ Configuring the Windows Server 2003 Dial-up RAS Server
■ Configuring RRAS Packet Filters
■ Addressing VPN Design Considerations
■ PPP Multilink and Bandwidth Allocation Protocol (BAP)
■ Addressing Wireless Remote Access Design Considerations
■ Planning Remote Access Security
■ Configuring Wireless Security Protocols
■ RRAS NAT Services
■ ICMP Router Discovery
■ Creating Remote Access Policies
■ Troubleshooting Remote Access Client Connections
■ Troubleshooting Remote Access Server Connections
■ Configuring Internet Authentication Services

Introduction

In this chapter, we will explore planning, configuring and maintaining routing and remote access. We will explore the Routing and Remote Access Service (RRAS) for Windows Server 2003 along with the protocols used to support remote access. One of the key protocols used in dial-up and VPN environments is the Point-to-Point Protocol (PPP). We will look at PPP and the special features available to PPP connections in Windows Server 2003. We will also examine some of the features used to implement network security for Windows Server 2003. We'll look at designing and implementing wireless networking and how to secure wireless communications. We'll conduct an analysis of the Windows Server 2003 RRAS policy configuration and packet filter implementation. Because most internal systems today do not have a sufficient number of public IP addresses, we will discuss RRAS Network Address Translation (NAT) services.
Finally, because even the best of intentions do not always go according to plan, we will look at troubleshooting remote access client and server configurations, followed by a thorough review of Microsoft's implementation of Remote Authentication Dial-In User Service (RADIUS), also known as Internet Authentication Service (IAS) in the Microsoft world.

Planning the Remote Access Strategy

Even if your network is small, chances are you have a need for remote access, whether it be for traveling employees, telecommuters, or remote branches. You can choose from several methods of remote access, including dial-in access, VPN access through the Internet, and wireless networking. Which methods you support and how you configure them will depend on the needs of your organization and its individual users.

Analyzing Organizational Needs

Different organizations have different needs in a remote access strategy. The following are some of the organizational needs you might need to address:
■ Security of dial-in and VPN connections
■ Availability of modems and connections
■ Determining which resources or subnets must be reached remotely
■ Determining whether existing network servers can adapt to provide remote access

Analyzing User Needs

You also need to consider the needs of individual users when planning a strategy for remote access.
The following are some needs you may have to address:
■ The bandwidth requirements of users, and what their modems or connections can support
■ How frequently users need to connect to the network and how critical network availability is
■ The types of operating systems and computers used by clients
■ Whether clients have existing Internet connections that could be used for VPN access

Selecting Remote Access Types To Allow

When planning which types of remote access to allow, you should consider how they meet your organization's needs and the needs of the users, the expense and administrative effort involved in implementing each one, and their relative levels of security. In the next sections, we'll look in more detail at those aspects of each of the remote access types mentioned earlier: dial-in, VPN, and wireless.

Dial-In

The traditional method of remote access uses a pool of modems and a server running the Routing and Remote Access (RRAS) service. Although there are popular alternatives, such as VPN access, modems still have some advantages. Because they do not communicate via the Internet, modem transmissions are often more secure and less prone to interception. If bandwidth is not an issue, modems can provide a consistent, low-cost solution.

Dial-in access typically uses PPP (Point-to-Point Protocol) for communication. This is an Internet-standard protocol for dial-in connections. PPP supports a negotiation process that authenticates and authorizes the user and can also assign an IP address, DNS server addresses, and other critical configuration elements for remote access.

VPN

A VPN (virtual private network) uses encryption to create a virtual connection, or tunnel, between a remote node and your network, using a public network such as the Internet.
VPN access has a number of advantages over dial-in remote access, including speed, the ability to work with large amounts of data, and the increasing availability of Internet access.

While VPN access is theoretically less secure than a dial-up connection, because data is transmitted over a public network, Windows Server 2003 supports strong levels of encryption to minimize this risk. You can also mandate a level of encryption so that clients that do not support your minimum encryption level cannot connect to the network.

Wireless Remote Access

Wireless network access is rapidly becoming more popular as a facet of remote access strategies. Wireless networks using the 802.11 standard enable a number of wireless users to connect to your network by connecting to a wireless access point, or WAP. The 802.11 standards do allow for security, but many wireless networks are not configured for maximum security, and allowing wireless access is always a security risk. You should plan for wireless access when your users will be within range of a WAP but without access to a wired connection, and when security is not the highest priority.

Addressing Dial-In Access Design Considerations

When you plan a system for dial-in access, you need to consider a number of factors, including how IP addresses are assigned, the number and type of incoming ports to configure, and security and administration procedures.

Allocating IP Addresses

When clients connect to RRAS, whether through a dial-in or VPN connection, the RRAS server assigns each client an IP address. You can configure the RRAS server to allocate IP addresses from a static address pool, to use DHCP, or to use Automatic Private IP Addressing (APIPA).
Static Address Pools

You can configure the RRAS server to assign IP addresses from a static pool of addresses specified in the RRAS server's configuration. This requires a range of addresses that are dedicated for this purpose. Although this is often the simplest approach, keep these considerations in mind:
■ Make sure the static address pool does not overlap the range of addresses assigned by a DHCP server. Two machines with the same address will cause a conflict and a loss of connection for both.
■ If you are using multiple RRAS servers with separate modem pools, you will need to define a static address pool for each one and make sure there are no conflicts between the ranges you assign.
■ Be sure the address pool includes at least as many addresses as there are modems for incoming connections.

You can also assign a static address for a single user, group, or a particular type of connection using a remote access policy.

Using DHCP for Addressing

Rather than using a static address pool, you can configure the RRAS server to request IP addresses from a DHCP (Dynamic Host Configuration Protocol) server. If you are already using DHCP to assign addresses in the network, this technique allows you to assign remote client addresses from the same address pool and eliminate the possibility of address conflicts. It also makes it easy to manage addressing with multiple RRAS servers, because you can configure them to use the same DHCP server.

Using APIPA

Finally, you can configure the RRAS server to assign addresses using Automatic Private IP Addressing (APIPA). This system uses private addresses in the range of 169.254.0.1 through 169.254.255.254, a range reserved for use by Windows networks, and is usually used when a DHCP server is unavailable.
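The three static-pool checks listed above (no overlap with the DHCP scope, no overlap between the pools of separate RRAS servers, at least one address per modem) plus a test for the APIPA fallback range can be applied to a planned layout before it is typed into the RRAS console. The following is an added planning aid written for this chapter, not Microsoft or RRAS code; the server names, scope and pool ranges are constructed sample values.

```python
import ipaddress

# Addresses RRAS hands out when it falls back to APIPA (169.254.0.1 - 169.254.255.254).
APIPA_RANGE = ipaddress.ip_network("169.254.0.0/16")


def pool_hosts(start, end):
    """Expand an inclusive start/end address range into a set of integer addresses."""
    first, last = int(ipaddress.ip_address(start)), int(ipaddress.ip_address(end))
    if last < first:
        raise ValueError(f"pool {start}-{end} ends before it starts")
    return set(range(first, last + 1))


def check_address_plan(dhcp_scope, rras_servers):
    """Return a list of problems found in a planned static-pool layout.

    dhcp_scope:   CIDR string of the LAN DHCP scope the pools must not overlap.
    rras_servers: {server name: {"pool": (first, last), "modems": port count}}
    """
    problems = []
    scope = {int(addr) for addr in ipaddress.ip_network(dhcp_scope)}
    claimed = {}  # integer address -> server whose pool already contains it
    for name, cfg in rras_servers.items():
        hosts = pool_hosts(*cfg["pool"])
        clash = hosts & scope
        if clash:
            problems.append(f"{name}: pool overlaps DHCP scope {dhcp_scope} "
                            f"({len(clash)} addresses)")
        if len(hosts) < cfg["modems"]:
            problems.append(f"{name}: pool has {len(hosts)} addresses for "
                            f"{cfg['modems']} modems")
        others = {claimed[h] for h in hosts if h in claimed}
        for other in sorted(others):
            problems.append(f"{name}: pool overlaps pool of {other}")
        for h in hosts:
            claimed.setdefault(h, name)
    return problems


def dhcp_fallback_occurred(assigned):
    """True if a client address lies in the APIPA range, which means the RRAS
    server could not reach a DHCP server and issued an APIPA address instead."""
    return ipaddress.ip_address(assigned) in APIPA_RANGE


# Constructed sample plan (not from the chapter): RRAS1's pool sits inside the
# DHCP scope, RRAS2's pool is too small for its modems, RRAS3 collides with RRAS2.
SAMPLE_DHCP_SCOPE = "192.168.1.0/24"
SAMPLE_SERVERS = {
    "RRAS1": {"pool": ("192.168.1.200", "192.168.1.219"), "modems": 16},
    "RRAS2": {"pool": ("192.168.9.10", "192.168.9.17"), "modems": 16},
    "RRAS3": {"pool": ("192.168.9.15", "192.168.9.40"), "modems": 24},
}

if __name__ == "__main__":
    for problem in check_address_plan(SAMPLE_DHCP_SCOPE, SAMPLE_SERVERS):
        print("PROBLEM:", problem)
```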
APIPA provides some of the advantages of DHCP without a dedicated server, but is usually only suitable for small networks. If you enable the DHCP option on the RRAS server but a DHCP server is unavailable on the network, it will automatically use APIPA to issue addresses to remote clients. Clients must be configured to obtain an IP address when they connect, rather than with a specific IP address, to use this feature.

Determining Incoming Port Needs

When you are designing a dial-in remote access solution, one of the most important considerations is the number of incoming ports (modems) you will need. The following are some of the factors you should take into account:
■ An estimate of the number of users who will need to concurrently access the network remotely. Keep in mind that a single user who requires access for several hours a day will require an additional modem for reliable access, but several users who use the network for only a few minutes at a time could easily be served by a single modem.
■ The bandwidth available on the RAS server's connection to the LAN. If the bandwidth of all the modems combined approaches this limit, dial-in users will experience slow connections.
■ The number of IP addresses available. If an address pool or DHCP server is out of addresses, additional modems will not allow additional users.

Multilink and BAP

Another factor that can affect the number of incoming ports you will need is whether you will be supporting multilink connections. This is a Windows Server 2003 feature that enables two or more ports on the RRAS server to be connected to a single client and combined into a higher-bandwidth connection. For example, if a client connects with two 56K modems and multilink enabled, their bandwidth with a perfect connection would be 112K. In practice, if you've spent time trying to get a single modem to work at 56K, you can imagine how unlikely this best-case scenario is, and few client computers have two modems installed.
Nonetheless, multilink is sometimes the cheapest way to get a high-bandwidth connection. Multilink is also often used to combine two 64K ISDN channels into a single 128K connection.

Windows Server 2003 also supports BAP (Bandwidth Allocation Protocol). This is a system that automatically disconnects one or more ports from a multilink connection if it is using only a small percentage of its capacity. This enables you to make the best use of multiple ports without relying on users to reconfigure their connections.

You can configure multilink and BAP settings as part of a dial-in profile. Remote access policies and profiles are described in detail later in this chapter. The Multilink settings tab for a dial-in profile enables you to enable or disable multilink and BAP and change their settings, as shown in Figure 25.1.

Selecting an Administrative Model

There are two basic ways for you to control remote access to your network. You can configure individual user accounts to allow or disallow remote access, or configure one or more remote access policies to control access based on users, groups, times of day, and many other criteria.

Access by User

You can allow or disallow remote access from the Dial-in tab of a user's Properties dialog box in the Active Directory Users and Computers console.

Access by Policy

You can also configure one or more Remote Access Policies for precise control of which users can reach the network through remote access. Whether a user is affected by policies depends on the setting you choose in the Dial-in tab of the user's Properties dialog box:
■ Allow access: The user is allowed remote access regardless of policy settings.
■ Deny access: The user is denied remote access regardless of policy settings.
■ Control access through Remote Access Policy: Allows a Remote Access Policy to control whether the user has access.
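The interplay between the per-user Dial-in setting and an ordered list of remote access policies, as just described, can be made concrete with a small decision model. This is an added illustration written for this chapter, not Microsoft or RRAS code; it follows the three-way rule above (Allow and Deny win outright, the policy setting defers to the first policy whose conditions match, and no match refuses the attempt), and the policy names, groups and users are constructed sample data.

```python
from datetime import datetime

# The three settings on the Dial-in tab of a user's Properties dialog box.
ALLOW = "Allow access"
DENY = "Deny access"
POLICY = "Control access through Remote Access Policy"


def policy_matches(policy, user, when):
    """True if every condition on one policy matches this connection attempt.

    A policy may restrict by Windows group ("groups") and by day-and-time
    ("hours": {weekday index, Monday=0: (start_hour, end_hour)}); a condition
    that is absent matches everyone.
    """
    groups = policy.get("groups")
    if groups and not set(groups) & set(user["groups"]):
        return False
    hours = policy.get("hours")
    if hours is not None:
        window = hours.get(when.weekday())
        if window is None or not (window[0] <= when.hour < window[1]):
            return False
    return True


def remote_access_decision(user, policies, when_text):
    """Return (granted, reason) for a connection attempt at time "YYYY-MM-DD HH:MM".

    Models the chapter's description: Allow/Deny on the user account decides
    regardless of policy; only 'Control access through Remote Access Policy'
    walks the ordered policy list, where the first policy whose conditions
    match decides, and no match means the attempt is refused.
    """
    when = datetime.strptime(when_text, "%Y-%m-%d %H:%M")
    if user["dial_in"] == ALLOW:
        return True, "user account: allow access"
    if user["dial_in"] == DENY:
        return False, "user account: deny access"
    for policy in policies:
        if policy_matches(policy, user, when):
            return policy["grant"], f"policy matched: {policy['name']}"
    return False, "no remote access policy matched"


# Constructed sample data (not from the chapter).
SAMPLE_POLICIES = [
    {"name": "Telecommuters, business hours", "grant": True,
     "groups": ["Telecommuters"], "hours": {day: (7, 19) for day in range(5)}},
    {"name": "Deny everyone else", "grant": False},
]
ALICE = {"name": "alice", "dial_in": POLICY, "groups": ["Telecommuters", "Domain Users"]}
BOB = {"name": "bob", "dial_in": DENY, "groups": ["Telecommuters"]}

if __name__ == "__main__":
    for who, at in ((ALICE, "2004-05-14 09:50"), (ALICE, "2004-05-15 09:50"), (BOB, "2004-05-14 09:50")):
        print(who["name"], at, remote_access_decision(who, SAMPLE_POLICIES, at))
```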
Figure 25.1 Multilink Options

Configuring the Windows 2003 Dial-up RRAS Server

Dial-up connectivity is generally provided through the Point-to-Point Protocol (PPP). PPP will be discussed later in this chapter. First, let's look at how an RRAS Dial-up server fits into a Windows Server 2003 network. The dial-up scenario using analog phone lines is most typically for local phone calls to the corporate office. To configure an RRAS Dial-up server, open Routing and Remote Access from Administrative Tools. Right-click the server name and select Configure and Enable Routing and Remote Access. This will launch the Routing and Remote Access Server Setup Wizard. The Setup Wizard will prompt you to enter the configuration information to easily set up a simple RRAS Dial-up server.

Configuring RRAS Packet Filters

Routing and Remote Access packet filters provide network security by controlling certain types of network traffic into or out of your LAN. RRAS packet filters are applied through the Routing and Remote Access Service MMC on a per-interface basis. RRAS packet filters work on an exception basis. This means that the filters can do either of the following:
■ Allow all traffic except that specified in the filter
■ Deny all traffic except that specified by the filter

Packet filtering rules are a vital part of security in the Windows Server 2003 remote access network environment. You can use the following steps to configure RRAS packet filtering.

RRAS Packet Filter Configuration

In this example, we will configure inbound and outbound packet filters. We will configure the LAN interface to allow only traffic from the 192.168.0.0/16 series of networks. Figure 25.2 shows the network that we are configuring. To start our configuration, we will configure a basic RIP version 2 network.
Figure 25.2 RRAS Network to Be Filtered (two Windows Server 2003 routers connected by Ethernet; networks 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0, and 172.16.100.0/24)
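The exception-basis behaviour of RRAS packet filters, and the chapter's scenario of a LAN interface that passes only traffic from 192.168.0.0/16, can be modelled to check what a filter list will do before it is applied per interface in the MMC. This is an added model written for this chapter, not Microsoft or RRAS code; the outbound deny-list rule and the sample packets are constructed for illustration.

```python
import ipaddress


class InterfaceFilters:
    """Packet filters for one direction (inbound or outbound) on one RRAS interface.

    RRAS filters work on an exception basis: with permit_only_listed=False the
    interface passes all traffic except packets that match a rule (a deny list);
    with permit_only_listed=True it drops all traffic except matching packets.
    """

    def __init__(self, permit_only_listed):
        self.permit_only_listed = permit_only_listed
        self.rules = []

    def add(self, src=None, dst=None, protocol=None, dst_port=None):
        """Add one rule; a criterion left as None matches every packet."""
        self.rules.append({
            "src": ipaddress.ip_network(src) if src else None,
            "dst": ipaddress.ip_network(dst) if dst else None,
            "protocol": protocol,
            "dst_port": dst_port,
        })
        return self

    @staticmethod
    def _matches(rule, pkt):
        if rule["src"] and ipaddress.ip_address(pkt["src"]) not in rule["src"]:
            return False
        if rule["dst"] and ipaddress.ip_address(pkt["dst"]) not in rule["dst"]:
            return False
        if rule["protocol"] and rule["protocol"] != pkt["protocol"]:
            return False
        if rule["dst_port"] is not None and rule["dst_port"] != pkt.get("dst_port"):
            return False
        return True

    def permits(self, pkt):
        """Decide whether the interface passes this packet."""
        listed = any(self._matches(rule, pkt) for rule in self.rules)
        return listed if self.permit_only_listed else not listed


# The chapter's scenario: the LAN interface passes only traffic sourced from
# the 192.168.0.0/16 networks, i.e. "deny all except" the listed range.
LAN_INBOUND = InterfaceFilters(permit_only_listed=True).add(src="192.168.0.0/16")
# Constructed contrast showing the other mode, "allow all except": the same
# interface's outbound side drops TCP port 135 and passes everything else.
LAN_OUTBOUND = InterfaceFilters(permit_only_listed=False).add(protocol="tcp", dst_port=135)

# Constructed sample packets; 172.16.100.0/24 is the non-192.168 network in Figure 25.2.
SAMPLE_PACKETS = [
    {"src": "192.168.2.10", "dst": "192.168.1.5", "protocol": "tcp", "dst_port": 445},
    {"src": "172.16.100.7", "dst": "192.168.1.5", "protocol": "tcp", "dst_port": 445},
    {"src": "192.168.3.4", "dst": "192.168.1.5", "protocol": "icmp"},
]


def inbound_decisions(packets=SAMPLE_PACKETS):
    """Return (source address, permitted?) for each packet at the LAN inbound filter."""
    return [(pkt["src"], LAN_INBOUND.permits(pkt)) for pkt in packets]
```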