
The Best Damn Windows Server 2003 Book Period - P89




Contents

1. Start by opening Routing and Remote Access by selecting Start | Programs | Administrative Tools | Routing and Remote Access.
2. From the Routing and Remote Access management console, right-click the server name and select Configure and Enable Routing and Remote Access. If this option is grayed out, select Disable Routing and Remote Access to start with a fresh configuration.
3. On the first page of the Routing and Remote Access Server Setup Wizard, click Next.
4. Select Custom Configuration and click Next.
5. Select LAN Routing followed by Next, and then select Finish. A message box will display asking if you would like to enable the Routing and Remote Access Service. Select OK to enable LAN routing.
6. Now that the Routing and Remote Access Service is enabled, we have to configure RIP v2.
7. In the left pane, select IP Routing. Right-click General and select New Routing Protocol.
8. On the next screen, select RIP Version 2 for Internet Protocol and click OK.
9. An entry for RIP will now be displayed in the left pane beneath the IP Routing icon. This means that RIP is enabled on the server, but at this point RIP will not advertise any routes because we have to tell RIP which interfaces to use for route advertisement.
10. In the left pane, right-click RIP and select New Interface….
11. From the New Interface for RIP Version 2 for Internet Protocol dialog box, select the interface that provides the common link between the routers, as shown in Figure 25.2. In this case, the common interface has been named WAN.
12. The default setting for RIP in a Windows Server 2003 environment is RIP version 2 broadcast for the Outgoing packet protocol: drop-down list and RIP version 1 and 2 for the Incoming packet protocol: drop-down box. If we are using only RIP version 2 throughout our network, and the transport medium will be Ethernet, it is preferred to use RIP version 2 multicast for the Outbound packet protocol: drop-down selection and, to ensure only RIP version 2 operation, to select RIP version 2 only from the Incoming protocol packet: drop-down list.
13. Repeat this process for the other Windows Server 2003 router that will be advertising RIP version 2 on your network.

In our example, we have configured another network at 172.16.100.0/24. This is the network we wish to block using the packet filters. The direct approach would be to specifically block this network. We intend instead to block all network traffic except for our current network addresses. We will begin with the Routing and Remote Access management console to configure the packet filters for inbound and outbound traffic.

1. Before we begin filtering, verify connectivity to the 172.16.100.0/24 network by pinging the 172.16.100.3 interface from your server.

856 Chapter 25 • Planning, Implementing, Maintaining Routing and Remote Access 301_BD_W2k3_25.qxd 5/14/04 9:50 AM Page 856

2. We intend to block all traffic except traffic to and from the 192.168.1.0, 192.168.2.0, and 192.168.3.0 networks. To accomplish this, we will apply inbound and outbound packet filters on our WAN interface. Select General under the IP Routing icon in the left pane of the management console.
3. Right-click the WAN interface in the right pane of the management console and select Properties.
4. Under the General tab of the WAN Properties dialog box, select the Inbound Filters… button.
5. The inbound filters should allow traffic coming from the 192.168.2.0 and 192.168.3.0 networks only. We will add those networks as source networks for the inbound filter. Select New from the Inbound Filters dialog box. Then, select the Source Network check box and enter 192.168.2.0 for the IP address: and 255.255.255.0 for the Subnet mask:, as shown in Figure 25.3.
6. Click OK to add the first filter to the inbound filter list.
7. Repeat this process for the 192.168.3.0 network. Select New from the Inbound Filters dialog box. Then, select the Source Network check box and enter 192.168.3.0 for the IP address: and 255.255.255.0 for the Subnet mask:.
8. Change the Filter Action to Drop all packets except those that meet the criteria below and click OK.
9. We will now configure Outbound Filters in the same fashion that we just configured the Inbound Filters. Select the Outbound Filters… button. The outbound filters should allow traffic going to the 192.168.2.0 and 192.168.3.0 networks only. We will add those networks as destination networks for the outbound filter. Select New from the Outbound Filters dialog box. Then, select the Destination Network check box and enter 192.168.2.0 for the IP address: and 255.255.255.0 for the Subnet mask:.

Figure 25.3 Adding an Inbound Filter

10. Repeat step 9 for the 192.168.3.0 network. Select New from the Outbound Filters dialog box. Then, select the Destination Network check box and enter 192.168.3.0 for the IP address: and 255.255.255.0 for the Subnet mask:.
11. Change the Filter Action to Drop all packets except those that meet the criteria below and click OK.
12. From the WAN Properties dialog box, click OK to complete the configuration.
13. To verify your configuration, test connectivity to the 172.16.100.0/24 network by pinging the 172.16.100.3 interface from your server. The ping should now fail.

Addressing VPN Design Considerations

Rather than using individual modem or ISDN ports for remote access, you can configure a VPN (virtual private network) and enable any number of connections through the Internet. A VPN uses an encrypted tunnel to create a secure virtual connection and transmit private data over the public network.
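Returning to the WAN packet-filter procedure above: the following Python is an added example, not code from the book or from Windows RRAS. It models the filter semantics the steps rely on (inbound filters match a packet's source network, outbound filters its destination network, and the action "Drop all packets except those that meet the criteria below" makes the list an allow-list with an implicit drop), then replays the step 13 ping test and the alternative "directly block 172.16.100.0/24" approach the text mentions. The FilterList/FilterEntry names, the local address 192.168.1.1 and the sample packets are constructed for this example.

```python
"""Model of RRAS IP packet filters on the WAN interface (added example)."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Tuple


@dataclass
class FilterEntry:
    # Source network for an inbound list, destination network for an outbound list.
    network: IPv4Network
    protocol: str = "ANY"          # RRAS also filters on protocol; ANY matches all


@dataclass
class FilterList:
    direction: str                 # "inbound" or "outbound"
    entries: List[FilterEntry] = field(default_factory=list)
    # True  = "Drop all packets except those that meet the criteria below" (allow-list)
    # False = "Receive/Transmit all packets except those that meet the criteria below" (deny-list)
    drop_unless_matched: bool = True

    def decide(self, src: str, dst: str, protocol: str = "ANY") -> str:
        """Return 'permit' or 'drop' for one packet seen on the WAN interface."""
        addr = IPv4Address(src if self.direction == "inbound" else dst)
        matched = any(addr in e.network and e.protocol in ("ANY", protocol)
                      for e in self.entries)
        if self.drop_unless_matched:
            return "permit" if matched else "drop"
        return "drop" if matched else "permit"


def wan_filters() -> Tuple[FilterList, FilterList]:
    """Inbound and outbound lists exactly as steps 5-11 build them."""
    allowed = [IPv4Network("192.168.2.0/24"), IPv4Network("192.168.3.0/24")]
    inbound = FilterList("inbound", [FilterEntry(n) for n in allowed])
    outbound = FilterList("outbound", [FilterEntry(n) for n in allowed])
    return inbound, outbound


def direct_block_filters() -> Tuple[FilterList, FilterList]:
    """The 'direct approach' the text mentions: deny-list only 172.16.100.0/24."""
    blocked = [FilterEntry(IPv4Network("172.16.100.0/24"))]
    return (FilterList("inbound", blocked, drop_unless_matched=False),
            FilterList("outbound", blocked, drop_unless_matched=False))


def verify(inbound: FilterList, outbound: FilterList,
           local: str = "192.168.1.1") -> Dict[str, str]:
    """Replay the step 13 ping plus traffic the filters must keep (constructed packets)."""
    return {
        "ping 172.16.100.3 out": outbound.decide(local, "172.16.100.3", "ICMP"),
        "reply from 172.16.100.3 in": inbound.decide("172.16.100.3", local, "ICMP"),
        "from 192.168.2.10 in": inbound.decide("192.168.2.10", local),
        "to 192.168.3.5 out": outbound.decide(local, "192.168.3.5"),
        "from 10.9.9.9 in": inbound.decide("10.9.9.9", local),
    }


if __name__ == "__main__":
    for label, lists in (("allow-list", wan_filters()), ("direct block", direct_block_filters())):
        print(label)
        for name, verdict in verify(*lists).items():
            print(f"  {name:28} -> {verdict}")
```

The last probe (10.9.9.9) shows the difference between the two approaches: the allow-list built in the procedure drops any network not explicitly listed, while the direct block lets it through.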
Although using a VPN for remote access does not require any special hardware beyond an Internet connection for clients and the RRAS server, there are still a number of choices you must make when planning a VPN strategy. These include the VPN protocols you will support, the need for machine certificates, IP filtering, and remote access policies.

Selecting VPN Protocols

A VPN connection is created through the use of a tunneling protocol (sometimes called a VPN protocol) supported by both the client and the server. Windows Server 2003 supports two tunneling protocols:
■ PPTP (Point-to-Point Tunneling Protocol) is an Internet standard for VPN connections based on PPP (Point-to-Point Protocol). PPTP uses the MPPE (Microsoft Point-to-Point Encryption) system to encrypt data.
■ L2TP (Layer 2 Tunneling Protocol) is a newer standard for a tunneling protocol, developed in cooperation between Microsoft and Cisco. L2TP is used with IPSec (IP Security) to provide encryption.

You can support one or both of these VPN protocols in your remote access strategy. Which protocols you support depends on the needs of clients, the requirements for public-key security, and whether you need the higher-security features of L2TP. These considerations are discussed in the following sections.

Client Support

Of course, a major factor in deciding which tunneling protocols you should support is the protocols supported by the client machines. The following is a summary of the VPN tunneling protocol support of Windows clients:
■ PPTP is supported by Windows 95, Windows 98, Windows ME, Windows NT 4.0 and later, Windows 2000, Windows XP, and Windows Server 2003.
■ L2TP is supported by Windows 2000, Windows XP, and Windows Server 2003.
If you are supporting non-Windows clients, you should determine which VPN protocols they support. The easiest way to support a wide variety of clients is to enable both VPN protocols at the server level; clients that support L2TP will use it, and other clients will use PPTP.

Data Integrity and Sender Authentication

In addition to the data confidentiality provided by both encryption protocols, the IPSec encryption used with L2TP supports two features that are not available with PPTP and MPPE encryption. You should make sure your network supports L2TP if you require either of the following:
■ Data integrity: L2TP over IPSec verifies the integrity of data by using hash algorithms (checksums).
■ Sender authentication: IPSec provides mutual authentication for the client computer and VPN server. This authentication is based on PKI (public key infrastructure) certificates and is in addition to the user authentication handled by protocols such as MS-CHAP v2 and EAP-TLS.

PKI Requirements

To support L2TP over IPSec for VPN connections, you need to install computer certificates at both the VPN server and the clients. If you do not have an existing certificate server configured on the network, this might require additional planning and configuration. PPTP does not require a PKI at all and is the only choice if you do not wish to install certificates.

Installing Machine Certificates

To use IPSec with L2TP, you need to install computer certificates at each client for encryption. Windows 2000 and Windows Server 2003 support auto-enrollment, a feature that automatically distributes certificates to computers the first time they connect to the network. If you are not using auto-enrollment, you can manually request a certificate for the computer. You can do this using the Certificates MMC snap-in or by connecting to the certificate server with a Web browser. If you do not have a certification authority (CA) on the network, you can install Certificate Services on a domain controller.
Configuring Firewall Filters

Because a VPN server is connected to the Internet, it is often used in conjunction with a software or hardware firewall to prevent unauthorized traffic from the Internet from reaching the internal network. You can arrange the firewall and VPN server in one of two ways:
■ The VPN server is directly connected to the Internet and the firewall separates it from the internal network.
■ The firewall is connected to the Internet and the VPN server is behind the firewall.

Figure 25.4 shows these two configurations. The more common of the two arrangements is to connect the firewall to the Internet and keep the VPN server behind the firewall. In this scenario, you set up packet filters to allow all VPN traffic through the firewall. Since the VPN connection between the client and server handles authentication and security itself, this does not represent a security risk.

Figure 25.4 Firewall Configurations (two panels: VPN Server Outside Firewall; VPN Server Inside Firewall)

PPP Multilink and Bandwidth Allocation Protocol (BAP)

The Point-to-Point Protocol (PPP) provides encapsulation, authentication, and encryption functions for remote access connectivity. Most VPN and remote access technology today is built upon PPP or extensions of this protocol. One of the many features of PPP is Multilink. PPP is generally used for different types of dial-up connections. Sometimes there is an advantage to providing a single virtual link that encompasses multiple physical links, like the B-channels on an ISDN connection. Since ISDN has traditionally been billed per usage, and analog long-distance phone calls are also typically billed per usage, maintaining the virtual link when the bandwidth requirements are low could prove costly. Multilink itself does not include provisions to monitor the connection requirements. Enter Bandwidth Allocation Protocol (BAP).

BAP adds features to PPP and Multilink to monitor the connection requirements and to adjust accordingly. If our ISDN link does not need the bandwidth provided through two B-channels, BAP will drop one of the two connections, based on our configuration settings. If the bandwidth requirements increase and the single B-channel in use cannot provide sufficient bandwidth, BAP will connect the second B-channel to double our bandwidth capabilities. This same configuration could include two analog phone lines at each end of the connection as opposed to the 2B+D ISDN configuration for Multilink. In order to take advantage of the capabilities of BAP, the remote access client and server must support BAP and have it enabled.

PPP Multilink Protocol

The PPP Multilink Protocol must be enabled on both the remote access client and the remote access server. PPP Multilink is enabled on the remote access server via remote access policy, using the Routing and Remote Access Service management console or the Internet Authentication Service (IAS). The nature of Multilink requires dialing to multiple devices or endpoints. To enable Multilink on a remote access client, you must enable multiple device dialing on the client system through the Network and Dial-up Connections folder. Again, if unlimited connectivity is not available, the nature of Multilink presents cost-prohibitive problems due to the lack of provisions to link and unlink extra physical connections on an as-needed basis.

BAP Protocols

To facilitate dynamic allocation of links for Multilink, Microsoft provides dynamic BAP. Dynamic BAP is a series of interrelated protocols.
Dynamic BAP consists of the following protocols:
■ Bandwidth Allocation Protocol (BAP)
■ Bandwidth Allocation Control Protocol (BACP)
■ Extensions to the Link Control Protocol (LCP)

BAP provides additional links on an as-needed basis, in response to specific configuration settings. BAP is the control mechanism used in dynamic BAP. BAP will automatically initiate a connection with your second modem to increase your available bandwidth to 112 kbps (56 kbps + 56 kbps) when needed. Once the bandwidth requirement drops below a predetermined setting for a predetermined amount of time, the second modem will disconnect.

BACP works in conjunction with BAP, utilizing the same mechanism as PPP's Link Control Protocol to provide connection control in a dynamic BAP environment. The sole purpose of BACP is to provide a negotiated, favored peer whose requests are implemented during a request to add or drop a connection.

PPP provides connections for upper-layer protocols through the Link Control Protocol. Extensions to LCP are an integral part of dynamic BAP, just as they are with any other implementation of PPP. To transport TCP/IP traffic over an analog dial-up connection, Internet Protocol Connection Protocol (IPCP), an extension of LCP, carries the IP traffic through the PPP connection. Likewise, to carry IPX/SPX traffic over a PPP connection, Internetwork Packet Exchange Control Protocol (IPXCP) provides the connection between the PPP endpoints and the IPX/SPX client. This encapsulation of upper-layer data is commonly known as tunneling.

Multilink with BAP support is implemented through the Routing and Remote Access management console, and it is enabled by default. BAP is enabled via Routing and Remote Access in Administrative Tools. Once you select the server, right-click and select Properties. On the PPP tab, select the Dynamic bandwidth control using BAP and BACP check box.
Multilink is enabled within the Routing and Remote Access applet by selecting Remote Access Policies. Select the remote access policy to modify, click Edit Profile, and configure the specifics of the Multilink policy on the Multilink tab.

Addressing Wireless Remote Access Design Considerations

Wireless networks are fast becoming one of the most common network types. Although they are not as cost-effective or efficient as a replacement for wired networking, wireless networks are a great choice for temporary networks, networking in areas where cabling is normally difficult, or offering wireless access to customers or employees with portable computers.

Windows Server 2003's RRAS server can be used to manage wireless connections to the network. If you will be allowing wireless access, you will need to do the following:
■ Configure remote access policies.
■ Determine whether to use IAS for authentication.
■ Configure the WAPs.

The 802.11 Wireless Standards

Today's wireless networks generally use one of the standards developed by the IEEE under the 802.11 working group and based on the original 802.11 protocol, which supported speeds of 2 Mbps in the 2.4 GHz radio spectrum. The newer standards support higher speeds and are popularly known as Wi-Fi. There are three current versions of 802.11 that define different wireless standards:
■ 802.11b was the first standard to be widely accepted. It operates at 11 Mbps and has a range of about 50 meters. It uses the 2.4 GHz spectrum.
■ 802.11a appeared in products in 2001. This standard uses the 5 GHz spectrum and has a theoretical maximum speed of 54 Mbps, but does not handle distance and obstacles as well as 802.11b.
■ 802.11g is the latest standard, ratified in 2003. It uses the 2.4 GHz band and is backward compatible with 802.11b equipment, but supports a theoretical throughput of 54 Mbps.
Using IAS for Wireless Connections

Many WAPs support RADIUS authentication. Because the security of normal wireless authentication with the 802.11 protocols is minimal, using RADIUS provides stronger authentication as well as a centralized source for authentication and accounting for all wireless access. IAS can be used for this purpose.

Because WAPs configured for RADIUS authentication rely on the presence of a RADIUS server, you might need to configure a second IAS server and specify it as a backup server in the WAP configuration. This ensures that wireless users can still connect if the primary IAS server is unavailable. The steps to configure an IAS server are included at the end of this chapter.

Configuring Remote Access Policies for Wireless Connections

To enable wireless connections, you need a basic remote access policy to allow wireless users. This policy can restrict access to a group, require certificate-based authentication, and/or mandate a high level of encryption. You can use the following steps to create a policy for wireless access.

Create a Policy for Wireless Access

1. From the IAS or RRAS console, select Remote Access Policies in the left-hand column.
2. Select Action | New Remote Access Policy from the menu.
3. A welcome message is displayed. Click Next to continue.
4. The Policy Configuration Method dialog box is displayed. Select Use the wizard to set up a typical policy and enter Wireless access in the policy name field. Click Next to continue.
5. The Access Method dialog box is displayed. Select Wireless and click Next.
6. The User or Group Access dialog box is displayed. Select Group and click Add. Enter Domain Admins and click OK, and then click Next.
7. You are prompted to choose an EAP type to allow. Select Smart card or other certificate and click Next.
8. A completion message is displayed. Click Finish to exit the wizard.

Multiple Wireless Access Points

You can support multiple WAPs for wireless access using RRAS or IAS for authentication. Because each access point covers only a limited area, it is common to have multiple WAPs. Keep the following considerations in mind when planning to deal with multiple WAPs:
■ IAS authentication will enable all WAPs to use a central server for authentication.
■ Each WAP will need to be added to the IAS server's list of clients and configured to use RADIUS authentication.
■ There are several variations of the 802.11 protocols, and not all devices are compatible. Be sure all WAPs and clients support the same protocols.

Placing CA on VLAN for New Wireless Clients

Wireless clients typically use certificate-based authentication, either using the EAP-TLS protocol with a user certificate or using a certificate stored in a smart card. Each client also needs a computer certificate installed in order to use EAP-TLS authentication. You need to configure a certificate server to issue certificates to wireless clients.

For new clients that might not have a certificate already, one strategy is to create a virtual LAN (VLAN) and place a certification authority (CA) on the VLAN to issue certificates. You can use a remote access policy to restrict new wireless clients to this VLAN so they will be unable to access other network resources, and to limit their connection time. After a client successfully connects to the VLAN and is issued a certificate, it can reconnect using the standard wireless access policy and gain full access.

Configuring WAPs as RADIUS Clients

For WAPs to use the IAS server for authentication, you must configure both ends:
■ In the IAS MMC snap-in, add each WAP as a RADIUS client.
■ In the WAP's configuration, enable RADIUS authentication and specify the IAS server (or both servers, if you have a backup server configured).

How you configure the WAP varies depending on the hardware in use. Consult the documentation provided by the manufacturer to find out how to do this.

Planning Remote Access Security

Windows Server 2003 includes a number of security features for remote access, including some new features that were not available in Windows 2000. When you plan a strategy for remote access security, you need to take several things into account:
■ The functional levels of your domains
■ The methods you will use for data encryption and authentication
■ Whether you will use advanced security features such as callback security and smart cards

These items are discussed in the following sections.

Domain Functional Level

Domains hosted on Windows Server 2003 computers can have one of several different domain functional levels. The functional level of your domain affects which remote access security features you can use. Depending on your needs, you might need to raise the functional level of the domain to take advantage of new security features.

Selecting Authentication Methods

When a user attempts to connect to a remote access server, one or more protocols are used for authentication, verifying the user's identity. After the user is authenticated, the RRAS server can determine what resources the user is authorized to access. When you configure a remote access server, you can select which authentication methods will be allowed. You should choose authentication methods based on their relative levels of security. Additionally, the methods you choose will depend on the client operating systems and the authentication methods they support.
Disallowing Password-Based Connections (PAP, SPAP, CHAP, MS-CHAP v1)

A number of the available authentication methods use simple user names and passwords for authentication. The simplest of these is PAP (Password Authentication Protocol). In PAP, the client transmits the user's password as unencrypted text. To ensure a secure network, you should disable PAP and SPAP, a variation of the same protocol that is used by Shiva clients.

CHAP (Challenge Handshake Authentication Protocol) improves security by creating an encrypted challenge and enabling the client to create a response using the password. This avoids sending the password over the network. However, CHAP stores passwords using reversible encryption, and is therefore also considered insecure. MS-CHAP v1, Microsoft's adaptation of CHAP, improves security but is superseded by the more secure version 2.

To ensure secure remote access, you should disable the less-secure authentication methods. You can use the following steps to disable password-based authentication.

Disable Password-Based Authentication Methods

1. From the Start menu, select Programs | Administrative Tools | Routing and Remote Access.
2. Highlight the RRAS server name in the left-hand column.
3. Select Action | Properties from the menu.
4. The Properties dialog box is displayed. Click the Security tab.
5. The Security properties are displayed. Click the Authentication Methods button.
6. The Authentication Methods dialog box is displayed. Uncheck the box next to Microsoft encrypted authentication (MS-CHAP).
7. Uncheck the box for Encrypted authentication (CHAP).
8. Uncheck the boxes next to Shiva Password Authentication Protocol (SPAP) and Unencrypted password (PAP).
9. Click OK to exit the Authentication Methods dialog box, and then click OK to exit the Properties dialog box and save the changes.

Using RADIUS/IAS vs. Windows Authentication

Windows Server 2003 supports RADIUS, an Internet standard for a centralized server to handle a network's authentication and accounting needs. Internet Authentication Service (IAS) is Microsoft's implementation of a RADIUS server, and is included with Windows Server 2003 but is not installed by default. You can install it through the Add/Remove Programs applet in Control Panel as a Windows component. We'll walk through the steps for setting up an IAS server at the end of this chapter.

When you configure an RRAS server, you can choose one of two authentication methods:

Posted: 05/07/2014, 00:20