7. Click Finish to complete the basic NAT configuration. Now we will modify the configuration so that inbound requests from the public network can reach our private Web servers.
8. Click NAT/Basic Firewall in the left pane of the management console and right-click the WAN interface in the right pane of the management console. Select Properties.
9. From the WAN Properties dialog box, select the Service and Ports tab as shown in Figure 25.11.
10. Select the Web Server (HTTP) check box. In the Private address box, enter 192.168.1.100 as shown in Figure 25.12 to direct inbound Web traffic to the Web server located at 192.168.1.100.
11. Click OK. Click OK again to complete the configuration.

876 Chapter 25 • Planning, Implementing, Maintaining Routing and Remote Access

Figure 25.10 Specifying the LAN Interface as the Private NAT Interface

Figure 25.11 Specifying Services Available through NAT

301_BD_W2k3_25.qxd 5/14/04 9:50 AM Page 876

ICMP Router Discovery

RFC 1256 describes a method for IP hosts to detect a router's availability by using Internet Control Message Protocol (ICMP). This process, known as ICMP Router Discovery, works in two ways:
■ Hosts send router solicitations using ICMP to discover available routers on the network.
■ Routers send ICMP advertisements in response to the IP host solicitations, as well as periodic ICMP updates to notify the hosts that the router is still available.

Although Windows Server 2003 supports ICMP Router Discovery, it is disabled by default. You can use the following procedure to configure ICMP router discovery.

Configure ICMP Router Discovery
1. Open Routing and Remote Access: Start | Programs | Administrative Tools | Routing and Remote Access.
2. In the left pane of the RRAS console, click General.
3. In the right pane, right-click the interface on which you want to enable router discovery, and then click Properties.
4. On the General tab, select the Enable router discovery advertisements check box.
5. In Advertisement lifetime (minutes), type or select the time after which a router is considered down if no further router advertisement has been heard from it.
6. In Minimum time (minutes), type or select the minimum rate at which the router periodically sends ICMP router advertisements.
7. In Maximum time (minutes), type or select the maximum rate at which the router periodically sends ICMP router advertisements.
8. In Level of preference, type or select the level of preference for this router to be a default gateway for hosts.

Figure 25.12 Specifying the Private Network Web Server Address

Creating Remote Access Policies

You can manage the security of your remote access server by creating one or more remote access policies. Depending on your configuration, you will need to create policies in one of these two places:
■ If you are using Windows authentication, use the Remote Access Policies item under each RRAS server in the Routing and Remote Access MMC snap-in.
■ If you are using RADIUS authentication, use the Remote Access Policies item under the IAS server in the Internet Authentication Service MMC snap-in.

Regardless of the type of authentication you are using, the policies you create will work the same way, and the dialog boxes for creating and modifying policies are the same.

Policies and Profiles

Remote access security includes two key components:
■ Remote Access Policies: Determine which users can connect remotely and the connection methods they can use. You can have any number of remote access policies.
■ Remote Access Profiles: Provide further restrictions after the connection is established. Each policy contains exactly one profile.
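The message behind the ICMP Router Discovery procedure above is the RFC 1256 Router Advertisement (ICMP type 9), whose Lifetime field carries the advertisement lifetime and whose per-router Preference Level carries the level of preference. The following added example (not from the book or from Windows; the packet contents are constructed) builds and validates such a message the way a careful host would, rejecting malformed or corrupted advertisements before choosing a default gateway. Note that the wire format counts the lifetime in seconds while the RRAS dialog shows minutes.

```python
import socket
import struct

# RFC 1256 message types (the two directions the text describes).
ICMP_ROUTER_ADVERTISEMENT = 9   # router -> hosts
ICMP_ROUTER_SOLICITATION = 10   # host -> routers
NOT_A_DEFAULT_ROUTER = -2**31   # preference 0x80000000: never use as default gateway

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_router_advertisement(routers, lifetime_s: int) -> bytes:
    """Encode an advertisement; routers is a list of (dotted IP, preference) pairs."""
    body = b"".join(struct.pack("!4si", socket.inet_aton(ip), pref) for ip, pref in routers)
    # Type, Code, Checksum, Num Addrs, Addr Entry Size (32-bit words), Lifetime (seconds)
    fields = [ICMP_ROUTER_ADVERTISEMENT, 0, 0, len(routers), 2, lifetime_s]
    fields[2] = icmp_checksum(struct.pack("!BBHBBH", *fields) + body)
    return struct.pack("!BBHBBH", *fields) + body

def parse_router_advertisement(pkt: bytes) -> dict:
    """Validate and decode an advertisement. Anything malformed raises ValueError,
    so a host never adopts a gateway from a truncated or corrupted packet."""
    if len(pkt) < 8:
        raise ValueError("too short for an ICMP header")
    typ, code, _, num_addrs, entry_size, lifetime = struct.unpack("!BBHBBH", pkt[:8])
    if typ != ICMP_ROUTER_ADVERTISEMENT or code != 0:
        raise ValueError("not a router advertisement")
    if num_addrs < 1 or entry_size < 2:          # RFC 1256 validity rules
        raise ValueError("bad Num Addrs / Addr Entry Size")
    if len(pkt) < 8 + num_addrs * entry_size * 4:
        raise ValueError("truncated address entries")
    if icmp_checksum(pkt) != 0:                  # sum over a valid packet folds to 0xFFFF
        raise ValueError("checksum mismatch")
    routers = []
    for i in range(num_addrs):
        off = 8 + i * entry_size * 4             # extra words in an entry are ignored
        addr, pref = struct.unpack("!4si", pkt[off:off + 8])
        routers.append((socket.inet_ntoa(addr), pref))
    return {"lifetime": lifetime, "routers": routers}

def choose_default_gateway(adv: dict):
    """Pick the eligible router with the highest preference level, or None."""
    eligible = [(pref, ip) for ip, pref in adv["routers"] if pref != NOT_A_DEFAULT_ROUTER]
    return max(eligible)[1] if eligible else None

# Constructed sample: two routers, the second opted out of default-gateway duty via the
# reserved preference; a 30-minute advertisement lifetime expressed in seconds.
SAMPLE_ADV = build_router_advertisement(
    [("192.168.1.1", 10), ("192.168.1.2", NOT_A_DEFAULT_ROUTER)], lifetime_s=30 * 60)

if __name__ == "__main__":
    adv = parse_router_advertisement(SAMPLE_ADV)
    print(adv, "->", choose_default_gateway(adv))
```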
Each remote access policy has an order number, or priority. You can define the order by using the Move Up and Move Down actions in the policy window. The list of policies in a default Windows Server 2003 RRAS installation is shown in Figure 25.13. Each policy can have various criteria against which connection attempts are checked. The policy can be set to either Grant or Deny access for users who match these criteria.

When a user attempts to connect, his or her connection criteria are compared to each policy's conditions in order until a policy matches. The Grant or Deny setting of that policy then determines whether the user is allowed access. If a policy grants access, its associated profile is used to further restrict the connection.

In the following sections, you will learn how to make practical use of remote access policies and profiles to authorize or restrict remote access and to control aspects of the connections using remote access profiles.

Authorizing Remote Access

The simplest use for a remote access policy is to authorize remote access for a particular user or group. Windows Server 2003 includes a wizard that you can use to quickly create these types of policies. After you have created a policy, you can modify the properties of the policy to make more specific settings or restrictions. You can launch the wizard through Start | Administrative Tools | Routing and Remote Access. In the left pane, select Remote Access Policies, then from the menu select Action | New Remote Access Policy. The wizard will step you through the process to authorize remote access by user. A similar process is used to authorize remote access by group.

Authorizing Access By Group

Unlike user accounts, security groups do not include dial-in properties.
If you wish to enable access for a group, you can use the wizard to create a remote access policy that includes a condition to check the user's group membership. You can use the following steps to authorize remote access by group.
1. Select Programs | Administrative Tools | Routing and Remote Access from the Start menu. If you are using RADIUS authentication, select Internet Authentication Service instead.
2. Click Remote Access Policies in the left-hand column. A list of the current policies is displayed in the window.
3. From the menu, select Action | New Remote Access Policy.
4. The wizard displays a welcome message. Click Next to continue.
5. The Policy Configuration Method screen is displayed. Select the Use the wizard to set up a typical policy option and enter Allow Admin Access in the Policy name field. Click Next to continue.
6. The Access Method screen is displayed. You can select whether this policy will apply to Dial-up, VPN, Wireless, or Ethernet access. Select the Dial-up option and click Next to continue.
7. The User or Group Access dialog box is displayed. Select the Group option and click the Add button to add a group name.
8. The Select Groups dialog box is displayed. Enter Domain Admins in the Enter the object names to select field and click OK.
9. You are returned to the User or Group Access dialog box. Click Next to continue.
10. The Authentication Methods dialog box is displayed. Click Next to continue.
11. The Policy Encryption Level dialog box is displayed. Click Next to continue.
12. The wizard displays the completion dialog box. Click Finish to create the policy.

Figure 25.13 Remote Access Policies

Restricting Remote Access

You can add any number of conditions to a remote access policy to restrict the users, connection types, and other criteria that can match the policy.
Each policy can be configured to either allow access or deny access based on those criteria. To restrict access, you can create a policy that denies access based on a set of criteria. Because each connection will use the first policy that it matches, be sure your policies for denying access are placed early in the list, before any other policy that might match the same users.

The current conditions for a policy are listed in its Properties dialog box. You can use the Add button to add a condition. There are a variety of attributes you can test to create a condition.

Restricting by User/Group Membership

You already used the wizard to create a simple policy to restrict by group membership earlier in this section. You can also add this condition manually to any policy using its properties. The attribute for group membership is Windows-Groups. You can specify one or more group memberships to match and set the policy to either grant or deny access.

Restricting by Type of Connection

You can use the NAS-Port-Type attribute to restrict a remote access policy to a particular type of connection. Connection types include modem, ISDN, wireless, VPN, and other network connections that can be used for remote access. For example, suppose you were discontinuing the use of dial-in remote access and want to add a policy to prevent dial-in access. You would create a policy to deny access when the NAS-Port-Type attribute indicates a modem connection and place it at the top of the list to override other policies.
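The first-match rule described above is where most policy mistakes happen, so the following added example (not from the book or from Windows) models how RRAS walks an ordered policy list: each policy is a set of conditions on attributes such as Windows-Groups, NAS-Port-Type, Authentication-Type and Day-and-Time-Restrictions, the first policy whose conditions all hold decides Grant or Deny, and only a granting policy's profile is applied. The policies, groups and connection attempts are constructed; the NAS-Port-Type strings are the RADIUS names (Async for a modem, Virtual for a VPN).

```python
from dataclasses import dataclass, field
from datetime import datetime

@dataclass
class Policy:
    name: str
    conditions: dict            # condition attribute -> set of values that satisfy it
    grant: bool                 # True = Grant remote access permission, False = Deny
    profile: dict = field(default_factory=dict)   # applied only when access is granted

def condition_holds(attr, allowed, attempt) -> bool:
    """Evaluate one policy condition the way the RRAS attributes behave."""
    if attr == "Windows-Groups":
        # A user belongs to many groups; any listed group satisfies the condition.
        return bool(attempt.get("Windows-Groups", set()) & allowed)
    if attr == "Day-and-Time-Restrictions":
        # allowed = set of (weekday, hour) cells ticked in the Time of day Constraints grid.
        when = attempt["time"]
        return (when.weekday(), when.hour) in allowed
    # NAS-Port-Type, Authentication-Type, Called-Station-ID, Calling-Station-ID, ...:
    # the attempt carries a single value that must be one of the listed values.
    return attempt.get(attr) in allowed

def matches(policy, attempt) -> bool:
    return all(condition_holds(a, v, attempt) for a, v in policy.conditions.items())

def evaluate(policies, attempt):
    """First-match semantics: try policies in priority order; the first one whose
    conditions all hold decides Grant/Deny and supplies the profile.
    Returns (granted, policy_name, profile); no matching policy is a Deny."""
    for policy in policies:
        if matches(policy, attempt):
            return policy.grant, policy.name, (policy.profile if policy.grant else {})
    return False, None, {}

BUSINESS_HOURS = {(day, hour) for day in range(5) for hour in range(8, 18)}  # Mon-Fri 08-17

# Constructed policy list in priority order. The Deny policy comes first, as the text
# advises, so it wins over the Grant policy for the same users.
POLICIES = [
    Policy("Deny Modem Access", {"NAS-Port-Type": {"Async"}}, grant=False),
    Policy("Allow Admin Access",
           {"Windows-Groups": {"Domain Admins"},
            "Authentication-Type": {"MS-CHAP v2", "EAP"},
            "Day-and-Time-Restrictions": BUSINESS_HOURS},
           grant=True,
           profile={"idle_timeout_min": 20, "max_session_min": 480, "encryption": "MPPE 128-bit"}),
]

# Constructed connection attempts (11 May 2004 was a Tuesday).
ADMIN_VPN = {"Windows-Groups": {"Domain Admins", "Domain Users"}, "NAS-Port-Type": "Virtual",
             "Authentication-Type": "MS-CHAP v2", "time": datetime(2004, 5, 11, 10, 0)}
ADMIN_MODEM = {**ADMIN_VPN, "NAS-Port-Type": "Async"}
USER_VPN = {**ADMIN_VPN, "Windows-Groups": {"Domain Users"}}
ADMIN_NIGHT = {**ADMIN_VPN, "time": datetime(2004, 5, 11, 3, 0)}

if __name__ == "__main__":
    for label, attempt in [("admin VPN", ADMIN_VPN), ("admin modem", ADMIN_MODEM),
                           ("user VPN", USER_VPN), ("admin at 03:00", ADMIN_NIGHT)]:
        print(label, "->", evaluate(POLICIES, attempt))
    # Same policies in the wrong order: the Grant policy matches first and the modem ban is lost.
    print("admin modem, Deny listed last ->", evaluate(POLICIES[::-1], ADMIN_MODEM))
```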
Restricting by Time

You can use the Day-and-Time-Restrictions attribute to control the day of the week and times of day that a policy will be effective. You can use this feature to deny access at a specific time or day or to explicitly grant access at a certain time. To use this feature, use the Add button in the Properties dialog box to add a condition to a policy, and then select Day-and-Time-Restrictions. The Time of day Constraints dialog box enables you to allow or deny access for each hour of the day and each day of the week.

Restricting by Client Configuration

You can use the Network Access Quarantine Control (NAQC) feature to restrict connections based on aspects of a client's configuration: the operating system, file system, and even details of which security updates have been installed. You need to create a custom script or program to check the client's configuration to implement this feature. NAQC is included with the Windows Server 2003 Resource Kit. It includes several components:
■ The Remote Access Quarantine Agent service (RQS.EXE) runs on the RRAS servers.
■ A custom script to check the configuration. The script can use RQC.EXE, included in the resource kit, to notify the quarantine agent whether the client passed its tests.
■ Connection Manager, using a custom profile and a post-connect action to run the script.
■ A RADIUS (IAS) server to manage authentication.
■ A remote access policy that uses the quarantine attributes, installed with the quarantine agent, to determine whether the connection has been authorized by the script.

NAQC is supported by Windows 98 SE and later clients that support Connection Manager. For details on implementing a quarantine script, consult Microsoft's TechNet site.

Restricting Authentication Methods

You can use the Authentication-Type attribute to restrict a policy to certain authentication types. When you add this attribute, you can use the Authentication-Type dialog box to add one or more of the possible authentication types, as shown in Figure 25.14.

Restricting by Phone Number or MAC Address

You can use the following two attributes to add a phone number condition to a remote access policy:
■ Called-Station-ID: The phone number the user called.
■ Calling-Station-ID: The phone number the call originated from (Caller ID).

Controlling Remote Connections

After a connection is established by matching a remote access policy, the profile associated with the policy is used to control what the user can do with the connection. Some of the most useful profile settings include the following:
■ The amount of time the user is allowed to remain connected or remain idle
■ The encryption methods that will be allowed
■ Which traffic will be filtered using packet filters
■ The client IP address

Controlling Idle Timeout

The idle timeout is the amount of time the RRAS server will keep a session connected when there has not been any traffic to or from the remote access server. You can use this setting to ensure that clients who finish using their remote connection but fail to disconnect are disconnected automatically. The idle timeout is part of a remote access profile. You can change the timeout on the Dial-in Constraints tab of the Edit Dial-in Profile dialog box.

Figure 25.14 Restricting by Authentication Method

Controlling Maximum Session Time

Along with the idle timeout, you can define a maximum amount of time a client can remain connected to the server whether they use the connection or not.
When your supply of incoming ports is limited, this is one way to ensure that ports are freed up to enable other users to connect. The maximum session time is also defined in the Dial-in Constraints tab of a profile.

Controlling Encryption Strength

You can use the settings in the Encryption tab of a remote access profile's Properties dialog box to allow or disallow particular types of encryption for a VPN connection. Encryption types include the following:
■ Basic encryption (MPPE 40-bit)
■ Strong encryption (MPPE 56-bit)
■ Strongest encryption (MPPE 128-bit)

Any of these three encryption settings can be used, depending on what the server and the client support, to prevent unauthorized access.

Controlling IP Packet Filters

You can use IP packet filters to filter incoming or outgoing traffic for connections that match a particular remote access profile. You might find this useful for denying access to a VPN from particular locations or only allowing access from a particular address. You can manage outgoing and incoming packet filters from the IP settings tab of the Profile Properties dialog box, as shown in Figure 25.15.

Figure 25.15 IP Settings

Controlling IP Address for PPP Connections

You can also use the IP settings to control IP address assignment for PPP (dial-in) connections. The following options are available:
■ Server must supply an IP address
■ Client may request an IP address
■ Server settings determine IP address assignment
■ Assign a static IP address

The last option enables you to specify a single IP address to be assigned to clients that match this profile. If you use this feature, be sure only one client at a time will match the profile, because the IP address can only be assigned to one client.
Troubleshooting Remote Access Client Connections

Remote access client connections are often the most difficult connection problems to troubleshoot. In many cases, the system you are troubleshooting is not physically in front of you or even remotely accessible via remote control software, which makes it an added challenge. The best practice to follow when troubleshooting any type of connectivity problem is to start with the simpler areas and work your way up. The Open Systems Interconnect (OSI) reference model proves to be a handy guide for troubleshooting. Troubleshoot by starting at the lowest layers first, as seen in Table 25.1.

Table 25.1 The OSI Reference Model

Layer Number   Layer                Description
1              Physical Layer       Cabling, connectors
2              Data Link Layer      Network card, hardware address (ARP, MAC, LLC)
3              Network Layer        Logical addressing (IP address, IPX address)
4              Transport Layer      Segment and assemble upper layer information (TCP ports, UDP ports)
5              Session Layer        Connection control (RPC, SQL, NFS)
6              Presentation Layer   Data formatting (ASCII, MPEG, JPEG)
7              Application Layer    Applications (e-mail client, Web browser, word processor)

Most, if not all, networking problems will be solved within the first three or four layers. Begin the troubleshooting process with cabling. Work your way up the OSI reference model to test hardware settings and drivers next. At layer 3, the network layer, verify connectivity based on logical addressing like phone numbers or IP addresses. At the transport layer, verify available port numbers for your applications. Usually, transport layer problems will occur at a firewall or NAT system. This should be one of the first things to check if you have made it to layer 4 in the troubleshooting process. Session layer troubleshooting would entail verifying that services are started and running properly on your systems.
Presentation and application layer problems do not generally affect network and/or remote access connectivity. Let's take a closer look at the different types of remote access to see how our methodology applies.

If the client is connecting through a modem, check the phone cable connectors to make sure they are securely connected to the wall and the modem. Ensure the modem is getting power and displays proper diagnostic indicators if you are working with an external modem. You might try shutting off and restarting an external modem. Check the Windows Device Manager to verify operation and driver information. If necessary, update the drivers. Working your way toward the network layer, test full operation of the modem by dialing a phone number with the phone dialer. Then confirm that the modem can also dial a different number using the phone dialer. If possible, ensure that the routing and remote access service is operational on the remote access server. Make sure you are using the correct authentication algorithm.

If you are connecting through a VPN using an Internet connection, first verify Internet connectivity. If you are using a dial-up Internet connection to provide a transport for the VPN, follow the steps in the previous paragraph to ensure dial-up connectivity to your ISP and the Internet. If you are able to reach Internet servers, verify connectivity to the VPN server by issuing a ping command to the VPN server's FQDN or IP address. Make sure that there are a sufficient number of L2TP or PPTP ports available on the VPN server. Make sure you are using the proper authentication algorithms and the proper encryption strength. Finally, verify that the remote access policy settings will allow connectivity. If any one of the remote access policy rules matches your client computer or your user account, rule processing ends at that step and the requested action is processed.
If you are able to connect to the remote access server but you are unable to connect to resources within the remote LAN, you have already ruled out the first two layers of the OSI reference model. Typical problems in this scenario include IP connectivity problems, name resolution problems, and incorrect upper layer protocol selection. An approach here would be to check the IP address assigned to the PPP adaptor. Verify IP connectivity to the inside interface of the remote access server. This is the LAN interface on the RRAS server. Next, in a Windows 2000 or Windows Server 2003 Active Directory environment, issue an nslookup command to test DNS resolution for the client. If IP connectivity fails, name resolution will fail.

When testing IP connectivity, verify that the address assigned to the PPP adaptor is a valid address for one of your LANs. If the address is in the range 169.254.0.1 to 169.254.255.254, this is an Automatic Private IP Address assignment (APIPA). This signifies a problem in the address request process with the DHCP server. This problem could be between the client and the RRAS server or between the RRAS server and the DHCP server.

Some utilities for troubleshooting Windows Server 2003 connectivity include:
■ Ipconfig
■ Netsh
■ Nslookup
■ Ping