Chapter 9 • Troubleshooting Remote Access in a Windows 2000 TCP/IP Network
(91_tcpip_09.qx 2/25/00 11:13 AM Page 492)

To check the status of the ports, select the remote access server in the left pane of the RRAS console and double-click Ports in the right pane. You will see a display similar to Figure 9.12, showing which ports are active and which are inactive.

Figure 9.12 Check the status of the remote server ports for activity.

If the server is configured with a static address pool, ensure there are sufficient IP addresses in the pool that RRAS assigns to dial-in clients. To add addresses to the static pool, right-click the server name in the left pane of the RRAS console, select Properties, select the IP tab, and click Add.

Inability to Aggregate the Bandwidth of Multiple Telephone Lines

If you have multiple telephone lines (for instance, two ISDN channels) and are unable to aggregate the bandwidth of the two lines, check the following:

■ Ensure that your ISDN adapter supports multiple lines, or that you have two functional modems, each attached to a separate working telephone line.
■ Ensure that the remote access server's PPP options are configured to support multilink.

On the remote access server, PPP configuration options are set on the PPP tab of the server's Properties sheet in the RRAS console, as shown in Figure 9.13.

Figure 9.13 Windows 2000 RRAS allows you to configure PPP options on the remote server.

Here, you can select the following PPP options to be used by the server:

■ Select whether multilink connections are allowed. Multilink is a way of aggregating two or more phone lines for greater bandwidth.
■ If multilink is enabled, you can select whether to use the Bandwidth Allocation Protocols (BAP and BACP) to allow multilink to adapt to changing bandwidth demands.
■ Choose to enable the Link Control Protocol (LCP) extensions.
For information about LCP options, see RFC 1661.
■ Enable software compression for greater throughput.

Inability to Access the Entire Network

If the client is able to establish a remote connection but cannot access the resources of any computer other than the remote server, ensure that IP routing has been enabled on the server. Check the Enable IP Routing check box on the IP tab of the server's Properties sheet (refer back to Figure 9.11 to see this Properties sheet). Also check that packet filtering has not been configured to prevent TCP/IP packets from being forwarded.

If a static address pool has been configured instead of DHCP, ensure that the hosts and routers on the network have a route back to the address range(s) of the static IP address pool. You may have to add a static routing entry to your routers, or use a dynamic routing protocol such as RIP or OSPF.

If you have set up the remote access server to use DHCP for IP address allocation and the DHCP server is not available, APIPA addresses (169.254.0.1 through 169.254.255.254) will be used. Unless your network computers are using addresses from this range, the remote clients will not be able to communicate over IP with them. A remote client that has been handed a 169.254.x.x address is therefore a strong hint that the DHCP server was unreachable when the connection came up.

Client Configuration Problems

Although there is much more that can be misconfigured on the server, if only one client is having connection problems and there is no physical cause (bad cable, NIC, and so on), chances are good that the client machine is not configured properly to make the remote connection.

Inability to Establish a Remote Connection

■ Ensure that the client is configured to use the same authentication method as the remote server.
■ Ensure that the client is configured to use the same encryption strength as the remote server.
To check (and change) the authentication method on the client machine, click Start | Settings | Network and Dial-up Connections, right-click the connection name, and select Properties. On the Security tab, choose Advanced, and you will see a dialog box similar to the one in Figure 9.14.

NOTE: The client and server must both use a common authentication and encryption method. Resolve a mismatch by bringing the client up to what the server requires, not by enabling weaker methods on the server (for example PAP, which sends the password in clear text, or unencrypted connections) to make one client work, because that weakens every connection the server accepts.

■ Ensure that the user account is configured to allow dial-in access. To do so, from the Active Directory Users and Computers administrative tool on a domain controller, expand the domain in the left pane of the console and right-click the user's name in the right pane. Select Properties, and then select the Dial-in tab, shown in Figure 9.15. The Allow Access radio button must be selected for the user account to be able to make a remote connection (in a native-mode domain, Control Access Through Remote Access Policy is also available, in which case the remote access policies described below make the decision). The user Properties Dial-in sheet also allows you to configure callback security requirements, assign a static IP address for remote connections, or apply static routes.

Figure 9.14 The authentication method and encryption are set in Advanced Security settings.

Troubleshooting Remote Access Policy Problems

Remote access policies consist of conditions and parameters placed on the incoming connection. Windows 2000 allows you to set policies to control client access based on such things as day of the week or time of day, group membership, and connection type (VPN or dial-in), and to set limits on duration of connection, idle time after which the connection is disconnected, and security parameters. Figure 9.16 shows some of the limitations that can be placed on dial-in access.
When a user attempts to make a remote connection, the characteristics of the connection attempt are compared with the authentication information, the user's dial-in properties, and the remote access policies. Policies are evaluated in the order in which they are listed in the console, and the first policy whose conditions all match decides the outcome; the policies below it are never consulted. When the connection attempt doesn't match any of the remote access policies, access is denied. Multiple remote access policies can be in place, but this makes troubleshooting connection denials more complex.

Figure 9.15 Remote access permission must be granted in the user Properties sheet.

Determining Which of Multiple Policies Is Causing the Problem

Microsoft recommends that one way to verify which policy is causing the denial is to create a new remote access policy called Troubleshooter and configure it to grant remote access permission for all days and times. Then move this policy to the top of the list so that it is processed first. If the connection is denied, the problem is either with the Troubleshooter test policy itself or, more likely, with the user account's dial-in Properties settings. If the connection succeeds, move the test policy down one level and attempt to connect again. If this connection fails, the problem is most likely with the policy just above the Troubleshooter policy. If it succeeds, keep moving the test policy down the hierarchy until a connection is denied, and then examine the properties of the policy that is causing the denial. Delete the Troubleshooter policy when you are finished: as long as it sits above the real policies it grants remote access to every account that is not explicitly denied, which is exactly the kind of permissive rule that should not survive a troubleshooting session.

Figure 9.16 Remote access policies let you place restrictions on dial-in access.
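The evaluation order just described (account Dial-in setting first, then first-matching policy, deny when nothing matches) and the Troubleshooter bisection can be modelled in a few lines. The following is an added example written for this page, not Microsoft code; the policy names, the attributes of an attempt (weekday, hour, groups, connection type) and the sample attempts are all constructed for the demonstration.

```python
"""Model of Windows 2000 remote access policy evaluation and the
"Troubleshooter" procedure (added example, not Microsoft code).
Policy names, attempt attributes and sample attempts are constructed."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Attempt:
    user: str
    groups: frozenset
    weekday: int      # 0 = Monday ... 6 = Sunday
    hour: int         # 0-23, server local time
    conn_type: str    # "dialin" or "vpn"


@dataclass
class Policy:
    name: str
    conditions: List[Callable[[Attempt], bool]]   # all must hold for the policy to match
    grant: bool                                   # the policy's own Grant/Deny setting

    def matches(self, a: Attempt) -> bool:
        return all(c(a) for c in self.conditions)


def evaluate(user_dialin: str, policies: List[Policy], a: Attempt) -> Tuple[bool, str]:
    """Evaluation order (Windows 2000 semantics as assumed in this model):
    1. The account's Dial-in tab wins outright if it says Deny.
    2. Policies are checked top to bottom; the FIRST one whose conditions all
       match decides, and nothing below it is consulted.
    3. An account set to Allow Access still needs some policy to match; it
       only overrides that policy's Grant/Deny setting.
    4. No match at all means the attempt is denied."""
    if user_dialin == "deny":
        return False, "user account: Deny Access"
    for p in policies:
        if p.matches(a):
            return (user_dialin == "allow" or p.grant), p.name
    return False, "no policy matched"


def find_denying_policy(user_dialin: str, policies: List[Policy], a: Attempt) -> Optional[str]:
    """Automate the book's procedure: put a grant-all Troubleshooter policy at
    the top, move it down one slot at a time, and report what sits just above
    it the first time the attempt fails."""
    if evaluate(user_dialin, policies, a)[0]:
        return None                                   # nothing to find, it already works
    test = Policy("Troubleshooter", [], grant=True)   # no conditions: matches everyone, always
    for pos in range(len(policies) + 1):
        trial = policies[:pos] + [test] + policies[pos:]
        if not evaluate(user_dialin, trial, a)[0]:
            # Denied with the test policy on top: the policies never got a say.
            return "user account dial-in settings" if pos == 0 else policies[pos - 1].name
    # Granted even with the test policy at the very bottom: the real list had no match.
    return "no policy matched"


# Constructed sample policy list, in console order.
def is_business_hours(a: Attempt) -> bool:
    return a.weekday < 5 and 8 <= a.hour < 18


POLICIES = [
    Policy("Night VPN lockout",
           [lambda a: a.conn_type == "vpn", lambda a: not is_business_hours(a)], grant=False),
    Policy("Sales remote access", [lambda a: "Sales" in a.groups], grant=True),
]
NIGHT_VPN = Attempt("alice", frozenset({"Sales"}), weekday=2, hour=22, conn_type="vpn")
DAY_DIAL = Attempt("alice", frozenset({"Sales"}), weekday=2, hour=10, conn_type="dialin")
OUTSIDER = Attempt("bob", frozenset({"Marketing"}), weekday=2, hour=10, conn_type="dialin")

if __name__ == "__main__":
    for label, att in (("night vpn", NIGHT_VPN), ("day dial-in", DAY_DIAL), ("outsider", OUTSIDER)):
        print(label, evaluate("policy", POLICIES, att), "->", find_denying_policy("policy", POLICIES, att))
```

The model makes two things visible that the GUI hides: moving the test policy one slot at a time is a linear search for the first matching deny, and a "no policy matched" denial only shows up when the test policy has reached the bottom of the list, which is why an account set to Allow Access can still be refused.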
Troubleshooting NAT and ICS Configuration Problems

Windows 2000 makes it easy to share a single public IP address for access to the Internet by using Internet Connection Sharing (ICS) on a Windows 2000 Professional computer, or a choice of ICS or Network Address Translation (NAT) on a Windows 2000 Server.

The Difference between ICS and NAT

ICS is available on both Windows 2000 Professional and Server, while NAT is available only on the Server family of operating systems. This statement in itself could be a little confusing, since ICS actually is a form of NAT. You can think of Internet Connection Sharing as NAT Lite: it uses NAT to map internal network IP addresses and ports to a single external IP address, but it is not as flexible and configurable as the full-fledged form of NAT that comes with Windows 2000 Server.

Common NAT Configuration Problems

If the NAT computer is not properly performing translation, so that packets don't get delivered to the internal computer (NAT client) for which they are intended, check the configuration of the NAT interfaces. The NAT routing protocol must have both a public and a private interface. To check this, in the RRAS console, under the server name, expand IP Routing and select Network Address Translation. You should see a public and a private interface listed, as shown in Figure 9.17. The public interface connects to the ISP, and the private interface connects to the LAN.

Ensure that the public interface is configured for address translation, as shown in Figure 9.18. Right-click the interface name and select Properties. The radio button for "Public interface connected to the Internet" must be selected. You should also check the Translate TCP/UDP headers check box to allow NAT clients to send and receive data through the interface; without header (port) translation, NAT maps addresses only, one public address per internal client, so a single public address cannot be shared.
Now ensure that the private interface is also properly configured. Right-click the private interface's name and select Properties. The same configuration box appears; in this case the "Private interface connected to private network" radio button should be selected.

For Managers: Which Connection Sharing Solution Is Right for My Network?

If you have a small network that needs access to the Internet, and only one public IP address, Windows 2000 Server gives you the choice of using ICS or NAT to provide Internet access to the entire network through a single computer's Internet connection. Either of these solutions will save the cost of additional phone lines, modems, and ISP accounts for connecting additional computers to the Net, as well as the time and work involved in setting them all up for Internet access and the difficulty of maintaining and monitoring their access. Which one, then, should you use to connect your network?

ICS and NAT work in a similar fashion, but NAT is the more sophisticated of the two. ICS is configured by right-clicking the connection's icon in Network and Dial-up Connections and selecting Sharing. It is quick and easy to configure and suitable for many small, simple networks. ICS assumes that this is the only computer on the network that is connected to the Internet, and it sets up all the internal network addresses. By selecting Enable Internet Connection Sharing for this Connection, you make the computer an ICS host. This computer will assign IP addresses to its ICS clients as a DHCP allocator (the ICS host takes 192.168.0.1 and hands out addresses from 192.168.0.0/24, which is why it collides with an existing DHCP server or static addressing). ICS is appropriate if you don't have DNS servers, DHCP servers, Windows 2000 domain controllers, or systems using static IP addresses. That limits its use to small peer-to-peer networks.
For larger or more complex networks, sharing of an Internet connection can be accomplished via NAT, which is configured as part of RRAS. To use it, you must install and configure the Routing and Remote Access Service (if it is not already installed). NAT requires more configuration by the administrator, but also allows you to specify or change the IP address range assigned to NAT clients, and can be used on Windows 2000 domain networks or those connected to gateways or routers.

So, if you have a small peer-to-peer workgroup among which you wish to share an Internet connection, and don't need control over the IP address range, ICS will be the simplest solution. In most business networks, you will need the more sophisticated features of NAT.

Incorrect Public Address Range

Another problem that can occur with NAT configuration is incorrect configuration of the public addresses when you have multiple public IP addresses. Ensure that the addresses are entered in the Properties sheet of the public interface, under the Address Pool tab. All addresses entered here should be addresses that were assigned to you by your ISP. NAT can provide address translation using multiple public IP addresses; ICS cannot.

Incompatible Application Programs

The packets of some programs will not work through NAT. If a program runs from the NAT host computer but you cannot run it from a NAT client, it may be because the program uses a protocol that is not translatable by NAT. Plain NAT rewrites only the IP header (and, with header translation, the TCP/UDP ports); a protocol that also carries an address or port inside its payload, as FTP does in its PORT command, needs a NAT editor that understands the protocol and rewrites the payload as well. Windows 2000 NAT includes NAT editors for the following common protocols: FTP, ICMP, PPTP, and NetBIOS over TCP/IP. Additionally, some protocols such as HTTP do not require a NAT editor.

Figure 9.17 NAT requires both a public and a private interface.
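What a NAT editor actually does for FTP is easiest to see in code. The following is an added example written for this page, not the Windows 2000 FTP editor: it rewrites the private address and port that an FTP client embeds in its PORT command, remembers which private host the server's data connection must be forwarded to, and tracks the payload length change that the NAT must compensate in later TCP sequence numbers. The addresses (public interface 203.0.113.5, private LAN 192.168.0.0/24) and the sample FTP lines are constructed.

```python
"""A NAT editor for FTP's PORT command (added example; not the Windows 2000 editor).

Constructed setup: public interface 203.0.113.5, private LAN 192.168.0.0/24.
"""
import ipaddress
import re

# "PORT h1,h2,h3,h4,p1,p2" carries the client's IP address and listening port
# (port = p1*256 + p2) inside the FTP payload, where header-only NAT never looks.
PORT_RE = re.compile(rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$")


class FtpNatEditor:
    def __init__(self, public_ip, private_net, first_port=60000):
        self.public_ip = ipaddress.IPv4Address(public_ip)
        self.private_net = ipaddress.IPv4Network(private_net)
        self.next_port = first_port
        self.expected = {}    # public port -> (private ip, private port) for the server's data connection
        self.seq_delta = 0    # cumulative payload growth; later TCP seq/ack numbers must be shifted by it

    def translate_port_command(self, payload):
        """Rewrite an outbound PORT command; return (new payload, length change)."""
        m = PORT_RE.match(payload)
        if not m:
            return payload, 0                    # not a PORT line: header NAT alone is enough
        f = [int(x) for x in m.groups()]
        if max(f) > 255:
            return payload, 0                    # malformed, leave it for the server to reject
        priv_ip = ipaddress.IPv4Address(".".join(str(x) for x in f[:4]))
        priv_port = f[4] * 256 + f[5]
        if priv_ip not in self.private_net:
            return payload, 0                    # not a host on our private network: leave it alone
        pub_port = self.next_port                # allocate a public port the server may connect to
        self.next_port += 1
        self.expected[pub_port] = (priv_ip, priv_port)
        rewritten = b"PORT %s,%d,%d\r\n" % (
            str(self.public_ip).replace(".", ",").encode(), pub_port // 256, pub_port % 256)
        delta = len(rewritten) - len(payload)
        self.seq_delta += delta
        return rewritten, delta

    def inbound_target(self, dst_port):
        """When the FTP server connects back to public_ip:dst_port, where does it go?"""
        hit = self.expected.get(dst_port)
        return (str(hit[0]), hit[1]) if hit else None


if __name__ == "__main__":
    ed = FtpNatEditor("203.0.113.5", "192.168.0.0/24")
    for line in (b"USER anonymous\r\n", b"PORT 192,168,0,10,4,1\r\n"):
        new, delta = ed.translate_port_command(line)
        print(line.strip(), "->", new.strip(), "delta", delta)
    print("inbound 60000 ->", ed.inbound_target(60000))
```

Without the editor the server would receive "PORT 192,168,0,10,4,1" and try to open its data connection to a private address it cannot reach, which is exactly the symptom described above: the program works from the NAT host (whose own address is public) but not from a NAT client. The same structure applies to any protocol that embeds addresses in its payload; a protocol that encrypts its payload cannot be edited at all.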
A related problem, and a major limitation of NAT, is the inability to use it with IPSec for host-to-host security (sometimes called end-to-end). NAT has to rewrite addresses and ports, and IPSec is designed to detect exactly that: the AH integrity check covers the IP addresses, so a translated packet fails verification at the receiver, and ESP encrypts the TCP/UDP headers, so the NAT cannot even see the ports it would need to translate. You can, however, use NAT if you are using IPSec for a gateway-to-gateway solution, provided the translation happens before the packet enters the tunnel (that is, the NAT sits on the private side of the IPSec gateway, not between the two gateways). Later IPSec implementations work around the limitation with NAT traversal (UDP encapsulation of ESP, RFC 3948), which the Windows 2000 release described here does not include.

Other NAT Problems

If none of the solutions just discussed uncovers the culprit, ensure that IP packet filtering is not configured to prevent sending and receiving IP traffic. If the problem is related to name resolution, ensure that NAT name resolution has been enabled on the private interface. Troubleshoot Internet name resolution problems as outlined in Chapter 7, "Troubleshooting Windows 2000 DNS Problems."

Figure 9.18 The public interface must be configured for address translation.

[...]

Troubleshooting VPN Connectivity Problems

Virtual Private Networking (VPN) is a popular solution for those who need a secure, yet inexpensive way to connect from a remote computer to a LAN when dialing in directly either isn't possible or is costly due to long [...]

Tunneling Protocols

Windows 2000 supports VPN connections using either Point-to-Point Tunneling Protocol (PPTP) or Layer 2 Tunneling Protocol (L2TP).

PPTP: Point-to-Point Tunneling Protocol

PPTP is an industry standard tunneling protocol. It was in Windows NT 4.0 and is also supported in Windows 2000. PPTP is an extension of the Point-to-Point Protocol (PPP) and uses the authentication, compression, and encryption mechanisms of PPP.

L2TP: Layer 2 Tunneling Protocol

The Layer Two Tunneling Protocol (L2TP) supports multiprotocol VPNs that allow remote users to access corporate networks securely across the Internet. It is similar to PPTP in that it can be used for tunneled end-to-end connections through the Internet or other remote access media. However, unlike PPTP, L2TP doesn't depend on vendor-specific encryption [...] successful implementation. L2TP utilizes the benefits of IPSec, and will likely eventually replace PPTP as the "tunneling protocol of choice." From a security standpoint that replacement is the right direction: PPTP's protection rests on MS-CHAP authentication and MPPE encryption, both of which have since been shown to be breakable, so L2TP/IPSec should be preferred wherever both ends support it.

Troubleshooting VPN Connections

Troubleshooting a remote VPN connection is similar to troubleshooting other remote access connections, with a bit of added complexity [...]

[...] network, which uses a Packet Assembler/Disassembler (PAD) and provides for data transfer over a public packet switched network. Then we discussed the WAN protocols used for remote access networking: SLIP and PPP. We learned that SLIP is used on some UNIX servers, but Windows 2000, like NT 4.0, supports only PPP for dial-in connections. We talked about the four steps involved in making a PPP connection: configuration, [...]

[...] callback (optional), and configuration. Then we moved on to some specific tips for troubleshooting PPP problems, which include authentication failures, inadequate link/line quality, loss of carrier, and timeouts. We looked at how to configure a dial-up connection to use PPP, and we gained an understanding of encapsulation, the method by which TCP/IP or other LAN protocol packets are wrapped inside the PPP or [...]

[...] translated, and the importance of ensuring that IP packet filtering is not configured to prevent IP traffic from getting through. Finally, we took a brief look at virtual private networking (VPN), the two tunneling protocols supported by Windows 2000 (PPTP and L2TP), and how to troubleshoot VPN connectivity problems. Remote access gets easier to configure with each new Microsoft operating system, but [...]

[...] connection, the caller ID number will be the IP address of the client.

Q: Does Windows 2000 work with modem-pooling equipment?
A: Yes, as long as the modem-pooling device generates and accepts command strings equivalent to one of the supported modem types listed in the Install New Modem wizard [...]

[...] translation of the IP address in the IP header, TCP port in the TCP header, and UDP port in the UDP header. This additional translation is required with certain protocols that store the IP address, TCP port, or UDP port in the payload (for instance, FTP). Windows 2000 includes NAT editors built-in for FTP, ICMP, and PPTP. Windows 2000 doesn't include editors to translate SNMP, LDAP, Microsoft COM, or RPC.

Chapter 10 Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level

Solutions in this chapter:
■ NICs
■ Cable
■ Hubs and Repeaters
■ Bridges
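The reason host-to-host IPSec and NAT cannot coexist (the limitation noted above under the NAT troubleshooting section) can be shown concretely. The following is an added example written for this page, not code from the book or from Windows 2000. It computes an AH integrity check value the way RFC 4302 specifies (HMAC-SHA1-96 over the IP header with its mutable fields zeroed, the AH header, and the payload), then shows that a router's TTL decrement leaves it valid while a NAT's source-address rewrite breaks it; for ESP it shows that a port-translating NAT cannot read the TCP ports once they are inside the ciphertext. The addresses, key and TCP segment are constructed, and the keystream standing in for ESP's real cipher is a toy for the demo only.

```python
"""Why NAT breaks host-to-host IPSec (AH and transport-mode ESP).

Added example, not code from the book or from Windows 2000. Addresses, key and
payload are constructed; HMAC-SHA1-96 is the AH algorithm from RFC 4302, and
the "cipher" standing in for ESP is a toy keystream, not a real one.
"""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

AH_PROTO = 51
TCP_PROTO = 6


def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Minimal 20-byte IPv4 header; header checksum left zero (AH zeroes it anyway)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                       ttl, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)


def _ah_covered_bytes(ip_hdr, ah_hdr, payload):
    """Bytes the AH ICV is computed over: the IP header with its MUTABLE fields
    zeroed, the AH header with a zero ICV, then the payload. The source and
    destination addresses are not mutable, so they are covered."""
    h = bytearray(ip_hdr)
    h[1] = 0                  # TOS / DSCP
    h[6:8] = b"\x00\x00"      # flags + fragment offset
    h[8] = 0                  # TTL (routers decrement it, so it is excluded)
    h[10:12] = b"\x00\x00"    # header checksum
    return bytes(h) + ah_hdr + payload


def ah_icv(key, ip_hdr, payload, spi=0x100, seq=1):
    # AH header: next header, payload length (32-bit words minus 2), reserved, SPI, seq, ICV
    ah_hdr = struct.pack("!BBHII", TCP_PROTO, 4, 0, spi, seq) + b"\x00" * 12
    mac = hmac.new(key, _ah_covered_bytes(ip_hdr, ah_hdr, payload), hashlib.sha1).digest()
    return mac[:12]           # HMAC-SHA1-96 truncation


def ah_verify(key, ip_hdr, payload, icv):
    return hmac.compare_digest(ah_icv(key, ip_hdr, payload), icv)


def nat_rewrite_src(ip_hdr, new_src):
    """What a NAT does on the way out: replace the private source address."""
    h = bytearray(ip_hdr)
    h[12:16] = IPv4Address(new_src).packed
    return bytes(h)


def router_decrement_ttl(ip_hdr):
    h = bytearray(ip_hdr)
    h[8] -= 1
    return bytes(h)


def toy_esp_encrypt(key, plaintext, nonce=b"\x00" * 8):
    """Stand-in for ESP's block cipher: SHA-256 keystream XOR. Demo only, not secure."""
    blocks = len(plaintext) // 32 + 1
    ks = b"".join(hashlib.sha256(key + nonce + bytes([i])).digest() for i in range(blocks))
    return bytes(a ^ b for a, b in zip(plaintext, ks))


def napt_ports(transport_bytes):
    """A port-translating NAT must read source and destination ports from here."""
    return struct.unpack("!HH", transport_bytes[:4])


def demo():
    key = b"constructed-demo-key"
    # TCP segment stub: src port 1025, dst port 21 (FTP), then some data.
    tcp = struct.pack("!HH", 1025, 21) + b"USER anonymous\r\n"
    hdr = ipv4_header("192.168.0.10", "198.51.100.7", AH_PROTO, 20 + 24 + len(tcp))
    icv = ah_icv(key, hdr, tcp)             # computed by the sending host

    results = {"ah_original": ah_verify(key, hdr, tcp, icv)}
    # A normal router hop changes TTL: still verifies, because TTL is mutable.
    results["ah_after_ttl_decrement"] = ah_verify(key, router_decrement_ttl(hdr), tcp, icv)
    # The NAT rewrites the source address: the ICV no longer matches, receiver drops it.
    results["ah_after_nat"] = ah_verify(key, nat_rewrite_src(hdr, "203.0.113.5"), tcp, icv)

    # Transport-mode ESP: the TCP header is inside the ciphertext, so the NAT cannot
    # find the port to translate (and the TCP checksum, which covers the source
    # address, is hidden from it as well).
    results["esp_ports_readable"] = napt_ports(toy_esp_encrypt(key, tcp)) == (1025, 21)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The gateway-to-gateway case works for the same reason the NAT case fails: if translation is finished before the IPSec gateway computes the ICV or encrypts the payload, nothing on the path between the gateways changes the covered bytes.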