MCSE ISA Server 2000 document - P10 docx


Part II CONFIGURING AND TROUBLESHOOTING ISA SERVER SERVICES
Chapter 8 DIAL-UP CONNECTIONS AND RRAS

MANAGING AND LIMITING ISA DIAL-UP CONNECTIONS

After you configure ISA Server for dial-on-demand connections, you might want to limit ISA Server connections. Remember that you have the same options for controlling these connections as any others. You can restrict users' access to sites, reduce available hours for connection, and so on. Several tips for managing and restricting dial-up connections are shown in Table 8.2.

TABLE 8.2 MANAGING AND RESTRICTING DIAL-UP CONNECTIONS

Desired action: Limit the time a user can use dial out.
How: (Web access) Create a schedule for the time to deny or allow Internet access, then create a site and content rule using that schedule that denies or allows all access to the Internet. (All requests) Use this schedule in a protocol rule that denies access.

Desired action: Prevent unnecessary Internet dial-up.
How: List all internal servers in the Local Domain Table to prevent Internet-based DNS lookups.

Desired action: Limit active caching.
How: Active caching is configured on the Active Caching page of the Cache Configuration properties. If active caching is configured, dial-up occurs when it is necessary to refresh cache content. To reduce the frequency of automatic cache refresh, select Less Frequently (see Figure 8.5).

FIGURE 8.5 Reducing active caching refresh.

TROUBLESHOOTING ISA SERVER DIAL-UP CONNECTIONS

Setup for dial-up connections for ISA Server is fairly simple; nevertheless, problems will occur. Table 8.3 lists some potential trouble spots and what to do about them.

TABLE 8.3 ISA SERVER DIAL-UP CONNECTIONS TROUBLESHOOTING

Problem: The event Dial-on-Demand Failure is recorded in the event log.
Possible cause: The connection could not be created because the line was busy or there is no answer.
Resolution: Determine why there is no answer or if the line was busy and make the necessary changes.

Problem: The event Invalid Dial-On-Demand Credentials is recorded in the event log.
Possible cause: The credentials are not valid.
Resolution: Check the validity of the username and password for the dialed resource. If the dial-up connection is to an ISP, the account to be entered in the dial-up credentials should be this information, not the W2K logon!

Problem: The event Upstream Chaining Credentials is logged.
Possible cause: The credentials are not valid.
Resolution: Check the validity of the username and password for the upstream server; this may be a W2K user account and password.

Problem: No user is requesting Internet access and yet the ISA Server periodically dials out to the Internet.
Possible cause: Active caching is enabled.
Resolution: Active caching attempts to periodically refresh content in the cache. If dial-on-demand has been configured, ISA Server will dial on its own to collect the data. If you do not want it to do so, disable active caching.
Possible cause: A DNS lookup is required to establish whether a request can be granted.
Resolution: If a rule identifies a Web server by IP address, but a client requests the resource by name (or vice versa), ISA Server cannot tell if the request should be granted. It therefore dials out to the Internet for name resolution or reverse lookup and then again qualifies the request.
Possible cause: A requested server is internal but ISA Server cannot resolve the name to an IP address, so it dials out to do a DNS lookup.
Resolution: Configure all internal domains in the Local Domain Table; that way, the ISA Server does not have to dial out to determine that the request is for a local resource.

Problem: Event 14066 Can't read dial-up entry configuration.
Possible cause: The dial-up configuration or the firewall service configuration can't be recognized.
Resolution: Check the dial-up entry configuration.

Problem: Message 14067 Failed to load rasapi32.dll.
Possible cause: Usually a result of incorrect system configuration.
Resolution: Dial manually to check the configuration and then restart the failed service.

Problem: 14136 ISA Server dial-out connection failed.
Resolution: Manually dial the number to be sure it can be reached.

Problem: 14142 Dial-out to the Internet failed.
Possible cause: The dial-up attempt failed, possibly due to authentication.
Resolution: Verify the phone book entry. Verify the authentication settings.

Problem: Dial-up server hangs even when there is no dialing activity.
Possible cause: ISA Server is attempting to send requests for DNS lookup to an external DNS server (even for internal requests).
Resolution: Configure ISA Server to use only internal DNS servers. Configure the DNS server as an ISA Server client. Configure the DNS server to forward unresolved requests to an external DNS server.

Problem: Manual dial out works, but ISA Server dial-out doesn't.
Possible cause: Dial-up entry credentials are not correct.
Resolution: Reconfigure or modify the ISA Server dial-up entry connections.
Possible cause: ISA Server doesn't have permission to use the dial-up connection.
Resolution: Reconfigure the W2K dial-up connection and allow everyone to use the connection.

Problem: Dial-up connection is dropped.
Possible cause: Someone inadvertently disconnected the session.
Resolution: Restart the ISA Server services. This automatically reestablishes the connection.

Problem: Dial-out failed as another connection is already being dialed.
Possible cause: Another service on the computer is using the connection.
Resolution: Wait. ISA tries again after another request is made. Or try restarting services.

ROUTING AND REMOTE ACCESS SERVICE VERSUS ISA SERVER

The Routing and Remote Access Service is a service of Windows 2000 that can be used to establish a Windows 2000 server as a network router, NAT server, demand-dial router, and VPN tunnel endpoint. ISA Server can provide a demand-dial Internet connection, SecureNAT services, and act as a VPN endpoint. Routing rules can be defined that direct requests received by ISA. ISA also provides a way to further control these services through policies.
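Several of the Table 8.3 symptoms show up first in the event log, and the "periodically dials out although no user is requesting access" symptom is a pattern over time rather than a single event. The following Python script is an added example, not code from the book or from ISA Server: it parses a constructed, simplified event-log export (the line layout, the timestamps and the DIALOUT, CREDENTIALS and DIALFAIL tags are made up for the example; the numeric event IDs 14066, 14067, 14136 and 14142 and the event names are the ones the table lists), maps each known event to the table's resolution, and reports dial-outs that recur at a near-constant interval, which the table attributes to active caching or to DNS lookups being sent to the Internet.

```python
"""Triage ISA Server dial-up events against Table 8.3.

Added example, not code from the book or from ISA Server. The log format
below is a constructed, simplified event-log export; the tags DIALOUT,
CREDENTIALS and DIALFAIL are made-up stand-ins for the events the table
names, while 14066/14067/14136/14142 are the event numbers the table lists.
"""
import re
from datetime import datetime, timedelta
from statistics import mean

# Constructed sample: "<date> <time> <source> <event> <message>"
SAMPLE_EVENT_LOG = """\
2001-06-05 02:00:03 ISA 14136 ISA Server dial-out connection failed.
2001-06-05 02:30:01 ISA DIALOUT Dial-out to the Internet initiated.
2001-06-05 03:00:02 ISA DIALOUT Dial-out to the Internet initiated.
2001-06-05 03:30:00 ISA DIALOUT Dial-out to the Internet initiated.
2001-06-05 04:00:01 ISA DIALOUT Dial-out to the Internet initiated.
2001-06-05 08:12:44 ISA 14142 Dial-out to the Internet failed.
2001-06-05 08:12:45 ISA CREDENTIALS Invalid Dial-On-Demand Credentials.
garbage line that does not parse
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) (\S+) (.*)$")

# Resolutions taken from Table 8.3, keyed by the event tag used above.
TABLE_8_3 = {
    "DIALFAIL": "Dial-on-Demand Failure: find out why the line was busy or did not answer.",
    "CREDENTIALS": "Invalid Dial-On-Demand Credentials: check the username and password "
                   "for the dialed resource (the ISP account, not the W2K logon).",
    "14066": "Can't read dial-up entry configuration: check the dial-up entry.",
    "14067": "Failed to load rasapi32.dll: dial manually, then restart the failed service.",
    "14136": "Dial-out connection failed: dial the number manually to confirm it is reachable.",
    "14142": "Dial-out to the Internet failed: verify the phone book entry and "
             "the authentication settings.",
}


def parse_events(text):
    """Parse the export into dicts; lines that do not match the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append({"time": when, "source": m.group(2), "id": m.group(3), "msg": m.group(4)})
    return events


def dialout_period(events, jitter=timedelta(seconds=30), min_count=3):
    """Return the mean gap between dial-outs if they recur at a near-constant
    interval (all gaps within `jitter` of each other), else None. A regular
    cadence with no user behind it is the active-caching / DNS symptom."""
    times = sorted(e["time"] for e in events if e["id"] == "DIALOUT")
    if len(times) < min_count:
        return None
    gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
    if max(gaps) - min(gaps) > jitter.total_seconds():
        return None
    return timedelta(seconds=mean(gaps))


def triage(text):
    """One finding per distinct known event, plus a cadence finding if dial-outs are periodic."""
    events = parse_events(text)
    findings = []
    for event_id in sorted({e["id"] for e in events} & set(TABLE_8_3)):
        findings.append(f"{event_id}: {TABLE_8_3[event_id]}")
    period = dialout_period(events)
    if period is not None:
        findings.append(f"dial-outs recur every {period} with no user request: "
                        "check active caching and whether DNS lookups go to the Internet")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENT_LOG):
        print(finding)
```

Run as-is it prints four findings for the sample: the 14136 and 14142 events, the credentials event, and the half-hourly dial-out cadence. Against a real server you would export the event log in the same shape and adjust LINE_RE to that format; the cadence check allows 30 seconds of jitter because a refresh timer does not fire to the second.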
You should always use the ISA Server components that are present instead of using other Windows 2000 services. Be especially careful that you do not use the Routing and Remote Access services to make end-runs around the ISA Server firewall service. To do so would compromise network security: enabling a Routing and Remote Access router on the ISA Server without enabling packet filtering turns the ISA Server into a router, and all packets are routed between the Internet and your private network. This is not what you purchased ISA Server to do. (You presumably purchased ISA Server to protect your network, not expose it to uncontrolled access.)

To control access, always choose ISA Server when you provide remote access services via the ISA Server computer. Services you may want to provide, and how they can be accomplished, are
• Routing
• Connecting remote clients
• Static routes

Routing

By using the ISA routing rules and packet filters, you can route requests appropriately and protect your network. As an added protection, ISA Server-based routing rules cannot be used unless ISA packet filtering is enabled. Packet filtering on ISA Server drops by default all packets that have not explicitly been allowed by IP packet filters or by access policy or publishing rules. Do not make the mistake of configuring Routing and Remote Access to resolve network access issues. Instead, determine the reason for the problem and resolve it using the ISA Server Management tools.

Checking a box on the General tab of the IP Packet Filters properties page enables packet filtering. (The IP Packet Filters folder can be found at Internet Security and Acceleration Server\Servers and Arrays\name\Access Policy\IP Packet Filters. See Figure 8.6.) Note that packet filtering is not available in cache mode. IP routing is enabled on the same property page. Note that if you uncheck the Enable Packet Filtering box, the Enable IP Routing check box is grayed out (see Figure 8.7).

FIGURE 8.6 Enable packet filtering and routing.
FIGURE 8.7 Protect and preserve: no routing without packet filtering.

NOTE Remember: Create demand-dial connections, routing rules, packet filters, and VPN endpoints using ISA Server.

Connecting Remote Clients

Many employees now work from home, or are frequently on the road. These employees also need access to resources on the corporate private network. In the past, this access was allowed through dial-up connections to a remote access server, perhaps using a Windows NT Remote Access Server. Although it is possible to configure this type of remote access, it is strongly recommended that remote client connections use a VPN connection to the ISA Server. Typical client software (Windows 9x, Windows ME, Windows NT Workstation, and Windows 2000 Professional) includes VPN client capabilities, and ISA Server makes an excellent VPN tunnel endpoint. For more information see Chapter 9, "Virtual Private Networks (VPNs) Access."

Static Routes

Set up and verify routing rules for static IP routes in Routing and Remote Access.

One thing that ISA Server does not do is provide facilities for creating static IP routes (routes that are manually defined rather than automatically created) on the ISA Server. ISA Server does allow the use of routing rules to specify how received requests should be forwarded, that is, to a specific dial-up connection, to all internal destinations, to all external destinations, or to a destination set. Destination sets, which are defined separately from routing rules, can contain IP address ranges.
You can create a destination set and use it in routing rules that specify where requests should be routed. However, these rules determine how internal requests for Web Internet access are routed, or how external requests for hosted servers are routed, and are not useful for simple routing from one IP network to another. If you need to define static routes on the ISA Server, then you must do so using Routing and Remote Access Services or using the route command.

Using static routes is not recommended for large routing environments. However, small, single-path, static internetworks can benefit. A small internetwork is defined as one composed of two to ten networks. Single path means that there is only one path, or route, for packets to take to get from one endpoint to another. Static, of course, means that the network architecture doesn't change over time. Several typical small internetwork scenarios are
• A branch office
• A small business
• A home network

For these small internetworks, you may want to configure static routes on the ISA Server. There are two ways to do so:
• Use RRAS (Step by Step 8.4)
• Use the route command (Step by Step 8.5)

STEP BY STEP 8.4 Create a Static Route Using RRAS

1. Open the Start\Programs\Administrative Tools\Routing and Remote Access console.
2. If RRAS has not been enabled, do so by right-clicking the server icon in the console and selecting Enable Routing and Remote Access Service.
3. Select Routing and Remote Access\name\IP Routing\Static Routes.
4. Right-click Static Routes and click New Static Route.
5. In the Static Route dialog box (see Figure 8.8) enter the Interface, Destination, Network Mask, Gateway, and Metric.

STEP BY STEP 8.5 Create a Route by Using the Route Command

1. Open a command prompt.
2. Type the following command, where network is the network address that you want to route to, subnetmask is the subnet mask of network, and gateway is the IP address of the next-hop network card on the internal network. The -p makes the route persistent (a reboot does not remove the route from the computer's routing table). Figure 8.9 is an example command where the desired effect is to route all traffic to the 192.168.5.0/24 network through the 192.168.6.15 gateway.

    route add -p network mask subnetmask gateway

FIGURE 8.8 Creating a static route.
FIGURE 8.9 Using the route command.

WARNING Don't Do This! If you enable RRAS and set up static routes without enabling packet filtering in ISA Server, you have made ISA Server just another router. You compromise your firewall. IP traffic from the untrusted network, that is, the Internet, flows freely into your private network.

USING RRAS FOR DIAL-ON-DEMAND CONNECTIONS

Set up and troubleshoot dial-up connections and Routing and Remote Access dial-on-demand connections.

While Microsoft recommends that you use ISA Server facilities for configuring dial-on-demand connections, it is also possible to do so using RRAS. Demand-dial connections in RRAS are point-to-point and require the configuration of two routers, one at each location (see Step by Step 8.6).

STEP BY STEP 8.6 Using RRAS to Establish Dial-On-Demand Connections

1. On router 1: Create a demand-dial interface called DDPoint1 that specifies the modem on the router and, for authentication, the username and password of the account created in the other network, DDPoint2.
2. Create a static route that includes the interface name DDPoint1, and the destination network and network mask that match router 2. (Demand-dial connections are point-to-point, so you do not configure the gateway IP.)
3. If this static route is to be used to initiate a demand-dial connection, be sure the box Use This Route to Initiate Demand-Dial Connections is checked (see Figure 8.10).
4. On router 1: Create a Windows 2000 user account using the interface name, that is, DDPoint1. Be sure to clear User Must Change Password at Next Logon and select Password Never Expires.
5. Grant the user DDPoint1 dial-in permissions through the user interface or through remote access policies.
6. On router 2: Create a demand-dial interface (name it DDPoint2) that specifies the modem on that computer and the authentication credentials of DDPoint1.
7. On router 2: Create a static route with the interface DDPoint2, and the destination network and network mask that match router 1.
8. On router 2: Create a Windows 2000 user account using the interface name, that is, DDPoint2. Be sure to clear User Must Change Password at Next Logon and select Password Never Expires.

FIGURE 8.10 Use this route!

EXAM TIP Mixed Signals: While vociferously demanding that ISA Server be used to configure dial-on-demand connections for its clients, Microsoft lists an exam objective that requires knowledge of using RRAS to do this. Part of the confusion here is that ISA Server adds policy management and more flexible protection for these types of connections. The ISA Server packet filters and other security implementations can protect dial-on-demand connections, and access to this feature can be managed by security policy. So you could read this objective as referring to the ISA Server capabilities alone. However, the wise student of Microsoft will be sure he or she clearly understands the capabilities and configuration of the separate service, Routing and Remote Access Service, and how it can coexist with ISA Server.
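Step by Step 8.5 and 8.6 are easy to get subtly wrong: a mask that does not fit the network, a gateway that is not on the named interface's own subnet, a demand-dial route that names a gateway or lacks the initiate flag, and, most often, a dial-out user name that does not match the opposing router's interface name. The following Python script is an added example, not code from the book or from Windows 2000; it renders the route add line from Step by Step 8.5 and checks a two-router demand-dial configuration modelled on Figure 8.11. The StaticRoute, Account and Router classes, the LAN addresses and the passwords are constructed for the example, and which router sits on which network is an assumption.

```python
"""Consistency checks for RRAS static routes and demand-dial pairs.
Added example, not code from the book or from Windows 2000. Classes,
names, passwords and addresses are constructed for the example."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class StaticRoute:
    network: str                    # destination network, e.g. "192.168.5.0"
    mask: str                       # dotted mask, e.g. "255.255.255.0"
    interface: str                  # LAN NIC name or demand-dial interface name
    gateway: Optional[str] = None   # omitted for point-to-point demand-dial routes
    persistent: bool = True         # the -p switch of 'route add'
    initiate_demand_dial: bool = False


@dataclass
class Account:
    name: str
    password: str
    must_change_password: bool = False
    password_never_expires: bool = True


@dataclass
class Router:
    name: str
    lan: dict                       # NIC name -> "address/prefix" (constructed)
    dd_interface: str               # this router's demand-dial interface name
    dd_user: str                    # user name it dials out with
    dd_password: str
    accounts: dict = field(default_factory=dict)   # account name -> Account
    routes: list = field(default_factory=list)
    auth: str = "MS-CHAP v2"


def route_add_command(r: StaticRoute) -> str:
    """Render the Windows 2000 'route add' command for a LAN static route."""
    parts = ["route", "add"] + (["-p"] if r.persistent else []) + [r.network, "mask", r.mask]
    if r.gateway:
        parts.append(r.gateway)
    return " ".join(parts)


def check_route(r: StaticRoute, router: Router) -> list:
    try:
        net = ipaddress.IPv4Network(f"{r.network}/{r.mask}", strict=True)
    except ValueError as exc:       # host bits set, or an unparsable mask
        return [f"{r.network}/{r.mask}: invalid network/mask ({exc})"]
    out = []
    if r.interface == router.dd_interface:
        if r.gateway:
            out.append(f"{net}: demand-dial route must not name a gateway")
        if not r.initiate_demand_dial:
            out.append(f"{net}: 'Use this route to initiate demand-dial connections' not selected")
    elif r.interface not in router.lan:
        out.append(f"{net}: unknown interface {r.interface}")
    elif r.gateway is None:
        out.append(f"{net}: LAN route needs a gateway")
    else:
        subnet = ipaddress.IPv4Interface(router.lan[r.interface]).network
        if ipaddress.IPv4Address(r.gateway) not in subnet:
            out.append(f"{net}: gateway {r.gateway} is not on {r.interface} ({subnet})")
    return out


def check_demand_dial_pair(a: Router, b: Router) -> list:
    """Figure 8.11 rule: each router dials with the user name that equals the OTHER
    router's demand-dial interface name, and that account must exist there."""
    out = []
    for caller, answerer in ((a, b), (b, a)):
        if caller.dd_user != answerer.dd_interface:
            out.append(f"{caller.name} dials as '{caller.dd_user}' but {answerer.name}'s interface is '{answerer.dd_interface}'")
        acct = answerer.accounts.get(caller.dd_user)
        if acct is None:
            out.append(f"{answerer.name} has no account '{caller.dd_user}'")
            continue
        if acct.password != caller.dd_password:
            out.append(f"{answerer.name}: password for '{acct.name}' does not match")
        if acct.must_change_password:
            out.append(f"{answerer.name}: '{acct.name}' must change password at next logon")
        if not acct.password_never_expires:
            out.append(f"{answerer.name}: '{acct.name}' password can expire")
        if answerer.auth == "MS-CHAP v1" and len(acct.password) > 14:
            out.append(f"{answerer.name}: MS-CHAP v1 with a password over 14 characters")
    if a.auth != b.auth:
        out.append(f"no common authentication method ({a.auth} vs {b.auth})")
    for router in (a, b):
        for route in router.routes:
            out += [f"{router.name}: {f}" for f in check_route(route, router)]
    return out


def figure_8_11_scenario():
    """Constructed two-router setup following Figure 8.11 (LAN assignment assumed)."""
    point1 = Router("Point 1", {"LAN": "192.168.5.50/24"}, "DDPoint1", "DDPoint2", "p2-dial-pw",
                    accounts={"DDPoint1": Account("DDPoint1", "p1-dial-pw")},
                    routes=[StaticRoute("192.168.4.0", "255.255.255.0", "DDPoint1",
                                        initiate_demand_dial=True)])
    point2 = Router("Point 2", {"LAN": "192.168.4.50/24"}, "DDPoint2", "DDPoint1", "p1-dial-pw",
                    accounts={"DDPoint2": Account("DDPoint2", "p2-dial-pw")},
                    routes=[StaticRoute("192.168.5.0", "255.255.255.0", "DDPoint2",
                                        initiate_demand_dial=True)])
    return point1, point2
```

check_demand_dial_pair(*figure_8_11_scenario()) returns an empty list for the consistent setup; change Point 1's dd_user to Point2, or give the DDPoint2 account a different password, and the corresponding findings appear. The same route check covers the book's LAN example: a route to 192.168.5.0/24 through 192.168.6.15 passes only on a router that actually has an interface on 192.168.6.0/24.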
Figure 8.11 illustrates the configuration described in Step by Step 8.6.

FIGURE 8.11 RRAS demand-dial scenario. Point 1 (phone number RB945) and Point 2 (phone number BR459) on the 192.168.4.0 and 192.168.5.0 networks (router addresses 192.168.4.50 and 192.168.5.50). One router: static route to network 192.168.4.0 over interface DDPoint1; demand-dial interface named DDPoint1, user DDPoint2, phone number RB459. The other router: static route to network 192.168.5.0 over interface DDPoint2; demand-dial interface named DDPoint2, user DDPoint1, phone number RB945.

EXAM TIP What's In a Name? In order for demand-dial routing to work, the username created must match exactly the demand-dial interface name on the opposing router. Examine Figure 8.11 to see how this might be configured correctly. This issue, the matching of username to demand-dial interface, is critical.

Troubleshooting Common RRAS Problems

Configuring RRAS demand-dial connections can be irksome. Creating static routes might be confusing as well. Some of the most common problems and likely answers can be found in Table 8.4.

TABLE 8.4 TROUBLESHOOTING COMMON RRAS PROBLEMS

1. Problem: A demand-dial connection occurs, but clients cannot reach locations behind the router.

Likely cause: IP routing is not enabled.
Solution: Enable it on the IP properties page of the router.

Likely cause: No facility has been made for giving the incoming client an IP address on the local network.
Solution: Add DHCP or assignment from a static address pool on the router (properties page of the router).

Likely cause: The incoming call is interpreted as a router versus a remote access client.
Solution: The user credentials must match the demand-dial interface.

Likely cause: The correct demand-dial interface for the protocol being routed has not been added.
Solution: Add the correct interface for the protocol being used.

Likely cause: Routes do not exist on the routers to support this. (No default route is created by a demand-dial connection.)
Solution: Add static routes.
Likely cause: Packet filters are preventing traffic flow.
Solution: Verify that the connection should occur, then correct the packet filters.

Likely cause: Static routes on the router are not configured correctly.
Solution: Correct the static routes.

Likely cause: No routes in the intranet routers of the networks.
Solution: Add routes to the intranet routers.

2. Problem: Demand-dial connection is not automatically made.

Likely cause: IP routing is not enabled.
Solution: Enable it on the IP properties page of the router.

Likely cause: Demand-dial interface is disabled.
Solution: To enable, right-click Routing and Remote Access\name\Routing Interface\name of demand dial interface\ and select "Enable."

Likely cause: Static route does not have correct interface information in it.
Solution: Reconfigure the static route.

Likely cause: "Use this route to initiate demand-dial connections" is not selected in the static route.
Solution: Select it.

Likely cause: Dial-out hours prevent the connection from initiating.
Solution: Dial-out hours are configured by right-clicking the demand-dial interface.

3. Problem: Cannot make a demand-dial connection.

Likely cause: Routing and Remote Access Service is not started on the calling router.
Solution: Check services on both routers to be sure they are started.

Likely cause: The router is in an unreachable state.
Solution: If the RRAS service is started and the connection cannot be completed, the router is said to be in an unreachable state. To check the unreachable state, right-click the demand-dial interface and click Unreachability Reason.

Likely cause: Dial-up ports are not enabled for inbound/outbound demand-dial connections.
Solution: Enable dial-up ports in the Routing and Remote Access\name\Ports\Properties\Devices\Configure Device dialog box.

Likely cause: All ports available for demand-dial are already being used.
Solution: Wait, or configure and enable more ports.

Likely cause: Routers do not share a common authentication method.
Solution: Check routing policies and add a common authentication method.

Likely cause: Routing is not enabled on the routers.
Solution: Enable routing.

Likely cause: Remote access policy settings for the demand-dial account are in conflict with the policy on the router.
Solution: Change policies to match.

Likely cause: The user account used by the demand-dial interface requires "User must change password at next logon."
Solution: Clear this check box.

Likely cause: The user account password has expired.
Solution: Set the account password to never expire, and follow a regular manual schedule to update passwords.

Likely cause: The user account password does not match.
Solution: Obtain the correct password and modify the demand-dial configuration.

Likely cause: Not enough addresses are in the static address pool, or the DHCP server has no free IP addresses to lease.
Solution: Wait until an address becomes free or modify the configuration so that more addresses are available.

Likely cause: If Active Directory accounts are used for authentication: the answering router cannot contact the Active Directory.
Solution: Be sure Active Directory is available to the router.

Likely cause: If certificates are used for authentication, the router is not correctly configured.
Solution: Configure the router to use certificates.

Likely cause: MS-CHAP v1 is used and the password is over 14 characters.
Solution: Reduce the length of the password or use MS-CHAP v2.

[...]

...the ISA Servers in the array. You must, therefore, have permissions on all of the servers in the array. You must
• Be a local administrator on every ISA Server in the array
• Be able to access and launch Distributed Component Object Model (DCOM) on every ISA Server in the array
Two methods for remote administration exist:
• Install the ISA Management console on another system and connect to the ISA Server(s)...
[...]

Terminal Services to Manage ISA Server

To use terminal services to manage ISA Server:
• The terminal services client must be installed on the client computer
• Terminal server services must be installed on the ISA Server computer
• You must be a member of the Administrators group on the ISA Server computer

[...]

REMOTE ADMINISTRATION

It's not always possible or practical to sit at every ISA Server console in order to administer the server. If you are on the private network side of the ISA Server, you should not experience problems. Connection from the public side of the ISA Server is not recommended. While remotely managing an ISA Server or array, you may generate reports. However, you must have the appropriate...

[...]

...Routing and Remote Access services on the ISA Server, this may be just what has happened. It is possible to misconfigure the server so that it now acts as a router, not a firewall. See the section, "Routing and Remote Access Server vs ISA Server."

2. A, B, C. If the dial-up configuration is incorrect, that is, directing ISA Server to dial nonexistent devices, for example, and ISA is attempting to register some change...

[...]

...credentials without using the ISA Server.

3. Configure the ISA Server to dial on demand when requests for Internet services are received. Configure a client machine to act as the requesting client. Any system with IE installed is okay. (You are just going to try to browse the Internet through your ISA Server.)

4. Be sure the client is on the same network as the internal NIC of the ISA Server and does not have an...

[...]

APPLY YOUR KNOWLEDGE

5. Routing and Remote Access Services have been installed on both sides of a dial-up connection between two offices of the same company. The ISA Server in New York is configured to use the ISA Server in Boston as its upstream server. Connection cannot...

[...]

...using ISA Server as a firewall and asks you to test the newly configured ISA Server at a branch location. He wants to know if it is truly working as advertised. You attempt to penetrate the private network and are successful. When you check the ISA Server configuration, it appears that it is correctly configured and should have blocked your access. Your next step is
A. Tell the CTO he needs to rethink ISA Server...

[...]

...some alternative path around the firewall.

2. The dial-up ISA Server periodically hangs, even though no one is attempting Internet access. Check all the possible reasons for this problem.
A. The dial-up configuration is incorrect.
B. The ISA Server is accessing the Internet for DNS lookup for all clients.
C. The modem on the ISA Server has stopped working.
D. ISA Server routinely checks to see if it is connected with...

[...]

...Configuration."

2. If active caching is enabled, the ISA Server will periodically make requests in order to refresh the cache. If DNS is not configured correctly, ISA Server may be making DNS lookup requests on the Internet unnecessarily. See the section, "Troubleshooting ISA Server Dial-up Connections."

3. Establish Internet access at corporate headquarters. Install ISA Server at corporate headquarters and at each...

[...]

...the ISA Server Management Console.
2. Right-click Internet Security and Acceleration Server.
3. Click Connect To.
4. If you want to manage a standalone ISA Server, click Connect to This Standalone Server.
5. If you want to manage an enterprise or an array, click Connect to Enterprise and Arrays.
6. Type the name of the computer to administer (see Figure 8.12).

FIGURE 8.12 Connecting to remotely manage ISA Server(s).

Posted: 24/12/2013, 19:15
