Chapter 11, Using the Remote Access Service
Chapter 11, Lesson 1
Introducing the Remote Access Service
1. Overview of Remote Access
|1| A. In Windows 2000 RAS, there are two forms of remote access:
1. Point-to-point remote access
connectivity. Remote access clients are connected to the remote access
server’s resources only.
2. Point-to-local area network (LAN) remote access
connectivity. Remote access clients are connected to the RAS server’s
resources and the resources of the network to which the server is connected.
|2| B. A Windows 2000 RAS server provides two remote access connection
methods:
1. Dial-in remote access. A remote access client
uses the telecommunications infrastructure to create a temporary physical
circuit to a port on a remote access server.
2. Virtual
private network (VPN) remote access. A client uses an Internet Protocol (IP)
internetwork (typically the Internet) to create a virtual point-to-point
connection with a remote access server acting as the VPN server.
C. Dial-in remote access connections
|3| 1. Consist of a remote access client, a
remote access server, and a wide area network (WAN) infrastructure
a. The connection between the server and the
client is facilitated by dial-in equipment installed at the two sites and by
the telecommunications network.
2. The most common type of WAN connection
used by RAS is the Public Switched Telephone Network (PSTN), also known as
Plain Old Telephone Service (POTS).
|4| a. Dial-in equipment consists of analog
modems for the remote access client and the remote access server.
(1) For large organizations, the remote access
server is attached to a modem array that can contain dozens or hundreds of
modems, each of which can service a different client.
b. Because PSTN was not designed for data
transmissions, the maximum bit rate that a PSTN connection can support is
limited.
(1) With analog modems at both ends of the
connection, the maximum bit rate supported is 33.6 Kbps.
(2) 56-Kbps modems require a digital connection
on the server side and can achieve higher transmission speeds for traffic from
the server to the client.
(3) Client-to-server traffic is still limited
to 33.6 Kbps.
3. Integrated Services Digital Network
(ISDN) is another form of dial-up connection that provides greater transmission
speeds and an all-digital connection.
a. The standard ISDN installation in the United States
is called the Basic Rate Interface (BRI), which consists of two 64-Kbps B
channels and one 16-Kbps D channel.
(1) This combination is sometimes called 2B+D.
(2) The D channel is used exclusively for
control traffic.
(3) It is possible to combine the two B
channels into one 128‑Kbps data pipe or to use them separately with
different devices.
b. Unlike most other high-speed WAN
technologies, ISDN is a dial-up service that enables you to connect to
different destinations as needed.
c. ISDN has not achieved great popularity
because of its relatively high cost-per-megabit of transmission speed and its
relatively difficult installation.
D. Remote access protocols
1. Remote access protocols control the
establishment of connections and the transmission of data over the WAN links
connecting RAS clients and servers.
2. In nearly all cases, RAS connections use
the Point-to-Point Protocol (PPP) for WAN communications because PPP includes
mechanisms that provide security and support for multiple protocols at the
network layer.
3. After the WAN connection is established
between the RAS client and server, the client can use PPP to access server
resources.
2. Remote Access Security Features
A. User authentication
1. The most basic form of security for any
network connection is authentication, which is the exchange and verification of
credentials that identify the user to the network.
|5| 2. To prevent credentials from being
intercepted by third parties, Windows 2000 RAS supports a variety of
authentication protocols, including the following:
a. Password Authentication Protocol (PAP). An unsecured authentication
protocol, meaning that it transmits the user’s credentials in clear text
(1) PAP typically is used only when the RAS
client and server have no other authentication protocols in common.
b. Shiva Password Authentication Protocol
(SPAP). A variant of PAP
designed for use with Shiva remote networking products (now owned by Intel)
c. Challenge Handshake Authentication
Protocol (CHAP). An authentication
protocol that uses the Message Digest 5 (MD5) hashing algorithm to protect the
authentication information, sending a hash of it rather than the information itself
(1) Because CHAP never transmits passwords in
clear text, the credentials remain secure during the authentication process.
d. Microsoft Challenge Handshake
Authentication Protocol (MS‑CHAP) version 1 and version 2. An extension of the CHAP
authentication protocol that provides greater security and support for Windows
authentication information
e. Extensible Authentication Protocol
(EAP). A protocol that enables
RAS clients and servers to negotiate the use of any authentication mechanism
that the two have in common
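The difference between PAP and CHAP described above, shown on the wire. This is an added example, not code from the course outline or from Windows 2000 RAS: it builds a PAP Authenticate-Request beside a CHAP challenge/response exchange (RFC 1994 layout), so you can see that PAP carries the password itself while CHAP carries only an MD5 digest bound to a server-chosen challenge. The user name, password and challenge values are constructed.

```python
"""PAP beside CHAP (RFC 1994): what crosses the dial-in link in each case.

Added example; not code from the course outline or from Windows 2000 RAS.
The user name, password and challenge values are constructed.
"""
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional

PAP_AUTHENTICATE_REQUEST = 1
CHAP_CHALLENGE, CHAP_RESPONSE = 1, 2


def pap_authenticate_request(identifier: int, peer_id: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request: Code, Identifier, Length, then peer-id and
    password, each length-prefixed. The password travels in clear text."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack(">BBH", PAP_AUTHENTICATE_REQUEST, identifier, 4 + len(body)) + body


def chap_hash(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """MD5 over Identifier || secret || challenge. Only this digest is sent,
    and it is bound to a challenge the server chose, so it cannot be replayed."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_packet(code: int, identifier: int, value: bytes, name: bytes) -> bytes:
    """Challenge and Response share one layout: Code, Identifier, Length,
    Value-Size, Value, Name."""
    body = bytes([len(value)]) + value + name
    return struct.pack(">BBH", code, identifier, 4 + len(body)) + body


def parse_chap_packet(packet: bytes) -> Dict[str, object]:
    code, identifier, length = struct.unpack(">BBH", packet[:4])
    value_size = packet[4]
    return {"code": code, "identifier": identifier,
            "value": packet[5:5 + value_size], "name": packet[5 + value_size:length]}


class ChapServer:
    """RAS-side state: each user's stored secret and the challenges still open."""

    def __init__(self, users: Dict[bytes, bytes]):
        self.users = users                 # name -> secret (constructed user database)
        self.outstanding: Dict[int, bytes] = {}

    def challenge(self, identifier: int, value: Optional[bytes] = None) -> bytes:
        value = value if value is not None else os.urandom(16)
        self.outstanding[identifier] = value
        return chap_packet(CHAP_CHALLENGE, identifier, value, b"ras-server")

    def verify(self, response_packet: bytes) -> bool:
        resp = parse_chap_packet(response_packet)
        if resp["code"] != CHAP_RESPONSE:
            return False
        challenge = self.outstanding.pop(resp["identifier"], None)   # one use only
        secret = self.users.get(resp["name"])
        if challenge is None or secret is None:
            return False
        expected = chap_hash(resp["identifier"], secret, challenge)
        return hmac.compare_digest(expected, resp["value"])


def chap_client_respond(challenge_packet: bytes, name: bytes, secret: bytes) -> bytes:
    """Client side: hash its secret against the received challenge and reply."""
    chal = parse_chap_packet(challenge_packet)
    digest = chap_hash(chal["identifier"], secret, chal["value"])
    return chap_packet(CHAP_RESPONSE, chal["identifier"], digest, name)


if __name__ == "__main__":
    pw = b"constructed-password"
    print("PAP carries the password:", pw in pap_authenticate_request(1, b"alice", pw))
    srv = ChapServer({b"alice": pw})
    reply = chap_client_respond(srv.challenge(7), b"alice", pw)
    print("CHAP carries the password:", pw in reply, "| accepted:", srv.verify(reply))
```

The server discards a challenge as soon as one response against it has been checked, which is what makes a captured CHAP response useless against the next login; PAP has no equivalent, so anyone who can read the link learns the password directly.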
B. Mutual authentication
1. Mutual authentication is obtained by
authenticating both ends of the connection through the exchange of encrypted
user credentials.
a. This is possible through the use of PPP
with MS-CHAP version 2 or PPP with EAP-Transport
Layer Security (TLS).
2. During the mutual authentication
procedure, the remote access client authenticates itself to the RAS server, and
then the RAS server authenticates itself to the remote access client.
C. Data encryption
1. Data encryption encodes the data sent
between the remote access client and the RAS server.
a. Remote access data encryption provides
protection only on the WAN link between the RAS client and server.
b. If end-to-end encryption is needed, such
as between a RAS client and another computer on the server network, you can use
the IP Security (IPsec) extensions instead.
2. Data encryption on a remote access
connection is based on a secret encryption key known to the RAS server and the
client.
D. Callback
1. With callback, the remote client dials in
to the RAS server, authenticates itself, and then severs the connection.
a. The server then calls the client back and
reestablishes the connection.
2. You can configure the server to call the
client back at a preset number or at a number specified by the client during
the initial call.
E. Caller ID
1. RAS can use caller ID to verify that a
call from a client is coming from a specified phone number.
a. If the caller ID number of the incoming
connection for that user does not match the configured caller ID, the
connection is denied.
F. Remote access account lockout
1. This feature specifies how many failed
remote access authentication attempts a user is permitted before the server
denies remote access.
G. Access control
1. You can configure individual Windows 2000
user accounts to permit or deny remote network access.
2. You can create remote access policies to
control whether remote users can access a server, based on a variety of
criteria.
3. Installing a Remote Access Server
|6| A. To configure RRAS as a remote access server:
1. Click Start, and then from the
Administrative Tools program group, open the Routing And Remote Access console.
2. Select the icon for your server in the
scope pane, and then select Configure And Enable Routing And Remote Access from
the Action menu to start the Routing And Remote Access Server Setup Wizard.
3. Click Next to bypass the Welcome page and
proceed to the Common Configurations page.
4. Select Remote Access Server, and then
click Next to proceed to the Remote Client Protocols page.
5. If you see in the Protocols list all the
protocols you want your remote access clients to be able to use, click Next to
proceed to the IP Address Assignment page.
6. If you want the server to assign
addresses on its own or to use Dynamic Host Configuration Protocol (DHCP) to
assign addresses, select Automatically, and then click Next to proceed to the
Managing Multiple Remote Access Servers page.
7. Select No, I Don’t Want To Set Up This
Server To Use RADIUS Now, and then click Next to proceed to the Completing The
Routing And Remote Access Server Setup Wizard page.
8. Click Finish to complete the
configuration process.
Chapter 11, Lesson 2
Configuring a Remote Access Server
1. Configuring RAS Server Properties
A. Configuring general options
1. You can use the General tab of the
Properties dialog box to activate and deactivate the RAS function of the server
and control its routing functions.
a. The Remote Access Server check box is
enabled by default, indicating that RRAS is currently functioning as a RAS
server.
b. You can disable all RAS functionality by
clearing the Remote Access Server check box, which does not affect any of the
server’s other configuration parameters.
2. You can also enable or disable the RRAS
routing functions in the General tab.
B. Configuring security options
1. You can use the Security tab in the
Properties dialog box to specify the types of authentication you want the RAS
server to use.
C. Configuring PPP options
1. You can use the PPP tab in the server’s
Properties dialog box to configure the PPP features that are available to your
RAS users.
a. The settings in this tab are global; they
affect all RAS users.
b. If you want to configure these options for
specific users, you can use remote access policies to do so.
2. Options in the PPP tab
a. Multilink connections. A RRAS feature that makes it
possible to combine the bandwidth of two or more dial-up connections into a
single link
b. Link Control Protocol (LCP) Extensions. A protocol used by PPP to
negotiate the parameters of a connection between two systems
c. Software Compression. Enables the use of the Microsoft
Point-to-Point Compression (MPPC) protocol, which compresses the data
transmitted over remote access connections
D. Configuring network layer protocol options
1. Configuring IP options
a. The Enable IP Routing check box, which is
enabled by default, lets remote access clients reach resources on the network
beyond the RAS server, with the RRAS computer acting as a router for their traffic.
b. The Allow IP-Based Remote Access And
Demand-Dial Connections check box controls IP connectivity for remote access
users.
c. The IP Address Assignment box is where
you specify how RAS clients will receive IP addresses from the server, either
through DHCP address assignments or a static address pool.
2. Configuring IPX options
a. The Allow IPX-Based Remote Access And
Demand-Dial Connections check box enables clients to use the Internetwork Packet Exchange (IPX) protocol to connect to
the RAS server.
b. The Enable Network Access For Remote
Clients And Demand-Dial Connections check box specifies whether RRAS should
function as an IPX router.
3. Configuring NetBEUI options
a. The NetBEUI tab specifies whether clients
can
(1) Use the NetBIOS Extended User Interface (NetBEUI) protocol to connect to the RAS server
(2) Access the entire network or just the RAS server
4. The AppleTalk tab has only one check
box—Enables AppleTalk Remote Access—that lets you enable or disable client
access over the AppleTalk protocol.
2. Allowing Inbound Connections
|7| A. When you configure RRAS to function as a RAS server, the
Routing And Remote Access Server Setup Wizard automatically creates
1. Five Point-to-Point Tunneling Protocol
(PPTP) ports
2. Five Layer 2 Tunneling Protocol (L2TP)
ports
3. A parallel port
4. A port entry for each modem, if any
modems are installed in the computer when the wizard runs
B. To configure the individual ports in a RAS server:
1. Select the Ports icon, and then select
Properties from the Action menu to display the Ports Properties dialog box.
2. Select one of the devices in the list,
and then click Configure to display a Configure Device dialog box.
3. For each device, you can specify the
following:
a. Whether to permit only inbound calls, or
both inbound and outbound calls
b. The device’s phone number, which the
server uses as the Called Station ID during remote access policy evaluations
c. The number of ports supported by the
connected device if it has multiport capabilities
3. Using Multilink
A. Multilink is a technique that enables a RAS client to connect
to a RAS server by using multiple communications links, which combine their
bandwidth into a single, logical data pipe.
1. To use this technique, both the RAS
client and the RAS server must support multilink (as the Windows 2000 client
and server do).
B. Multilink is based on an extension to LCP, which PPP uses to
negotiate the type of connection that will be established between two
computers.
C. The computer initiating the connection includes an LCP option
that indicates the following:
1. That the computer can combine multiple
physical links into one logical link
2. That the computer can receive upper-layer
data packets that have been fragmented using a special multilink header defined
in the standard
3. That the computer can receive packets of
a size specified in the option (which might be larger than the maximum receive
unit for one of the physical links)
D. After the two computers have successfully negotiated the use of
multilink, they are free to transmit packets that have been encapsulated with
the multilink header.
4. Using RRAS with DHCP
A. When a Routing and Remote Access address pool is configured to
use DHCP, no DHCP packets go over the wire to the clients.
1. RRAS uses DHCP to lease addresses in
blocks of 10, stores them in the registry, and allocates them to clients as
needed.
Chapter 11, Lesson 3
Managing Remote Access Security
1. Configuring Authentication
A. The authentication protocols you select for use with RAS
determine how passwords are stored and transmitted over the network.
B. To select the authentication protocols
your RAS server should use, open the server’s Properties dialog box, and then
select the Security tab.
1. In the Authentication Provider selector,
you specify whether you want Windows itself to provide authentication services
for RAS or use a Remote Authentication Dial-In User Service (RADIUS) server for
authentication.
|8| 2. RADIUS
a. Provides centralized authentication,
authorization, and accounting services for remote access networking
b. Used primarily by Internet service
providers (ISPs) and other organizations that maintain large numbers of RAS
servers
c. Using a central RADIUS server lets users
access any one of your RAS servers without requiring you to create individual
accounts for every user on each server.
d. Remote access servers, such as a Windows
2000 RAS server, function as RADIUS clients, sending their user and connection
information to a RADIUS server, which authenticates the users.
e. Windows 2000 Server includes a RADIUS
server implementation called Internet Authentication Service (IAS).
3. When you select the RADIUS Authentication
option, the Configure button is activated and the RADIUS Authentication dialog
box opens.
a. In this dialog box, you specify the RADIUS
servers you want RAS to use and other connection properties.
(1) No further authentication configuration is
needed in RAS.
|9| 4. When you select the Windows
Authentication option, you click the Authentication Methods button to open the
Authentication Methods dialog box and then select one of the following
authentication protocols for Windows to use:
a. Extensible Authentication Protocol
(EAP). An open-ended system
that enables RAS to use third-party authentication protocols, as well as those
supplied with Windows 2000
b. Microsoft Encrypted Authentication
Version 2 (MS-CHAP v2). The simplest and most
secure option to use when your clients are running Windows 2000
c. Microsoft Encrypted Authentication
(MS-CHAP). Windows 2000 RAS
includes support for MS-CHAP v1 so that Windows computers using LAN Manager
authentication (such as Microsoft Windows 95 and Microsoft Windows NT 3.51) can
connect to the server.
d. Encrypted Authentication (CHAP). CHAP is a serviceable
authentication protocol for clients that do not support MS-CHAP.
e. Shiva Password Authentication Protocol
(SPAP). SPAP is not a
particularly secure authentication protocol; use it only when it is required to
support Shiva products.
f. Unencrypted Password (PAP). PAP transmits passwords in clear
text, which provides virtually no security against intruders, but it is better
than no password at all.
g. Allow Remote Systems To Connect Without
Authentication. Windows 2000 RAS
provides this option to enable connections to the server with no authentication
at all.
5. After you have selected the
authentication protocols you want to use, click OK twice to close the
Authentication Methods and Properties dialog boxes.
2. Controlling User Access
A. Managing user account dial-in properties
1. Each user account on a stand-alone
Windows 2000 server or in the Active Directory database contains a set of
dial-in properties that a RAS server uses when allowing or denying a connection
attempt made by a user.
a. For a stand-alone server, you set the
dial-in properties in the Dial-In tab of the user account’s Properties dialog
box, which you open from the Local Users And Groups snap-in.
b. On an Active Directory network, you set
the dial-in properties using the Active Directory Users And Computers console.
|10| 2. Dial-In tab options
a. Remote Access Permission (Dial-In Or
VPN). You use this property to
specify whether remote access should be explicitly allowed, explicitly denied,
or determined by remote access policies.
b. Verify Caller ID. If this check box is selected,
the server uses caller ID to verify the caller’s phone number.
(1) If the caller’s phone number does not match
the configured phone number, the connection attempt is denied.
c. Callback Options. If this property is enabled, the
server calls the client back during the connection establishment process at a
telephone number specified by the caller or preset by the network
administrator.
d. Assign A Static IP Address. If this check box is selected,
you can supply a specific IP address that the RAS server will assign to the
user during the connection establishment process.
e. Apply Static Routes. If this check box is selected,
you can define a series of static IP routes that are added to the routing table
of the remote access server when a connection is made.
(1) This setting is designed for accounts that
Windows 2000 routers use for demand-dial routing.
B. Using remote access policies
|11| 1. A remote access policy is
a. A set of conditions that determines which
users can connect to a remote access server
b. A series of connection parameters that
define the characteristics of the incoming connection
2. You can use remote access policies to
impose parameters such as maximum session time, idle disconnect time, required
secure authentication methods, and required encryption.
3. By creating multiple remote access
policies, you can apply different sets of conditions to different remote access
clients.
4. To control user access with remote access
policies, you must first open the Properties dialog box for each RAS user’s
account and, in the Dial-In tab, select the Control Access Through Remote
Access Policy option.
a. You then define the new remote access
policies that allow or deny access to the RAS server, based on your needs.
5. You create and configure remote access
policies in the Remote Access Policy node of the Routing And Remote Access
console.
a. One policy always appears by default:
Allow Access If Dial-In Permission Is Enabled.
(1) This policy gives RAS users default access
to the server.
|12| 6. To create a new remote access policy:
a. Click Start, and then from the
Administrative Tools program group, open the Routing And Remote Access console.
b. Select the Remote Access Policies node,
and then select New Remote Access Policy from the Action menu to display the
Add Remote Access Policy Wizard.
c. In the Policy Friendly Name text box,
type the name by which the policy will be listed in the Routing And Remote
Access console, and then click Next to proceed to the Conditions page.
d. Click Add to add a condition.
(1) The Select Attribute dialog box opens.
e. Select one of the entries from the
Attribute Types list, and then click Add to open a new dialog box containing
controls that are specific to the attribute type you selected.
|13| f. Configure the selected attribute in its
dialog box, and then click OK.
g. Repeat steps d–f (steps 4–6 in Slides 12
and 13) to create additional conditions, if desired, and then click Next to
display the Permissions page.
h. Select the appropriate option to specify
whether you want to use the policy to grant or deny remote access permission,
and then click Next to display the User Profile page.
i. If desired, click Edit Profile to modify
the dial-in profile for the users that match the conditions you specified.
j. Click Finish to create the remote access
policy.
7. When you have multiple remote access
policies, the server evaluates each user by comparing it to each policy in
turn, based on the order of the numbers appearing in the list of policies.
a. A connection can be denied by any policy
in the list when the user fails to meet its criteria.
b. You can modify the order of the list by
selecting a policy and then selecting Move Up or Move Down from the Action
menu.
8. When a user attempts to connect to the
server, RAS accepts or rejects the connection attempt using the following logic
(policy evaluation order):
a. Check the first policy in the ordered list
of remote access policies.
(1) If no policies are in the list, reject the
connection attempt.
b. If the conditions of the policy do not all
match the connection attempt, go to the next policy.
(1) If there are no more policies, reject the
connection attempt.
c. If all the conditions of the policy match
the connection attempt, check the remote access permission setting for the user
attempting the connection.
(1) If Deny Access is selected, reject the
connection attempt.
(2) If Allow Access is selected, apply the user
account properties and profile properties.
(a) If the connection attempt does not match
the settings of the user account and profile properties, reject the connection
attempt.
(b) If the connection attempt matches the
settings of the user account and profile properties, accept the connection
attempt.
(3) If Control Access Through Remote Access
Policy is selected, check the remote access permission setting of the policy.
(a) If Deny Remote Access Permission is
selected, reject the connection attempt.
(b) If Grant Remote Access Permission is
selected, apply the user account properties and profile properties.
(c) If the connection attempt does not match
the settings of the user account properties and profile properties, reject the
connection attempt.
(d) If the connection attempt matches the
settings of the user account properties and profile properties, accept the
connection attempt.
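The evaluation order in step 8, modelled as a small decision procedure. This is an added example, not code from the course outline or from Windows 2000; it exists to make one consequence of the ordering visible: the first policy whose conditions all match decides the outcome, so a user who matches a granting policy but fails its profile is rejected outright rather than falling through to a later policy. The attribute names, the "VPN users" policy, the dial-in profile contents and the sample accounts are constructed; the default policy name comes from the outline, but its conditions and permission setting are an assumption made here.

```python
"""Remote access policy evaluation order, modelled step by step.

Added example; not code from the course outline or from Windows 2000.
Attribute names, the "VPN users" policy, the dial-in profile contents
and the sample accounts are constructed for the demonstration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# The three Remote Access Permission settings in the Dial-In tab
DENY_ACCESS = "Deny Access"
ALLOW_ACCESS = "Allow Access"
CONTROL_THROUGH_POLICY = "Control Access Through Remote Access Policy"


def satisfies(constraints: Dict[str, object], attempt: Dict[str, object]) -> bool:
    """True when every constraint holds; a set value means 'any of these'."""
    for attr, allowed in constraints.items():
        if not isinstance(allowed, (set, frozenset)):
            allowed = {allowed}
        if attempt.get(attr) not in allowed:
            return False
    return True


@dataclass
class RemoteAccessPolicy:
    name: str
    conditions: Dict[str, object]          # all must match for the policy to apply
    grant: bool                            # Grant (True) or Deny Remote Access Permission
    profile: Dict[str, object] = field(default_factory=dict)   # dial-in profile constraints


@dataclass
class UserAccount:
    name: str
    permission: str                        # one of the three settings above
    properties: Dict[str, object] = field(default_factory=dict)  # e.g. Verify Caller ID


def evaluate(policies: List[RemoteAccessPolicy], account: UserAccount,
             attempt: Dict[str, object]) -> Tuple[bool, str]:
    """Return (accepted, reason), walking the ordered policy list as the text describes."""
    if account.permission not in (DENY_ACCESS, ALLOW_ACCESS, CONTROL_THROUGH_POLICY):
        raise ValueError("unknown remote access permission: %r" % account.permission)
    if not policies:
        return False, "rejected: no remote access policies are defined"
    for policy in policies:
        if not satisfies(policy.conditions, attempt):
            continue                       # conditions do not all match: next policy
        # The first policy whose conditions all match decides the outcome;
        # later policies are not consulted, even if this one rejects.
        if account.permission == DENY_ACCESS:
            return False, "rejected by %s: account is set to Deny Access" % policy.name
        if account.permission == CONTROL_THROUGH_POLICY and not policy.grant:
            return False, "rejected by %s: policy denies remote access permission" % policy.name
        # Allow Access on the account, or the policy grants: apply account and profile properties
        if not satisfies(account.properties, attempt):
            return False, "rejected by %s: attempt does not match account properties" % policy.name
        if not satisfies(policy.profile, attempt):
            return False, "rejected by %s: attempt does not match dial-in profile" % policy.name
        return True, "accepted by %s" % policy.name
    return False, "rejected: no policy matched the connection attempt"


def sample_policies() -> List[RemoteAccessPolicy]:
    """Constructed policy list, in evaluation order."""
    return [
        RemoteAccessPolicy("VPN users", conditions={"port_type": "VPN"}, grant=True,
                           profile={"auth": {"MS-CHAP v2", "EAP-TLS"}, "encryption": "required"}),
        # The default policy named in the text. Its conditions and permission are an
        # assumption made here: it matches any attempt and denies permission, so only
        # accounts set to Allow Access get in through it.
        RemoteAccessPolicy("Allow Access If Dial-In Permission Is Enabled",
                           conditions={}, grant=False),
    ]


if __name__ == "__main__":
    alice = UserAccount("alice", CONTROL_THROUGH_POLICY)
    for auth in ("MS-CHAP v2", "PAP"):
        print(auth, evaluate(sample_policies(), alice,
                             {"port_type": "VPN", "auth": auth, "encryption": "required"}))
```

Note the PAP case: the VPN policy's conditions match, the policy grants, and the profile then rejects; the default policy further down the list never gets a look, which is exactly the behaviour of step 7a above.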
C. Defining a remote access profile
1. A remote access profile is a group of
connection configuration settings, associated with a remote access policy, that
the RAS server applies to all users who meet the policy restrictions.
2. You can edit the remote access profile
associated with a new policy by selecting an entry in the Remote Access
Policies list, selecting Properties from the Action menu, and then clicking
Edit Profile in the policy’s Properties dialog box to open the Edit Dial-In
Profile dialog box.
|14| 3. The Edit Dial-In Profile dialog box
contains six tabs:
a. Dial-In Constraints. Contains controls that set
limits on the time of day the user can connect to the server and the time the
user can remain connected
b. IP. Contains controls that specify whether the server or the client should
supply the client’s IP address
(1) Also enables you to create incoming and
outgoing packet filters
c. Multilink. Contains controls that enable
you to control whether the connected client uses multilink and, if so, how many
ports the client is permitted to use
d. Authentication. Enables you to specify the
authentication protocols that RAS should support for this particular connection
e. Encryption. Enables you to specify the types
of encryption that the RAS server should support for this connection
f. Advanced. Enables you to define dozens of
additional parameters that enable the RAS server to interact with a RADIUS
server on the network
Chapter 11, Lesson 4
Virtual Private Networking
1. Implementing a VPN
|15| A. Virtual private networking provides users with a relatively low-cost
method of connecting to a network at a remote location.
1. VPNs enable users working at home or on
the road to connect securely to a remote corporate server using the routing
infrastructure provided by a public internetwork such as the Internet.
2. From the user’s perspective, the VPN is a
point-to-point connection between the user’s computer and a corporate server.
3. The nature of the intermediate
internetwork (also called the transit internetwork) is irrelevant because it
appears as if the data is being sent over a dedicated private link.
4. A VPN enables both the client and server
computers to connect to the Internet using a local ISP, which keeps the
telephone charges to a minimum.
B. Tunneling basics
|16| 1. Tunneling, also known as encapsulation,
is a method of using an internetwork infrastructure to transfer a payload.
a. The payload might be the frames (or
packets) generated by another protocol, such as PPP, or even a LAN protocol,
such as Ethernet.
2. Instead of transmitting the frame as produced
by the originating node, the frame is encapsulated with an additional header
generated by a tunneling protocol.
a. The additional header provides routing
information so that the encapsulated payload can traverse the intermediate
internetwork.
3. The encapsulated packets are then routed
between the tunnel endpoints over the transit internetwork.
a. The original frame produced by the sending
computer passes through the tunnel without being accessed or modified in any
way so that the information inside remains intact.
b. The tunneling protocol also encrypts the
original frame.
4. After the encapsulated frames reach their
destination on the transit internetwork, the frame is de-encapsulated and
forwarded to its final destination.
C. Tunnel maintenance and data transfer
|17| 1. Tunneling protocols are responsible for
two primary functions in a VPN:
a. Tunnel maintenance, which is the process
of creating and managing the tunnel through the transit internetwork
b. Data transfer, which is the transmission
of encapsulated data through the tunnel
2. The collective functionality of a tunnel
maintenance protocol and a tunnel data transfer protocol is known as a
tunneling protocol.
a. For a tunnel to be established, both the
tunnel client and the tunnel server must be using the same tunneling protocol.
b. The two most popular tunneling protocols
used in VPNs are PPTP and L2TP.
c. A tunnel maintenance protocol is the
mechanism that VPN computers use to manage the tunnel.
3. Data transferred through the tunnel is
typically sent by a datagram-based protocol such as the User Datagram Protocol
(UDP) when L2TP is used, and a modified Generic Routing Encapsulation (GRE)
protocol with PPTP.
a. In some cases, the tunneling protocols use
a separate protocol, such as the Transmission Control Protocol (TCP), for
tunnel management.
4. Before they transfer any application
data, a VPN client and server must create a tunnel.
a. The tunnel client initiates this process,
and the tunnel server at the other end receives the connection request.
b. To create the tunnel, the two computers
perform a connection establishment process similar to that used for a PPP
connection.
c. The tunnel server requests that the
tunnel client authenticate itself.
(1) Once validated by the tunnel server, the
connection is granted and the tunnel is formed; data transfer through the
tunnel can then begin.
5. A tunnel data transfer protocol
encapsulates the data to be transferred through the tunnel.
a. When the VPN client sends a payload to the
server, the client adds a tunnel data transfer protocol header to the payload.
b. The resulting encapsulated payload is
transmitted across the transit internetwork and routed to the server.
c. The server at the other end of the tunnel
accepts the packets, removes the tunnel data transfer protocol header, and
forwards the payload to the private network destination.
6. For some tunneling technologies, such as
PPTP and L2TP, once the tunnel has been created it must be maintained.
a. Each end of the tunnel must be aware of
the status of the other end in case of a connection fault.
b. Tunnel maintenance is typically performed
through a keep-alive process that periodically polls the other end of the
tunnel when no data is being transferred.
c. Certain tunneling technologies also allow
either end of the tunnel to gracefully terminate the tunnel through an exchange
of tunnel termination messages.
D. Point-to-Point Tunneling Protocol
1. PPTP is an extension of PPP that
encapsulates PPP frames into IP datagrams for transmission over an IP
internetwork such as the Internet.
2. PPTP uses a TCP connection for tunnel
maintenance and modified GRE‑encapsulated PPP frames for tunneled data.
a. The payloads of the encapsulated PPP frames
can be encrypted and compressed.
3. PPTP tunnels are authenticated using the
same authentication mechanisms as PPP connections, such as PAP, CHAP, MS-CHAP,
or EAP.
a. PPTP also inherits encryption and
compression of PPP payloads from PPP.
4. In Windows 2000, PPP encryption can be
used only when the authentication protocol is EAP-TLS or MS-CHAP.
5. PPP encryption provides confidentiality
between the endpoints of the tunnel only.
a. If stronger security or end-to-end
security is needed, IPsec is the preferred tunneling protocol.
|18| 6. Slide 18 shows a fully constructed PPTP
packet, with the original application data encrypted and encapsulated by PPP
and then the PPP frame encapsulated in turn by the GRE and IP headers.
a. The IP datagram is then packaged for
transmission over the transit internetwork inside another data-link layer
frame.
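The layering that Slide 18 describes, built and taken apart in code. This is an added example, not code from the course outline or from Windows 2000: it wraps a PPP frame in the enhanced GRE header of RFC 2637 (the "modified GRE" of the text) and an outer IPv4 header, then peels the layers back off while checking the IP checksum, the GRE protocol type and the payload length. The addresses, call ID and payload bytes are constructed, and the payload stands in for data that MPPE would have encrypted in a real session; encryption itself is not modelled.

```python
"""Layering of a PPTP data packet (IP | enhanced GRE | PPP | payload).

Added example; not code from the course outline or from Windows 2000.
The GRE layout follows RFC 2637; addresses, call ID and payload are constructed.
"""
import struct
from ipaddress import IPv4Address

IP_PROTO_GRE = 47          # IP protocol number carried in the outer IP header
GRE_PROTO_PPP = 0x880B     # enhanced-GRE protocol type for PPP (RFC 2637)
PPP_PROTO_IP = 0x0021      # PPP protocol field for an IP payload
GRE_FLAG_K, GRE_FLAG_S, GRE_FLAG_A = 0x20, 0x10, 0x80


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words; returns 0 for a valid header."""
    total = sum(struct.unpack(">%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    hdr = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                      proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack(">H", ipv4_checksum(hdr)) + hdr[12:]


def build_gre_header(call_id: int, payload_len: int, seq: int) -> bytes:
    """Enhanced GRE: K and S set, version 1, protocol 0x880B,
    Key = payload length (16 bits) + call ID (16 bits), then a sequence number."""
    return struct.pack(">BBHHHI", GRE_FLAG_K | GRE_FLAG_S, 0x01,
                       GRE_PROTO_PPP, payload_len, call_id, seq)


def build_ppp_frame(protocol: int, payload: bytes) -> bytes:
    """PPP address (0xFF), control (0x03), protocol, then the payload."""
    return struct.pack(">BBH", 0xFF, 0x03, protocol) + payload


def pptp_encapsulate(ppp_frame: bytes, src: str, dst: str, call_id: int, seq: int) -> bytes:
    gre = build_gre_header(call_id, len(ppp_frame), seq)
    ip = build_ipv4_header(src, dst, IP_PROTO_GRE, len(gre) + len(ppp_frame))
    return ip + gre + ppp_frame


def pptp_decapsulate(packet: bytes) -> dict:
    """Peel the layers off again; raise ValueError on anything malformed."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header or checksum")
    if packet[9] != IP_PROTO_GRE:
        raise ValueError("outer IP protocol is not GRE")
    flags, ver, proto, plen, call_id, seq = struct.unpack(">BBHHHI", packet[ihl:ihl + 12])
    if proto != GRE_PROTO_PPP or not (flags & GRE_FLAG_K and flags & GRE_FLAG_S):
        raise ValueError("not a PPTP data packet")
    gre_len = 12 + (4 if ver & GRE_FLAG_A else 0)     # ack number present when A is set
    ppp = packet[ihl + gre_len: ihl + gre_len + plen]
    if len(ppp) != plen:
        raise ValueError("GRE payload length does not match packet")
    return {"src": str(IPv4Address(packet[12:16])), "dst": str(IPv4Address(packet[16:20])),
            "call_id": call_id, "seq": seq, "ppp_frame": ppp,
            "layers": [("IP header", ihl), ("GRE header", gre_len),
                       ("PPP header", 4), ("payload", plen - 4)]}


if __name__ == "__main__":
    frame = build_ppp_frame(PPP_PROTO_IP, b"constructed application data")
    pkt = pptp_encapsulate(frame, "203.0.113.10", "198.51.100.1", call_id=7, seq=1)
    for name, size in pptp_decapsulate(pkt)["layers"]:
        print("%-10s %3d bytes" % (name, size))
```

The round trip shows the point the outline makes about tunnelling: the PPP frame that comes out is byte-for-byte the one that went in, and the 32 bytes of IP and GRE headers that carried it across the transit internetwork are discarded at the tunnel server.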
E. Layer 2 Tunneling Protocol
1. L2TP is a hybrid of the best features of
PPTP and Layer 2 Forwarding (L2F), a technology developed by Cisco Corporation.
2. L2TP is a network protocol that
encapsulates PPP frames to be sent over IP, X.25, frame relay, or Asynchronous
Transfer Mode (ATM) networks.
3. L2TP uses UDP and a series of L2TP
messages for tunnel maintenance.
a. L2TP also uses UDP to send L2TP-encapsulated
PPP frames as the tunneled data.
b. The payloads of encapsulated PPP frames
can be both encrypted and compressed.
4. Windows 2000 uses IPsec to encrypt the
data inside L2TP packets instead of using PPP encryption.
|19| 5. Slide 19 shows an L2TP packet prepared to
be sent using IPsec authentication and encryption settings over a
point-to-point WAN connection, such as a dial-in line.
6. Creation of L2TP tunnels must be
authenticated using the same authentication mechanisms as PPP connections (PAP,
CHAP, MS‑CHAP, or EAP).
7. L2TP inherits PPP compression but not
encryption because PPP encryption does not meet the security requirements of
L2TP.
a. IPsec provides data encryption for L2TP.
F. PPTP versus L2TP
1. Both PPTP and L2TP use PPP for
point-to-point WAN connections to provide an initial envelope for the data and
then to append additional headers for transport through the transit
internetwork.
|20| 2. Differences between PPTP and L2TP
a. PPTP requires the transit internetwork to
use IP; L2TP requires only that the tunnel medium provide packet-oriented
point-to-point connectivity.
b. L2TP provides header compression
capability.
(1) When header compression is enabled, L2TP
operates with four bytes of overhead, compared to six bytes for PPTP.
c. L2TP provides tunnel authentication; PPTP
does not.
d. PPTP uses PPP encryption; L2TP does not.
(1) The Windows 2000 L2TP implementation requires
IPsec for encryption.
G. IPsec
1. IPsec, a layer 3 tunneling protocol, is a
series of standards that support the secured transfer of information across an
IP internetwork.
2. The IPsec Encapsulating Security Payload (ESP) protocol, when running in Tunnel mode,
supports the encapsulation and encryption of entire IP datagrams for secure
transfer across a private or public IP internetwork.
3. With IPsec in Tunnel mode, a complete IP
datagram is encapsulated and encrypted with ESP.
a. The result is then encapsulated—using a
plain text IP header—and transmitted over the transit internetwork.
H. IP-IP
1. IP-in-IP, or IP-IP, is a simple network
layer tunneling technique.
a. IP-IP creates a virtual network by
encapsulating an IP packet with an additional IP header.
2. The primary use of IP-IP is for tunneling
multicast traffic over sections of a network that do not support multicast
routing.
3. The IP-IP packet structure consists of
the outer IP header, the tunnel header, the inner IP header, and the IP
payload.
a. The IP payload includes everything
normally included in an IP datagram.
(1) This could be a TCP, UDP, or Internet
Control Message Protocol (ICMP) header, plus application layer data.
4. A limited form of tunnel maintenance is
achieved using standard ICMP messages, which enable the tunnel to do tunnel
maximum transmission unit (MTU) discovery and detect congestion and routing
failures.
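The encapsulations described in sections D through H can be told apart on the wire by the header fields they leave in the clear. The following Python script is an added example, not part of the original course material: it builds constructed sample packets for each encapsulation and classifies them from the outer IPv4 header (protocol 47 GRE with PPP protocol type 0x880B for PPTP, UDP port 1701 for L2TP, protocol 50 for IPsec ESP, protocol 4 for IP-IP). All addresses, tunnel and session IDs and the ESP SPI are constructed values. Because Windows 2000 protects L2TP with IPsec, L2TP/IPsec traffic appears on the wire as ESP; UDP 1701 is visible only for unprotected L2TP or after ESP decryption.

```python
"""Identify the tunnel encapsulations from this lesson in raw IPv4 packets (added example)."""
import socket
import struct

IPPROTO_IPIP, IPPROTO_UDP, IPPROTO_GRE, IPPROTO_ESP = 4, 17, 47, 50
L2TP_UDP_PORT = 1701            # L2TP control and data messages travel over UDP 1701
GRE_PROTO_PPP = 0x880B          # protocol type PPTP places in its GRE header


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (returns 0 for a valid header)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Prepend a minimal 20-byte IPv4 header (no options) to payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def parse_ipv4(pkt: bytes) -> tuple:
    """Return (proto, src, dst, payload); raise ValueError if the header is malformed."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl or ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header length or checksum")
    total_len = struct.unpack("!H", pkt[2:4])[0]
    return pkt[9], socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), pkt[ihl:total_len]


def classify(pkt: bytes) -> dict:
    """Map an outer IPv4 packet to the encapsulation it carries, with the visible header fields."""
    proto, src, dst, body = parse_ipv4(pkt)
    info = {"outer_src": src, "outer_dst": dst, "tunnel": "none"}
    if proto == IPPROTO_GRE and len(body) >= 4:
        flags, ptype = struct.unpack("!HH", body[:4])
        # PPTP data packets use GRE version 1 carrying protocol type 0x880B (PPP)
        if (flags & 0x0007) == 1 and ptype == GRE_PROTO_PPP:
            # optional GRE fields: K (key) 0x2000, S (sequence) 0x1000, A (ack) 0x0080
            off = 4 + (4 if flags & 0x2000 else 0) + (4 if flags & 0x1000 else 0) + (4 if flags & 0x0080 else 0)
            info.update(tunnel="PPTP", ppp_len=len(body) - off)
    elif proto == IPPROTO_UDP and len(body) >= 8:
        sport, dport = struct.unpack("!HH", body[:4])
        if L2TP_UDP_PORT in (sport, dport) and len(body) >= 16:
            flags = struct.unpack("!H", body[8:10])[0]
            if (flags & 0x000F) == 2:                      # L2TP version 2
                off = 10 + (2 if flags & 0x4000 else 0)    # L bit: length field present
                tid, sid = struct.unpack("!HH", body[off:off + 4])
                info.update(tunnel="L2TP", control=bool(flags & 0x8000), tunnel_id=tid, session_id=sid)
    elif proto == IPPROTO_ESP and len(body) >= 8:
        spi, seq = struct.unpack("!II", body[:8])
        # everything after the ESP header is encrypted, so classification stops here
        info.update(tunnel="IPsec ESP", spi=spi, seq=seq)
    elif proto == IPPROTO_IPIP:
        iproto, isrc, idst, _ = parse_ipv4(body)
        info.update(tunnel="IP-IP", inner_src=isrc, inner_dst=idst, inner_proto=iproto)
    return info


def sample_packets() -> dict:
    """Constructed sample packets (not captured traffic), one per encapsulation."""
    ppp = b"\xff\x03\x00\x21" + bytes(20)      # PPP address/control, protocol 0x0021 (IP), dummy payload
    pptp = build_ipv4("203.0.113.5", "198.51.100.1", IPPROTO_GRE,
                      struct.pack("!HHHHI", 0x3001, GRE_PROTO_PPP, len(ppp), 1, 0) + ppp)
    l2tp_hdr = struct.pack("!HHH", 0x0002, 7, 3)   # data message, tunnel 7, session 3
    udp_hdr = struct.pack("!HHHH", L2TP_UDP_PORT, L2TP_UDP_PORT, 8 + len(l2tp_hdr) + len(ppp), 0)
    l2tp = build_ipv4("203.0.113.5", "198.51.100.1", IPPROTO_UDP, udp_hdr + l2tp_hdr + ppp)
    esp = build_ipv4("203.0.113.5", "198.51.100.1", IPPROTO_ESP,
                     struct.pack("!II", 0x1000ABCD, 1) + b"\xaa" * 16)
    inner = build_ipv4("192.168.1.10", "224.0.0.9", IPPROTO_UDP, bytes(8))   # multicast inside IP-IP
    ipip = build_ipv4("10.0.0.1", "10.0.0.2", IPPROTO_IPIP, inner)
    return {"pptp": pptp, "l2tp": l2tp, "esp": esp, "ipip": ipip}


if __name__ == "__main__":
    for name, pkt in sample_packets().items():
        print(name, classify(pkt))
```

The classifier deliberately stops at the ESP header: with IPsec in Tunnel mode the inner IP datagram is encrypted, so only the outer addresses, the SPI and the sequence number are available to a monitoring point, which is the observable difference between IPsec and the PPTP, L2TP and IP-IP encapsulations whose inner headers remain readable.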
2. Integrating a VPN in a Routed Environment
|21| A. In
some corporate internetworks (as shown on Slide 21), the data of a particular
department (such as the accounting or human resources department) is so
sensitive that the department’s LAN is physically disconnected from the rest of
the corporate internetwork.
1. Although physically disconnecting the LAN
protects the department’s data, it creates information accessibility problems
for users who are not physically connected to that LAN.
B. VPNs enable the department’s LAN to be physically connected to
the corporate internetwork but separated by a VPN server.
1. In the figure shown on Slide 22, the VPN
server is not acting as a router between the corporate internetwork and the
department LAN.
2. Users on the corporate internetwork who
have the appropriate credentials can establish a VPN with the VPN server and
access the protected resources of the department.
3. All communication across the VPN can be
encrypted for data confidentiality.
C. Integrating VPN servers with the Internet
1. Rather than having remote users make
long-distance calls to a corporate or outsourced RAS server, the users call
their local ISP.
|22| 2. Using the connection to the ISP, a VPN is
created between the dial-in user and the corporate VPN server across the
Internet, as shown on Slide 22.
|23| 3. To connect to a network over the
Internet, you have two options, as shown on Slide 23:
a. Branch office using dedicated lines. Rather than using conventional
methods such as frame relay, both the branch office and the corporate hub
routers are connected to the Internet using a local dedicated circuit and local
ISP.
(1) The local ISP connections are used to
create a VPN between the branch office router and corporate hub router.
b. Branch office using a dial-in line. Rather
than make a long-distance call to a RAS server, the router at the branch office
calls its local ISP.
(1) From the connection to the local ISP, a VPN
is created between the branch office router and the corporate hub router.
4. For VPN connections to be reliably
available, the corporate router acting as a VPN server must use a dedicated
line to connect to a local ISP.
3. Managing Virtual Private Networking
A. Managing users
1. Most administrators set up a master
account database in the Active Directory service or on a RADIUS server.
2. As with RAS, this database enables the
VPN server to send the authentication credentials to a central authenticating
device.
a. The same user account is used for both
dial-in remote access and VPN-based remote access.
B. Managing addresses and name servers
1. Like RAS, the VPN server must have IP
addresses available to assign to the VPN server’s virtual interface and to
VPN clients during the IP Control Protocol (IPCP) negotiation phase of the
connection process.
a. By default, the IP addresses assigned to
VPN clients by Windows 2000–based VPN servers are obtained through DHCP.
b. You can also configure a static IP address
pool for address assignments.
2. You must also configure the VPN server
with the addresses of name resolution servers, such as Domain Name System (DNS)
and Windows Internet Name Service (WINS) server addresses, to assign to the VPN
client during IPCP negotiation.
C. Managing access
1. In Windows 2000, you configure the
dial-in properties on user accounts and remote access policies to manage access
for both dial-in networking and VPN connections.
a. If you are managing remote access on a
per-user basis, select the Allow Access option in the Dial-In tab of the
user’s Properties dialog box for each user account that is allowed to create
VPN connections.
b. If you are managing remote access on a
group basis, select the Control Access Through Remote Access Policy option on
all user accounts.
(1) Create a Windows 2000 group with members
who are allowed to create VPN connections.
(2) If the VPN server allows only VPN
connections, delete the default Allow Access If Dial-In Permission Is Enabled
remote access policy.
(3) Create a new policy with a descriptive name
such as VPN Access If Member Of VPN-Allowed Group, and then configure the
policy to allow access to members of the appropriate group.
(4) If the VPN server also allows dial-in
networking remote access services, do not delete the default policy; instead,
move it so that it is the last policy to be evaluated.
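As an added illustration of the evaluation order behind steps (2) through (4), not part of the original course material, the following Python model applies the Windows 2000 rules: policies are tried in order, the first policy whose conditions all match decides, a per-user Allow Access or Deny Access setting overrides that policy's own permission, and a connection that matches no policy is rejected. The user accounts, group name and NAS-Port-Type values are constructed, and profile constraints (which can still reject a matched connection) are not modeled.

```python
"""Model of Windows 2000 remote access policy evaluation (added example)."""
from dataclasses import dataclass
from typing import Optional

# The three per-user settings from the account's Dial-In tab
ALLOW = "Allow Access"
DENY = "Deny Access"
VIA_POLICY = "Control Access Through Remote Access Policy"


@dataclass(frozen=True)
class User:
    name: str
    dial_in: str                          # ALLOW, DENY or VIA_POLICY
    groups: frozenset = frozenset()


@dataclass(frozen=True)
class Policy:
    name: str
    grant: bool                           # the policy's own remote access permission
    member_of: Optional[str] = None       # Windows-Groups condition (None = no condition)
    port_type: Optional[str] = None       # NAS-Port-Type condition (None = no condition)

    def matches(self, user: User, port_type: str) -> bool:
        """All conditions must hold; a policy with no conditions matches every attempt."""
        if self.member_of is not None and self.member_of not in user.groups:
            return False
        if self.port_type is not None and self.port_type != port_type:
            return False
        return True


def evaluate(user: User, port_type: str, policies: list) -> tuple:
    """Return (granted, deciding policy name).

    Policies are tried in list order and the first match decides. A per-user
    Allow/Deny overrides the policy's permission; with Control Access Through
    Remote Access Policy the policy's permission applies. No match: rejected.
    """
    for policy in policies:
        if not policy.matches(user, port_type):
            continue
        if user.dial_in == DENY:
            return False, policy.name
        if user.dial_in == ALLOW:
            return True, policy.name
        return policy.grant, policy.name
    return False, "no matching policy"


# The default policy has no conditions and denies; users set to Allow Access
# still get in because the per-user setting overrides the policy permission.
DEFAULT_POLICY = Policy("Allow Access If Dial-In Permission Is Enabled", grant=False)
VPN_POLICY = Policy("VPN Access If Member Of VPN-Allowed Group", grant=True,
                    member_of="VPN-Allowed", port_type="Virtual (VPN)")

# Constructed sample accounts (not from any real directory)
ALICE = User("alice", VIA_POLICY, frozenset({"VPN-Allowed"}))   # group-managed, in the VPN group
BOB = User("bob", VIA_POLICY)                                   # group-managed, not in the group
CAROL = User("carol", ALLOW)                                    # managed per user, dial-in only


def ordering_comparison() -> dict:
    """Show why the default policy must be evaluated last when it is kept."""
    default_first = [DEFAULT_POLICY, VPN_POLICY]
    default_last = [VPN_POLICY, DEFAULT_POLICY]
    return {
        "alice_default_first": evaluate(ALICE, "Virtual (VPN)", default_first)[0],  # False: default matched first
        "alice_default_last": evaluate(ALICE, "Virtual (VPN)", default_last)[0],    # True
        "bob_default_last": evaluate(BOB, "Virtual (VPN)", default_last)[0],        # False
        "alice_vpn_only": evaluate(ALICE, "Virtual (VPN)", [VPN_POLICY])[0],        # True: default deleted
        "bob_vpn_only": evaluate(BOB, "Virtual (VPN)", [VPN_POLICY])[0],            # False: no policy matches
        "carol_dial_in": evaluate(CAROL, "Async (Modem)", default_last)[0],         # True: default policy, Allow Access
    }


if __name__ == "__main__":
    for case, granted in ordering_comparison().items():
        print(case, "granted" if granted else "rejected")
```

With the default policy first, a VPN-group member set to Control Access Through Remote Access Policy is rejected because the conditionless default policy matches every attempt and its permission is Deny; with the default policy last, the VPN policy matches first for group members, while dial-in users managed per user still reach the default policy and get in on their Allow Access setting.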