Chapter 10, Routing and Remote Access Service
Chapter 10, Lesson 1
Introduction to Routing and Remote Access Service
1. Microsoft Windows 2000 Routing and Remote
Access Service
|1| A. Overview of Routing and Remote Access Service (RRAS)
1. When RRAS was implemented in Microsoft
Windows NT 4.0, it added support for a number of features.
a. RIP version 2 for IP (RIP for IP version 1
is still supported.)
b. Open Shortest Path First (OSPF) routing
protocol for IP
c. Demand-dial routing (routing over persistent
or on-demand wide area network [WAN] links such as analog phone lines)
d. Internet Control Message Protocol (ICMP)
router discovery
e. Remote Authentication Dial-In User Service
(RADIUS) client to benefit from the services provided by a RADIUS server
f. RADIUS server for providing centralized
authentication, authorization, accounting, and remote access policy to dial-up
and virtual private network (VPN) remote access clients (included with the
Windows NT 4.0 Option Pack)
g. IP and IPX packet filtering for
protocol-level security
h. A graphical user interface (GUI)
administrative program called Routing and RAS Admin and a command-line utility
called Routemon
2. Windows 2000 builds on RRAS in
Windows NT 4.0 and adds a number of new features.
a. Internet Group Management Protocol (IGMP)
and support for multicast boundaries
b. Network address translation with
addressing and name resolution components that simplify the connection of a
small office/home office (SOHO) network to the
Internet
c. Integrated AppleTalk routing
d. Layer 2 Tunneling Protocol (L2TP) over IP
Security (IPSec) support for VPN connections
e. Improved administration and management
tools. The graphical user interface program is the Routing and Remote Access
snap-in. The command-line utility is netsh (Net Shell)
f. Improved IAS
3. RRAS is fully integrated with Windows
2000 Server.
4. RRAS is extensible with application
programming interfaces (APIs) that third-party developers can use to create
custom networking solutions and that vendors can use to participate in
internetworking.
5. The combined features of Windows 2000
RRAS allow a Windows 2000 Server computer to function as a multiprotocol
router, a demand-dial router, and a remote access server.
a. An RRAS computer can route IP, IPX, and
AppleTalk simultaneously.
b. An RRAS computer can route IP and IPX over
on-demand or persistent WAN links or over VPN connections by using either
Point-to-Point Tunneling Protocol (PPTP) or L2TP over IPSec.
c. An RRAS computer can act as a remote
access server providing remote access connectivity to dial-up or VPN remote
access clients that use IP, IPX, AppleTalk, or NetBEUI.
|2| B. Combining Routing and Remote Access Service
1. Routing services and remote access
services have been combined because of Point-to-Point Protocol (PPP), which is
the protocol suite that is commonly used to negotiate point-to-point
connections.
2. Demand-dial routing connections also use
PPP to provide the same kinds of services as remote access connections.
3. The PPP infrastructure of Windows 2000
Server supports several types of access.
a. Dial-up remote access as either the client
or server
b. VPN remote access as either the client or
server
c. On-demand or persistent dial-up
demand-dial routing as either the calling router or the answering router
d. On-demand or persistent VPN demand-dial
routing as either the calling router or the answering router
|3| C. Installation and Configuration
1. Windows 2000 RRAS is automatically
installed in a disabled state.
2. You can use the Routing and Remote Access
snap-in to enable and configure RRAS.
3. Each computer on the intranet served by
the RRAS server should use a private IP address from one of the RFC 1918 ranges
(10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16); this matters most when the RRAS
server performs network address translation for the intranet.
|4| D. Disabling RRAS
1. You can use the Routing and Remote Access
snap-in to disable RRAS.
2. You can refresh the RRAS configuration by
first disabling the service and then enabling it.
|5| 2. Authentication and Authorization
A. The distinction between authentication and
authorization is important.
1. Authentication is the verification of the
credentials of the connection attempt.
2. Authorization is the verification that
the connection attempt is allowed.
B. For a connection attempt to be accepted,
the connection must be both authenticated and authorized.
C. Types of authentication
1. If the remote access server is configured
for Windows authentication, Windows 2000 security verifies the authentication
and authorization.
2. If the remote access server is configured
for RADIUS authentication, the credentials of the connection attempt are passed
to the RADIUS server for authentication and authorization.
D. You can configure the authentication
provider on the Security tab of the properties of a remote access router in the
Routing and Remote Access snap-in.
Chapter 10, Lesson 2
Features of the Routing and Remote Access Service
|6| 1. Unicast IP Support
A. Windows 2000 provides extensive support
for unicast IP routing.
B. In unicasting, a packet is addressed to and
delivered to a single destination host, as in an ordinary two-way, point-to-point
exchange between two computers.
C. Routing and Remote Access Service includes
a number of features to support unicast IP routing.
1. Static IP routing
2. RIP versions 1 and 2
3. OSPF
4. DHCP Relay Agent
5. Network address translation (NAT)
6. IP packet filtering
7. ICMP router discovery
|7| 2. Multicast IP Support
A. Windows 2000 supports the sending,
receiving, and forwarding of IP multicast traffic.
B. Multicast traffic is sent once to a single
group address but is delivered to, and processed by, every host that has joined
that group and is listening for it.
C. Routing and Remote Access Service includes
a number of features to support multicast IP routing.
1. Multicast forwarding
2. IGMP versions 1 and 2
3. Specific forwarding and routing
4. Multicast boundaries
|8| 3. IPX Support
A. The Windows 2000 Server router is a fully
functional IPX router.
B. Routing and Remote Access Service includes
a number of features to support IPX routing.
1. IPX packet filtering
2. RIP for IPX
3. SAP for IPX
4. NetBIOS over IPX
|9| 4. AppleTalk
A. Windows 2000 RRAS can operate as an
AppleTalk router by forwarding AppleTalk packets and supporting the use of
RTMP.
B. Most large AppleTalk networks are
AppleTalk internets that are connected by routers.
C. A Windows 2000–based server can provide
routing and seed routing support.
|10| 5. Demand-Dial Routing
A. Windows 2000 provides support for
demand-dial routing.
B. IP and IPX can be forwarded over
demand-dial interfaces over persistent or on-demand WAN links.
|11| 6. Remote
Access
A. RRAS enables a computer to be a remote
access server.
B. RRAS accepts remote access connections
from remote access clients that use traditional dial-up technologies.
|12| 7. VPN Server
A. RRAS enables a computer to be a VPN
server.
B. RRAS supports PPTP and L2TP over IPSec.
|13| 8. RADIUS
Client-Server
A. IAS is the Microsoft implementation of a
RADIUS server.
B. RADIUS is a client-server protocol that
enables RADIUS clients to submit authentication and accounting requests.
C. The RADIUS server has access to user
account information and can check remote access authentication credentials.
D. RADIUS supports remote access user
authentication and authorization and allows accounting data to be maintained in
a central location.
|14| 9. SNMP MIB Support
A. RRAS provides Simple Network Management
Protocol (SNMP) agent functionality with support for Internet MIB II.
B. RRAS includes support for additional MIB
enhancements beyond Internet MIB II.
1. IP Forwarding Table MIB
2. Microsoft RIP version 2 for Internet
Protocol MIB
3. Wellfleet-Series7-MIB for OSPF
4. Microsoft BOOTP for Internet Protocol MIB
5. Microsoft IPX MIB
6. Microsoft RIP and SAP for IPX MIB
7. Internet Group Management Protocol MIB
8. IP Multicast Routing MIB
C. MIB support is also provided for Windows
2000 functions, legacy LAN Manager MIB functions, and the WINS, DHCP, and IIS
services.
|15| 10. API Support for Third-Party Components
A. RRAS has fully published API sets for
unicast and multicast routing protocol and administration utility support.
B. Developers can write additional routing
protocols and interfaces directly into RRAS architecture.
Chapter 10, Lesson 3
Remote Access
|16| 1. Overview of Remote Access
A. Remote access clients are either connected
to only the remote access server’s resources, or they are connected to the RAS
server’s resources and beyond.
B. A Windows 2000 remote access server
provides two remote access connection methods.
1. With dial-up remote access, a remote
access client uses the telecommunications infrastructure to create a temporary
physical circuit or a virtual circuit to a port on a remote access server.
2. With VPN network remote access, a VPN
client uses an IP internetwork to create a virtual point-to-point connection
with a RAS server acting as the VPN server.
|17| 2. Dial-Up Remote Access Connections
|18| A. Remote
access client
1. A number of remote access clients can
connect to a Windows 2000 remote access server.
a. Windows 2000
b. Windows NT 3.51 or later
c. Windows 98
d. Windows 95
e. Windows for Workgroups
f. MS‑DOS
g. Microsoft LAN Manager
2. Almost any third-party PPP remote access
clients can connect to a Windows 2000 remote access server.
3. The Microsoft remote access client can
dial into a Serial Line Internet Protocol (SLIP) server.
|19| B. Remote
access service server
1. The remote access server accepts dial-up
connections.
2. The remote access server forwards packets
between remote access clients and the network to which the remote access server
is attached.
|20| C. Dial-up
equipment and WAN infrastructure
|21| 1. Public Switched Telephone Network (PSTN)
a. PSTN is an analog telephone system
designed to carry the minimum frequencies to distinguish human voices.
b. The maximum bit rate that a PSTN
connection can support is limited.
|22| 2. Digital links and V.90
a. The maximum bit rate of the PSTN is a
function of the range of frequencies passed by the PSTN switches and the
signal-to-noise ratio of the connection.
b. When a RAS server is connected through a
digital switch based on T-Carrier or Integrated Services Digital Network (ISDN)
rather than an analog PSTN switch, there is no analog-to-digital conversion
when the remote access server sends information to the remote access client.
c. With V.90, remote access clients can send
data at 33.6 Kbps and receive data at 56 Kbps.
d. Specific conditions must be met to obtain
V.90 speeds.
(1) The remote access client must be using a
V.90 modem.
(2) The RAS server must be using a V.90 digital
switch and must be using a digital link, such as T-Carrier or ISDN, to connect
to the PSTN.
(3) There cannot be any analog-to-digital
conversions in the path from the RAS server to the remote access client.
|23| 3. Integrated Services Digital Network
a. ISDN is a set of international
specifications for digital replacement of the PSTN.
b. ISDN provides a single digital network to
handle voice, data, fax, and other services over existing local loop wiring.
|24| 4. X.25
a. X.25 is an international standard for
sending data across public packet switching networks.
b. Windows 2000 remote access supports X.25
in two ways.
(1) The remote access client supports the use
of X.25 smart cards.
(2) Windows 2000 remote access server supports
only direct connections to X.25 networks by using an X.25 smart card.
|25| 5. Asynchronous Transfer Mode (ATM) over
Asymmetric Digital Subscriber Line (ADSL)
a. ADSL provides higher bit rates than PSTN
and ISDN connections.
b. The bit rate is not the same in the
upstream and downstream directions.
c. ADSL equipment can appear to Windows 2000
as either an Ethernet interface or a dial-up interface.
(1) When an ADSL adapter appears as an Ethernet
interface, the ADSL connection operates in the same way as an Ethernet
connection to the Internet.
(2) When an ADSL adapter appears as a dial-up
interface, ADSL provides the physical connection, and the individual LAN protocol
packets are sent encapsulated in ATM cells.
|26| D. Remote
access protocols
1. Remote access protocols control the
establishment of connections and the transmission of data over WAN links.
2. Windows 2000 remote access supports three
types of remote access protocols.
a. Point-to-Point Protocol (PPP) is an
industry-standard set of protocols providing the best security, multi-protocol
support, and interoperability.
b. Serial Line Internet Protocol (SLIP) is
used by older remote access servers. A Windows 2000 RAS server does not support
SLIP dial-up connections.
c. Microsoft RAS protocol, also known as
Asynchronous NetBEUI (AsyBEUI), is a remote access protocol used by legacy remote
access clients running Microsoft operating systems.
|27| E. LAN
protocols
1. LAN protocols are the protocols used by
remote access clients to access resources on the network connected to the RAS
server.
2. Windows 2000 remote access supports
TCP/IP, IPX, AppleTalk, and NetBEUI.
3. Remote Access Security
|28| A. Secure
user authentication
1. Secure user authentication means that the
user's password is never sent across the link in clear text; a challenge-response
exchange (CHAP and MS-CHAP), reversible encryption (SPAP), or certificates
(EAP-TLS) are used instead.
2. Secure authentication is possible through
the use of PPP and one of the supported authentication protocols.
a. Extensible Authentication Protocol (EAP)
b. Microsoft Challenge Handshake
Authentication Protocol (MS‑CHAP), versions 1 and 2
c. Challenge Handshake Authentication
Protocol (CHAP)
d. Shiva Password Authentication Protocol
(SPAP)
3. Password Authentication Protocol (PAP) is
also supported but sends the password in clear text, and SPAP and MS-CHAP
version 1 are weaker than MS-CHAP version 2 and EAP-TLS; prefer the latter two
and disable the weaker methods on the server unless a legacy client requires
them.
|29| B. Mutual
authentication
1. Mutual authentication is obtained by
authenticating both ends of the connection, so the client also verifies that it
is talking to the genuine server. In Windows 2000 it is provided by EAP-TLS
(certificates on both sides) and MS-CHAP version 2; with the other PPP
authentication protocols only the client is authenticated.
2. It is also possible to configure a RAS
server not to request authentication from the remote access client at all
(unauthenticated access); this should be left disabled.
|30| C. Data
encryption
1. Data encryption encrypts the data sent
between the remote access client and the RAS server, and only over that link;
once decrypted at the RAS server, traffic crosses the intranet in the clear
unless IPSec is used end to end.
2. Data encryption on a remote access
connection is based on a secret encryption key known to the RAS server and
remote access client.
3. Data encryption is possible over dial-up
remote access links when using PPP along with EAP-TLS or MS‑CHAP, because the
encryption key is derived from material generated during those authentication
exchanges.
4. Windows 2000, Windows NT 4.0,
Windows 98, and Windows 95 remote access clients and remote access
servers support Microsoft Point-to-Point Encryption (MPPE).
|31| D. Callback
1. The RAS server calls the remote access
client after the user credentials have been verified.
2. Callback can be configured on the server
to call the remote access client back at a number specified by the user of the
remote access client.
3. Callback can be configured to always call
back the remote access client at a specific number.
|32| E. Caller
ID
1. Caller ID can be used to verify that the
incoming call is coming from a specified phone number.
2. Caller ID requires that the caller’s
telephone line, phone system, RAS server’s telephone line, and the Windows 2000
driver for the dial-up equipment support caller ID.
|33| F. Remote
access account lockout
1. The remote access account lockout feature
specifies how many times remote access authentication can fail against a valid
user account before further attempts for that account are denied.
2. The feature does not distinguish malicious
attempts from mistyped passwords by legitimate users, so an attacker who knows
or guesses a valid user name can deliberately lock that user out; choose the
thresholds with that denial-of-service risk in mind.
3. An administrator must decide on two
remote access account lockout variables.
a. The number of failed attempts before
future attempts are denied
b. How often the failed attempts counter is
reset
4. Managing Remote Access
|34| A. Managing
users
1. Set up a master account database in the
Active Directory store or on a RADIUS server.
2. A master account database allows the RAS
server to send the authentication credentials to a central authenticating
device.
|35| B. Managing
addresses
1. For PPP connections, IP, IPX, and
AppleTalk addressing information must be allocated to remote access clients
during the establishment of the connection.
2. The RAS server must be configured to
allocate IP addresses, IPX network and node addresses, or AppleTalk network and
node addresses.
C. Managing access
|36| 1. Overview of access management
a. Remote access connections are accepted
based on the dial-in properties of a user account and the remote access
policies.
b. Multiple remote access policies
(1) Different sets of conditions can be applied
to different remote access clients.
(2) Different requirements can be applied to
the same remote access client based on the parameters of the connection
attempts.
c. Multiple remote access policies can be
used to meet various conditions.
(1) Allow or deny connections if the user
account belongs to a specific group.
(2) Define different days and times for
different user accounts based on group membership.
(3) Configure different authentication methods
for dial-up and VPN remote access clients.
(4) Configure different authentication or
encryption settings for PPTP or L2TP connections.
(5) Configure different maximum session times
for different user accounts based on group membership.
(6) Send network access server–specific RADIUS
attributes to a RADIUS client.
d. RRAS and IAS use remote access policies to
determine whether to accept or reject connection attempts.
|37| 2. Access by user account
a. The user account for a stand-alone or
Active Directory–based computer contains a set of dial-in properties that are
used when allowing or denying a connection attempt made by a user.
b. Remote Access Permission (Dial-in or VPN)
(1) You can set remote access to be explicitly
allowed, denied, or determined through remote access policies.
(2) The Control access through Remote Access
Policy option is available only for user accounts in a native-mode domain and
for local accounts on stand-alone Windows 2000 remote access servers.
c. Verify caller ID
(1) The server verifies the caller’s phone
number.
(2) If the caller’s phone number does not match
the configured phone number, the connection attempt is denied.
(3) Caller ID must be supported by the caller's
telephone line, by the phone system between the caller and the remote access
server, and by the remote access server's line and dial-up equipment driver.
d. Callback options
(1) The server calls the caller back at a
telephone number set by the caller or at a specific phone number.
(2) The limits on the number of characters in a
callback number depend on the type of domain.
e. The Assign a Static IP Address option
allows you to assign a specific IP address to a user.
f. The Apply Static Routes option allows you
to define a series of static IP routes.
|38| 3. Access by policy
a. The access by policy administrative model
is intended for RAS servers that are either stand-alone servers or members of a
Windows 2000 native-mode domain.
b. The Remote Access Policies node appears in
the Routing and Remote Access snap-in when the authentication provider is set
to Windows authentication.
c. A typical use of policy-based access is
to allow access through group membership.
|39| 4. Accepting a connection attempt
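How a connection attempt is accepted or rejected, following the order the preceding access-management sections describe (first matching policy, then the account's dial-in permission, then the policy's permission, then the profile), as an added Python example that is not the course's own material. The condition names mirror the Routing and Remote Access snap-in, but the data model, the sample policies and the sample users are constructed for illustration.

```python
"""Remote access connection acceptance in the Windows 2000 evaluation order.

Added example, not from the course: the condition names (Windows-Groups,
Tunnel-Type, Day-And-Time-Restrictions) and permission values mirror the
Routing and Remote Access snap-in, but the data model, policies and users
below are constructed.
"""
from dataclasses import dataclass

# Dial-in permission set on the user account (Dial-in tab)
ALLOW, DENY, CONTROL_BY_POLICY = "allow", "deny", "control-by-policy"


@dataclass
class Attempt:
    """Parameters of one connection attempt as seen by RRAS or IAS."""
    user: str
    groups: frozenset
    tunnel_type: str      # "PPTP", "L2TP", or "" for a plain dial-up call
    auth_method: str      # "MS-CHAP-v2", "EAP-TLS", "CHAP", "PAP", ...
    encrypted: bool       # client negotiated MPPE or IPSec encryption
    hour: int             # local hour 0-23 of the attempt


@dataclass
class Policy:
    """One remote access policy: conditions, permission and a profile subset."""
    name: str
    conditions: dict      # every condition must match for the policy to apply
    grant: bool           # policy permission: Grant (True) or Deny (False)
    allowed_auth: frozenset = frozenset({"MS-CHAP-v2", "EAP-TLS"})
    require_encryption: bool = True


KNOWN_CONDITIONS = ("Windows-Groups", "Tunnel-Type", "Day-And-Time-Restrictions")


def conditions_match(policy: Policy, attempt: Attempt) -> bool:
    for cond, wanted in policy.conditions.items():
        if cond not in KNOWN_CONDITIONS:
            return False  # an unknown condition type can never be satisfied
        if cond == "Windows-Groups" and not (attempt.groups & wanted):
            return False
        if cond == "Tunnel-Type" and attempt.tunnel_type not in wanted:
            return False
        if cond == "Day-And-Time-Restrictions" and not (wanted[0] <= attempt.hour < wanted[1]):
            return False
    return True


def evaluate(attempt: Attempt, account_permission: str, policies: list) -> tuple:
    """Return (accepted, reason).  Only the first policy whose conditions match is
    used; later policies are never consulted, and no match at all means reject."""
    if not policies:
        return False, "no remote access policies configured"
    policy = next((p for p in policies if conditions_match(p, attempt)), None)
    if policy is None:
        return False, "no policy conditions matched"
    if account_permission == DENY:
        return False, f"account denies dial-in (policy '{policy.name}')"
    if account_permission == CONTROL_BY_POLICY and not policy.grant:
        return False, f"policy '{policy.name}' denies access"
    # The profile applies whether permission came from the account or the policy.
    if attempt.auth_method not in policy.allowed_auth:
        return False, f"auth method {attempt.auth_method} not allowed by '{policy.name}'"
    if policy.require_encryption and not attempt.encrypted:
        return False, f"encryption required by '{policy.name}'"
    return True, f"accepted by '{policy.name}'"


# Constructed sample policies, in the order they would appear in the snap-in.
POLICIES = [
    Policy("Block contractors", {"Windows-Groups": {"Contractors"}}, grant=False),
    Policy("VPN users, business hours",
           {"Windows-Groups": {"VPN Users"}, "Tunnel-Type": {"PPTP", "L2TP"},
            "Day-And-Time-Restrictions": (8, 18)}, grant=True),
]


def run_samples() -> dict:
    """Constructed connection attempts exercising each decision point."""
    base = dict(tunnel_type="PPTP", auth_method="MS-CHAP-v2", encrypted=True, hour=10)
    alice = Attempt("alice", frozenset({"VPN Users"}), **base)
    bob = Attempt("bob", frozenset({"VPN Users", "Contractors"}), **base)
    pap = Attempt("alice", frozenset({"VPN Users"}), **{**base, "auth_method": "PAP"})
    night = Attempt("alice", frozenset({"VPN Users"}), **{**base, "hour": 2})
    return {
        "alice": evaluate(alice, CONTROL_BY_POLICY, POLICIES),
        "alice_denied": evaluate(alice, DENY, POLICIES),
        "bob_first_match": evaluate(bob, CONTROL_BY_POLICY, POLICIES),
        "pap": evaluate(pap, ALLOW, POLICIES),
        "night": evaluate(night, ALLOW, POLICIES),
    }
```

Two of the sample outcomes are the ones that surprise administrators in practice: bob is refused by the first matching policy even though a later policy would have granted him access, and alice's explicit Allow on the account does not help her at 02:00 because no policy matches at all.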
|40| 5. Managing account lockout
a. Changing settings in the registry on the
authenticating computer configures the account lockout feature: the MaxDenials
and ResetTime (mins) values under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout.
MaxDenials is 0 (lockout disabled) by default, and ResetTime (mins) defaults to
2880 (48 hours).
b. If the RAS server is configured for
Windows authentication, modify the registry on the RAS server computer.
c. If the RAS server is configured for
RADIUS authentication and IAS is being used, modify the registry on the IAS
server.
|41| D. Managing
authentication
1. Windows authentication
a. The user credentials sent by users
attempting remote access connections are authenticated through normal Windows
authentication mechanisms.
b. If the remote access server is a member
server of a Windows 2000 domain and is configured for Windows authentication,
the computer account of the RAS server must be a member of the RAS and IAS
Servers security group.
2. RADIUS authentication
a. User credentials and parameters of the
connection request are sent as a series of RADIUS request messages to a RADIUS
server.
b. The RADIUS server receives a
user-connection request from the RAS server and authenticates the client
against its authentication database.
c. RADIUS can respond to authentication
requests based on its own database, or it can be a front end to another database
server.
3. Windows and RADIUS accounting
a. A remote access server supports the
logging of accounting information for remote access server connections in local
logging files.
b. Logging is separate from the events
recorded in the system event log.
c. A remote access server supports the
logging of accounting information for remote access server connections at a
RADIUS server.
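The RADIUS exchange described in Lesson 2 (RADIUS Client-Server) and in the RADIUS authentication items above, as an added example that is not part of the course material: a minimal RFC 2865 client (the RRAS server's role as RADIUS client) and server (the IAS role) in Python. The packet layout, the User-Password hiding and the Response Authenticator are implemented from the RFC; the shared secret, user account, password and NAS address are constructed sample values.

```python
"""RADIUS Access-Request / Access-Accept between a NAS (the RRAS server) and a
RADIUS server (IAS), per RFC 2865.

Added example, not course material: packet layout, User-Password hiding and the
Response Authenticator are implemented from the RFC; the shared secret, user
account and NAS address are constructed sample values.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT_TYPE = 1, 2, 4, 61
NAS_PORT_TYPE_VIRTUAL = 5     # VPN tunnel, as opposed to Async (0) or ISDN Sync (2)


def attribute(atype: int, value: bytes) -> bytes:
    """Type-Length-Value; Length includes the 2-byte header, so Value <= 253 bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, then c_i = p_i XOR
    MD5(secret + c_(i-1)), with the Request Authenticator standing in for c_0."""
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        chunk = bytes(p ^ b for p, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + chunk, chunk
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: reverse hide_password and strip the NUL padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def access_request(ident: int, user: str, password: str, secret: bytes, nas_ip: str) -> tuple:
    """NAS side.  Returns (packet, request_authenticator); the 16 random bytes
    must be kept to verify the reply."""
    req_auth = os.urandom(16)
    attrs = (attribute(USER_NAME, user.encode())
             + attribute(USER_PASSWORD, hide_password(password.encode(), secret, req_auth))
             + attribute(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attribute(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_VIRTUAL)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs, req_auth


def parse_attributes(pkt: bytes) -> dict:
    """Walk the TLVs after the 20-byte header, refusing truncated or zero-length ones."""
    attrs, pos = {}, 20
    while pos < len(pkt):
        if pos + 2 > len(pkt) or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > len(pkt):
            raise ValueError("malformed attribute")
        attrs[pkt[pos]] = pkt[pos + 2:pos + pkt[pos + 1]]
        pos += pkt[pos + 1]
    return attrs


def server_respond(request: bytes, secret: bytes, user_db: dict) -> bytes:
    """RADIUS server side: check the credentials, then sign the reply with
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth, attrs = request[4:20], parse_attributes(request[:length])
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
    ok = code == ACCESS_REQUEST and user in user_db and hmac.compare_digest(user_db[user], password)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return header + hashlib.md5(header + req_auth + secret).digest()     # no reply attributes


def verify_response(response: bytes, req_auth: bytes, secret: bytes, expected_ident: int) -> bool:
    """NAS side: drop replies with the wrong identifier, length, or authenticator
    (a forged Access-Accept, a replay, or a mismatched shared secret)."""
    if len(response) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != expected_ident or length != len(response):
        return False
    expected = hashlib.md5(response[:4] + req_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def sample_exchange(password_attempt: str) -> tuple:
    """Constructed sample: one VPN user, one NAS.  Returns (reply code, reply verified)."""
    secret = b"constructed-shared-secret"            # real deployments: long, random
    users = {"alice": b"correct horse battery"}      # 21 bytes: exercises the XOR chain
    request, req_auth = access_request(42, "alice", password_attempt, secret, "192.0.2.10")
    reply = server_respond(request, secret, users)
    return reply[0], verify_response(reply, req_auth, secret, 42)
```

The Response Authenticator is what lets the RAS server reject a forged or replayed Access-Accept, and the User-Password hiding is only as strong as the shared secret (it is a single MD5 keystream, not a modern cipher), so use a long random secret per RADIUS client and keep the RRAS-to-IAS path on a trusted network.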
Chapter 10, Lesson 4
Virtual Private Networks
1. Introduction to Virtual Private Networks
|42| A. Overview
1. VPNs allow remote users to connect
securely to a remote corporate server by using the routing infrastructure
provided by a public internetwork, such as the Internet.
2. VPN is a point-to-point connection
between the user’s computer and a corporate server.
3. VPN allows a corporation to connect with
its branch offices or with other companies over a public internetwork.
4. The secure connection across the
internetwork appears to the user as a virtual network interface.
|43| B. Connecting
networks over the Internet
1. Dedicated lines
a. The branch office and the corporate hub
routers connect to the Internet through the use of a local dedicated circuit
and local ISP.
b. A VPN is created between the branch office
router and the corporate hub router across the Internet.
2. Dial-up lines
a. The router at the branch office calls its
ISP.
b. A VPN is created between the branch office
router and the corporate hub router across the Internet.
|44| C. Connecting
computers over an intranet
1. VPNs allow a department’s LAN to be
physically connected to the corporate internetwork but separated by a VPN
server.
2. The VPN server is not acting as a router
between the corporate internetwork and the department LAN.
2. Tunneling Basics
|45| A. Overview
1. Tunneling is a method of using an
internetwork infrastructure to transfer a payload.
2. Instead of sending the frame as produced
by the originating node, the frame is encapsulated with an additional header,
which provides routing information.
3. The process of encapsulation and transmission
of packets is known as tunneling.
4. The logical path through which the
encapsulated packets travel the transit internetwork is called a tunnel.
|46| B. Tunnel
maintenance and data transfer
1. Tunnel maintenance protocol
a. A tunnel maintenance protocol is used as
the mechanism to manage the tunnel.
b. For some tunneling technologies, both
endpoints of the tunnel must agree to the tunnel and be aware of its presence.
c. A tunnel must be created before data
transfer can occur.
(1) The tunnel creation is initiated by one end
of the tunnel, the tunnel client.
(2) At the other end of the tunnel, the tunnel
server receives the connection request.
d. Tunneling maintenance is typically
performed through a keep-alive process that periodically polls the other end of
the tunnel when no data is being transferred.
e. Certain tunneling technologies allow
either end of the tunnel to gracefully terminate the tunnel through an exchange
of tunnel termination messages.
2. Tunnel data transfer protocol
a. Once the tunnel is established, tunneled
data can be sent.
b. A tunnel data transfer protocol
encapsulates the data to be transferred across the tunnel.
c. The encapsulated payload is sent across
the transit internetwork and routed to the tunnel server.
d. The tunnel server accepts the packets,
removes the tunnel data transfer protocol header, and forwards the payload
appropriately.
|47| C. Tunnel
types
1. Voluntary tunnels
a. Voluntary tunnels are configured and
created through a conscious action by the user at the tunnel client computer.
b. Voluntary tunneling occurs when the client
volunteers to create the tunnel to the target tunnel server.
c. Voluntary tunneling can occur in one of
two cases.
(1) The client already has a connection to the
transit internetwork that can provide routing of encapsulated payloads between
the client computer and its chosen tunnel server.
(2) The client may have to establish a
connection (via dial-up) to the transit internetwork before the client can set
up a tunnel.
2. Compulsory tunnels
a. Overview
(1) Compulsory tunnels are configured and
created automatically for users without their knowledge or intervention.
(2) If a client does not have a tunneling
protocol installed, it is possible for another computer or network device to
create the tunnel on the client’s behalf.
(3) With compulsory tunneling, the client
computer makes a single PPP connection, and when a client dials into a Network
Access Server (NAS), a tunnel is created and all traffic is automatically routed
through the tunnel.
b. Static compulsory tunnels
(1) Static tunnel configurations typically
require either dedicated equipment or manual configuration.
(2) In automatic tunneling, all dial-in clients
to the access concentrator are automatically tunneled to a specific tunnel
server.
(3) In realm-based tunneling schemes, the
access concentrator examines a portion of the user’s name to decide where to
tunnel the traffic.
c. Dynamic compulsory tunnels
(1) The choice of tunnel destination is made on
a per-user basis at the time the user connects to the access concentrator.
(2) Dynamic tunneling permits the access
concentrator to be a multi-use NAS.
3. VPN Protocols
|48| A. PPTP
1. PPTP encapsulates PPP frames into IP
datagrams for transmission over an IP internetwork.
2. PPTP uses a TCP connection (port 1723) for
tunnel maintenance and an enhanced version of Generic Routing Encapsulation
(GRE, IP protocol 47) to carry the tunneled PPP frames.
3. PPTP tunnels must be authenticated by
using the same authentication mechanisms as PPP connections.
|49| B. L2TP
1. L2TP is a combination of PPTP and Layer 2
Forwarding (L2F).
2. L2TP is a network protocol that
encapsulates PPP frames to be sent over IP, X.25, Frame Relay, or ATM networks.
3. L2TP uses UDP (port 1701) and a series of
L2TP control messages for tunnel maintenance; tunneled data travels over the
same UDP port.
4. An L2TP tunnel is created between an L2TP
client and an L2TP server.
5. Creation of L2TP tunnels must be
authenticated by using the same authentication mechanisms as PPP connections.
|50| C. PPTP
vs. L2TP
1. PPTP requires that the transit
internetwork be an IP internetwork. L2TP requires only that the tunnel media
provide packet-oriented point-to-point connectivity.
2. When header compression is enabled, L2TP
operates with 4 bytes of overhead, compared to 6 bytes for PPTP.
3. L2TP provides tunnel authentication,
while PPTP does not.
4. PPTP relies on PPP encryption (MPPE) for
confidentiality; L2TP provides no encryption of its own, which is why Windows
2000 runs L2TP over IPSec ESP and why L2TP/IPSec offers stronger protection,
including per-packet integrity checking, than PPTP.
|51| D. IPSec
1. Overview
a. IPSec is a series of standards that
support the secured transfer of information across an IP internetwork.
b. IPSec ESP tunnel mode supports the
encapsulation and encryption of entire IP datagrams for secure transfer across
a private or public IP internetwork.
c. With IPSec ESP tunnel mode, a complete IP
datagram is encapsulated and encrypted with ESP.
d. Upon receipt of the encrypted datagram,
the tunnel server processes and discards the outer (clear text) IP header, then
authenticates and decrypts the ESP payload to recover the original IP datagram,
which it forwards on the private network.
2. ESP tunnel mode vs. ESP transport mode
a. The main difference between ESP tunnel
mode and ESP transport mode is that the former carries a complete encapsulated
IP header, so the original source and destination addresses are hidden from the
transit internetwork.
b. In ESP transport mode the IPSec endpoints
are the communicating hosts themselves, so the packet is decrypted only when it
reaches its final destination; in tunnel mode the tunnel server (gateway)
decrypts on the hosts' behalf.
3. IPSec ESP tunnel mode packet structure
a. IPSec ESP tunnel mode is performed through
multiple layers of encapsulation.
(1) First layer of encapsulation
(2) Second layer of encapsulation
(3) Third layer of encapsulation
(4) Data link layer of encapsulation
b. IPSec tunnel mode is an OSI layer 3
tunneling technique.
|52| E. IP-IP
1. IP-IP is a simple OSI layer 3 tunneling
technique.
2. A virtual network is created by
encapsulating an IP packet within an additional IP header whose protocol field
is 4 (IP-in-IP); no authentication or encryption is added.
3. The primary use of IP-IP is for tunneling
multicast traffic over sections of a network that do not support multicast
routing.
4. The IP payload includes everything above
IP.
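The tunnel data-transfer protocols described in this section (PPTP over GRE, L2TP over UDP, IPSec ESP and IP-IP), as an added Python example that is not part of the course: it builds a minimal outer IPv4 packet for each encapsulation and classifies packets by their headers, which is the check a practitioner runs to see what tunnel traffic is actually crossing a boundary. Header layouts follow RFC 2637 (PPTP), RFC 2661 (L2TP), RFC 2406 (ESP) and RFC 2003 (IP-IP); the addresses, call and tunnel IDs and the PPP frame are constructed.

```python
"""Identify the VPN encapsulations described above (PPTP, L2TP, IPSec ESP,
IP-IP) from raw outer IPv4 packets.

Added example, not course material: header layouts follow RFC 2637 (PPTP GRE),
RFC 2661 (L2TP), RFC 2406 (ESP) and RFC 2003 (IP-IP); all sample packets are
constructed here.
"""
import struct

IPPROTO_IPIP, IPPROTO_UDP, IPPROTO_GRE, IPPROTO_ESP = 4, 17, 47, 50
L2TP_PORT = 1701
GRE_PROTO_PPP = 0x880B        # GRE protocol type for PPP payloads (PPTP)


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum; returns 0 for a header whose checksum is correct."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4(proto: int, payload: bytes, src="192.0.2.1", dst="198.51.100.1") -> bytes:
    """20-byte IPv4 header (RFC 5737 documentation addresses) plus payload."""
    def addr(a): return bytes(int(o) for o in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, addr(src), addr(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def pptp_gre(ppp_frame: bytes, call_id: int, seq: int) -> bytes:
    """Enhanced GRE used by PPTP: K and S bits set, version 1, Key field =
    payload length (high 16 bits) + peer Call ID (low 16 bits), then sequence."""
    flags, ver = 0x20 | 0x10, 0x01
    return struct.pack("!BBHHHI", flags, ver, GRE_PROTO_PPP, len(ppp_frame), call_id, seq) + ppp_frame


def l2tp_data(ppp_frame: bytes, tunnel_id: int, session_id: int) -> bytes:
    """UDP/1701 header + L2TP data message: T=0, L=1 (Length present), version 2."""
    l2tp = struct.pack("!HHHH", 0x4002, 8 + len(ppp_frame), tunnel_id, session_id) + ppp_frame
    udp = struct.pack("!HHHH", L2TP_PORT, L2TP_PORT, 8 + len(l2tp), 0)   # checksum 0 = omitted
    return udp + l2tp


def esp(spi: int, seq: int, ciphertext: bytes) -> bytes:
    """ESP header (SPI, sequence number) followed by the opaque encrypted payload."""
    return struct.pack("!II", spi, seq) + ciphertext


def classify_tunnel(packet: bytes) -> str:
    """Name the tunnel data-transfer protocol carried by an outer IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (packet[0] & 0x0F) * 4
    proto, payload = packet[9], packet[ihl:]
    if proto == IPPROTO_GRE and len(payload) >= 8:
        flags, ver, ptype = struct.unpack("!BBH", payload[:4])
        if ptype == GRE_PROTO_PPP and (ver & 0x07) == 1 and flags & 0x20:
            ppp_len, call_id = struct.unpack("!HH", payload[4:8])
            return f"PPTP call_id={call_id} ppp_len={ppp_len}"
        return "GRE"
    if proto == IPPROTO_UDP and len(payload) >= 16:
        sport, dport = struct.unpack("!HH", payload[:4])
        flags_ver = struct.unpack("!H", payload[8:10])[0]
        if L2TP_PORT in (sport, dport) and (flags_ver & 0x000F) == 2:
            kind = "control" if flags_ver & 0x8000 else "data"
            off = 10 + (2 if flags_ver & 0x4000 else 0)    # skip optional Length field
            if len(payload) >= off + 4:
                tid, sid = struct.unpack("!HH", payload[off:off + 4])
                return f"L2TP {kind} tunnel={tid} session={sid}"
        return "UDP"
    if proto == IPPROTO_ESP and len(payload) >= 8:
        spi, seq = struct.unpack("!II", payload[:8])
        return f"ESP spi=0x{spi:08x} seq={seq}"
    if proto == IPPROTO_IPIP and len(payload) >= 20 and payload[0] >> 4 == 4:
        return f"IP-IP inner_proto={payload[9]}"
    return f"plain proto={proto}"


# Constructed sample PPP frame: address/control 0xFF03, protocol 0x0021 (IP), dummy payload.
PPP_FRAME = b"\xff\x03\x00\x21" + bytes(20)


def build_samples() -> dict:
    """One constructed outer packet per encapsulation discussed in the lesson."""
    return {
        "pptp": ipv4(IPPROTO_GRE, pptp_gre(PPP_FRAME, call_id=7, seq=1)),
        "l2tp": ipv4(IPPROTO_UDP, l2tp_data(PPP_FRAME, tunnel_id=5, session_id=9)),
        "esp": ipv4(IPPROTO_ESP, esp(0x1000, 1, bytes(16))),
        "ipip": ipv4(IPPROTO_IPIP, ipv4(6, b"")),     # inner datagram is TCP (protocol 6)
    }
```

Only the IP-IP case exposes the inner datagram's protocol and addresses to an observer; PPTP exposes call IDs and sequence numbers in the clear, L2TP exposes tunnel and session IDs, and ESP exposes nothing beyond the SPI and sequence number, which is why the lesson pairs L2TP with IPSec.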
4. Managing Virtual Private Networks
|53| A. Managing
users
1. A master account database is usually set
up on a domain controller or on a RADIUS server.
2. The same user account is used for both
dial-in remote access and VPN remote access.
|54| B. Managing
addresses and name servers
1. The VPN server must have IP addresses
available in order to assign them to the VPN server’s virtual interface and to
VPN clients.
2. By default, the IP addresses assigned to
VPN clients are obtained through DHCP.
|55| C. Managing
access
1. If you are managing remote access on a
user basis, set Allow access or Deny access on the Dial-In tab of each user's
properties and modify the remote access policy as necessary.
2. If you are managing remote access on a
group basis, set Control access through Remote Access Policy on the Dial-In tab
of the users' properties and create remote access policies whose Windows-Groups
condition matches the groups to which you want to grant or deny access.
|56| D. Managing
authentication
1. The VPN server can be configured to use
either Windows or RADIUS authentication.
2. If Windows is selected, the user
credentials are authenticated by using Windows authentication and remote access
policy.
3. If RADIUS is selected, user credentials
and parameters are sent as a series of RADIUS request messages to the RADIUS
server.
|57| 5. Troubleshooting
A. Connection attempt is rejected when it
should be accepted.
B. Connection attempt is accepted when it
should be rejected.
C. Unable to reach locations beyond the VPN
server.
D. Unable to establish a tunnel.
Chapter 10, Lesson 5
RRAS Tools
|58| 1. Routing and Remote Access Snap-In
A. The Routing and Remote Access snap-in
allows you to perform a number of management tasks.
B. The Routing and Remote Access snap-in is
the primary management utility for configuring Windows 2000 local and remote
access servers and routers.
|59| 2. Net Shell Command-Line Utility
A. Overview of Net Shell
1. Net Shell is a command-line and scripting
utility for Windows 2000 networking components for local or remote computers.
2. Net Shell can support multiple Windows
2000 components through the addition of netsh helper DLLs.
B. The Net Shell utility includes a number of
options.
1. -a <AliasFile>
2. -c <Context>
3. Command
4. -f <ScriptFile>
5. -r <RemoteComputerName or
IP_address>
C. Commands can be abbreviated to the
shortest unambiguous string.
D. Commands can be either global or context
specific.
E. Global commands can be issued in any
context and are used for general netsh functions.
F. Netsh has two command modes.
1. In online mode, commands issued at a
netsh command prompt are carried out immediately.
2. In offline mode, commands issued at a
netsh command prompt are accumulated and carried out as a batch by issuing the
commit global command.
G. You can run a script either by using the
-f option or by typing the exec global command while in the Net Shell command
window.
H. To create a script of the current
configuration, type the global dump command.
I. The Net Shell command includes
context-specific commands.
1. ras
2. aaaa
3. routing
4. interface
|60| 3. Authentication and Accounting Logging
A. RRAS supports the logging of
authentication and accounting information for PPP-based connection attempts
when Windows authentication or accounting is enabled.
B. The authentication and accounting
information is stored in a configurable log file or files.
C. You can configure the type of activity to
log and log file settings.
|61| 4. Event Logging
A. The Windows 2000 Router performs extensive
error logging in the system event log.
B. Four levels of logging are available.
1. Log errors only.
2. Log errors and warnings.
3. Log the maximum amount of information.
4. Disable event logging.
C. Take specific steps if an OSPF router is
unable to establish an adjacency on an interface.
1. Disable OSPF on the interface.
2. Change the level of logging for OSPF to
log the maximum amount of information.
3. Enable OSPF on the interface.
4. Examine the system event log for
information about the OSPF adjacency process.
5. Change the level of logging for OSPF to
log errors only.
D. The level of event logging can be set from
various places with the Routing and Remote Access snap-in.
E. Logging consumes system resources and
should be used sparingly.
|62| 5. Tracing
A. RRAS has an extensive tracing capability
that you can use to troubleshoot complex network problems.
B. Tracing records internal component
variables, function calls, and interactions.
C. You can enable tracing for each routing
protocol by setting the appropriate registry values.
D. Tracing consumes system resources and
should be used sparingly.
E. To enable file tracing for a component,
set the EnableFileTracing value to 1 under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\<component>; the FileDirectory,
FileTracingMask, and MaxFileSize values in the same key control where and how
much is written (the default directory is %windir%\tracing). The netsh ras set
tracing command enables or disables tracing for a named component, or for all
components with *, without editing the registry directly.