Chapter 3 - Administering Routing and Remote Access Service
Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.
After you install Routing and Remote Access Service, you can configure and monitor interfaces and routing protocols by using Routing and RAS Admin or the command-prompt utility. For more information on how to use the command line to administer your computer, see Appendix B, "Command-Line Interface."
You can also use Routing and RAS Admin to configure and monitor your RAS server. Note that when you select a Windows NT version 4.0 or earlier RAS Server, the Remote Access Admin tool for Windows NT 4.0 automatically appears and enables you to administer the down-level RAS server.
Note Routing and Remote Access Service running on Windows NT Server version 4.0 is also referred to as the Windows NT router.
You can remotely administer a Windows NT router from a computer running Windows NT 4.0 by using the Copyadmn.cmd batch file. This file is part of the Routing and Remote Access Service files that are copied to your computer when you install Routing and Remote Access Service.
Note After copying these files to a computer running Windows NT version 4.0, you cannot use the Windows NT 4.0 RAS client on that computer. This is because some of the .dll files that are copied are incompatible with .dll files that are part of Windows NT version 4.0. To use a RAS client on the Windows NT version 4.0 computer, you must upgrade to Routing and Remote Access Service.
On the Windows NT router, open a Command Prompt window.
Run Copyadmn.cmd and type the source and destination directories.
For example, type:
copyadmn c:\winnt\system32\ \\admin\dept1\remote
On the remote computer (\\admin\dept1 in this example), make a network connection to the Windows NT router.
For example, at the command prompt type:
net use \\router1\ipc$ /u:Domain\User
On the remote computer, at the command prompt type mpradmin.
In Routing and RAS Admin, on the Server menu, click Connect to Router.
In the Router Name box, type the name of the Windows NT router, for example \\router1, and click OK.
Routing and RAS Admin looks similar to Windows NT Explorer. The tree view in the left window displays the installed network and routing components of Routing and Remote Access Service. The list view in the right window displays the interfaces for a selected protocol.
Click the Start button, then point to Programs.
Point to the Administrative Tools (Common) folder, then click Routing and RAS Admin.
Figure 3.1 shows the Routing and RAS Admin tool interface.
Figure 3.1 The Routing and RAS Admin tool
You can configure Routing and Remote Access Service components by right-clicking within Routing and RAS Admin. As shown in Figure 3.1, you can right-click RIP for Internet Protocol to configure global settings for RIP. You can then right-click a RIP for IP interface in the right window to configure settings and view monitoring information specific to that interface only.
Note Selecting a component in Routing and RAS Admin and then selecting the Actions menu has the same effect as right-clicking a component.
You can use Routing and RAS Admin to view routing and protocol information when you troubleshoot or administer your routing and RAS connections.
Under IP Routing or IPX Routing, right-click Static Routes.
Click View IP routing table or View IPX routing table.
In addition to the routing table, you can see detail views of various router settings by right-clicking a component in the left window or an interface in the right window. Table 3.1 shows the available detail views.
Table 3.1 Available Tables and Information in Routing and RAS Admin
Component | Views |
---|---|
IP Routing/Summary | TCP/IP information; Address translation table; IP addresses; IP routing table; TCP connections; UDP listener ports |
OSPF | Area statistics; Link state database; Neighbor table; Virtual interfaces |
RIP for IP | RIP neighbors |
IPX Routing/Summary | IPX global parameters; IPX routing table; IPX service table |
Active Connections and Ports | Port status; Device statistics; Network registration information |
You can use the graphical capabilities of Routing and Remote Access Service for administrative tasks. This chapter describes how to use Routing and RAS Admin. For more procedures, see the online Help in Routing and RAS Admin: Click Contents on the Help menu.
If you are familiar with administering a router through the command line, you can also use a Command Prompt window and the routemon command-line tool. For details on using routemon commands, see Appendix B, "Command-Line Interface."
To open the Routing and RAS Admin tool, use the method described in the "Routing and RAS Admin Tool" section in this chapter, or type mpradmin at a command prompt.
The remainder of this chapter describes how to use the Routing and RAS Admin tool to accomplish these administrative tasks:
Adding routing protocols and interfaces
Adding a demand-dial interface
Deleting or disabling interfaces
Administering RAS servers
Viewing RAS Servers in a domain
Granting dial-in permissions to RAS clients
Adding and deleting static routes
Adding and deleting packet filters
Adding local host filters
Adding PPTP filters
To make your router functional, you can specify static routes or add routing protocols to your router and add interfaces to protocols. You can use Routing and RAS Admin to do this.
In Routing and RAS Admin under IP Routing, right-click Summary and select Add routing protocol.
In the Select Routing Protocol dialog box, click a protocol:
DHCP Relay Agent
Open Shortest Path First (OSPF) by Bay Networks
RIP Version 1 and 2 for Internet Protocol
Complete any configuration dialog boxes for the protocol.
Under IP Routing, right-click a protocol and click Add interface.
Select the interface you want to add and click OK.
Configure any settings for the interface.
Note All available IPX routing protocols are added automatically during Routing and Remote Access Setup. To add an interface to IPX, right-click Summary under IPX Routing, then click Add interface. The interface is added to all IPX protocols.
A demand-dial connection initiates a link to a remote site when data or routing information must be sent to that site, and closes the connection when a specified amount of time has passed without data being sent over the link.
Routing and RAS Admin includes a Demand-Dial Wizard to help you set up demand-dial interfaces. For more information on how to configure demand-dial routing, see the section "Demand-Dial Network" in Chapter 4.
To connect to a demand-dial router, you must first add a demand-dial interface for that router. For example, if you want to configure a dial-up connection from your Seattle office router to the New York branch office router, you must add an interface for New York on the Seattle router.
After adding a demand-dial interface, you must:
Set credentials on the interface to be used for authentication on the remote router.
Add a user account on the remote router that gives you permissions to dial in to the remote router.
When you configure a demand-dial interface, you must enable the port usage on the interface for routing.
Configure the Routing and Remote Access Service by using Network in Control Panel.
Select the port, then click Configure in the Routing and Remote Access Setup dialog box.
In the Configure Port Usage dialog box, click the Dial out and receive calls as a demand dial router check box.
You can delete an interface from the router, which removes the interface from all routing protocols, or you can delete an interface from a specific routing protocol. (However, you cannot delete LAN interfaces from Routing and RAS Admin.) You can also disable an interface if you no longer want to accept calls over that interface.
Under IP Routing or IPX Routing, click Summary.
Right-click an interface, then click Remove interface.
Click LAN and Demand Dial Interfaces and right-click an interface.
Select Disable.
Under IP Routing, click a protocol.
Right-click an interface, then click Remove interface.
Note You cannot delete an interface from a specific IPX routing protocol. However, you can disable an IPX routing protocol on the interface.
If you installed a RAS server when you installed Routing and Remote Access Service, you can view and manage RAS clients that dial into your router. You can also administer down-level Windows NT RAS servers and RAS clients on a Windows NT router.
You must use User Manager for Domains to add clients to your domain or server, and to grant users dial-in permissions.
In Routing and RAS Admin, click Active Connections and Ports.
The right window shows the RAS clients that are connected to your router as well as the currently available RAS lines.
Right-click a user to show status on the connection, or expand the user entry and right-click a device to get its status.
Note If you click a RAS server or client running on Windows NT version 4.0 or earlier, the Remote Access Admin tool appears and enables you to administer the down-level server.
In addition to viewing RAS clients on a particular computer, you can select a domain and then view statistics on RAS servers and Windows NT routers within that domain.
In Routing and RAS Admin, on the Server menu, click View Domain.
In the Domain Name box, type the name of the domain you want to view and then click OK.
You must use User Manager for Domains to assign dial-in permission to users in your domain. This functionality is not part of Routing and RAS Admin.
Click the Start button, then point to Programs.
Point to the Administrative Tools (Common) folder, then click User Manager for Domains.
Click a user.
- or -
From the User menu, click New User.
In the User Properties dialog box, click Dialin.
In the Dialin Information dialog box, select the Grant dialin permission to user check box and click OK.
Both the IP protocol and the IPX protocol support static routes.
- Under IP Routing or IPX Routing, right-click Static Routes and click Add Static Route.
Under IP Routing or IPX Routing, select Static Routes.
Right-click the route and click Edit or Remove.
To provide security, a Windows NT router has the ability to allow or prohibit the flow of very specific types of IP traffic. This capability, called IP packet filtering, provides a way for the network administrator to precisely define which IP traffic is allowed to cross the router.
IP packet filtering consists of creating a series of definitions, called filters, that tell the router which types of traffic are allowed or prohibited per interface. Filters can be set for incoming and for outgoing traffic.
Input filters define which incoming traffic on an interface is allowed to be routed or processed by the router.
Output filters define which traffic is allowed to be sent out on an interface.
Because you can configure both input and output filters for each interface, it is possible to create contradictory filters. For example, the input filter on one interface can allow the inbound traffic and the output filter on the other interface can prohibit the sending of the traffic. In this case, the result is that the traffic is not passed across the Windows NT router.
Before any filters you set will work, you must enable packet filtering on a global level.
Under IP Routing, right-click Summary, then click Configure IP parameters.
On the General tab, select the Enable packet-filtering check box.
Filters are configured on an exception basis. That is, you can configure the interface to pass only the packets from the filters you list, or to allow everything except the packets for the filters you list.
Under IP Routing or IPX Routing, click Summary.
Right-click the interface on which you want to create a filter, then click Configure interface.
Click Input filters or Output filters.
In the Filters Configuration dialog box, click Add, Edit, or Delete to add, modify, or delete filters.
A local host filter enables your computer to receive only traffic destined for the computer. A local host filter works by enabling users to access your computer, but not to route through your computer. After this filter is set, only traffic destined either for this host or to all hosts on the host's network will be allowed in on the interface.
Under IP Routing, click Summary.
Right-click the interface over which you want to set the filter, then click Configure interface.
In the IP Configuration dialog box, click Input Filters.
In the IP Packet Filters Configuration dialog box, click Add.
You must create a set of five input filters and then select the Drop all except listed below option, as described in Table 3.2.
Table 3.2 Effects of Local Host Filter Options
Selecting this option | Has this effect |
---|---|
Allow packets coming directly to your computer | As an example, your router is configured with an IP address of 10.1.1.1 with a subnet mask of 255.255.255.255. To allow packets with a destination of your router, add a filter with the Destination IP address of 10.1.1.1, the Destination Subnet mask of 255.255.255.255, and select Any as the type of protocol. |
Allow packets broadcast to the local subnet | The second filter enables you to receive packets that are going to the 10.1.x.x network. For this example, add a filter with the Destination IP address of 10.1.255.255, Destination Subnet mask of 255.255.255.255, and select Any as the type of protocol. |
Allow packets going to subnetted networks | Set this filter to allow packets going to all subnets of the network. For this example, add a filter with the Destination IP address of 10.255.255.255, Destination Subnet mask of 255.255.255.255, and select Any as the type of protocol. |
Allow packets broadcasting all 1's | For this example, add a filter with the Destination IP address of 255.255.255.255, Destination Subnet mask of 255.255.255.255, and select Any as the type of protocol. |
Accept multicast packets | Set this filter to accept a limited form of multicast on the network 224.0.0.x. For this example, add a filter with the Destination IP address of 224.0.0.0, Destination Subnet mask of 255.255.255.0, and select Any as the type of protocol. |
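The five filters in Table 3.2, modeled as an added example (not part of the original chapter), show which destinations pass once Drop all except listed below is selected and that transit traffic is dropped. The class and function names are hypothetical, the address-and-mask comparison is the assumed matching rule for these filters, and the sample destinations are constructed.

```python
import ipaddress
from typing import NamedTuple, Optional


class DestFilter(NamedTuple):
    name: str   # label used only in this example
    dest: str   # "Destination IP address" field
    mask: str   # "Destination Subnet mask" field


# The five input filters from Table 3.2 (router address 10.1.1.1, protocol Any).
LOCAL_HOST_FILTERS = [
    DestFilter("direct to router", "10.1.1.1", "255.255.255.255"),
    DestFilter("subnet broadcast", "10.1.255.255", "255.255.255.255"),
    DestFilter("all-subnets broadcast", "10.255.255.255", "255.255.255.255"),
    DestFilter("all-ones broadcast", "255.255.255.255", "255.255.255.255"),
    DestFilter("local multicast", "224.0.0.0", "255.255.255.0"),
]


def _as_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def matching_filter(dst: str, filters=LOCAL_HOST_FILTERS) -> Optional[str]:
    """Name of the first filter matching the destination, or None."""
    d = _as_int(dst)
    for f in filters:
        m = _as_int(f.mask)
        if (d & m) == (_as_int(f.dest) & m):   # assumed address-and-mask rule
            return f.name
    return None


def input_allowed(dst: str, filters=LOCAL_HOST_FILTERS) -> bool:
    """Drop all except listed below: pass only when some filter matches."""
    return matching_filter(dst, filters) is not None


# Constructed sample destinations, not captured traffic.
SAMPLES = ["10.1.1.1", "10.1.255.255", "224.0.0.5", "224.0.1.1",
           "10.1.2.7", "192.168.5.9"]

if __name__ == "__main__":
    for dst in SAMPLES:
        verdict = "pass" if input_allowed(dst) else "drop"
        print(f"{dst:<16}{verdict:<6}{matching_filter(dst) or '-'}")
```

Destinations such as 10.1.2.7 and 192.168.5.9 match no filter, which is what keeps the computer reachable as a host without routing traffic for others.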
You can configure filters on an interface so that only PPTP traffic can use the interface. For example, a branch office connection can use PPTP and the Internet as a WAN.
Before any filters you set will work, you must enable packet filtering on a global level.
Under IP Routing, right-click Summary, then click Configure IP parameters.
On the General tab, select the Enable packet-filtering check box.
For this type of configuration, you must set three input filters and three output filters on the interface over which you want to make the PPTP connection.
Note All six filters work together to complete a PPTP filter. The PPTP filter will not be secure unless all six filters are set correctly.
PPTP uses TCP Port 1723 for the control channel and IP Protocol ID 47 for the data channel. The process to set parameters when adding a filter includes the following procedures:
Select the interface over which you want to make the PPTP connection.
Set the Input filters.
Set the Output filters.
Under IP Routing, click Summary.
Right-click the interface over which you want to make the PPTP connection, then click Configure interface.
You need to set three input filters for the PPTP interface.
In the IP Configuration dialog box, click Input Filters.
In the IP Packet Filters Configuration dialog box, click Add.
In the Add/Edit IP Filter dialog box (see Figure 3.2), select Other in the Protocol box.
Type 47 in the Protocol box and click OK.
Figure 3.2 Adding the first filter
In the IP Packet Filters Configuration dialog box, click Add.
In the Add/Edit IP Filter dialog box (see Figure 3.3), select TCP in the Protocol box.
Type 1723 in the Source port box and type 0 (implying any) in the Destination port box, then click OK.
Figure 3.3 Adding the second filter
In the IP Packet Filters Configuration dialog box, click Add.
In the Add/Edit IP Filter dialog box (see Figure 3.4), select TCP in the Protocol box.
Type 0 in the Source port box and type 1723 in the Destination port box, then click OK.
Figure 3.4 Adding the third filter
In the IP Packet Filters Configuration dialog box, click Drop all except listed below, then click OK.
When you are finished adding filters and configuring, the IP Packet Filters Configuration dialog box should look like Figure 3.5.
Figure 3.5 The completed IP Packet Filters Configuration dialog box
First, specify output filters. Then, to add the three output filters, complete the same set of procedures as outlined in "Set Input Filters."
- In the IP Configuration dialog box, click Output Filters.
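The note in this section says the PPTP filter is not secure unless all six filters are set correctly. As an added example (not part of the original chapter), the following Python models the three-filter set under Drop all except listed below and audits an input/output configuration against it; the `Filter` type, the `audit` function and the configuration dictionary shape are hypothetical, and the sample configuration is constructed.

```python
from typing import NamedTuple

ANY = 0                      # the dialog treats port 0 as "any"
TCP, UDP, GRE = 6, 17, 47    # IP protocol numbers; 47 carries the PPTP data channel

class Filter(NamedTuple):
    protocol: int
    src_port: int = ANY
    dst_port: int = ANY

# The three filters from the procedure; the same set is used for input and output.
PPTP_FILTERS = frozenset({
    Filter(GRE),                 # Other, protocol 47
    Filter(TCP, src_port=1723),  # TCP, source port 1723, destination any
    Filter(TCP, dst_port=1723),  # TCP, source any, destination port 1723
})

def passes(filters, protocol, src_port=ANY, dst_port=ANY):
    """Drop all except listed below: pass only when some filter matches."""
    for f in filters:
        if f.protocol != protocol:
            continue
        if protocol not in (TCP, UDP):   # ports are meaningful for TCP/UDP only
            return True
        if f.src_port in (ANY, src_port) and f.dst_port in (ANY, dst_port):
            return True
    return False

def audit(config):
    """List deviations from the six required filters (config shape is hypothetical)."""
    findings = []
    for direction in ("input", "output"):
        side = config.get(direction, {})
        if not side.get("drop_all_except_listed", False):
            findings.append(f"{direction}: Drop all except listed below is not selected")
        have = set(side.get("filters", ()))
        for f in sorted(PPTP_FILTERS - have):
            findings.append(f"{direction}: missing {tuple(f)}")
        for f in sorted(have - PPTP_FILTERS):
            findings.append(f"{direction}: extra {tuple(f)} widens the PPTP-only policy")
    return findings

# Constructed configuration: the output side lacks the destination-port filter.
SAMPLE = {"input": {"drop_all_except_listed": True, "filters": PPTP_FILTERS},
          "output": {"drop_all_except_listed": True,
                     "filters": {Filter(GRE), Filter(TCP, src_port=1723)}}}

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "all six filters present")
```

The source-port 1723 filter is what lets replies from a remote PPTP server back in when this router initiates the control connection, so removing it breaks outbound tunnels rather than tightening the policy.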