What's New in Routing and Remote Access

Applies To: Windows Server 2008

Windows Server® 2008 includes several new features designed to enhance security and manageability of Routing and Remote Access. This topic describes the new features and other significant changes made to Routing and Remote Access in Windows Server 2008.

New Features

Server Manager

SSTP tunneling protocol

VPN enforcement for Network Access Protection

IPv6 support

New cryptographic support

Removed technologies

Server Manager

Server Manager is a new feature designed to guide information technology (IT) administrators through the process of installing, configuring, and managing server roles and features that are part of Windows Server 2008. Server Manager is started automatically after the administrator completes the tasks listed in Initial Configuration Tasks. After that, it is started automatically when an administrator logs on to the server.

Use the following steps to install Routing and Remote Access using Server Manager:

To install Routing and Remote Access

  1. Install Windows Server 2008.

  2. Click Start, Administrative Tools, Server Manager.

  3. Under Roles Summary, click Add roles.

  4. Click Next. Select the Network Access Services role, and then click Next.

  5. Click Next. Select the Routing and Remote Access Services role service, and then click Next.

Note

This will select all three Routing and Remote Access services.

  6. Click Install. When the Installation Results dialog box appears, click Close.

Use the following steps to configure and enable the Routing and Remote Access service:

To configure and enable the Routing and Remote Access service

  1. Click Start, Administrative Tools, Routing and Remote Access.

  2. By default, the local computer is listed as a server. Right-click the server, and then click Configure and Enable Routing and Remote Access.

  3. Click Next. Click Custom configuration, and then click Next.

  4. Select all the services except NAT, click Next, and then click Finish.

  5. Click OK, click Start service, and then click Finish.

SSTP tunneling protocol

Secure Socket Tunneling Protocol (SSTP) is a new form of virtual private networking (VPN) tunnel with features that allow traffic to pass through firewalls that block PPTP and L2TP/IPsec traffic. SSTP provides a mechanism to encapsulate PPP traffic over the SSL channel of the HTTPS protocol. The use of PPP allows support for strong authentication methods, such as EAP-TLS. The use of HTTPS means traffic will flow through TCP port 443, a port commonly used for Web access. Secure Sockets Layer (SSL) provides transport-level security with enhanced key negotiation, encryption, and integrity checking.

VPN enforcement for Network Access Protection

Network Access Protection (NAP) is a client health policy creation, enforcement, and remediation technology that is included in the Windows Vista® client operating system and in the Windows Server 2008 operating system. With NAP, system administrators can establish and automatically enforce health policies, which can include software requirements, security update requirements, required computer configurations, and other settings.

When making VPN connections, client computers that are not in compliance with health policy can be provided with restricted network access until their configuration is updated and brought into compliance with policy. Depending on how you choose to deploy NAP, noncompliant clients can be automatically updated so that users can quickly regain full network access without manually updating or reconfiguring their computers.

VPN enforcement strongly limits network access for all computers that access the network through a VPN connection. VPN enforcement with NAP is similar in function to Network Access Quarantine Control, a feature in Windows Server 2003, but it is easier to deploy.

Remote access policy configuration

You must use Network Policy Server to create and configure remote access policies. Use the following steps to set the remote access policy to grant user access:

To configure the remote access policy

  1. Open Routing and Remote Access.

  2. Right-click Remote Access Logging & Policies, and then click Launch NPS.

  3. Click Network Policies.

  4. Double-click Connections to Microsoft Routing and Remote Access server.

  5. On the Overview tab, under Access Permission, click Grant access, and then click OK.

IPv6 support

Windows Server 2008 and Windows Vista support the following enhancements to Internet Protocol version 6 (IPv6):

  • Protocols

    • PPPv6. Native IPv6 traffic can now be sent over PPP-based connections (RFC 2472). For example, PPPv6 support allows you to connect with an IPv6-based Internet service provider (ISP) through dial-up or PPP over Ethernet (PPPoE)-based connections that might be used for broadband Internet access.

    • PPPv6 over dial-up/Ethernet as well as VPN tunnels

    • L2TP over IPv6

    • DHCPv6 Relay Agent

  • Stateless filtering, based on the following parameters:

    • Source IPv6 address/prefix

    • Destination IPv6 address/prefix

    • Next hop type (IP protocol type)

    • Source Port number (TCP/UDP)

    • Destination Port number (TCP/UDP)

  • RADIUS over IPv6 transport
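The following is an added example, not part of the Windows Server 2008 documentation, that models the stateless IPv6 filter described above: rules match on source prefix, destination prefix, next-header type, and TCP/UDP source and destination ports, and the first matching rule wins. The rule and packet classes, the 2001:db8: addresses, and the sample policy are constructed for illustration; note that because the filter keeps no connection state, return traffic must be permitted by an explicit rule.

```python
# Added example (not from the Windows Server 2008 documentation): a minimal model of
# the stateless IPv6 packet filter. Rule/Packet types and sample prefixes are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str                   # "permit" or "deny"
    src: str = "::/0"             # source IPv6 address/prefix
    dst: str = "::/0"             # destination IPv6 address/prefix
    proto: Optional[int] = None   # next header (6=TCP, 17=UDP, 58=ICMPv6); None = any
    sport: Optional[int] = None   # TCP/UDP source port; None = any
    dport: Optional[int] = None   # TCP/UDP destination port; None = any

@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None
    dport: Optional[int] = None

def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every rule parameter matches the packet; None fields are wildcards."""
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src, strict=False):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst, strict=False):
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    # Ports exist only for TCP/UDP, so a port rule can never match other next headers.
    if rule.sport is not None and (pkt.proto not in (6, 17) or pkt.sport != rule.sport):
        return False
    if rule.dport is not None and (pkt.proto not in (6, 17) or pkt.dport != rule.dport):
        return False
    return True

def filter_packet(rules: list, pkt: Packet, default: str = "deny") -> str:
    """Evaluate rules in order; the first match decides, otherwise apply the default."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default

# Constructed policy: permit HTTPS from a remote-access prefix to one web server and,
# because nothing is tracked statefully, explicitly permit the reply traffic as well.
RULES = [
    Rule("permit", src="2001:db8:1::/48", dst="2001:db8:2::10/128", proto=6, dport=443),
    Rule("permit", src="2001:db8:2::10/128", dst="2001:db8:1::/48", proto=6, sport=443),
    Rule("deny"),  # everything else
]
```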

IPv6 configuration

By default, Routing and Remote Access is configured to accept only Internet Protocol version 4 (IPv4) connections. In Windows Server 2008, you can use the Routing and Remote Access Microsoft Management Console (MMC) to configure IPv6 routing and connections. Use the following steps to configure Routing and Remote Access to accept IPv6 and IPv4 connections.

To enable IPv6 connections

  1. In the Routing and Remote Access MMC, right-click the server, and then click Properties.

  2. Click the IPv6 tab.

  3. Enter an IPv6 prefix (for example: 3ffe::).

  4. Click the General tab.

  5. Click IPv6 Router, and then click IPv6 Remote access server.

  6. Click OK, and then click Yes to restart the Routing and Remote Access service.

New cryptographic support

In response to governmental security requirements and trends in the security industry to support stronger cryptography, Windows Server 2008 and Windows Vista support the following encryption algorithms for PPTP and L2TP VPN connections.

PPTP

  • Only 128-bit RC4 encryption algorithm is supported.

  • 40-bit and 56-bit RC4 support is removed, but can be added (not recommended) by changing a registry key.

L2TP/IPsec

Data Encryption Standard (DES) encryption algorithm with Message Digest 5 (MD5) integrity check support is removed, but can be added (not recommended) by changing a registry key.

IKE Main Mode will support:

  • Advanced Encryption Standard (AES) 256 (new), AES 192 (new), AES 128 (new), and 3DES encryption algorithms.

  • Secure Hash Algorithm 1 (SHA1) integrity check algorithm.

  • Diffie-Hellman (DH) groups 19 (new) and 20 (new) for Main Mode negotiation.

IKE Quick Mode will support:

  • AES 256 (new), AES 192 (new), AES 128 (new), and 3DES encryption algorithms.

  • SHA1 integrity check algorithm.

Removed technologies

Support for the following technologies has been removed from Windows Server 2008 and Windows Vista:

  • Bandwidth Allocation Protocol (BAP). Removed from Windows Vista. Disabled in Windows Server 2008.

  • X.25.

  • Serial Line Interface Protocol (SLIP). SLIP-based connections will automatically be updated to PPP-based connections.

  • Asynchronous Transfer Mode (ATM).

  • IP over IEEE 1394.

  • NWLink IPX/SPX/NetBIOS Compatible Transport Protocol.

  • Services for Macintosh.

  • Open Shortest Path First (OSPF) routing protocol component in Routing and Remote Access.

  • Basic Firewall in Routing and Remote Access (replaced with Windows Firewall).

  • Static IP filter application programming interfaces (APIs) for Routing and Remote Access (replaced with Windows Filtering Platform APIs).

  • The SPAP, EAP-MD5-CHAP, and MS-CHAP authentication protocols for PPP-based connections.

Additional references