Routing and Remote Access
Routing is the process of using addressing information present in a network packet to determine the path that packet should take to reach its destination. Routing is required when the source host and destination host are on different logical networks. Routing is required in larger network infrastructures because it is impractical to use one set of addresses for the entire network. This is because as networks increase in size, so does the addressing complexity. In addition, it is impractical to put all systems in a large network on the same logical network. This causes a large amount of network traffic.
You can segment a TCP/IP network by dividing the IP address range into subnets. Once the IP addresses are broken up, the newly formed subnets use routers to forward data from one subnet to another. You can also use routing to connect dissimilar networks such as Ethernet, ATM, and Token Ring.
Routing tables are used to keep track of routes from hosts that reside in one subnet to hosts that reside in another. As networks increase in size, so do the number of routers within the infrastructure and the size of routing tables. If administrators had to keep track of these routes, they would have to constantly monitor the network for routers that go offline or links that temporarily fail, then manually enter this information into routing tables. Routers use industry standard routing protocols to dynamically update routing tables as the network changes.
Windows 2000 Server supplies businesses with LAN-to-LAN routing and offers an alternative to purchasing dedicated router hardware, by integrating the Routing and Remote Access service within Windows 2000 Server. This service supports the ability to dynamically route TCP/IP, Internetwork Packet Exchange (IPX), and AppleTalk traffic by utilizing built-in routing protocols. The Routing and Remote Access service can also provide remote office connectivity by supporting wide-area connections.
New Features of Windows 2000 Routing and Remote Access Service
This section discusses the new features of the Windows 2000 Routing and Remote Access service, which allows businesses and their associated remote access clients to send and receive data more securely by utilizing the Internet as a data path. Clients within the Windows 2000 network structure can enjoy the benefit of accessing multicast data from the Internet.
Table 7.3 describes the new features of Windows 2000 Routing and Remote Access.
Table 7.3 New Features of Windows 2000 Routing and Remote Access
Feature |
Description |
|---|---|
Windows 2000 Active Directory Integration |
Permits browsing and managing Remote Access servers by using Active Directory–based tools such as the Routing and Remote Access administrative tool. |
Version 2 of Microsoft Challenge Handshake Authentication Protocol (CHAP) |
Strong security credential passing and encryption key generation. This protocol is designed specifically for authenticating VPN connections using the PPTP protocol. |
Extensible Authentication Protocol (EAP) |
Allows third-party authentication methods to plug in to the Windows 2000 point-to-point protocol (PPP) implementation. The built-in EAP/Transport Layer Security (TLS) method supports deployment of smart cards for secure authentication and strong encryption key generation. |
Bandwidth Allocation Protocol |
Allows a more efficient Multilink PPP connection by dynamically adding and dropping links to accommodate changes in traffic flow. This is useful for networks that carry charges based on bandwidth use. Useful with ISDN channels and similar communications technologies. |
Remote access policies |
Gives administrators the ability to control connections based on time of day, group membership, type of connection, and other criteria. |
Layer 2 Tunneling Protocol (L2TP) |
Provides client-to-gateway and gateway-to-gateway VPN connections, secured by Internet Protocol security (IPSec). |
IP multicast support |
Supports Internet Group Membership Protocol IGMP Version 2 and acts as a multicast forwarding router, which allows the forwarding of IP multicast traffic between connected clients and the Internet or a corporate network. |
Network Address Translation (NAT) |
Provides a small to medium network with a single interface that connects to the Internet and provides IP address translation services between public and private IP addresses. Also provides IP address assignment and DNS proxy name resolution services to internal network clients. |
Internet Connection Sharing (ICS) |
Provides a small network with an easy to configure, but limited interface that connects SOHO clients to the Internet. ICS provides DNS name resolution, automatic address allocation, and a single IP address range for IP distribution. |
Remote Access Policy
In Windows NT versions 3.5 x and 4.0, remote access authorization was based on a simple Grant dial-in permission to user option in User Manager or the Remote Access Administration tool. Callback options were also configured on a per-user basis. In Windows 2000, authorization is granted based on the dial-up properties of a user account and remote access policies. Remote access policies are a set of conditions and connection settings that give network administrators more flexibility when authorizing connection attempts. Windows 2000 Routing and Remote Access service and Windows 2000 Internet Authentication Service (IAS) both use remote access policies to determine whether to accept or reject connection attempts. In both cases, the remote access policies are stored locally. Policy is now dictated on a per-call basis.
With remote access policies, you can grant or deny authorization by time of day or day of the week, by the Windows 2000 group to which the remote access user belongs, by the type of connection being requested (dial-up networking or VPN connection), and so on. You can configure settings that limit the maximum session time, specify the authentication and encryption strengths, set Bandwidth Allocation Protocol (BAP) policies, and so on.
It is important to remember that with remote access policies, a connection is authorized only if the settings of the connection attempt to match at least one of the remote access policies (subject to the conditions of the dial-up properties of the user account and the profile properties of the remote access policy. If the settings of the connection attempt do not match at least one of the remote access policies, the connection attempt is denied regardless of the dial-up properties of the user account.
Remote Access Design Considerations
The following are some considerations when designing remote access schemes:
If you have installed a DHCP server, configure the Routing and Remote Access server to use DHCP to obtain IP addresses for remote access clients.
If you do not have a DHCP server installed, configure the Routing and Remote Access server with a static IP address pool, which is a subset of addresses from the subnet to which the remote access server is attached.
If configuring IPX, configure the remote access server to automatically allocate the same IPX network ID to all remote access clients.