Abstract
This chapter looks at Remote Access Services. The chapter addresses static routing with Windows NT, Windows NT security, and Routing and Remote Access Services.
With current product lifecycles of about nine months, it may not seem productive to talk about old versions of software. However, when it comes to Remote Access Services (RAS), it is useful to take a quick look at where it has come from to understand where it is going. In addition, in this chapter, we address the following topics:
Static routing with Windows NT
Windows NT security
Routing and Remote Access Services (RRAS)
Under Windows NT 3.1, RAS was essentially a way for a remote computer to connect to a network through a telephone connection using NetBEUI. NT Advanced Server 3.1 allowed up to 64 modems on an NTAS computer and allowed up to 64 computers to connect to the network through phone lines.
When NT 3.5 was introduced, the number of modems allowed was increased to 256, and the Point-to-Point Protocol (PPP) was introduced as a way to support multiple protocols (IPX, IP, and NetBEUI) through a single link.
With NT Server 3.51, it was possible to use an NT server as a router for small networks, with static routing. You could, for example, dial out through the modem interface using PPP and become a member of the remote network. Local computers could then use the NT server as their default router and access resources on the remote network.
With the introduction of NT 4.0, RAS's capabilities were enhanced further. RAS can now use auto-dial: instead of dialing out manually and using the NT server as a router, you can have it dial a remote network automatically when one of the client computers wants to access an external resource. RAS is also able to use multiple links to increase network throughput, so if the NT Servers acting as RAS client and RAS server each have more than one modem, you can have a bigger pipe between the two networks.
Service Pack 3 for NT Server 4.0 increased network security, and as a result a new piece of software was introduced: Routing and Remote Access Services (RRAS, formerly called Steelhead). RRAS introduced routing services as part of RAS; increased the number of possible autodial connections to 48 and the number of network interfaces to 16; included support for protocols like RIP-2, OSPF, and DHCP Relay as part of RAS; and met most of the basic security requirements of small networks.
Additional components for RRAS are included with the NT Option Pack. Called Internet Connection Services for RAS, the components provide additional functions such as dialer applications that can be customized; an Internet authentication server (Remote Authentication Dial-In User Service, or RADIUS) for remote authentication, authorization, and accounting services; and Phone Book servers for automated deployment of remote client connections.
WINDOWS NT WITH STATIC ROUTES
If you have two network cards on an NT computer, you can configure it to be a router. From the Network Control Panel applet, select Protocols, TCP/IP, Properties, Routing to bring up the dialog box shown in Figure 10.1. To allow NT to have static routes and learn routes by using the Routing Information Protocol (RIP), you enable IP forwarding by checking the box. If you have routers or Unix systems that have RIP enabled, NT will listen for RIP packets and add new routes. While not as sophisticated as the routed or gated daemons in Unix, enabling IP forwarding lets you build small interconnected networks quickly or learn routes through RIP.
Setting static routes in NT is similar to setting them in Unix. In the example shown in Figure 10.2, Nomad1 has two Ethernet cards, one with the IP address 10.0.0.101 and the other with the IP address 192.168.1.5. The two cards are connected to two separate hubs. To make Nomad1 work as a static router between these two networks, you simply check Enable IP Forwarding as illustrated in Figure 10.1.
You can reach the 192.168.1.0 network from the 10.0.0.0 network using one of two methods. You can set up a static route on each computer in the 10.0.0.0 network by typing a route add command at the command prompt (make sure that you type the keyword MASK in capitals), or you can use 10.0.0.101 as the default router.
Tip: Static routes can cause confusion, and the way in which NT behaves adds to this. Consider the computer called Nomad1 in Figure 10.2. Most administrators would add the enterprise router as the default gateway. In this network, there are two routers: one at 10.0.0.100 and another at 192.168.1.1. The first NIC, a 3COM network card, is bound to the IP address 10.0.0.101, and the second NIC, a Xircom NIC, is bound to 192.168.1.101. NT's user interface lets you add a default gateway for each network card, so let's add 10.0.0.100 as the default gateway for the first card and 192.168.1.1 as the default gateway for the second card.
To view the bindings, right-click Network Neighborhood, select Properties, TCP/IP, and switch to the Bindings tab to bring up a dialog box similar to Figure 10.3.
In this installation, we happened to install the 3COM card first, so it appears first in the bindings. As a result, only the first default gateway (the 10.0.0.100 entry) is used. Typically we find it useful not to set up any default gateways through the user interface on multihomed NT Servers; you can always add a new route with the route add command.
In small-to-medium-sized businesses and in midsized departments, wide area networking and connections to remote sites are established using midsized routers. Usually, these routers provide very good price-to-performance ratios and have good management interfaces. One potential problem, though, is that the person managing the router must know the commands, administrative structure, and other details, and must master the router environment while handling the multitude of other things required of a network/system administrator in a small business or department. So, in some cases, router software may not be updated, filters may be inadequate, or routers may be treated as black boxes that are never to be touched.
Tip: If you don't need any major routing capabilities and are just looking for remote access services, you may want to install the RAS that comes with the NT Server 4.0 CD-ROM. Install RRAS only if you need the additional capabilities. We suggest this because RRAS needs Service Pack 3. If you add any components and apply Service Pack 3 again, the RRAS software stops functioning properly, and you have to install RRAS again. This problem doesn't occur with 2000 Server or NT 4.0 with Service Pack 4 or later.
Implementing and managing routers recently became much easier with the new updated RRAS 2.0 that is now included with 2000 Server. This service lets your NT Server take on the role of a small-to-medium-sized router. To implement RRAS 2.0 on an existing NT 4.0 Server, you can download it for free from http://www.microsoft.com/ntserver. Although it follows all the user-friendly characteristics of other NT administration and management tools, RRAS does require some knowledge of routers, routing principles, and sometimes just plain luck! If you are just looking for remote access and would prefer a real router or a Unix computer to do the job of routing, you may want to stick with RAS.
REMOTE ACCESS SERVICES
RAS is a secure, easy way to connect mobile and remote users to your network. RAS on NT makes it possible for a network to use TCP/IP, IPX, and NetBEUI. The RAS that is included with the standard NT 4.0 Server has the following features:
Multi-protocol routing via PPP support
Demand-dial routing
Multilink PPP
Integration with NetWare and SNA networks
Software data compression and data encryption
Programmability through RAS APIs
To install RAS, in Control Panel, open the Network applet, switch to the Services tab, and add the RAS service. You need one or more supported modems to allow dial-in and dial-out connections. After installing RAS, you must also install Service Pack 3 or later and apply any hot fixes that may be available.
To access the Remote Access Setup dialog box, in Control Panel, open the Network applet, switch to the Services tab, highlight Remote Access Service, and click Properties. From the dialog box that opens you can add modems, remove modems, clone modem settings, and modify the network configuration (see Figure 10.4).
If you click Network from the dialog box in Figure 10.4, you can select the protocols used to dial out as a RAS client (typically TCP/IP or IPX), as well as the protocols that the remote clients can use to access your network through RAS. For example, you can allow remote TCP/IP clients to access the entire network or only the RAS server. IP addresses can be assigned to remote clients using a DHCP server or from a static address pool. If a DHCP server is available, you should select Use DHCP to assign Remote TCP/IP Client Address. If you are using a static pool, you must provide a range of addresses that are valid in the RAS server's subnetwork. Otherwise, the RAS server will still authenticate the RAS client, but the client will be unable to communicate with the network or even with the RAS server itself.
When you select the protocols, you also select the encryption settings. The following encryption settings are available:
Allow any Authentication including Clear Text: Use this setting if
your clients are Unix computers or computers that use authentication schemes like SecurID;
any of your clients use the Password Authentication Protocol (PAP); or
different clients are using different authentication mechanisms.
Require encrypted authentication: Use this setting when all clients are using encrypted authentication, for example when all of your dial-up services are processed through a communications server that uses encrypted authentication.
Require Microsoft Encrypted Authentication: Uses the Microsoft Challenge Handshake Authentication Protocol (MS-CHAP). The benefit of this setting is that not even encrypted passwords are sent over the wire. Instead, the server sends a challenge to the client. Because the client has the password from the user, the client creates an answer to the challenge based on the password and a message digest. The server also calculates the answer from the user's authentication information. If the server's answer is the same as the answer that the client sends, the user is authenticated. Otherwise, the connection is rejected.
Enable Multilink: Allows NT Server computers to combine two or more physical links into a single pipe, also called a logical bundle. You can combine ISDN B channels or analog modem channels. (Note that this feature seems to work well in the United States and Canada. We've had difficulties implementing it in other countries.)
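The challenge/response flow described for MS-CHAP above, as an added example that is not part of the original chapter. It uses the RFC 1994 CHAP response function (MD5 over identifier, secret and challenge) to show the principle; MS-CHAP derives its response from the NT password hash with DES instead, but the exchange and the server-side comparison work the same way. The shared secret and challenge values are constructed.

```python
import hashlib
import hmac
import os

# Constructed illustration of a CHAP-style exchange: the password never crosses
# the wire, only a digest of (identifier || secret || challenge) does. MS-CHAP
# itself uses the NT hash and DES for the response, not MD5; the flow is the same.

IDENTIFIER = 1  # CHAP packet identifier; echoed in the response


def make_challenge(size: int = 16) -> bytes:
    """Server side: a fresh, unpredictable challenge for every attempt."""
    return os.urandom(size)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Client side: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def server_verify(identifier: int, stored_secret: bytes, challenge: bytes,
                  response: bytes) -> bool:
    """Server side: recompute the expected response from the user's stored
    authentication information and compare in constant time."""
    expected = chap_response(identifier, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


def run_exchange(client_secret: bytes, server_secret: bytes,
                 challenge: bytes, identifier: int = IDENTIFIER):
    """One authentication attempt; returns (authenticated, response_sent)."""
    response = chap_response(identifier, client_secret, challenge)
    return server_verify(identifier, server_secret, challenge, response), response


if __name__ == "__main__":
    secret = b"s3cret"            # constructed shared secret
    challenge = make_challenge()
    ok, resp = run_exchange(secret, secret, challenge)
    print("challenge:", challenge.hex(), "response:", resp.hex(), "auth:", ok)
    # A captured response is useless against the next challenge, which is why
    # the server must issue a new challenge per attempt and never accept a reused one.
    print("replayed response accepted:",
          server_verify(IDENTIFIER, secret, make_challenge(), resp))
```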
To continue with RAS installation, click Configure from the Remote Access Setup dialog box (Figure 10.4) to open a dialog box similar to Figure 10.5.
The selections available here are largely self-explanatory. You can dial out, receive calls, or do both.
Once you add RAS, you can allow users access to the service by configuring user accounts in User Manager for Domains. Double-click a user account in User Manager, then click Dial-in to bring up the dialog box in Figure 10.6. You can grant dial-in permission to specific users and set up the callback options listed there.
For ease of use, you could set up dial-in permissions in a template account, then copy the template account for each new dial-in user so that each user has the same permissions. This technique is explained in detail in Chapter 4.
You can start and stop RAS from the command prompt. The command net stop rasman stops all three RAS-related services: Remote Access Autodial Manager, Remote Access Connection Manager, and Remote Access Server. You can also click Start and select Programs, Administrative Tools, Remote Access Admin. Use the Server menu items within Remote Access Admin to stop the RAS server.
You can also pause the RAS server from the command prompt with the net pause servicename command. Pausing the service keeps any new users from accessing the server, but existing users can continue their work. When everyone has logged off, you can shut down the service for maintenance.
Special Note: The RAS setup that we have discussed so far is intended to let external clients communicate with the internal network. It is not intended to provide internal clients access to a modem pool through the network.
Microsoft has a bundled version of BackOffice and NT, called the Microsoft BackOffice Small Business Server (SBS). If you have a small network and are looking for an integrated solution in which you share modems and allow remote access from a small number (fewer than 50) of clients, you may want to consider SBS. SBS also has a number of other application services, including SQL Server and Exchange Server.
You can create a similar integrated solution with Linux. You can use Linux with Sybase server, sendmail, inn, a PPP server, SAMBA, and assorted other tools to assemble a set of services comparable to those that SBS offers. But SBS's ease of configuration and manageability may make it easier to deploy.
WINDOWS NT SECURITY
Because you are allowing access to your network when you set up a RAS server, it's important to consider the security issues that outside access raises. In the following sections, we cover