SON SON
Windows Server 2003 provides the ability to act as a router on your network and to provide remote access services to users outside your network. Routing And Remote Access (RRAS) in Windows Server 2003 provides VPN, routing, NAT, dialup and basic firewall services. Here’s how to use and configure these services.
Getting started
To get started, open up the Routing And Remote Access configuration utility at Start | Administrative Tools | Routing And Remote Access. Initially, RRAS is not enabled on the server. To enable it, right-click the server on which you wish to enable the services and choose Configure And Enable Routing And Remote Access. In Figure A below, you can see that I am enabling the service on the server named RAS
Figure A, Starting the initial RRAS configuration
The initial RRAS configuration starts a wizard that walks you through the steps that need to be taken to enable the services that you would like to offer. For the first example, I will enable VPN and NAT services on this server as shown below in Figure B.
Figure B, Choose the services you wish to support
When configuring VPN services under Windows Server 2003, you generally need to have two network interfaces if you also want the remote users to be able to use other services on the network. If you want them to use just the services on the VPN server, a single interface will do. In either case, you need to select the interface which faces the Internet. In Figure C, the adapter with address 192.168.229.128 acts in this capacity while 192.168.1.103 is the LAN side of the server.
Figure C, Select the adapter that faces the Internet.
If you do decide to use Windows Server 2003’s VPN services, I still recommend the use of a hardware firewall between the Internet and your VPN server. Windows has too many holes to be allowed a direct connection to the Internet.
To work on the local network, remote clients need to be assigned appropriate IP addresses. You can choose to use your network’s DHCP for this purpose or you can specify a range of addresses that are used by RRAS. If you decide to use a range of addresses, make sure that you remove them from any DHCP scopes in order to prevent conflicts.
I prefer to provide RRAS with a range of addresses rather than use DHCP. By providing a range, I always know exactly which IP addresses are being used by remote users.
If you select the option to provide RRAS with a range of addresses, they are defined on the next step of the wizard, shown in Figure D. For this example, I have assigned 192.168.1.200 to 192.168.1.224. Remember to assign addresses from the right network. I’m not using the 192.168.229 network because that one faces the Internet, while 192.168.1 faces my network, which has the resources that remote users need.
Figure D, Provide a range of addresses for remote clients to use.
If you are using RADIUS to authenticate users for other services, you can include RRAS in the mix if you like. This is especially useful in larger networks as RRAS will simply forward authentication requests to the RADIUS server. For this example, I will not use RADIUS, as shown in Figure E.
Figure E, Do you want to use RADIUS for authentication?
That’s all there is initially to configuring VPN and NAT services. While there were no NAT specific configuration options during the wizard, NAT was enabled and configured based on responses to other questions. For example, the NAT interface was designated as network interface facing the Internet and the private interface was designated as the LAN interface.
NAT
Even though NAT was configured during the wizard, there will come a time when you want to modify its configuration. To view NAT parameters and statistics, from the RRAS console, choose Your Server | IP Routing | NAT/Basic Firewall, as shown in Figure F.
Figure F, NAT/Basic firewall parameters
To configure the NAT services, right-click an interface and choose Properties. This will display the External Network Properties screen shown in Figure G. Since it’s responsible for the most NAT functions, the external adapter has more options related to the service.
Figure G, NAT properties for the external network interface
The NAT/Basic Firewall tab provides a place for you to configure the details directly relating to the service. If you don’t want to do NAT, you can uncheck the box marked Enable NAT on this device and vice versa. You can also choose to enable a basic firewall on the interface. If your server is directly connected to the Internet, I can’t stress enough the importance of enabling the firewalling feature as well as defining appropriate inbound filters.
You can configure both inbound and outbound filters by clicking the associated button at the bottom of the window. You can define filters based on the traffic destination or source, by the source or destination ports, or by ICMP type.
The Address Pool tab, shown in Figure H, requires that you enter the ranges of IP addresses assigned by your ISP and available for use on the external interface for NAT applications. Once you have this information in place, you can reserve addresses for specific internal machines by clicking the Reservations button and providing the IP address of the internal machine and the NAT IP address you would like it to use. Additionally, you can allow incoming connections to this machine by selecting the Allow incoming connections to this machine box (not shown).
Figure H, The Address Pool tab
On the Services And Ports tab, seen in Figure I, you can configure the services on your network to which you would like to provide access. Since I have a VPN server on this system, some options such as L2TP, PPTP, IKE and IKE NAT Traversal are already enabled. (IKE NAT Traversal, you say? Yes – under Windows Server 2003 with the appropriate client on the remote machine, you can use IPSec when using NAT). If you run other services on your network to which you would like to provide access to Internet users, select it from the list.
Figure I, The Services And Ports tab
Finally, the ICMP tab, Figure J, provides a place where you can allow specific ICMP services such as PING to traverse the router. Since ICMP can be used for nefarious purposes as well as to provide troubleshooting information, be careful what you enable.
Figure J, The ICMP interface
Routing
Routing is a basic component to both providing VPN services and NAT services under RRAS on Windows Server 2003. These services configure the router in order to best provide their individual services. However, you can use your server to provide more granular routing services as well. Specifically, Windows Server 2003 supports the RIP2 (Routing Information Protocol version 2) and OSPF (Open Shortest Path First) routing protocols. Of course, static routing capability is also provided.
To add RIP2 or OSPF to your RRAS server, right-click General under Your Server | IP Routing. From the shortcut menu, choose New Routing Protocol. A list of the currently unused routing protocols will be presented. Select the one you wish to enable and click OK. Once enabled, an option for configuring that protocol will appear under the IP Routing option in the RRAS console.
General IP routing options
Under the General option in the IP Routing section, there are a number of things you can do. Selecting this option shows a list of available network interfaces including the internal and the loopback interfaces, as seen in Figure K.
Figure K, The General IP routing tab
To perform further operations on an adapter, right-click the adapter and choose Properties from the shortcut menu. As you can see below in Figure L, there are a number of things that can be configured including filters, whether or not TCP/IP is enabled on this interface, router discovery advertisements, and more.
Figure L, General interface configuration
RIP2
RIP2 is a distance-vector-based routing protocol which means basically that it directs traffic based on the number of router hops that have to be taken to reach a destination. It’s an excellent choice for small- to medium-sized networks where static routes have become unwieldy. To see which interfaces on which RIP is enabled, select the RIP option under IP Routing, which will show the screen in Figure M. See above if you have not yet enabled RIP.
Figure M, RIP-enabled interfaces
To configure RIP parameters, right-click an interface and choose Properties. The first tab is the General tab, shown in Figure N, which is where you can define general information about how RIP will operate on your server. On this tab, Operation Mode refers to how RIP will update its tables. The two choices are Auto-static Mode and Periodic Update Mode, which is the default. Auto-static Mode means that an update will be triggered when another router requests an update while Periodic Update Mode means that the routing table will be updated at a defined interval (defined on the Advanced tab).
Figure N, The RIP General tab
The General tab also provides a place for you to define the incoming and outgoing protocol. For outgoing packets, you can choose RIP1 broadcast, RIP2 broadcast, RIP2 multicast or silent RIP. In silent mode, the system only listens for new RIP announcements but does not make any itself. If your network uses consistent network masks throughout, you can use RIP1, but I don’t recommend it unless you have devices that can only use RIP1. You can also specify the route cost for this interface as well as a tag number for the routes on this interface. Finally, a password can be specified to be used for RIP2 updates as a means of identification.
As with everything, security is a concern with network routing. You don’t want bad routes propagating across your network and interrupting communications. Fortunately, the WS2K3 RIP service allows you to provide lists of incoming and/or outgoing route updates that should be ignored. This is accomplished on the Security tab, shown in Figure O.
Figure O, The RIP Security tab
The Neighbors tab, Figure P, lets you specify how the RIP service should interact with its neighbors. On this tab, you can configure RIP to only broadcast its routes, to broadcast its routes in addition to notifying each neighbor, or to just notify neighbors.
Figure P, The RIP Neighbors tab
Finally, the RIP Advanced tab, Figure Q, provides a place to configure more advanced parameters such as the update interval, route expiration time, whether split-horizon and/or poison reverse is enabled and much more. Split horizon and poison reverse are useful in preventing routing loops.
Figure Q, The RIP Advanced tab
OSPF
Like RIP, OSPF is a routing protocol but that is where the similarities end. While RIP is distance-vector-based (loosely, “hop count”) protocol, OSPF is a link state protocol meaning that OSPF routers exchange information about the current state of their network connections when making routing determinations. While more complex than distance vector protocols, using link state protocols can result in more efficient network traffic flow as each router always has a map of the network and its current state.
To enable OSPF, you need to define which interface(s) it will act on. To do this, right-click OSPF and choose New Interface from the shortcut menu. As an example, I’ll enable OSPF on my internal network.
The General tab for the OSPF properties for the interface defines whether or not OSPF is enabled, its Area ID, priority, cost and password as well as the network types. Since I’m using Ethernet, OSPF assumes a broadcast-based environment, as you can see in Figure R.
Figure R, OSPF is enabled on the internal interface
The NBMA neighbors tab, Figure S, is only used by X.25, ATM, and Frame Relay networks. This allows you to manually specify neighbors in these types of networks.
Figure S, OSPF NBMA Neighbors tab
The OSPF Advanced tab, Figure T, allows you to customize OSPF operation to your network by configuring options such as the MTU, Hello Interval, and Transmit Delay.
Figure T, OSPF Advanced tab
Static Routes
The old standby and most people’s introduction to IP routing, static routes are also available in RRAS. Static routes allow you to manually define routes for this server rather than using a routing protocol such as RIP or OSPF. Static routing is generally used on small, static networks.
To create a new static route, right-click Static Routes under IP Routing and select New Static Route from the shortcut menu. To define a static route, you need the destination network’s address (the network address for a network route or the host address for a host route), the network mask for the destination, and the IP address of the gateway used to get to this network. Figure U below shows a route from my RAS server to the network 172.16.1.0.
Figure U, A list of the static routes on the server
To see the current routing table, right-click Static Routes and choose Show IP Routing Table. Figure V shows the routing table from the RAS server I have been using in these examples.
Figure V, The IP routing table
Remote VPN access, NAT, and IP routing are all integral parts of RRAS available in Windows Server 2003. While I don’t recommend a Windows server being directly exposed to the Internet, these services can still be safely used on the internal network to provide network connectivity and access to services that your users need.