Compartilhar via


RRAS Server

Applies To: Windows Server 2008

With Routing and Remote Access, you can deploy virtual private network (VPN) and dial-up remote access services and multiprotocol LAN-to-LAN, LAN-to-WAN, VPN, and network address translation (NAT) routing services.

Managed Entities

The following is a list of the managed entities that are included in this managed entity:

Name Description

RRAS RIP for IP

Routing and Remote Access supports Router Information Protocol (RIP) versions 1 and 2. RIP version 2 supports multicast announcements, simple password authentication, and more flexibility in subnetted and Classless InterDomain Routing (CIDR) environments.

RRAS DHCP Relay Agent (IPBOOTP)

The DHCP Relay Agent component is a Bootstrap Protocol (BOOTP) relay agent that relays Dynamic Host Configuration Protocol (DHCP) messages between DHCP clients and DHCP servers on different IP networks. The DHCP Relay Agent is compliant with RFC 1542, "Clarifications and Extensions for the Bootstrap Protocol." For each IP network segment that contains DHCP clients, either a DHCP server or a computer acting as a DHCP Relay Agent is required.

RRAS IGMP

Internet Group Management Protocol (IGMP) maintains host group membership on a local subnet. Hosts use IGMP to communicate multicast group membership requests with their local multicast router. Routers receive the group membership requests and periodically send queries to determine which host groups are active or inactive on the local subnet. This protocol is required to support Level 2 multicasting. Internet Protocol version 6 (IPv6) uses Multicast Listener Discovery (MLD) instead of IGMP to manage group membership.

RRAS Multicast Group Manager

The Multicast Group Manager (MGM) application programming interface (API) enables developers to write multicast routing protocols that interoperate with routers running the Multicast Group Manager. When more than one multicast routing protocol is enabled on a router, the MGM coordinates operations between all routing protocols. The MGM informs each routing protocol when group membership changes occur, and when multicast data from a new source or destined to a new group is received.

 

RRAS DHCPv6 Relay Agent

The DHCPv6 Relay Agent relays Dynamic Host Configuration Protocol (DHCP) messages between DHCP clients and DHCP servers on different Internet Protocol version 6 (IPv6) networks. The DHCPv6 Relay Agent is compliant with RFC 3315.

Aspects

The following is a list of all aspects that are part of this managed entity:

Name Description

RAS Connection

A server running Routing and Remote Access provides two different types of remote access connectivity: virtual private networking (VPN) and dial-up networking. VPN is the creation of secured, point-to-point connections across a private network or a public network, such as the Internet. A VPN client uses special TCP/IP-based protocols called tunneling protocols to make a virtual call to a virtual port on a VPN server. In dial-up networking, a remote access client makes a nonpermanent, dial-up connection to a physical port on a remote access server by using the service of a telecommunications provider, such as analog phone or ISDN. In contrast to dial-up networking, VPN is always a logical, indirect connection between the VPN client and the VPN server over a public network, such as the Internet.

RASMAN Service Configuration

Connection Manager is a client dialer and connection software program. You can customize it by using the Connection Manager Administration Kit (CMAK) wizard to create a service profile.

The Remote Access Connection Manager (RASMAN) service establishes the connection to the remote server.

RRAS Audits

The Routing and Remote Access service has determined that RRAS audits generated an audit entry when a system event was executed successfully. These events confirm successful Routing and Remote Access operations.

RRAS Authentication and Accounting

If a remote access server is configured for Windows authentication, the security features of Windows Server 2008 are used to verify the credentials for authentication, and the dial-in properties of the user account are used to authorize the connection.

If the remote access server is configured for RADIUS authentication, the connection request, including credentials, is forwarded to the RADIUS server for authentication and authorization. If the RADIUS server is a computer running Network Policy Server (NPS), NPS performs authentication against the credentials that are stored in the user account database, such as Active Directory Domain Services (AD DS) or the local Security Accounts Manager (SAM) database on the server running NPS. NPS performs authorization using the dial-in properties of the user account and with network policies that are configured in NPS.

RRAS Computer Certificate for EAP-TLS

When you use EAP with a strong EAP type, such as Transport Layer Security (TLS) with smart cards or certificates, both the client and the server use certificates to verify their identities to each other. For successful authentication, certificates must meet requirements both on the server and on the client.

For information about computer certificates for EAP-TLS, see "EAP Overview" and "Certificate Requirements for PEAP and EAP" in Windows Server 2008 NPS Help.

RRAS Connection Licenses

A client access license (CAL) is required for each client device or user that accesses a Windows Server operating system. Per-server connections to a server are allocated on a first-come, first-served basis, and are limited to the number of CALs allocated to the server. A server that is over its licensed connection limit will not accept remote connections.

RRAS Demand-Dial Connections

A demand-dial interface is a logical interface that represents a point-to-point connection. The point-to-point connection is based on either a physical connection, such as two routers connected over an analog phone line that uses modems, or a logical connection, such as two routers connected over a virtual private network (VPN) connection that uses the Internet. Demand-dial connections are either on-demand (the point-to-point connection is only established when needed) or persistent (the point-to-point connection is established and then remains in a connected state). Demand-dial interfaces typically require an authentication process to become connected. The equipment required by a demand-dial interface is a port on a device.

 

RRAS Hardware Devices

Routing and Remote Access uses network interface cards and modems to establish remote access connections.

RRAS IPCP Negotiation

The virtual private networking (VPN) server must have IP addresses available to assign them to the VPN server's virtual interface and to VPN clients during the IP Control Protocol (IPCP) negotiation phase of the connection process. The IP address assigned to the VPN client is assigned to the virtual interface of the VPN client. Routing and Remote Access can be configured to use a DHCP server to obtain IP addresses or it can use a static pool of IP addresses to assign to remote access and demand-dial connections.

RRAS IPsec Configuration

For L2TP-based virtual private networking (VPN) connections, a certificate infrastructure is required to issue computer certificates used to negotiate authentication for Internet Protocol security (IPsec). If a computer certificate required for IPsec is not available, the connection will fail.

 

RRAS Multicast Scope Configuration

A multicast scope is a named range of IP multicast addresses that is expressed with an IP address and mask. After multicast scopes are configured, you can use them to create scope-based multicast boundaries in the properties of an IP routing interface.

Routing and Remote Access can forward multicast traffic in limited network configurations. The primary use of Routing and Remote Access as a multicast router is to connect a subnet to a multicast-enabled intranet that contains routers running multicast routing protocols. To fully support efficient multicast forwarding on a multiple-router intranet, you must install multicast routers that run one or more multicast routing protocols.

RRAS NAP and Network Access Quarantine Control

Network Access Protection (NAP) provides a platform to help ensure that client computers on a private network meet administrator-defined requirements for system health. NAP enforcement occurs at the moment client computers attempt to access the network through network access servers, such as a virtual private network (VPN) server running Routing and Remote Access, or when client computers attempt to communicate with other network resources.

Network Access Quarantine Control is similar in function to NAP VPN enforcement, but it provides added protection for remote access connections only. NAP provides added protection for Internet Protocol security (IPsec)-based communications, 802.1X authenticated connections, VPN connections, Dynamic Host Configuration Protocol (DHCP) configuration, and Terminal Services Gateway (TS Gateway) connections.

.

RRAS Non-Microsoft DLLS

To successfully load a non-Microsoft dynamic-link library (DLL), the DLL must have the correct Windows system environment path and registry location.

RRAS Other Remote Access Server Configurations

Successful remote access and routing connections require the correct configuration of firewall settings and IP routing protocols.

 

RRAS Packet Filter Configuration

Routing and Remote Access supports IP packet filtering, which specifies which type of traffic is allowed into and out of the router. The packet filtering feature is based on exceptions. You can set packet filters per interface and configure them to do one of the following: pass through all traffic except packets prohibited by filters or discard all traffic except packets allowed by filters.

RRAS PPP Initialization

During connection initializaiton, Point-to-Point Protocol (PPP) uses Link Control Protocol (LCP) to negotiate link parameters, such as the maximum PPP frame size, the use of Multilink, and the use of a specific PPP authentication protocol.

RRAS Registry Configuration

Successful remote access and routing connections require the correct configuration of registry settings.

 

RRAS Routing Interfaces

The server running Routing and Remote Access uses a routing interface to forward unicast IP and multicast IP packets. There are two types of routing interfaces: LAN interfaces and demand-dial interfaces. A LAN interface is a physical interface that typically represents a local area connection that uses local area networking technology such as Ethernet or token ring. A demand-dial interface is a logical interface that represents a point-to-point connection. The point-to-point connection is based on either a physical connection, such as two routers connected over an analog phone line that uses modems, or a logical connection, such as two routers connected over a virtual private network (VPN) connection that uses the Internet.

RRAS Secure Socket Tunneling Protocol

Secure Socket Tunneling Protocol (SSTP) is a new form of virtual private networking (VPN) tunnel with features that allow traffic to pass through firewalls that block PPTP and L2TP/IPsec traffic. SSTP provides a mechanism to encapsulate Point-to-Point (PPP) traffic over the Secure Sockets Layer (SSL) channel of the HTTPS protocol. The use of HTTPS means traffic will flow through TCP port 443, a port commonly used for Web access.

RRAS Supporting Modules

To successfully load supporting modules, the dynamic-link library (DLL) must have the correct Windows system environment path and registry location.

Routing and Remote Access Service Infrastructure