Components of a Network Access Services Infrastructure
In Windows Server 2008, Network Access Services include the following:
- VPN Server
- Active Directory Domain Services (AD DS)
- IEEE 802.1X Devices – provide port-based authentication of users
- Dynamic Host Configuration Protocol (DHCP) Server – responsible for leasing IP addresses
- NAP Health Policy Server – provides authentication services for other network access components
- Health Registration Authority – obtains health certificates for clients that pass health policy verification
- Remediation Servers – new in Windows Server 2008: servers on a restricted network that bring non-compliant machines (for example, those missing the latest antivirus signatures or Windows updates) up to date by pushing the updates to the NAP client while it sits on the restricted network, before the client is allowed onto the main network
Network Policy and Access Services Role
The Network Policy and Access Services Role in Windows Server 2008 provides these components:
Component | Description |
Network Policy Server | Microsoft implementation of a RADIUS server and proxy |
Routing and Remote Access | Provides VPNs, dial-up solutions for users, full-featured software routers, and shares Internet connections across the intranet |
Health Registration Authority | Issues health certificates to clients that are using IPsec NAP enforcement |
Host Credential Authorization Protocol | Integrates with Cisco network access control server |
RADIUS (Remote Authentication Dial-In User Service) is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) management for computers that connect to a network. RADIUS is a client/server protocol. The RADIUS server usually runs as a background process on a UNIX or Microsoft Windows server.
The Network Policy and Access Services Role in Windows Server 2008 provides these network connectivity solutions:
- NAP: enforce health policies
- Secure wireless and wired access: with a secure certificate or password-based authentication method
- Remote access solutions: VPN or dial-up
- Central network policy management with RADIUS server and proxy
What is Routing and Remote Access?
Routing and Remote Access is built into Windows Server 2008 and can be used to:
- Provide remote users with access to resources on a private network using dial-up or VPN services
- Provide Network Address Translation (NAT) services: when you deploy VPN and NAT together, computers on the Internet cannot determine the IP addresses of computers on the private network, even though VPN clients can connect to computers on the private network as if they were on the same network
- Provide LAN and WAN routing services in order to connect network segments
How to Install Routing and Remote Access Services
- Go to Server Manager
- Select Roles
- Select Add Roles
- Click Next
- On the Select Server Roles page, check Network Policy and Access Services
- Click Next
- On the Network Policy and Access Services page, read the material and check out the links to Microsoft help, if desired, and click Next
- On the Select Role Services page, check Network Policy Server and Routing and Remote Access Services
- Click Next
- Click Install
After the install is completed, click Close to close Server Manager. You will see the Network Policy and Access Services role in Server Manager, with a red arrow underneath to indicate that Routing and Remote Access is not yet configured.
Network Authentication and Authorization
To access the Windows Server 2008 network, you must go through the Authentication and Authorization process.
Authentication verifies your credentials (user name and password) and uses an authentication protocol to send the encrypted user name and password from the remote access client to the remote access server.
Authorization verifies that the connection attempt is allowed; it occurs after a successful authentication.
Authentication Methods
Protocol | Description | Security |
PAP (Password Authentication Protocol) | Try to avoid it because it passes the password over the link in plain text. | Least secure protocol. |
CHAP (Challenge Handshake Authentication Protocol) | A challenge-response authentication protocol that uses the industry-standard MD5 (message digest) hashing scheme to hash the response. | An improvement over PAP because the password is not sent over the PPP link. Requires a plain-text version of the password to validate the challenge response and does not protect against remote server impersonation. |
MS-CHAPv2 | An upgrade to MS-CHAP that provides mutual authentication. | Stronger security than CHAP. |
EAP (Extensible Authentication Protocol) | Allows an arbitrary authentication method to be used for a remote access connection, using authentication schemes known as EAP types. | Strongest method of authenticating. |
Smart Cards | You must use EAP with the Smart Card or other certificate (TLS) EAP type, known as EAP-TLS. | Strongest form of authentication in the Windows Server 2008 family. |
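To make the PAP and CHAP rows of the table concrete, here is an added Python illustration (not code from the original page) of the two exchanges on a PPP link. The frame layouts are simplified stand-ins, the CHAP response computation follows RFC 1994, and the user names and secrets are constructed for the example.

```python
# Added example (not code from the page): PAP and CHAP on a PPP link, written to show
# why the table rates them as it does. Frame layouts are simplified; the CHAP
# computation follows RFC 1994 (Response = MD5(Identifier || secret || Challenge)).
import hashlib
import hmac
import os


def pap_authenticate_request(username: str, password: str) -> bytes:
    """PAP Authenticate-Request: user name and password cross the link as-is (simplified layout)."""
    return bytes([len(username)]) + username.encode() + bytes([len(password)]) + password.encode()


def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response value for the MD5 algorithm."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


class ChapAuthenticator:
    """Server side of CHAP.

    It must keep secrets in a form it can turn back into plain text, because the
    response can only be checked by recomputing MD5 over the plain-text secret; that
    is the 'requires a plain-text version of the password' drawback noted above.
    """

    def __init__(self, secrets: dict):
        self.secrets = secrets            # user name -> plain-text secret (constructed)
        self.outstanding = {}             # identifier -> challenge not yet answered

    def challenge(self) -> tuple:
        identifier = os.urandom(1)[0]
        chal = os.urandom(16)             # fresh random challenge for every attempt
        self.outstanding[identifier] = chal
        return identifier, chal

    def verify(self, username: str, identifier: int, response: bytes) -> bool:
        chal = self.outstanding.pop(identifier, None)   # a challenge is usable once
        secret = self.secrets.get(username)
        if chal is None or secret is None:
            return False
        expected = chap_response(identifier, secret, chal)
        return hmac.compare_digest(expected, response)


def run_chap_exchange(username: str, client_secret: str, server: ChapAuthenticator) -> dict:
    """One CHAP exchange; records every byte string that crossed the link."""
    link = []
    identifier, chal = server.challenge()
    link.append(chal)                                        # Challenge packet
    response = chap_response(identifier, client_secret, chal)
    link.append(response)                                    # Response packet
    ok = server.verify(username, identifier, response)
    return {
        "authenticated": ok,
        "secret_on_link": any(client_secret.encode() in frame for frame in link),
        "identifier": identifier,
        "response": response,
    }


def replay_is_rejected(username: str, secret: str, server: ChapAuthenticator) -> bool:
    """Re-sending a captured response fails because its challenge has already been consumed."""
    first = run_chap_exchange(username, secret, server)
    replayed = server.verify(username, first["identifier"], first["response"])
    return first["authenticated"] and not replayed
```

The exchange is one-way: the server learns nothing about the client except a correct response, and the client never learns anything that proves the server is genuine, which is the server-impersonation weakness the table mentions and what the mutual authentication of MS-CHAPv2 adds.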
Integrating DHCP Servers with Routing and Remote Access Service
DHCP servers can be integrated with the Routing and Remote Access service. To provide remote clients with an IP address, you can use either:
- The RRAS (Routing and Remote Access) server, started with the Use DHCP to assign remote TCP/IP addresses option, obtains a pool of ten IP addresses from the DHCP server. Of those ten, the RRAS server takes one for itself and keeps the remaining nine for remote connections. When these ten IP addresses are used up, the RRAS server acquires ten more from the DHCP server. IP addresses are freed when remote clients disconnect and are subsequently reused. When the Routing and Remote Access service stops, all IP addresses are released.
- The corporate DHCP server located on the corporate LAN
DHCP servers running Windows Server 2008 have a predefined user class called the Default Routing and Remote Access Class. It is used for assigning options to Routing and Remote Access clients.
Configure VPN Access
VPNs provide a point-to-point connection between the components of a private network through a public network, using tunneling protocols.
Components of a VPN Connection
VPN Client: the client operating system has to be capable of communicating with a VPN; Microsoft clients have had this capability all the way back to Windows NT and Windows 95.
VPN Tunnel: a secure tunnel is created over the Internet to the VPN server.
VPN Server: the VPN server is connected to our internal network, and the client has access to the internal network through the VPN server.
VPN Protocol: Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP), or, if the client is Windows Vista Service Pack 1 or later, Secure Socket Tunneling Protocol (SSTP).
Tunneling Protocols
For a tunneling protocol for a VPN connection into our network, we can use:
- PPTP (Point-to-Point Tunneling Protocol): Encrypts multi-protocol traffic, encapsulates it in an IP header, and sends it across an IP network or public IP network. PPTP can be used for remote access and site-to-site VPN connections. PPTP traffic is sent over port 1723, which may be blocked by default on company firewalls, web proxies, or NAT routers, preventing successful VPN connections.
  - PPTP encapsulates PPP frames in IP datagrams.
  - The PPP payload (IPv4 packet) is encrypted with Microsoft Point-to-Point Encryption (MPPE). The encryption keys are generated from the MS-CHAPv2 or EAP-TLS authentication process.
- L2TP (Layer 2 Tunneling Protocol): Encrypts multi-protocol traffic and sends it over media that support point-to-point datagram delivery, such as IP or Asynchronous Transfer Mode (ATM). L2TP combines the best features of PPTP and Layer 2 Forwarding (L2F). L2TP uses IPsec in transport mode for encryption, known as L2TP/IPsec. L2TP/IPsec-based VPN connections require manually opening ports on firewalls to ensure a successful VPN connection. The VPN client and server must both support L2TP and IPsec. L2TP is built into Windows XP, Windows Vista, and Windows 7 remote access clients. VPN server support for L2TP is built into Windows Server 2008 and Windows Server 2003. L2TP traffic is sent over port 1701.
  - Encapsulation for L2TP/IPsec packets consists of two layers.
  - The first layer wraps a PPP frame (IP datagram) with an L2TP header and a User Datagram Protocol (UDP) header.
  - The second layer, the IPsec encapsulation, wraps the resulting L2TP message with an IPsec Authentication trailer that provides authentication, and a final IP header. The IP header contains the source and destination IP addresses corresponding to the VPN client and server.
  - The L2TP message is encrypted with either Advanced Encryption Standard (AES) or Triple DES (3DES), using encryption keys generated by the IKE negotiation process.
- SSTP (Secure Socket Tunneling Protocol): Available if the clients are running at least Windows Vista Service Pack 1 or Windows Server 2008. It uses TCP port 443 to pass Point-to-Point Protocol (PPP) data frames through firewalls and web proxies that could block PPTP and L2TP/IPsec traffic. TCP port 443 is used for all secure websites. SSTP is only supported on Windows Vista Service Pack 1 or Windows Server 2008.
  - SSTP encapsulates PPP traffic over the Secure Sockets Layer (SSL) channel of the HTTPS protocol.
  - Encryption is performed by the SSL channel of the HTTPS protocol.
  - SSTP VPN connections require a computer certificate issued by a CA trusted by the VPN server. The root CA certificate of the VPN server's computer certificate should be installed on the client computers.
  - To ensure clients are able to obtain a certificate over the Internet from the VPN server, you should install the AD CS and IIS roles. After installing AD CS and IIS, you should install the Server Authentication certificate on the VPN server.
- IKEv2 (Internet Key Exchange version 2): Uses the IPsec tunnel mode protocol over UDP port 500. IKEv2 is a good choice for mobile users because of its support for mobility (MOBIKE). IKEv2 is very resilient to changing network connectivity, for example for users who switch from a wired to a wireless connection, and is required for VPN Reconnect. VPN Reconnect is a feature in Windows Server 2008 R2 and Windows 7 that seamlessly maintains connectivity across networks: it automatically re-establishes VPN connections when connectivity is available and maintains the connection even if users move between different networks, while keeping the connection status transparent to users. A Public Key Infrastructure (PKI) is required because a computer certificate is needed for the remote connection.
  - Datagrams are encapsulated using IPsec ESP or AH headers.
  - Messages are encrypted with encryption keys generated in the IKEv2 negotiation process, using the AES 256, AES 192, AES 128, or 3DES encryption algorithms.
You install Routing and Remote Access on one of your servers and name it VPN1. You decide to configure the server as a virtual private networking (VPN) server, using Secure Socket Tunneling Protocol (SSTP) to prevent VPN connectivity problems when users are behind firewalls, proxies, or network address translation (NAT) routers.
You install the Internet Information Services (IIS) and Active Directory Certificate Services (AD CS) roles on VPN1 to issue the required computer certificate for an SSTP-based VPN connection. You create and install the Server Authentication certificate on VPN1.
What is the next thing you should do to make sure clients are able to connect to the VPN1 using SSTP-based VPN connections?
Answer: Install the root CA certificate of the VPN Server's computer certificate on the client computers. SSTP VPN connections require a computer certificate issued by a CA trusted by the VPN server. Therefore, install the AD CS role in your network. When you want to ensure clients can obtain a certificate over the Internet from VPN1, you should install the IIS role. IIS is a required role for the Certificate Authority Web Enrollment Web Service. After installing AD CS and IIS, you should create and install the Server Authentication certificate on the VPN server. A VPN client must have the root CA certificate of the VPN server's computer certificate installed in order to use an SSTP connection.
What are the VPN server configuration requirements?
- Two network interfaces (configure one for the public Internet and one for the private network; consider naming the network interfaces appropriately so your remote access VPN server will operate correctly)
- IP address allocation (use a static pool on the Routing and Remote Access server or use DHCP. Note: if the DHCP server is not on the same subnet as your internal network, you might need DHCP relay (also called BOOTP forwarding) agents. If your router is running Windows Server 2008 or Windows Server 2008 R2, you can configure the DHCP Relay Agent service on the router to forward DHCPINFORM messages between subnets. DHCP relay is defined in RFC 1542 and must be enabled on the server running Routing and Remote Access.)
- Authentication provider (NPS/RADIUS or the VPN server itself)
- Local Administrators group membership or equivalent is required
How to Configure VPN Access
Configure a VPN Client Connection on a Windows Vista client
- Start | Connect To
- Select Set up a connection or network
- On the Connect to a network page, select Connect to a workplace
- Click Next
- Select Use my Internet connection (VPN)
- On the page that displays, you can enter either the IP address or the FQDN of the VPN server. On the same page, you can indicate:
  - Whether you want to log on with a smart card
  - Whether you want other people to use this connection
  - Or whether you just want to set it up and connect later (we will choose this option, for now)
- Click Next
- Type your user name and password in the space provided
- Select Create
- Click Close
- Start | Connect To
- You can now see your VPN connection. Highlight it to see the VPN properties: the General tab, the Options tab, the Security tab, and the Networking and Sharing tabs.
- Click OK
- Click Connect or Cancel
Configure a VPN Server
- Start | Administrative Tools | Routing and Remote Access
- Right click the server name and select Configure and Enable Routing and Remote Access
- The Wizard appears. Click Next.
- Select Remote access (dial-up or VPN)
- Click Next
- On the Remote Access display, the options are VPN or Dial-up, choose VPN
- Click Next
- Now, you can select the network interface adapter (best practice is to rename the external adapter to indicate the public network and rename the internal adapter to indicate the private network)
- You can enable security on the selected interface by marking the check box; then click Next
- On the IP Address Assignment page, under How do you want IP addresses to be assigned to remote clients?, select Automatically or From a specified range of addresses.
- Click Next
- Indicate whether you want to use RADIUS to authenticate
- Click Next
- Click Finish to start the Routing and Remote Access service
- A message alert displays: “Routing and Remote Access has created a default connection request policy called Microsoft Routing and Remote Access Service Policy. To ensure that this new policy does not conflict with the existing Network Policy Server (NPS) connection request policies, open the NPS console and verify that it is configured properly.”
- Click OK.
- Another message alert displays, “To support the relaying of DHCP messages from remote access clients, you must configure the properties of the DHCP Relay Agent with the IP address of your DHCP server. Click Help for more information.”
- Click OK.
- The Routing and Remote Access Service starts.
- If you expand the server node, you will see the following nodes: Network Interfaces, Ports, Remote Access Clients (0), Remote Access Logging & Policies.
Complete Additional Tasks
- Configure static packet filters to create inbound and outbound rules for traffic, such as a packet filter for ICMP (this can be done through Windows Firewall), to protect your network.
- Configure services and ports you want to make available for remote access users.
- Adjust logging levels for routing protocols
- Configure number of available VPN ports (add or remove VPN ports)
- Create a Connection Manager profile for users to simplify configuration and troubleshooting of client connections.
- Add Certificate Services for Active Directory. Configure and manage a certification authority (CA) on a server for use in a PKI. Make sure you install the root Certification Authority (CA) certificate of the VPN server's computer certificate on the client computers.
- Increase remote access security by enforcing use of secure authentication methods.
- Increase VPN security by requiring the use of secure tunneling protocols, account lockout, etc.
- Consider VPN Reconnect to provide seamless VPN connections.
What is a Network Policy?
A network policy is a set of conditions, constraints, and settings. A network policy allows or prevents a user from gaining access to a VPN or a remote access solution. Examples of some of the conditions are:
- Does the user have dial-in permission?
- Is the user accessing with the correct type of protocol?
- Does the user belong to a group and is that group allowed remote access?
- Is the user connecting at the correct time?
- Is there any call back selected for this user?
Note: when you have NAP deployed, health policy is added to the network policy configuration and NPS performs client health checks during authorization.
What is the process for creating and configuring a network policy?
- Determine authorization by user or group
- Determine appropriate settings for the user account’s network access permissions
- Configure the New Network Policy Wizard:
- Network Policy conditions
- Network Policy constraints
- Network Policy settings
How are network policies processed?
- The server is checked to see if there are policies to process.
- If there are network policies, does the connection attempt match the policy conditions? If the answer is no, the next policy is checked.
- If the answer to the above is yes, is the remote access permission for the user account set to Deny Access?
- If the answer to the above is yes, the server rejects the connection attempt.
You can configure network policy in the NPS MMC snap-in or the Routing and Remote Access Service MMC snap-in.
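The first-match processing sequence described above, written out in Python as an added example (not the page's or NPS's own code). Policy and request fields are a small subset chosen for illustration; the user-account dial-in values "Allow", "Deny" and "Control via policy" stand for the account's Network Access Permission setting, and the "Allow overrides the policy unless the policy ignores dial-in properties" rule is NPS behaviour the page does not spell out. The policy set and users are constructed.

```python
# Added example (not the page's or NPS's own code): a model of first-match
# network policy processing. Conditions, constraints and account settings are a
# small illustrative subset; all names and policies below are constructed.
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class NetworkPolicy:
    name: str
    user_groups: set = field(default_factory=set)     # condition: member of ANY listed group (empty = not checked)
    nas_port_types: set = field(default_factory=set)  # condition: e.g. {"Virtual (VPN)"} (empty = not checked)
    allowed_hours: tuple = None                       # day-and-time condition: (start_hour, end_hour), None = none
    grant: bool = True                                # Access granted / Access denied
    ignore_user_dialin: bool = False                  # "Ignore user account dial-in properties"


@dataclass
class ConnectionRequest:
    user: str
    groups: set
    dialin: str           # account's Network Access Permission: "Allow", "Deny", or "Control via policy"
    nas_port_type: str
    when: datetime


def policy_matches(policy: NetworkPolicy, req: ConnectionRequest) -> bool:
    """All configured conditions must match; an unset condition matches anything."""
    if policy.user_groups and not (policy.user_groups & req.groups):
        return False
    if policy.nas_port_types and req.nas_port_type not in policy.nas_port_types:
        return False
    if policy.allowed_hours is not None:
        start, end = policy.allowed_hours
        if not start <= req.when.hour < end:
            return False
    return True


def evaluate(policies: list, req: ConnectionRequest) -> tuple:
    """Return (decision, policy_name). Policies are tried in processing order; the first
    match decides and later policies are never consulted. No match at all means reject."""
    for policy in policies:
        if not policy_matches(policy, req):
            continue                                    # "the next policy is checked"
        if not policy.ignore_user_dialin:
            if req.dialin == "Deny":                    # account set to Deny Access -> rejected
                return ("Reject", policy.name)
            if req.dialin == "Allow":                   # account set to Allow overrides the policy's permission
                return ("Accept", policy.name)
        return ("Accept" if policy.grant else "Reject", policy.name)
    return ("Reject", None)


# Constructed policy set: a deny rule for contractors placed first so it wins over
# the broader grant rule, then the VPN grant rule for Domain Admins and VPN Users.
POLICIES = [
    NetworkPolicy("Block contractors", user_groups={"Contractors"}, grant=False,
                  ignore_user_dialin=True),
    NetworkPolicy("Company VPN", user_groups={"Domain Admins", "VPN Users"},
                  nas_port_types={"Virtual (VPN)"}, allowed_hours=(6, 22)),
]


def decide(user: str, groups: set, dialin: str = "Control via policy",
           nas_port_type: str = "Virtual (VPN)", hour: int = 9) -> tuple:
    """Evaluate one constructed connection attempt against POLICIES."""
    req = ConnectionRequest(user, set(groups), dialin, nas_port_type,
                            datetime(2010, 3, 14, hour, 0))
    return evaluate(POLICIES, req)
```

Ordering is the security-relevant detail: because only the first matching policy is consulted, a deny policy for a group has to sit above any grant policy whose conditions that group also satisfies, and a user in no matching group is rejected by default rather than falling through to a permissive policy.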
Create and Configure a Network Policy
- START | Administrative Tools | Network Policy Server
- Select the Policies folder
- Select Network Policies and right-click
- Select New
- In the Policy Name: text box, type in a policy name
- Under the Type of network access server:, we will select Remote Access Server (VPN-Dial up)
- Under Vendor specific, enter any hardware settings the vendor might have provided
- Click Next
- On the Specify Conditions page, select the conditions. The list is huge. We will select User Groups.
- Click the Add button. On the Select Group page, enter Domain Admins (provides access to the VPN server to Domain Administrators)
- Click Check Names and OK (now the User Groups belongs to Domain Admins)
- Click Next
- On the Specify Access Permission page, we will select Access granted (Grant access if client connection attempts match the conditions of this policy.)
- Click Next
- On the Configure Authentication Methods page, we will select Microsoft Encrypted Authentication version 2 (MS-CHAP-v2)
- Click Next
- On the Configure Constraints page, the first constraint is Idle Timeout. We will specify 5 minutes as the maximum time the connection can remain idle before it is disconnected.
- You also have Session Timeout, Called Station ID, Day and time restrictions, and NAS Port Type. Under NAS Port Type, we will check Virtual (VPN)
- Click Next
- On the Configure Settings page, under the Routing and Remote Access section, under Encryption, we will deselect No encryption and leave Basic, Strong, and Strongest encryption for our clients.
- Click Next
- Click Finish
Connection Manager Administration Kit
How do you control and configure the client network connections?
Built into Windows Server 2008 is CMAK, the Connection Manager Administration Kit. CMAK configures the client settings and distributes them as an .exe to the client computers, allowing them to connect to a remote network such as an Internet Service Provider (ISP) or a corporate network protected by a VPN server. The client runs the .exe and their computer is automatically configured to establish the network connection you have designed. This reduces end-user errors and help desk calls.
CMAK is not installed by default.
To install CMAK:
- Launch Server Manager.
- CMAK is configured as a Feature. Select Features. Select Add Features.
- The Add Features Wizard appears. Check off Connection Manager Administration Kit.
- Click Next.
- Select Install.
- Click Close.
- Click Next
- Select Features and press F5 to refresh; you can now see the Connection Manager Administration Kit in the Features Summary.
- Close Server Manager
- Go to the START | Administrative Tools | Connection Manager Administration Kit to create a connection profile.
How to Configure a Connection Profile
CMAK contains the Connection Profile Wizard, which assists us in creating client connection profiles.
- START | Connection Manager Administration Kit
- Click Next
- On the Select Target Operating System page, we will choose Windows Vista as the operating system on which this Connection Manager profile will run.
- Click Next
- Select New Profile
- Click Next
- On the Specify the Service Name and the File Name page, type the name that will appear in Connection Manager and type the file name that will identify the Connection Manager profile on disk. We will use Company VPN for the Service Name and company for the file name.
- Click Next
- On the Specify a Realm Name page, select Do not add a realm name to the user name for this example
- Click Next
- We can choose to Merge Information from Other Profiles on the next page.
- Click Next
- On the Add Support for VPN Connections page, we choose Phone book from this profile and enter the VPN server name or IP address.
- Then, we choose to Use the same user name and password for VPN and dial-up connections.
- Click Next
- We can Create or Modify a VPN Entry
- You can click on Edit to review and/or change the settings
- Click OK
- Click Next
- On the Add a Custom Phone Book (a collection of access numbers that users can dial to connect to a remote dial-up network) page, click Next because we are using a single VPN server.
- On the Configure Dial-up Networking Entries page, click Next
- On the Specify Routing Table Updates page, Click Next
- On the Configure Proxy Settings for Internet Explorer page, Click Next
- We can Add Custom Actions to perform additional configuration tasks on client computers, if desired.
- Click Next
- We can display custom graphics on the connection attempt, on the Display a Custom Logon Bitmap page.
- Click Next
- On the Display a Custom Phone Book Bitmap page, click Next
- On the Display Custom Icons page, Click Next
- You can Include a Custom Help File. Click Next
- You can Display Custom Support Information by entering a phone number for custom support help. Click Next
- Display a Custom License Agreement is where you enter the license agreement that is displayed on the client side when the .exe file is run. Click Next
- Install Additional Files with the Connection Manager profile. Click Next
- You can select Advanced customization on the Build the Connection Manager Profile and Its Installation Program page. Insert a check mark for this example.
- On the next page, we can choose the File name, Section name, Key name, and Value. Click Next
- Click Finish to create the profile. Note the profile path name. Copy it into Windows Explorer or the Run command and open. A text box appears asking “Do you wish to install Company VPN?” You can also browse to the file path to view it.
- After the .exe is installed on the client side, the user clicks Yes, a display box appears allowing them to connect to the Company VPN.
Troubleshooting Routing and Remote Access
TCP/IP Troubleshooting Tools
Command | Description |
Ipconfig | Displays the current TCP/IP network configuration; renews and releases DHCP-allocated leases; displays, registers, and flushes DNS names |
Ping | Sends ICMP Echo Request messages to verify that TCP/IP is configured correctly and that a host is available |
Pathping | Displays the path to a TCP/IP host and packet losses at routers |
Tracert | Displays the path to a TCP/IP host |
Example:
START | CMD
- Ipconfig /all
- Ipconfig /? for the help menu for ipconfig (the up and down arrows let you scroll through your previously typed commands)
- Ipconfig /flushdns (flushes the client machine's resolver cache)
- Ping computername (verifies that the host name is being resolved to its correct IP address; the ping might not succeed because packet filtering prevents the delivery of ICMP messages to and from the VPN server)
- Ping /?
- Ping -t computername (pings the host until stopped; terminate the ping with Ctrl-C)
- Cls to clear the screen
- Pathping computername (gives percentage values for packet loss; a large loss could indicate a damaged cable or other device, or an under-performing server)
- Tracert computername (traces how many hops are on the route to a server)
Authentication and Accounting Logging (3 types)
- Event logging for auditing and troubleshooting connection attempts
- Logging authentication and accounting requests to a local file
- Logging authentication and accounting requests to a SQL server database
Note: You should keep the log files on a separate partition from the system partition, in order to prevent loss of hard-drive space. NPS in Windows Server 2008 stops processing connection requests if RADIUS accounting fails due to a full hard-disk drive or other causes. NPS in Windows Server 2008 R2 can be configured to continue processing connection requests when logging fails.
Configure Log File Properties
Applies To: Windows Server 2008 R2
You can configure Network Policy Server (NPS) to perform Remote Authentication Dial-In User Service (RADIUS) accounting for:
- user authentication requests
- Access-Accept messages
- Access-Reject messages
- accounting requests and responses
- periodic status updates
You can use this procedure to configure the log files in which you want to store the accounting data.
To prevent the log files from filling the hard drive, it is strongly recommended that you keep them on a partition that is separate from the system partition. The following provides more information about configuring accounting for NPS:
- To send the log file data for collection by another process, you can configure NPS to write to a named pipe. To use named pipes, set the log file folder to \\.\pipe or \\ComputerName\pipe. The named pipe server program creates a named pipe called \\.\pipe\iaslog.log to accept the data. In the Local file properties dialog box, in Create a new log file, select Never (unlimited file size) when you use named pipes.
- The log file directory can be created by using system environment variables (instead of user variables), such as %systemdrive%, %systemroot%, and %windir%. For example, the following path, using the environment variable %windir%, locates the log file at the system directory in the subfolder \System32\Logs (that is, %windir%\System32\Logs\).
- Switching log file formats does not cause a new log to be created. If you change log file formats, the file that is active at the time of the change will contain a mixture of the two formats (records at the start of the log will have the previous format, and records at the end of the log will have the new format).
- If RADIUS accounting fails due to a full hard disk drive or other causes, NPS stops processing connection requests, preventing users from accessing network resources.
- NPS provides the ability to log to a Microsoft® SQL Server™ database in addition to, or instead of, logging to a local file.
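Reading the accounting data back out is the point of keeping it. The following is an added Python example (not from the page) that parses NPS local-file logs in the Database-compatible comma-separated format and tallies the packet types listed above, then flags users with repeated Access-Reject records. Column positions are an assumption based on the documented database-compatible layout (packet type in column 5, user name in column 6, calling station in column 9, reason code in column 26); verify them against your own NPS version before relying on the indices. The log lines, names and addresses are constructed.

```python
# Added example (not from the page): a reader for NPS accounting logs in the
# "Database-compatible" comma-separated format, run over constructed sample lines.
# Column positions assume the documented database-compatible layout; treat them as
# an assumption and check them against your NPS version.
import csv
import io
from collections import Counter, defaultdict

PACKET_TYPES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
                4: "Accounting-Request", 11: "Access-Challenge"}
COL_DATE, COL_TIME, COL_PACKET_TYPE, COL_USER, COL_CALLING_STATION, COL_REASON = 2, 3, 4, 5, 8, 25

# Constructed sample log: one successful VPN logon by alice with its accounting record,
# four failed attempts for bob from one source address, and one failure for carol.
# Reason codes are the raw numeric values the format carries; consult the NPS
# reason-code list to interpret them.
SAMPLE_LOG = r'''"VPN1","IAS",03/14/2010,09:12:05,1,"CORP\alice","CORP\alice",,"203.0.113.7",,,"VPN1","192.0.2.10",3,0,"192.0.2.10","VPN1",,,5,,1,2,4,,
"VPN1","IAS",03/14/2010,09:12:05,2,"CORP\alice","CORP\alice",,"203.0.113.7",,,"VPN1","192.0.2.10",3,0,"192.0.2.10","VPN1",,,5,,1,2,4,"Company VPN",0
"VPN1","IAS",03/14/2010,09:12:06,4,"CORP\alice","CORP\alice",,"203.0.113.7",,,"VPN1","192.0.2.10",3,0,"192.0.2.10","VPN1",,,5,,1,2,4,"Company VPN",0
"VPN1","IAS",03/14/2010,09:30:01,3,"CORP\bob","CORP\bob",,"198.51.100.9",,,"VPN1","192.0.2.10",4,0,"192.0.2.10","VPN1",,,5,,1,2,4,"Company VPN",16
"VPN1","IAS",03/14/2010,09:30:07,3,"CORP\bob","CORP\bob",,"198.51.100.9",,,"VPN1","192.0.2.10",4,0,"192.0.2.10","VPN1",,,5,,1,2,4,"Company VPN",16
"VPN1","IAS",03/14/2010,09:30:13,3,"CORP\bob","CORP\bob",,"198.51.100.9",,,"VPN1","192.0.2.10",4,0,"192.0.2.10","VPN1",,,5,,1,2,4,"Company VPN",16
"VPN1","IAS",03/14/2010,09:30:19,3,"CORP\bob","CORP\bob",,"198.51.100.9",,,"VPN1","192.0.2.10",4,0,"192.0.2.10","VPN1",,,5,,1,2,4,"Company VPN",16
"VPN1","IAS",03/14/2010,10:02:44,3,"CORP\carol","CORP\carol",,"192.0.2.77",,,"VPN1","192.0.2.10",5,0,"192.0.2.10","VPN1",,,5,,1,2,4,"Company VPN",48
'''


def parse_nps_log(text: str) -> list:
    """Turn database-compatible log text into a list of records (dicts)."""
    records = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) <= COL_USER or not row[COL_PACKET_TYPE].isdigit():
            continue                                   # blank or truncated line
        reason = row[COL_REASON] if len(row) > COL_REASON else ""
        code = int(row[COL_PACKET_TYPE])
        records.append({
            "timestamp": f"{row[COL_DATE]} {row[COL_TIME]}",
            "packet_type": PACKET_TYPES.get(code, f"type {code}"),
            "user": row[COL_USER],
            "calling_station": row[COL_CALLING_STATION],
            "reason_code": int(reason) if reason.isdigit() else None,
        })
    return records


def packet_type_summary(records: list) -> Counter:
    """How many of each RADIUS packet type the log holds."""
    return Counter(r["packet_type"] for r in records)


def repeated_rejects(records: list, threshold: int = 3) -> dict:
    """Users with at least `threshold` Access-Reject records, with the source
    addresses and reason codes seen: a simple signal worth alerting on."""
    per_user = defaultdict(lambda: {"count": 0, "sources": set(), "reason_codes": set()})
    for r in records:
        if r["packet_type"] != "Access-Reject":
            continue
        entry = per_user[r["user"]]
        entry["count"] += 1
        entry["sources"].add(r["calling_station"])
        entry["reason_codes"].add(r["reason_code"])
    return {user: entry for user, entry in per_user.items() if entry["count"] >= threshold}
```

Because a format switch leaves a mixed file (see above), run a reader like this only over files written after the switch, or branch on the record shape: IAS-format lines carry attribute-value pairs rather than the positional columns this parser expects.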
Configuring Remote Access Logging
Start | Administrative Tools | Routing and Remote Access
Right-click servername | Properties
Click the Logging tab to view the available options for the tracing log:
- Log errors only
- Log errors and warnings
- Log all events
- Do not log any events
- Log additional Routing and Remote Access information (enables you to specify whether the events in the PPP connection-establishment process for remote access and demand-dial routing connections are written to the PPP.LOG file stored in the systemroot\Tracing folder)
How to use command line for configuring Routing and Remote Access Server
The Routing and Remote Access service in Windows Server 2008 R2 has an extensive tracing capability.
To enable and disable tracing for a specific component:
Netsh ras set tracing component enabled | disabled
where component is a component in the list of Routing and Remote Access service components found in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing
To enable tracing for all components:
Netsh ras set tracing * enabled
- Netsh
  - Netsh ras diagnostics set rastracing * enabled (enables tracing on all components in RAS)
- Registry
  - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing
You can enable and disable tracing for components while the Routing and Remote Access service is running. Each component is capable of tracing and appears as a subkey under the preceding registry key.
Note: Tracing consumes resources, so you should disable it when you have finished troubleshooting.
Configure NPS Log File Properties
- Open the NPS (Network Policy Server) MMC snap-in
- Click Accounting
- In the details pane, right-click Local File Logging, then click Configure Local File Logging
- In the dialog box, on the Log File tab, in Directory, type where you want to store NPS log files. The default location is systemroot\System32\LogFiles folder
- In Format, click Database-compatible. If you would like to keep your log files in IAS format, click IAS.
- To configure NPS to start new log files at specified intervals, click the interval you want to use:
- Daily: Heavy transaction volume and logging activity
- Weekly or Monthly: Less transaction volume and logging activity
- Never (unlimited file size): All transactions in one log file
- When log file reaches this size: To limit the size of each log file, type the file size. The default is 10 MB
- To delete log files automatically when the disk is full, click When disk is full delete older log files
Note: You must be a member of the Domain Admins, Enterprise Admins, or Administrators group on the local computer.
Check Logging in Event Viewer
- Start | Administrative Tools | Event Viewer
- Expand Windows Log
- Select System
- Review the entries in the detail pane for the source RemoteAccess to see the logged data
- Close Event Viewer
Common Troubleshooting Solutions
- Error 800: VPN unreachable
  - Cause: PPTP/L2TP/SSTP packets cannot reach the VPN server.
  - Solution: The firewall on the client computer could be the cause
    - PPTP: Open TCP port 1723 and forward IP protocol 47 (GRE). Generic Routing Encapsulation (GRE) is used in conjunction with Point-to-Point Tunneling Protocol (PPTP) to create virtual private networks (VPNs) between clients or between clients and servers.
    - L2TP: Open UDP port 1701 and allow IPsec ESP-formatted packets (IP protocol 50)
    - SSTP: Allow TCP port 443
- Error 721: Remote computer not responding
  - Cause: Firewall does not permit GRE traffic (IP protocol 47). PPTP uses GRE for tunneled data.
  - Solution: Configure the network firewall to permit GRE and to permit TCP traffic on port 1723.
- Error 741/742: Encryption mismatch
  - Cause: The VPN client requests an invalid encryption level, or the VPN server does not support this type of encryption
  - Solution: Check the Security tab of the VPN connection's properties on the VPN client. If Require data encryption is selected, clear the selection and retry the connection. If using NPS, check the encryption level in the network policy in the NPS console or in the policies on other RADIUS servers.
- L2TP/IPsec Authentication Issues
  - No certificate: Check the Local Computer certificate stores of the remote access client and remote access server to ensure a suitable certificate exists (required for L2TP/IPsec connections)
  - Incorrect certificate:
  - A NAT device exists between the remote access client and remote access server: Client and server must both support IPsec NAT-T if NAT is present.
  - A firewall exists between the remote access client and remote access server: Verify that the firewall allows forwarding of L2TP/IPsec traffic.
- EAP-TLS Authentication Issues
  - The current date must be within the certificate validity dates.
  - Certificate has been revoked.
  - The certificate must have a valid digital signature, with the exception of the root CA certificate.
Question: Your network is having intermittent problems. Some segments are lost during peak periods. It seems this problem occurs because of router congestion during these peak periods. What can you do about this?
Answer: You should enable Explicit Congestion Notification (ECN) in your network. ECN was designed for just this type of problem. Routers that are experiencing congestion flag packets passing through the router. Hosts receiving these packets lower their transmission rate to the router's transmission rate. This lowers the congestion and helps to stop the packet loss in the network segment. It has minimal impact on network performance.