RAS遠(yuǎn)程訪問和VPN服務(wù)器架構(gòu)

配置遠(yuǎn)程訪問概述：介紹遠(yuǎn)程訪問的根底結(jié)構(gòu)配置VPN連接配置撥號(hào)連接配置無線連接為DHCP集成配置路由和遠(yuǎn)程訪問利用遠(yuǎn)程訪問策略控制用戶的遠(yuǎn)程訪問介紹遠(yuǎn)程訪問的根底結(jié)構(gòu)NetworkAccess

ServerIASServerDHCPServerDomainControllerDial-upClientWirelessAccessPointWirelessClientVPNClient建立遠(yuǎn)程訪問連接〔1〕LANProtocolsRemoteAccessProtocolsLocalAreaNetworkLANProtocolsRemoteAccessProtocolsInternetRemoteAccessClientRemoteAccess

Server遠(yuǎn)程訪問客戶端TypeofClientDescriptionVPNClientConnectstoanetworkacrossasharedorpublicnetworkEmulatesapoint-to-pointlinkonaprivatenetwork

Dial-upClientConnectstoanetworkbyusingacommunicationsnetwork

Createsaphysicalconnectiontoaportonaremoteaccessserveronaprivatenetwork

UsesamodemorISDNadaptertodialintotheremoteaccessserver

WirelessClientConnectstoanetworkbyinfraredlightandradiofrequencytechnologies

Includesmanydifferenttypesofdevices身份驗(yàn)證

AuthenticationVerifiesaremoteuser'sidentificationtothenetworkservicethattheremoteuserisattemptingtoaccess(interactivelogon)NetworkAccessServerNetworkAccessClientDomainController121

AuthorizationVerifiesthattheconnectionattemptisallowed;authorizationoccursafterasuccessfullogonattempt2概述：介紹遠(yuǎn)程訪問的根底結(jié)構(gòu)配置VPN連接配置撥號(hào)連接配置無線連接為DHCP集成配置路由和遠(yuǎn)程訪問利用遠(yuǎn)程訪問策略控制用戶的遠(yuǎn)程訪問4配置VPN鏈接標(biāo)準(zhǔn)架構(gòu)模式Server版操作系統(tǒng)，兩塊網(wǎng)卡，客戶端另類架構(gòu)模式單網(wǎng)卡架構(gòu)VPN效勞器單網(wǎng)卡單公網(wǎng)IP單網(wǎng)卡雙IP〔公+私〕虛擬網(wǎng)卡架構(gòu)VPN效勞器利用MSLOOPBACK虛擬網(wǎng)卡配置方法如同標(biāo)準(zhǔn)架構(gòu)模式5VPN原理在公共網(wǎng)絡(luò)上通過建立起點(diǎn)到點(diǎn)鏈路從而在兩臺(tái)計(jì)算機(jī)之間發(fā)送加密數(shù)據(jù)。數(shù)據(jù)封裝的目的：建立點(diǎn)到點(diǎn)鏈路。數(shù)據(jù)加密的目的：建立私有的鏈路。5VPN原理VPN的優(yōu)點(diǎn)節(jié)約本錢；移動(dòng)通信費(fèi)用的節(jié)省；專線費(fèi)用得節(jié)??；設(shè)備投資的節(jié)??；支持費(fèi)用的節(jié)省。增強(qiáng)平安性：隧道技術(shù)Tunneling，加解密技術(shù)Encryption&Decryption，密鑰管理技術(shù)KeyManagement，身份認(rèn)證技術(shù)Authentication。網(wǎng)絡(luò)協(xié)議支持：IP，IPX，NetBEUI。Appletalk，DECNet，SNA等。容易擴(kuò)展?？呻S意與合作伙伴聯(lián)網(wǎng)。更好控制主動(dòng)權(quán)。平安的IP地址。支持新興應(yīng)用：IP語音，IP傳輸，RSIP，IPv6，MPLS，SNMPv3，以及支持ADSL、CableModem、光纖以太網(wǎng)、WLAN等網(wǎng)絡(luò)鏈接技術(shù)。DomainControllerVPNClientVPNServerVPN連接AVPNextendsthecapabilitiesofaprivatenetworktoencompasslinksacrosssharedorpublicnetworks,suchastheInternet,inamannerthatemulatesapoint-to-pointlink3VPNserverauthenticatesandauthorizestheclient2VPNserveranswersthecall4VPNservertransfersdataVPNclientcallstheVPNserver1VPN連接結(jié)構(gòu)VPNTunnelTunnelingProtocolsTunneledDataVPNClientVPNServerAddressandNameServerAllocationDHCPServerDomainControllerAuthenticationTransitNetworkRemoteUsertoCorpNetRemoteAccessServerBranchOfficetoBranchOfficeRemoteAccessServerVPN連接協(xié)議ExamplesofRemoteAccessServerUsingL2TP/IPSec

CategoryDescriptionPPTPEmploysuser-levelPoint-to-PointProtocol(PPP)authenticationmethodsandMicrosoftPoint-to-PointEncryption(MPPE)fordataencryptionL2TP/IPSecEmploysuser-levelPPPauthenticationmethodsoveraconnectionthatisencryptedwithIPSec

RecommendedauthenticationmethodforVPNnetworkaccessisL2TP/IPSecwithcertificates配置虛擬專用網(wǎng)端口路由和遠(yuǎn)程訪問操作(A)查看(V)路由和遠(yuǎn)程訪問服務(wù)器狀態(tài)SERVERX(本地)Ports遠(yuǎn)程訪問客戶端(0)IP路由遠(yuǎn)程訪問策略名稱設(shè)備注釋狀態(tài)端口WAN微型端口(PPTP)(VPN3-4)VPN不活動(dòng)WAN微型端口(PPTP)(VPN3-3)VPN不活動(dòng)WAN微型端口(PPTP)(VPN3-2)VPNInactiveWAN微型端口(PPTP)(VPN3-1)VPNInactiveWAN微型端口(PPTP)(VPN3-0)VPN不活動(dòng)WAN微型端口(L2TP)(VPN2-4)VPN不活動(dòng)WAN微型端口(L2TP)(VPN2-3)VPNInactiveWAN微型端口(L2TP)(VPN2-2)VPNInactiveWAN微型端口(L2TP)(VPN2-1)VPN不活動(dòng)WAN微型端口(L2TP)(VPN2-0)VPN不活動(dòng)DirectParallel(LPT1)PARALLELInactiveModem(COM3)MODEMInactivePPTP端口L2TP端口調(diào)制解調(diào)器和電纜端口7.2.2配置虛擬專用網(wǎng)端口配置用戶撥入設(shè)置權(quán)限呼叫方ID回?fù)躀P路由7.2.4配置用戶撥入設(shè)置驗(yàn)證ＶＰＮ效勞器概述：介紹遠(yuǎn)程訪問的根底結(jié)構(gòu)配置VPN連接配置撥號(hào)連接配置無線連接為DHCP集成配置路由和遠(yuǎn)程訪問利用遠(yuǎn)程訪問策略控制用戶的遠(yuǎn)程訪問撥號(hào)連接DomainControllerDial-up

ClientDial-upnetworkingistheprocessofaremoteaccessclientmakingatemporarydial-upconnectiontoaphysicalportonaremoteaccessserverbyusingtheserviceofatelecommunicationsprovider3RAserverauthenticatesandauthorizestheclient2RAserveranswersthecall4RAservertransfersdataDial-upclientcallstheRAserver1RemoteAccess

Server配置撥號(hào)鏈接和無線鏈接StandardDescription802.11又稱為Wi-Fi。由IEEE的一個(gè)工作組為WLAN開發(fā)的一組規(guī)范。定義了OSI中物理層和數(shù)據(jù)鏈路層中的媒體訪問子層MAC部分內(nèi)容。所有的802.11標(biāo)準(zhǔn)的MAC子層均相同，但它們的物理實(shí)現(xiàn)方式有所不同。802.11b兩種速率：5.5Mbps和11Mbps，比802.11有更高的數(shù)據(jù)傳輸率，支持較大的工作距離，但易收到無線電信號(hào)干擾。適合于家庭和小型企業(yè)使用。802.11a傳輸速率高達(dá)54Mbps，工作距離小。使用12個(gè)互不重疊的信道，所以適合在高流量的場(chǎng)合中使用。由于使用的無線電頻譜喻802.11、802.11b、802.11g不同，所以它們之間不能實(shí)現(xiàn)互操作。802.11g是802.11b的增強(qiáng)版本，二者兼容。只需升級(jí)一個(gè)固件即可。速度達(dá)到54Mbps，但工作距離比802.11b反而短，且更易收到無線電信號(hào)的干擾。802.1x是802.11的擴(kuò)展。定義了在允許訪問網(wǎng)絡(luò)之前需要進(jìn)行身份驗(yàn)證的方式。同時(shí)，也可適用于有線網(wǎng)絡(luò)?？梢允褂肊AP-TLS、EAP-MS-CHAPv2、PEAP的密碼驗(yàn)證方式。PEAP可與TLS或MS-CHAPv2一起使用。PEAP-TLS是推薦驗(yàn)證方式，提供在嚴(yán)格的驗(yàn)證方式和確定密鑰方式撥號(hào)訪問連接結(jié)構(gòu)Dial-upClientAddressandNameServerAllocationDHCPServerDomainControllerAuthenticationRemoteAccessServerWANOptions:Telephone,ISDN,X.25,orATMLANandRemoteAccessProtocolsNetworkAccess

ServerIASServerDHCPServerDomainControllerWirelessAccessPointWirelessClient無線網(wǎng)絡(luò)訪問Awirelessnetworkusestechnologythatenablesdevicestocommunicatebyusingstandardnetworkprotocolsandelectromagneticwaves—notnetworkcabling—tocarrysignalsoverpartorallofthenetworkinfrastructureStandardDescriptionInfrastructureWLANClientsconnecttowirelessaccesspointsPeer-to-peerWLANNetworkwirelessclientscommunicatedirectlywitheachotherwithouttheuseofcables無線連接的結(jié)構(gòu)DHCPServerRemote

AccessServerDomainControllerWirelessClient(Station)WirelessAccessPointAddressandNameServerAllocationAuthenticationPorts配置身份驗(yàn)證協(xié)議標(biāo)準(zhǔn)的身份驗(yàn)證可擴(kuò)展的身份驗(yàn)證AvailableMethodsofAuthenticationRemoteandwirelessauthenticationmethodsinclude:CHAPPAPSPAPMS-CHAPMS-CHAPv2EAP-TLSPEAPMD-5ChallengeRecommendedmethodforuserauthenticationisbyusingsmartcardcertificates身份驗(yàn)證協(xié)議PAP(密碼身份驗(yàn)證協(xié)議)使用簡(jiǎn)單文字組成的密碼,它是最簡(jiǎn)單的身份驗(yàn)證協(xié)議SPAP(shiva密碼身份驗(yàn)證協(xié)議)一種簡(jiǎn)單的加密密碼的身份驗(yàn)證協(xié)議被shive遠(yuǎn)程訪問效勞器支持CHAP(質(zhì)詢握手身份驗(yàn)證協(xié)議)被各種類型的遠(yuǎn)程訪問效勞器和客戶端使用Microsoft路由和遠(yuǎn)程訪問效勞支持CHAP身份驗(yàn)證協(xié)議MS-CHAP(microsoft質(zhì)詢握手身份驗(yàn)證協(xié)議)被microsoftwindows95客戶端使用只支持microsoft客戶端MS-CHAPV2(Microsoft質(zhì)詢握手身份驗(yàn)證協(xié)議)執(zhí)行交互的身份驗(yàn)證作為windows2000和更新版本操作系統(tǒng)的默認(rèn)遠(yuǎn)程訪問協(xié)議EAP-TLS(可擴(kuò)展身份驗(yàn)證協(xié)議-傳輸層平安)PEAP(受保護(hù)的可擴(kuò)展身份驗(yàn)證協(xié)議)標(biāo)準(zhǔn)的身份驗(yàn)證

ProtocolSecurity密碼身分驗(yàn)證協(xié)議LowShiva密碼身份驗(yàn)證協(xié)議MediumHighUsewhen客戶機(jī)和效勞器不能利用更平安的驗(yàn)證形式進(jìn)行協(xié)商時(shí)。連接到ShivaLANRover時(shí)，或者當(dāng)Shiva客戶機(jī)連接到基于Windows2000的遠(yuǎn)程訪問效勞器時(shí)。某些客戶機(jī)運(yùn)行的不是Microsoft操作系統(tǒng)時(shí)盤問溝通身份驗(yàn)證協(xié)議HighMS-CHAPMS-CHAPv2High你的客戶機(jī)運(yùn)行WindowsNTversion4.0andlateror,MicrosoftWindows95或以后的版本有些運(yùn)行Windows2000的撥號(hào)客戶機(jī),運(yùn)行WindowsNT4.0或Windows98的VPN客戶機(jī)時(shí)可擴(kuò)展的身份驗(yàn)證允許客戶機(jī)和效勞器協(xié)商他們將使用的身份驗(yàn)證方法支持所使用的身份驗(yàn)證1、MD5-CHAP2、傳輸層平安性3、附加的第三方的身份驗(yàn)證方法確保支持通過API進(jìn)行身份驗(yàn)證的方法概述：介紹遠(yuǎn)程訪問的根底結(jié)構(gòu)配置VPN連接配置撥號(hào)連接配置無線連接為DHCP集成配置路由和遠(yuǎn)程訪問利用遠(yuǎn)程訪問策略控制用戶的遠(yuǎn)程訪問利用DHCP將IP地址分配給遠(yuǎn)程訪問客戶機(jī)如果DHCP效勞器是有效的遠(yuǎn)程效勞器在最初從DHCP效勞器獲取10個(gè)IP地址如果DHCP效勞器是無效的遠(yuǎn)程效勞器使用“自動(dòng)專用IP尋址”地址確保DHCP效勞器總是可用為使用DHCP而配置路由和遠(yuǎn)程訪問GeneralSecurityIPPPPEventLoggingEnableIProutingAllowIP-basedremoteaccessanddemand-dialconnectionsIPaddressassignmentThisservercanassignIPaddressesbyusing:DynamicHostConfigurationProtocol(DHCP)StaticaddresspoolFromToNumberIPAdd…MaskAdd…Edit…RemoveUsethefollowingadaptertoobtainDHCP,DNS,andWINSaddressesfordial-upclients.Adapter:OKCancelApplyLONDON(local)PropertiesCorpnet:概述：介紹遠(yuǎn)程訪問的根底結(jié)構(gòu)配置VPN連接配置撥號(hào)連接配置無線連接為DHCP集成配置路由和遠(yuǎn)程訪問利用遠(yuǎn)程訪問策略控制用戶的遠(yuǎn)程訪問WhatIsaRemoteAccessPolicy?Aremoteaccesspolicyisanamedrulethat

consistsofthefollowingelements:Conditions.遠(yuǎn)程訪問策略的條件是一系列參數(shù)，例如一天中的時(shí)間，用戶組，主叫ID或者ip地址。這些參數(shù)與連接到效勞器的客戶機(jī)的參數(shù)項(xiàng)匹配。Remoteaccesspermission.對(duì)用戶帳號(hào)的撥入屬性和遠(yuǎn)程訪問策略加以組合，在此根底上才允許遠(yuǎn)程訪問連接。Profile.每個(gè)策略包括一個(gè)配置文件，里面有一些設(shè)置值〔例如身份驗(yàn)證和加密協(xié)議〕，這個(gè)配置文件被應(yīng)用于相應(yīng)的連接。配子文件中的設(shè)置值立即應(yīng)用于連接，并且可能會(huì)導(dǎo)致該連接拒絕。WhatIsaRemoteAccessPolicyProfile?Dial-inConstraintsIPPropertiesIPAddressAssignmentIPFiltersMultilinkAuthenticationEncryptionAdvancedSettingsRemote

AccessUser檢測(cè)遠(yuǎn)程訪問策略ARemoteAccessPolicy:存儲(chǔ)在本地，而不在活動(dòng)目錄策略組件條件權(quán)限配置文件檢測(cè)遠(yuǎn)程訪問策略評(píng)估遵循策略評(píng)估的邏輯檢測(cè)默認(rèn)策略和檢測(cè)多個(gè)策略遵循策略評(píng)估的邏輯ConnectionNoDenyAllowProfile

EvaluationConditionsPermissionsProfileAllowDenyUseRemoteAccessPolicyConnectionYesNoConnectionNoDenyAllowProfile

EvaluationConnectionConditionsPermissionsProfileYesAllowDenyUseRemoteAccessPolicyNoYes實(shí)驗(yàn)7-1如何架設(shè)windows2003遠(yuǎn)程訪問效勞器遠(yuǎn)程訪問的集中身份驗(yàn)證IAS概述介紹IAS(InternetAuthenticationService)安裝和配置IASIntroductiontoIASWindows2003網(wǎng)絡(luò)中的IASandRADIUSIAS的用途和用法RADIUS(RemoteAuthenticationDial-InUserService)HowCentralizedAuthenticationWorksRADIUSServerRADIUSClientClientDialsintoalocalRADIUSclienttogainnetworkconnectivity1ForwardsrequeststoaRADIUSserver2Authenticatesrequestsandstoresaccountinginformation3DomainControllerCommunicatestotheRADIUSclienttograntordenyaccess4Remote

AccessServer

InstallingandConfiguringIAS安裝IASServer配置IASServer為利用RADIUS的身份驗(yàn)證功能配置遠(yuǎn)程訪問效勞器為利用RADIUS的記帳功能配置遠(yuǎn)程訪問效勞器為記帳信息配置日志InstallinganIASServerWindowsComponentsWizardWindowsComponentsYoucanaddorremovecomponentsofWindows2000.Toaddorremoveacomponent,clickthecheckbox.Ashadedboxmeansthatonlypartofthecomponentwillbeinstalled.Toseewhat'sincludedinacomponent,clickDetails.Components:ManagementandMonitoringToolsMessageQueuingServicesOtherNetworkFileandPrintServicesNetworkingServices3.5MB0.0MB5.0MB2.6MBDescription:Containsavarietyofspecialized,network-relatedservicesandprotocols.Totaldiskspacerequired:Spaceavailableondisk:0.8MB5962.6MBDetails…<BackNext>CancelNetworkingServicesToaddorremoveacomponent,clickthecheckbox.Ashadedboxmeansthatonlypartofthecomponentwillbeinstalled.Toseewhat'sincludedinacomponent,clickDetails.Totaldiskspacerequired:Spaceavailableondisk:0.8MB5962.6MBDetails…CancelOKDescription:Enablesauthentication,authorizationandaccountingofdial-upandPNusers.IASsupportstheRADIUSprotocolSubcomponentsofNetworkingServices:COMInternetServicesProxyDomainNameSystem(DNS)DynamicHostConfigurationProtocol(DHCP)InternetAuthenticationServiceQoSAdmissionControlServiceSimpleTCP/IPServices0.0MB1.1MB0.0MB0.0MB0.0MB0.0MBConfiguringanIASServerAddRADIUSClientClientInformationSpecifyinformationregardingtheclient.Clientaddress(IPorDNS):192.168.1.200Client-VendorMicrosoftClientmustalwayssendthesignatureattributeintherequestSharedsecret:Confirmsharedsecret:<BackFinishCancelVerify…Usean

IPaddress,ifpossibleSelectMicrosoftifusingRoutingandRemoteAccessConfiguringaRemoteAccess

ServertoUseRADIUSAuthentication

PHOENIX(local)PropertiesGeneralSecurityIPPPPEventLoggingTheauthenticationprovidervalidatecredentialsforremoteaccessclientsanddemand-dialrouters.Authenticationprovider:RADIUSAuthenticationAuthenticationMethods…Configure…Configure…WindowsAccountingAccountingprovider:Theaccountingprovidermaintainsalogofconnectionrequestsandsessions.OKCancelApplyChangetoRADIUSAut