Configuring Remote Access

Overview:
- Introducing the remote access infrastructure
- Configuring VPN connections
- Configuring dial-up connections
- Configuring wireless connections
- Configuring Routing and Remote Access for DHCP integration
- Using remote access policies to control users' remote access

Introducing the remote access infrastructure
(Diagram) Network Access Server, IAS Server, DHCP Server, Domain Controller, Dial-up Client, Wireless Access Point, Wireless Client, VPN Client.

Establishing a remote access connection (1)
(Diagram) Remote Access Client -- Remote Access Protocols -- Internet -- Remote Access Server -- LAN Protocols -- Local Area Network.

Remote access clients
Type of client  | Description
VPN client      | Connects to a network across a shared or public network; emulates a point-to-point link on a private network.
Dial-up client  | Connects to a network by using a communications network; creates a physical connection to a port on a remote access server on a private network; uses a modem or ISDN adapter to dial in to the remote access server.
Wireless client | Connects to a network by infrared light and radio frequency technologies; includes many different types of devices.

Authentication and authorization
(Diagram) Network Access Client -> Network Access Server -> Domain Controller.
1. Authentication: verifies a remote user's identification to the network service that the remote user is attempting to access (interactive logon).
2. Authorization: verifies that the connection attempt is allowed; authorization occurs after a successful logon attempt.

Configuring VPN connections

VPN server architectures
- Standard architecture: a Server edition operating system with two network cards, plus the clients.
- Alternative architectures:
  - Single-NIC VPN server: one NIC with a single public IP, or one NIC with two IPs (public + private).
  - Virtual-NIC VPN server: uses the MS Loopback virtual adapter and is configured in the same way as the standard architecture.

VPN principles
- A point-to-point link is established over a public network so that encrypted data can be sent between two computers.
- Purpose of data encapsulation: to establish the point-to-point link.
- Purpose of data encryption: to make that link private.

Advantages of VPN
- Cost savings: lower mobile communication charges, leased-line charges, equipment investment and support costs.
- Enhanced security: tunneling, encryption and decryption, key management, and authentication.
- Network protocol support: IP, IPX, NetBEUI; also AppleTalk, DECnet, SNA and others.
- Easy to scale.
- Partners can be connected at will.
- Better control and initiative for the organization.
- Secure IP addressing.
- Support for emerging applications: IP voice, IP transport, RSIP, IPv6, MPLS, SNMPv3, and link technologies such as ADSL, cable modem, fibre Ethernet and WLAN.

VPN connection
A VPN extends the capabilities of a private network to encompass links across shared or public networks, such as the Internet, in a manner that emulates a point-to-point link.
(Diagram) VPN Client, VPN Server, Domain Controller.
1. The VPN client calls the VPN server.
2. The VPN server answers the call.
3. The VPN server authenticates and authorizes the client.
4. The VPN server transfers data.

VPN connection structure
(Diagram) VPN Client -- VPN Tunnel (Tunneling Protocols, Tunneled Data) across the Transit Network -- VPN Server; Address and Name Server Allocation by the DHCP Server; Authentication by the Domain Controller. Two scenarios: Remote User to Corporate Network (Remote Access Server) and Branch Office to Branch Office (Remote Access Server).

VPN connection protocols (examples of a remote access server using L2TP/IPSec)
Category   | Description
PPTP       | Employs user-level Point-to-Point Protocol (PPP) authentication methods and Microsoft Point-to-Point Encryption (MPPE) for data encryption.
L2TP/IPSec | Employs user-level PPP authentication methods over a connection that is encrypted with IPSec.
The recommended authentication method for VPN network access is L2TP/IPSec with certificates.

7.2.2 Configuring VPN ports
(Screenshot: Routing and Remote Access console, server SERVERX (local), Ports node)
Name                      | Device   | Status
WAN Miniport (PPTP) (VPN3-4) | VPN   | Inactive
WAN Miniport (PPTP) (VPN3-3) | VPN   | Inactive
WAN Miniport (PPTP) (VPN3-2) | VPN   | Inactive
WAN Miniport (PPTP) (VPN3-1) | VPN   | Inactive
WAN Miniport (PPTP) (VPN3-0) | VPN   | Inactive
WAN Miniport (L2TP) (VPN2-4) | VPN   | Inactive
WAN Miniport (L2TP) (VPN2-3) | VPN   | Inactive
WAN Miniport (L2TP) (VPN2-2) | VPN   | Inactive
WAN Miniport (L2TP) (VPN2-1) | VPN   | Inactive
WAN Miniport (L2TP) (VPN2-0) | VPN   | Inactive
Direct Parallel (LPT1)       | PARALLEL | Inactive
Modem (COM3)                 | MODEM | Inactive
The list shows PPTP ports, L2TP ports, and modem and cable ports.

7.2.4 Configuring user dial-in settings
- Remote access permission
- Caller ID
- Callback
- IP address and routing
- Verify the server

Configuring dial-up connections

Dial-up connection
Dial-up networking is the process of a remote access client making a temporary dial-up connection to a physical port on a remote access server by using the service of a telecommunications provider.
(Diagram) Dial-up Client, Remote Access Server, Domain Controller.
1. The dial-up client calls the RA server.
2. The RA server answers the call.
3. The RA server authenticates and authorizes the client.
4. The RA server transfers data.

Configuring dial-up and wireless connections: wireless standards
Standard | Description
802.11   | Also called Wi-Fi. A set of specifications developed by an IEEE working group for WLANs. Defines the physical layer and the media access control (MAC) sublayer of the OSI data link layer. All 802.11 standards share the same MAC sublayer but differ in their physical implementation.
802.11b  | Two data rates, 5.5 Mbps and 11 Mbps; a higher data rate than 802.11 and a larger working range, but susceptible to radio interference. Suitable for homes and small businesses.
802.11a  | Data rate up to 54 Mbps, with a short working range. Uses 12 non-overlapping channels, so it suits high-traffic environments. Because its radio spectrum differs from 802.11, 802.11b and 802.11g, it cannot interoperate with them.
802.11g  | An enhanced version of 802.11b and compatible with it; only a firmware upgrade is needed. Reaches 54 Mbps, but with a shorter range than 802.11b and greater susceptibility to radio interference.
802.1x   | An extension of 802.11. Defines how a client must be authenticated before it is allowed onto the network; it also applies to wired networks. Password-based methods available are EAP-TLS, EAP-MS-CHAP v2 and PEAP. PEAP can be used with TLS or with MS-CHAP v2. PEAP-TLS is the recommended method, providing strict authentication and key determination.

Dial-up access connection structure
(Diagram) Dial-up Client -- WAN options: telephone, ISDN, X.25 or ATM -- Remote Access Server (LAN and remote access protocols); Address and Name Server Allocation by the DHCP Server; Authentication by the Domain Controller.

Configuring wireless connections
(Diagram) Network Access Server, IAS Server, DHCP Server, Domain Controller, Wireless Access Point, Wireless Client.

Wireless network access
A wireless network uses technology that enables devices to communicate by using standard network protocols and electromagnetic waves, not network cabling, to carry signals over part or all of the network infrastructure.
Type                | Description
Infrastructure WLAN | Clients connect to wireless access points.
Peer-to-peer WLAN   | Wireless clients communicate directly with each other without the use of cables.

Wireless connection structure
(Diagram) Wireless Client (Station) -- Wireless Access Point -- Remote Access Server (Ports); Address and Name Server Allocation by the DHCP Server; Authentication by the Domain Controller.

Configuring authentication protocols
- Standard authentication
- Extensible authentication

Available methods of authentication
Remote and wireless authentication methods include: CHAP, PAP, SPAP, MS-CHAP, MS-CHAP v2, EAP-TLS, PEAP, MD5-Challenge.
The recommended method for user authentication is smart card certificates.

Authentication protocols
- PAP (Password Authentication Protocol): uses plain-text passwords; the simplest authentication protocol.
- SPAP (Shiva Password Authentication Protocol): a simple encrypted-password protocol supported by Shiva remote access servers.
- CHAP (Challenge Handshake Authentication Protocol): used by many types of remote access servers and clients; Microsoft Routing and Remote Access supports CHAP.
- MS-CHAP (Microsoft Challenge Handshake Authentication Protocol): used by Microsoft Windows 95 clients; supports only Microsoft clients.
- MS-CHAP v2 (Microsoft Challenge Handshake Authentication Protocol version 2): performs mutual authentication; the default remote access protocol for Windows 2000 and later operating systems.
- EAP-TLS (Extensible Authentication Protocol - Transport Layer Security).
- PEAP (Protected Extensible Authentication Protocol).

Standard authentication
Protocol   | Security | Use when
PAP        | Low      | The client and server cannot negotiate a more secure form of authentication.
SPAP       | Medium   | Connecting to a Shiva LANRover, or when a Shiva client connects to a Windows 2000-based remote access server.
CHAP       | High     | Some clients run operating systems other than Microsoft's.
MS-CHAP    | High     | Clients run Windows NT 4.0 and later, or Microsoft Windows 95 and later.
MS-CHAP v2 | High     | Some dial-up clients run Windows 2000, or VPN clients run Windows NT 4.0 or Windows 98.

Extensible authentication
- Lets the client and server negotiate the authentication method they will use.
- Supported methods: 1. MD5-CHAP; 2. Transport Layer Security; 3. additional third-party authentication methods.
- Ensures that authentication methods supplied through the API are supported.

Configuring Routing and Remote Access for DHCP integration

Using DHCP to assign IP addresses to remote access clients
- If a DHCP server is available, the remote access server initially obtains 10 IP addresses from it.
- If no DHCP server is available, the remote access server uses Automatic Private IP Addressing (APIPA) addresses.
- Make sure the DHCP server is always available.

Configuring Routing and Remote Access to use DHCP
(Screenshot: LONDON (local) Properties, IP tab; other tabs: General, Security, PPP, Event Logging)
- Enable IP routing
- Allow IP-based remote access and demand-dial connections
- IP address assignment. This server can assign IP addresses by using: Dynamic Host Configuration Protocol (DHCP), or a static address pool (From / To / Number / IP Address / Mask; Add, Edit, Remove).
- Use the following adapter to obtain DHCP, DNS, and WINS addresses for dial-up clients. Adapter: Corpnet
(Buttons: OK, Cancel, Apply)

Using remote access policies to control users' remote access

What is a remote access policy?
A remote access policy is a named rule that consists of the following elements:
- Conditions. A set of parameters, such as time of day, user group, caller ID or IP address, that are matched against the parameters of the client connecting to the server.
- Remote access permission. The dial-in properties of the user account are combined with the remote access policy, and only on that basis is the connection allowed.
- Profile. Each policy includes a profile of settings (for example the authentication and encryption protocols) that is applied to the matching connection. Profile settings are applied to the connection immediately and may cause the connection to be rejected.

What is a remote access policy profile?
- Dial-in constraints
- IP properties: IP address assignment, IP filters
- Multilink
- Authentication
- Encryption
- Advanced settings
(Applies to the remote access user.)

Examining remote access policies
- A remote access policy is stored locally, not in Active Directory.
- Policy components: conditions, permission, profile.
- Examining policy evaluation: follow the policy evaluation logic; examine the default policy and examine multiple policies.

Following the policy evaluation logic (flowchart)
1. Conditions: the connection attempt is compared with the conditions of the policy. If they do not match, the connection is denied (when several policies exist, the next policy is tried first).
2. Permissions: if the user account's dial-in permission is Deny, the connection is denied; if it is Allow, evaluation continues to the profile; if it is set to use the remote access policy, the policy's own permission decides (Deny: denied; Allow: continue).
3. Profile evaluation: if the connection satisfies the profile settings, it is allowed; otherwise it is denied.

Lab 7-1: Setting up a Windows 2003 remote access server

Centralized authentication for remote access: IAS

Overview:
- Introducing IAS (Internet Authentication Service)
- Installing and configuring IAS

Introduction to IAS
- IAS and RADIUS in a Windows 2003 network
- Purpose and use of IAS
- RADIUS (Remote Authentication Dial-In User Service)

How centralized authentication works
(Diagram) Client, RADIUS Client (Remote Access Server), RADIUS Server, Domain Controller.
1. The client dials in to a local RADIUS client to gain network connectivity.
2. The RADIUS client forwards requests to a RADIUS server.
3. The RADIUS server authenticates requests (against the Domain Controller) and stores accounting information.
4. The RADIUS server communicates to the RADIUS client to grant or deny access.

Installing and configuring IAS
- Install the IAS server
- Configure the IAS server
- Configure the remote access server to use RADIUS authentication
- Configure the remote access server to use RADIUS accounting
- Configure logging for accounting information

Installing an IAS server
(Screenshot: Windows Components Wizard) "You can add or remove components of Windows 2000. To add or remove a component, click the check box. A shaded box means that only part of the component will be installed. To see what's included in a component, click Details."
Components: Management and Monitoring Tools, Message Queuing Services, Other Network File and Print Services, Networking Services ("Contains a variety of specialized, network-related services and protocols").
(Screenshot: Networking Services, Details) Subcomponents: COM Internet Services Proxy, Domain Name System (DNS), Dynamic Host Configuration Protocol (DHCP), Internet Authentication Service, QoS Admission Control Service, Simple TCP/IP Services.
Internet Authentication Service: "Enables authentication, authorization and accounting of dial-up and VPN users. IAS supports the RADIUS protocol."

Configuring an IAS server
(Screenshot: Add RADIUS Client, Client Information. "Specify information regarding the client.")
- Client address (IP or DNS): 192.168.1.200 (Verify) -- use an IP address if possible
- Client-Vendor: Microsoft -- select Microsoft if using Routing and Remote Access
- Client must always send the signature attribute in the request
- Shared secret / Confirm shared secret
(Buttons: Back, Finish, Cancel)

Configuring a remote access server to use RADIUS authentication
(Screenshot: PHOENIX (local) Properties, Security tab; other tabs: General, IP, PPP, Event Logging)
- "The authentication provider validates credentials for remote access clients and demand-dial routers." Authentication provider: RADIUS Authentication (changed from Windows Authentication); Authentication Methods; Configure.
- "The accounting provider maintains a log of connection requests and sessions." Accounting provider: Windows Accounting; Configure.
(Screenshot: Add RADIUS Server) Server name (enter the server name); Secret (Change); Time-out (seconds): 5; Initial score: 30; Port: 1812; Always use digital signatures. (Buttons: OK, Cancel)

Configuring a remote access server to use RADIUS accounting
(Screenshot: PHOENIX (local) Properties, Security tab) Authentication provider: RADIUS Authentication; Accounting provider: RADIUS Accounting (changed to RADIUS Accounting).
(Screenshot: Add RADIUS Server) Server name (enter the server name); Secret (Change); Time-out (seconds): 5; Initial score: 30; Port: 1812; Send RADIUS Accounting On and Accounting Off messages. (Buttons: OK, Cancel)

Configuring logs for accounting information
Configure settings for accounting logs:
- Select events to log: log accounting requests; log authentication requests; log periodic status.
- Select log file format: database-compatible format, or IAS format.
- New log time period.
- Log file directory.

Summary:
- Introducing IAS (Internet Authentication Service)
- Installing and configuring IAS

Lab 7-2: Configuring VPN dial-in control and IAS
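The policy evaluation flowchart (conditions, then permission, then profile) can be made concrete in code. The following Python is an added example written for this page, not Microsoft code or an excerpt from Routing and Remote Access; the policy names, the group "VPN-Users", the hour range and the profile keys are all constructed for illustration, and the final catch-all policy plays the role the deck assigns to the default policy.

```python
"""Remote access policy evaluation in the order the deck's flowchart gives:
conditions -> permission -> profile.  Added example, not RRAS code; policy
names, groups and profile keys are constructed for illustration."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

# Dial-in permission values that can be set on the user account.
ALLOW = "allow"
DENY = "deny"
CONTROL_BY_POLICY = "control-access-through-remote-access-policy"


@dataclass
class Connection:
    """Attributes of one connection attempt as seen by the remote access server."""
    user: str
    groups: List[str]
    hour: int                 # hour of day, 0-23
    auth_protocol: str        # e.g. "MS-CHAP v2", "PAP"
    encryption: str           # e.g. "none", "basic", "strong", "strongest"
    caller_id: Optional[str] = None


@dataclass
class Policy:
    """A named rule: conditions, a permission and a profile (the three elements on the slide)."""
    name: str
    conditions: List[Callable[[Connection], bool]]
    permission: str                     # ALLOW or DENY
    profile: Dict[str, Set[str]]        # constraints applied to matching connections


def conditions_match(policy: Policy, conn: Connection) -> bool:
    """Every condition of a policy must match (logical AND)."""
    return all(cond(conn) for cond in policy.conditions)


def profile_rejects(policy: Policy, conn: Connection) -> Optional[str]:
    """Return None if the profile accepts the connection, else the reason it is rejected."""
    if conn.auth_protocol not in policy.profile["auth_protocols"]:
        return f"profile rejects authentication protocol {conn.auth_protocol}"
    if conn.encryption not in policy.profile["encryption"]:
        return f"profile rejects encryption level {conn.encryption}"
    return None


def evaluate(conn: Connection, account_permission: str,
             policies: List[Policy]) -> Tuple[str, Optional[str], str]:
    """Walk the policies in order and return (decision, policy name, reason)."""
    for policy in policies:
        # Step 1: conditions.  No match -> skip this policy and try the next one.
        if not conditions_match(policy, conn):
            continue
        # Step 2: permission.  The account's dial-in setting is consulted first;
        # only "control through policy" defers to the policy's own permission.
        if account_permission == DENY:
            return ("deny", policy.name, "account dial-in permission is Deny")
        if account_permission == CONTROL_BY_POLICY and policy.permission == DENY:
            return ("deny", policy.name, "policy permission is Deny")
        # Step 3: profile.  Settings apply immediately and may reject the connection.
        reason = profile_rejects(policy, conn)
        if reason:
            return ("deny", policy.name, reason)
        return ("allow", policy.name, "conditions, permission and profile all satisfied")
    # No policy matched the connection attempt -> denied.
    return ("deny", None, "no remote access policy matched the connection")


# Constructed policies: a business-hours VPN policy for one group, followed by a
# catch-all that denies everything else (the role the default policy plays).
POLICIES = [
    Policy(
        name="VPN staff, business hours",
        conditions=[lambda c: "VPN-Users" in c.groups,
                    lambda c: 8 <= c.hour < 18],
        permission=ALLOW,
        profile={"auth_protocols": {"MS-CHAP v2", "EAP-TLS"},
                 "encryption": {"strong", "strongest"}},
    ),
    Policy(
        name="Default: deny everything else",
        conditions=[lambda c: True],
        permission=DENY,
        profile={"auth_protocols": {"PAP", "CHAP", "MS-CHAP", "MS-CHAP v2", "EAP-TLS"},
                 "encryption": {"none", "basic", "strong", "strongest"}},
    ),
]

if __name__ == "__main__":
    alice = Connection("alice", ["VPN-Users"], 10, "MS-CHAP v2", "strongest")
    print(evaluate(alice, CONTROL_BY_POLICY, POLICIES))
    print(evaluate(Connection("alice", ["VPN-Users"], 10, "PAP", "strongest"),
                   CONTROL_BY_POLICY, POLICIES))
```

The second policy is what makes the example instructive: a connection outside business hours falls through to the catch-all and is denied while the account is set to "control through policy", but an account whose dial-in permission is explicitly Allow passes the permission step of that same catch-all and is then judged only by its profile, which is why the deck stresses combining the account's dial-in properties with the policy rather than relying on either alone.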
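The IAS client dialog above has two settings worth understanding at the packet level: the shared secret and "Client must always send the signature attribute in the request". The signature attribute is the RADIUS Message-Authenticator (RFC 2869), an HMAC-MD5 over the whole packet keyed with the shared secret; the same secret also hides the User-Password attribute (RFC 2865). The Python below is an added example written for this page, not IAS or RRAS code; the shared secret, user name, password and NAS address 192.168.1.200 are constructed test values, and the functions build one Access-Request on the client side and then perform the checks a RADIUS server makes when the signature attribute is required.

```python
"""RADIUS Access-Request with a Message-Authenticator (the "signature attribute"
in the IAS client dialog).  Added example, not IAS/RRAS code; the shared secret,
user name, password and NAS address are constructed for the demonstration."""
import hashlib
import hmac
import os
import struct
from typing import List, Optional, Tuple

ACCESS_REQUEST = 1                 # RADIUS packet code (RFC 2865)
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80    # HMAC-MD5 over the packet (RFC 2869)
HEADER_LEN = 20                    # code(1) id(1) length(2) request authenticator(16)


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; the length byte counts its own two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(packet: bytes) -> List[Tuple[int, bytes]]:
    """Return the (type, value) pairs that follow the 20-byte header."""
    attrs, i = [], HEADER_LEN
    while i < len(packet):
        attr_type, length = packet[i], packet[i + 1]
        attrs.append((attr_type, packet[i + 2:i + length]))
        i += length
    return attrs


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16 bytes and XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def recover_password(packet: bytes, secret: bytes) -> str:
    """Server side: reverse hide_password using the Request Authenticator from the header."""
    req_auth = packet[4:HEADER_LEN]
    hidden = next(v for t, v in parse_attrs(packet) if t == ATTR_USER_PASSWORD)
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return out.rstrip(b"\x00").decode()


def build_access_request(identifier: int, username: str, password: str,
                         secret: bytes, nas_ip: str,
                         req_auth: Optional[bytes] = None) -> bytes:
    """Client side: build an Access-Request whose last attribute is a valid Message-Authenticator."""
    req_auth = req_auth or os.urandom(16)
    attrs = (encode_attr(ATTR_USER_NAME, username.encode())
             + encode_attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, req_auth))
             + encode_attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    placeholder = encode_attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    length = HEADER_LEN + len(attrs) + len(placeholder)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, length) + req_auth
    # The HMAC is computed over the complete packet with the attribute value zeroed.
    mac = hmac.new(secret, header + attrs + placeholder, hashlib.md5).digest()
    return header + attrs + encode_attr(ATTR_MESSAGE_AUTHENTICATOR, mac)


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Server side: the check made when the client must send the signature attribute.
    Recompute HMAC-MD5 with the attribute zeroed and compare in constant time."""
    received, zeroed, i = None, bytearray(packet), HEADER_LEN
    while i < len(packet):
        attr_type, length = packet[i], packet[i + 1]
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            received = bytes(packet[i + 2:i + length])
            zeroed[i + 2:i + length] = b"\x00" * 16
        i += length
    if received is None or len(received) != 16:
        return False   # missing or malformed signature attribute: reject the request
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    return hmac.compare_digest(expected, received)


if __name__ == "__main__":
    secret = b"example-shared-secret"   # constructed; use a long random secret in practice
    pkt = build_access_request(7, "alice", "pa55w0rd", secret, "192.168.1.200")
    print(len(pkt), verify_message_authenticator(pkt, secret), recover_password(pkt, secret))
```

Two points follow from the code. First, both the password hiding and the signature derive entirely from the shared secret, so the secret entered in the Add RADIUS Client and Add RADIUS Server dialogs must be long and random, and it must match on both sides or every request fails verification. Second, requiring the signature attribute means a request whose attributes were altered in transit, or that was sent by a host that does not hold the secret, is rejected before any credential is checked; without it, the server would rely only on the client's source address.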