WindowsNetworking.com Newsletter of February 2008

WindowsNetworking.com Monthly Newsletter of February 2008 Sponsored by: Tippit

Welcome to the WindowsNetworking.com newsletter by Thomas W Shinder MD, MVP. Each month we will bring you interesting and helpful information on the world of Windows Networking. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: tshinder@windowsnetworking.com

Don't Get Stuck with Old Technology!

Learn what IP-PBX Can Do for Your Organization.

Download our Buyers & Comparison Guide Now!

1. What's New with RRAS in Windows Server 2008?

The Routing and Remote Access Service (RRAS) has been around since Windows NT. While RRAS has always been pretty reliable and stable, it has seen very few changes over the years. With this history, you would expect that there are not too many changes in the Windows Server 2008 version of RRAS either. Well, if you thought that, you would be wrong!

With Windows Server 2008 you will see the following improvements in RRAS:

  • Installation of RRAS is done through the Server Manager
  • The introduction of the SSTP (SSL VPN) VPN protocol
  • VPN enforcement for Network Access Protection (NAP)
  • IPv6 support
  • New cryptographic support

Server Manager replaces previous methods for installing system services on Windows Server 2008. With Windows Server 2008, RRAS is included as part of the Network Policy and Access Services. There are two role services that are part of the Network Policy and Access Services: the Network Policy Server (which is the Windows Server 2008 version of IAS) and the Routing and Remote Access Service. This is how you enable RRAS on a Windows Server 2008 computer.

SSTP is a new VPN protocol that allows you to tunnel PPP over SSL. Since it encapsulates the PPP traffic inside an SSL-secured HTTP session, it can easily traverse firewalls and Web proxies that allow outbound and inbound SSL connections. SSTP is a major and welcome advance to the RRAS suite of networking features.

Another major improvement is that Network Access Protection (NAP) policies can be applied to VPN clients. NAP is a collection of Windows Server 2008 technologies that are used to confirm that a client computer has met minimal security configuration requirements before it is allowed to connect to the network. If the client meets the requirements, it is allowed network connectivity. If the client does not meet your requirements, limited network access is allowed so that the client can remediate and try to connect again. NAP enforcement on VPN clients allows you to make sure that your VPN clients meet your security requirements before allowing them to connect to your network. This is a major improvement over the Windows Server 2003 Remote Access Quarantine solution, which had no user interface, so you essentially had to program your own solution. NAP has a nicely polished user interface that allows you to get a working configuration right out of the box.

Although IPv6 is not in wide use at this time, the truth is the time will come when IPv6 will be the protocol of choice for private networks and then the Internet. I figure this will happen in about ten years, but it is never too early to get on board. RRAS will be ready for the changes and introduces the following IPv6 improvements:

Protocol Support:

  • PPPv6. Native IPv6 traffic can now be sent over PPP-based connections. (RFC 2472). For example, PPPv6 support allows you to connect with an IPv6-based Internet service provider (ISP) through dial-up or PPP over Ethernet (PPPoE)-based connections that might be used for broadband Internet access.
  • PPPv6 over dial-up/Ethernet as well as VPN tunnels
  • L2TP over IPv6
  • DHCPv6 Relay Agent

Stateless filtering (packet filtering):

  • Source IPv6 address/prefix
  • Destination IPv6 address/prefix
  • Next hop type (IP protocol type)
  • Source Port number (TCP/UDP)
  • Destination Port number (TCP/UDP)
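As an added illustration (not part of the newsletter and not RRAS code), here is a small Python model of a stateless filter that matches on exactly those five fields. Rule order (first match wins), the default-deny fallback, the 2001:db8:1::/64 LAN prefix and the sample packets are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network
from typing import Optional, List

TCP, UDP, ICMPV6 = 6, 17, 58  # IPv6 Next Header (protocol) numbers


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    next_header: int
    sport: Optional[int] = None  # None for protocols without ports (ICMPv6)
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: Optional[str] = None    # source IPv6 address/prefix, None = any
    dst: Optional[str] = None    # destination IPv6 address/prefix, None = any
    next_header: Optional[int] = None
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        def in_prefix(addr, prefix):
            return prefix is None or IPv6Address(addr) in IPv6Network(prefix, strict=False)
        return (in_prefix(p.src, self.src) and in_prefix(p.dst, self.dst)
                and self.next_header in (None, p.next_header)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport))


def evaluate(rules: List[Rule], p: Packet) -> str:
    """First matching rule wins; a packet matching no rule is denied (assumed default)."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


# Constructed inbound rule set protecting the 2001:db8:1::/64 LAN prefix.
INBOUND_RULES = [
    Rule("allow", next_header=ICMPV6),                                  # neighbour discovery, PMTU
    Rule("allow", dst="2001:db8:1::/64", next_header=TCP, dport=443),   # published HTTPS server
    Rule("allow", dst="2001:db8:1::/64", next_header=TCP, sport=443),   # replies to outbound HTTPS
]
```

The third rule shows the limitation of stateless filtering: because no connection state is kept, the rule that admits replies to outbound HTTPS also admits any unsolicited inbound packet whose source port happens to be 443.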

There is also RADIUS over IPv6 transport support.

The RRAS router can now be configured as an IPv6 router. However, the user interface is very weak, as it only allows you to configure the IPv6 prefix that is advertised by the router. There are many, MANY IPv6 router related settings that need to be set in addition to prefix advertisement. I have written to the RRAS team about this, as adoption of IPv6 will be related to ease of use, and long, complex netsh commands definitely do not translate to ease of use (or accurate use either, the number of typos you can make with IPv6 is astounding).

New cryptographic support for VPN connections brings the RRAS server in line with current industry standards. PPTP now supports only 128-bit RC4 encryption, and L2TP/IPsec now supports 128-, 192- and 256-bit AES encryption. Diffie-Hellman groups 19 and 20 are now supported for main mode IPsec negotiation.

Sadly, when you get new things, old things are removed. Technologies removed from RRAS include:

  • Bandwidth Allocation Protocol (BAP). Removed from Windows Vista. Disabled in Windows Server 2008.
  • X.25.
  • Serial Line Interface Protocol (SLIP). SLIP-based connections will automatically be updated to PPP-based connections.
  • Asynchronous Transfer Mode (ATM).
  • IP over IEEE 1394.
  • NWLink IPX/SPX/NetBIOS Compatible Transport Protocol.
  • Services for Macintosh.
  • Open Shortest Path First (OSPF) routing protocol component in Routing and Remote Access.
  • Basic Firewall in Routing and Remote Access (replaced with Windows Firewall).
  • Static IP filter application programming interfaces (APIs) for Routing and Remote Access (replaced with Windows Filtering Platform APIs).
  • The SPAP, EAP-MD5-CHAP, and MS-CHAP authentication protocols for PPP-based connections.

I do not think I will miss support for any of these protocols and features, although I am not sure why they removed support for OSPF. Not that I have ever used it, but I know other people who have used it.

In all, I think Windows Server 2008 RRAS brings in some very exciting new features, and I hope to write about more of them in the future on WindowsNetworking.com and on my WindowSecurity.com blog. I want to thank all of you who wrote to me with ideas of what you would like to see on the WindowsNetworking.com Web site and in this newsletter. You can be sure I will cover all the topics you mentioned in the upcoming weeks and months.

If you have Windows networking questions or ideas for articles or issues to cover in the newsletter, please feel free to write to me at tshinder@windowsnetworking.com

Thanks!

Tom

Quote of the Month - "Never confuse movement with action"

Ernest Hemingway

2. ISA Server 2006 Migration Guide - Order Today!

Dr. Tom Shinder's best selling books on ISA Server 2000 and 2004 were the "ISA Firewall Bibles" for thousands of ISA Firewall administrators. Dr. Tom and his illustrious team of ISA Firewall experts now present to you ISA Server 2006 Migration Guide. This book leverages the over two years of experience Tom and his team of ISA Firewall experts have had with ISA 2006, from beta to RTM and all the versions and builds in between. They've logged literally thousands of flight hours with ISA 2006 and they have shared the Good, the Great, the Bad and the Ugly of ISA 2006 with their no holds barred coverage of Microsoft's state of the art stateful packet and application layer inspection firewall.

Order your copy of ISA Server 2006 Migration Guide. You'll be glad you did.




3. WindowsNetworking.com Articles of Interest

4. KB Articles of the Month

5. Windows Networking Tip of the Month

A major problem with L2TP/IPsec VPN networking is when the VPN server or VPN client is behind a NAT device. This can be a real troubleshooting nightmare if you are not aware of the problem, since it looks like everything is set right but the L2TP/IPsec connection just fails to work. The problem is related to a bug that was introduced with Windows XP SP2 and carried over to Vista and Windows Server 2008. You need to create a Registry fix to handle this problem. You can find more information about this problem here.


6. Helpful Links

7. Ask Dr. Tom

QUESTION: I am curious about IPv6. From the material I have seen, it looks very complex! I don't know if I will ever be able to learn this stuff. Can you give me a hundred mile view of how IPv6 IP addressing works? Thanks! -- Charlie

ANSWER: IPv6 is indeed a major departure from IPv4. There is a lot of new information to take in and at first look, it might seem impossible to take in all the numbers, the new addressing system, the dependence on router configuration and more. However, to get you started, here is some useful information.

There are three types of addresses used in IPv6:

  • Link-Local
  • Unique Local
  • Global

Link-Local addresses are similar to the APIPA addresses used by Windows hosts that cannot find a DHCP server, which come from 169.254.0.0/16. These are truly non-routable addresses (in contrast to the misuse of the term "non-routable" when some people refer to private IP addresses). Link-Local addresses can only be used between hosts on the same network segment. Link-Local addresses are not registered in DNS, since local name resolution mechanisms are used to allow hosts on the same network segment to find the address of a host with a specific name. Link-Local addresses always begin with FE80:

Unique Local addresses are like private IP addresses in IPv4. While they cannot be used on the Internet, they can be used on multiple network IDs on a private network and thus they are routable. Unique Local addresses are a replacement for what were called Site-Local addresses. The problem with Site-Local addresses was that they had some built in ambiguities that made management of them too complex and inconsistent. Unique Local addresses always begin with FD00:

Global addresses are the same as public IP addresses and are routable over the Internet. All addresses that begin with 2000: to E000: are public addresses.

IPv6 is a bit easier than IPv4, in that there are no subnet masks. Instead, for all IPv6 addresses, the first 64 bits of the 128-bit IPv6 address are always the network ID. Some parts of the network ID are predefined, so that you cannot change them; these will always be the higher order bits. You can use the lower order bits to set your custom network IDs. The lower 64 bits are always going to be the host ID.

That's a very high level overview of IPv6 addressing. I will be doing a series on IPv6 on WindowsNetworking.com in the near future, so make sure to check it out.

For now you can take a look at this overview written by Brien Posey, A Crash Course in IPv6.
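The addressing rules in the answer above, worked through in Python as an added example (not part of the newsletter): it expands a compressed address, splits off the fixed 64-bit network ID and 64-bit host ID, and classifies the address by the FE80: and FD00: prefixes the answer names. Two assumptions: the global block is the IANA 2000::/3 allocation, and the site holds a /48 so the fourth hextet is the locally chosen subnet ID.

```python
from ipaddress import IPv6Address, IPv6Network

# Prefixes named in the answer; the global block is the IANA 2000::/3 allocation (assumption).
SCOPES = [
    ("link-local", IPv6Network("fe80::/10")),    # FE80: addresses
    ("unique-local", IPv6Network("fd00::/8")),   # FD00: addresses
    ("global", IPv6Network("2000::/3")),
]


def is_valid(text: str) -> bool:
    """True if the text parses as an IPv6 address (catches typos before they reach netsh)."""
    try:
        IPv6Address(text)
        return True
    except ValueError:
        return False


def describe(text: str) -> dict:
    """Expand an IPv6 address, split the 64-bit network ID from the 64-bit
    host ID, and classify the address by scope."""
    addr = IPv6Address(text)                 # accepts compressed forms such as fe80::1
    hextets = addr.exploded.split(":")       # eight zero-padded 16-bit groups
    scope = next((name for name, net in SCOPES if addr in net), "other")
    return {
        "expanded": addr.exploded,
        "network_id": ":".join(hextets[:4]),   # high-order 64 bits, no subnet mask involved
        "host_id": ":".join(hextets[4:]),      # low-order 64 bits, the host (interface) ID
        # Assumption: the site holds a /48, so hextet 4 is the locally assigned subnet ID.
        "subnet_id": int(hextets[3], 16),
        "scope": scope,
    }
```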

QUESTION: I would like to make things as secure as possible for my Exchange Server remote access users. Many of them still use IMAP4 and POP3, but I know those are not secure protocols. Do you know of any guidance that shows you how to configure things to work from end to end? I'm using Exchange 2003, as Exchange 2007 doesn't look like it's quite ready for prime time (not obvious IMAP4 or POP3 support). Thanks! Juan

ANSWER: I have the perfect answer for you! I did a couple of articles on this subject over at MSExchange.org. Check out Secure Exchange 2000 IMAP4 Service Publishing with ISA Server 2000 - Part 1: Securing Publishing of the IMAP4 Service and Secure Exchange Server 2003 POP3 Publishing. That should get you started. If you are not using an ISA Firewall, you can ignore the ISA Firewall configuration part.

Got a question for Dr. Tom? Send it to tshinder@windowsnetworking.com.
