WindowsNetworking.com Monthly Newsletter of February 2008 Sponsored by: Tippit
Welcome to the WindowsNetworking.com newsletter by Thomas W Shinder MD, MVP. Each month we will bring you interesting and helpful information on the world of Windows Networking. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: email@example.com
The Routing and Remote Access Service has been around since Windows NT. Over the years there has been very little change to RRAS; it has always been pretty reliable and stable, but it has not evolved much. With this history, you would expect that there are not too many changes in the Windows Server 2008 version of RRAS either. Well, if you thought that, you would be wrong!
With Windows Server 2008 you will see the following improvements in RRAS:
Server Manager replaces previous methods for installing system services on Windows Server 2008. With Windows Server 2008, RRAS is included as part of the Network Policy and Access Services. There are two role services that are part of the Network Policy and Access Services: the Network Policy Server (which is the Windows Server 2008 version of IAS) and the Routing and Remote Access Service. This is how you enable RRAS on a Windows Server 2008 computer.
SSTP is a new VPN protocol that allows you to tunnel PPP over SSL. Since it encapsulates the VPN protocol in an SSL secured HTTP header, it can easily traverse firewalls and Web proxies that allow outbound and inbound SSL connections. SSTP is a major and welcome advance to the RRAS suite of networking features.
Another major improvement is that Network Access Protection (NAP) policies can be applied to VPN clients. NAP is a collection of Windows Server 2008 technologies used to confirm that a client computer meets minimal security configuration requirements before it is allowed to connect to the network. If the client meets the requirements, it is allowed network connectivity. If the client does not meet your requirements, it is given limited network access so that it can remediate and try to connect again. NAP enforcement on VPN clients lets you make sure that your VPN clients meet your security requirements before they are allowed onto your network. This is a major improvement over the Windows Server 2003 Remote Access Quarantine solution, which had no user interface and essentially required you to program your own solution. NAP has a nicely polished user interface that lets you get a working configuration right out of the box.
Although IPv6 is not in wide use at this time, the truth is the time will come when IPv6 will be the protocol of choice for private networks and then the Internet. I figure this will happen in about ten years, but it is never too early to get on board. RRAS will be ready for the changes and introduces the following IPv6 improvements:
Stateless filtering (packet filtering):
There is also RADIUS over IPv6 transport support:
The RRAS router can now be configured as an IPv6 router. However, the user interface is very weak, as it only allows you to configure the IPv6 prefix that is advertised by the router. There are many, MANY IPv6 router related settings that need to be set in addition to prefix advertisement. I have written to the RRAS team about this, as adoption of IPv6 will be related to ease of use, and long, complex netsh commands definitely do not translate to ease of use (or accurate use either, the number of typos you can make with IPv6 is astounding).
New cryptographic support for VPN connections brings the RRAS server in line with current industry standards. PPTP now supports only 128-bit RC4 encryption, and L2TP/IPsec now supports 128-, 192- and 256-bit AES encryption. Diffie-Hellman groups 19 and 20 are now supported for main mode IPsec negotiation.
Sadly, when you get new things, old things are removed. Technologies removed from RRAS include:
I do not think I will miss support for any of these protocols and features, although I am not sure why they removed support for OSPF. Not that I have ever used it, but I know other people who have used it.
In all, I think Windows 2008 RRAS brings in some very exciting new features and hope to write about more of them in the future on WindowsNetworking.com and on my WindowSecurity.com blog. I want to thank all of you who wrote to me with ideas of what you would like to see on the WindowsNetworking.com Web site and in this newsletter. You can be sure I will cover all the topics you mentioned in the upcoming weeks and months.
If you have Windows networking questions or ideas for articles or issues to cover in the newsletter, please feel free to write to me at firstname.lastname@example.org
Quote of the Month - "Never confuse movement with action"
A major problem with L2TP/IPsec VPN networking arises when the VPN server or VPN client is behind a NAT device. This can be a real troubleshooting nightmare if you are not aware of the problem, since it looks like everything is set right but the L2TP/IPsec connection simply fails to work. The problem is related to a bug that was introduced with Windows XP SP2 and carried over to Vista and Windows Server 2008. You need to apply a Registry fix to handle this problem. You can find more information about this problem here.
QUESTION: I am curious about IPv6. From the material I have seen, it looks very complex! I don't know if I will ever be able to learn this stuff. Can you give me a hundred mile view of how IPv6 IP addressing works? Thanks! -- Charlie
ANSWER: IPv6 is indeed a major departure from IPv4. There is a lot of new information to take in and at first look, it might seem impossible to take in all the numbers, the new addressing system, the dependence on router configuration and more. However, to get you started, here is some useful information.
Unique Local addresses are like private IP addresses in IPv4. While they cannot be used on the Internet, they can be used on multiple network IDs on a private network and thus they are routable. Unique Local addresses are a replacement for what were called Site-Local addresses. The problem with Site-Local addresses was that they had some built-in ambiguities that made managing them too complex and inconsistent. Unique Local addresses always begin with FD00:
Global addresses are the same as public IP addresses and are routable over the Internet. All addresses that begin with 2000: to E000: are public addresses.
IPv6 is a bit easier than IPv4, in that there are no subnet masks. Instead, for all IPv6 addresses, the first 64 bits of the 128-bit IPv6 address are always the network ID. Some parts of the network ID are predefined, so that you cannot change them; these will always be the higher order bits. You can use the lower order bits to set your custom network IDs. The lower 64 bits are always going to be the host ID.
That's a very high level overview of IPv6 addressing. I will be doing a series on IPv6 on WindowsNetworking.com in the near future, so make sure to check it out.
For now you can take a look at this overview written by Brien Posey, A Crash Course in IPv6.
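The addressing rules in the answer above, worked through in code. This is an added example, not part of the original newsletter: it applies the fixed 64/64 network-ID/host-ID split and the "begins with FD00" rule for Unique Local addresses exactly as stated, while the global range it checks (2000::/3) and the link-local case are assumptions taken from the IPv6 standards rather than from the answer; the sample addresses are constructed.

```python
"""Split and classify IPv6 addresses following the newsletter's rules."""
import ipaddress

# Constructed sample addresses (not from the newsletter), one per case handled below.
SAMPLE_ADDRESSES = [
    "2001:db8:1234:5678:abcd:ef01:2345:6789",  # documentation range, leading bits 001
    "fd12:3456:789a:1::1",                      # Unique Local: begins with FD
    "fe80::1c2d:3e4f:5a6b:7c8d",                # link-local (assumption, not in the answer)
]

HOST_MASK = (1 << 64) - 1


def split_ipv6(text):
    """Return (network_id, host_id) as two 64-bit integers.

    There is no subnet mask to consult: the upper 64 bits are always the
    network ID and the lower 64 bits are always the host (interface) ID.
    """
    value = int(ipaddress.IPv6Address(text))
    return value >> 64, value & HOST_MASK


def network_prefix(text):
    """Render the network ID as a /64 prefix, e.g. '2001:db8:1234:5678::/64'."""
    return str(ipaddress.IPv6Network(f"{text}/64", strict=False))


def classify_ipv6(text):
    """Classify an address by its leading bits, the way the answer does."""
    packed = ipaddress.IPv6Address(text).packed
    if packed[0] == 0xFD:                    # FD00::/8: Unique Local, per the answer
        return "unique local"
    if packed[0] >> 5 == 0b001:              # 2000::/3: IANA global unicast (assumption)
        return "global"
    if packed[0] == 0xFE and packed[1] & 0xC0 == 0x80:   # FE80::/10 (assumption)
        return "link-local"
    return "other"


if __name__ == "__main__":
    for sample in SAMPLE_ADDRESSES:
        net, host = split_ipv6(sample)
        print(f"{sample:40} {classify_ipv6(sample):13} "
              f"prefix={network_prefix(sample)} host_id={host:016x}")
```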
QUESTION: I would like to make things as secure as possible for my Exchange Server remote access users. Many of them still use IMAP4 and POP3, but I know those are not secure protocols. Do you know of any guidance that shows you how to configure things to work from end to end? I'm using Exchange 2003, as Exchange 2007 doesn't look like it's quite ready for prime time (no obvious IMAP4 or POP3 support). Thanks! -- Juan
ANSWER: I have the perfect answer for you! I did a couple of articles on this subject over at MSExchange.org. Check out Secure Exchange 2000 IMAP4 Service Publishing with ISA Server 2000 - Part 1: Securing Publishing of the IMAP4 Service and Secure Exchange Server 2003 POP3 Publishing. That should get you started. If you are not using an ISA Firewall, you can ignore the ISA Firewall configuration part.
Got a question for Dr. Tom? Send it to email@example.com.