WindowsNetworking.com Newsletter of April 2008

WindowsNetworking.com Monthly Newsletter of October 2008 Sponsored by: UniPrint

Welcome to the WindowsNetworking.com newsletter by Thomas W Shinder MD, MVP. Each month we will bring you interesting and helpful information on the world of Windows Networking. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: tshinder@windowsnetworking.com

UniPrint VDI Edition - The ultimate printing solution for virtualized environments

Expand the capabilities of VDI to printing. Try UniPrint VDI Edition for easy local and remote desktop access, fast printing and secure delivery.
Find out how UniPrint universal printer driver solves printer incompatibility issues making printer management simple. How its PDF generator solves bandwidth issues and saves up to 90% bandwidth consumption. UniPrint VDI Edition is simple to install and easy to use. Compatible VMware VDI, Citrix XenDesktop and Microsoft Virtual PC.

Download Now

1. The Internet (ICMP) Router Discovery Protocol (IRDP)

Most of us like to use DHCP to assign IP addressing information to our network nodes. This is especially the case in larger network environments. But even on small networks, it is hard to beat the ease of configuration and address management that is available using DHCP. Just configure the scope to include a range of IP addresses, a subnet mask, the DNS address, the WINS address and the default gateway, and you are good to go.

However, there is one thing that DHCP is not good at, and that is awareness of the network infrastructure. If a WINS or DNS server is not available or changes its IP address, the DHCP server is blissfully unaware of the situation and continues to assign inaccurate address information to DHCP clients. While you might be able to get around this problem by assigning several WINS and DNS server addresses to the clients, things get more difficult when dealing with the default gateway.

It might happen that the default gateway setting becomes incorrect because the existing gateway is down or the IP address of the gateway changes. In this situation, nodes will only be able to reach other nodes on the same segment. While DHCP is a good option for assigning IP addresses, subnet masks, and DNS/WINS addresses, you might want a more dynamic solution for gateway address assignment.

If you think dynamic gateway assignment would be a good thing, then the Internet (ICMP) Router Discovery Protocol (IRDP) is for you. IRDP allows hosts without a configured gateway address to send out requests for gateway information. These messages are called ICMP Router Solicitation requests. Router solicitation requests are ICMP messages aimed at finding a router on the local network. When a router configured to listen for these solicitation packets hears the request, it will broadcast its own message, called an "ICMP Router Advertisement". Therefore, router solicitation messages elicit router advertisement messages.

These messages can be broadcast in one of two ways: via the "all-routers" multicast address or via a limited subnet broadcast. The all-routers multicast address is 224.0.0.2 and is the default method. The limited subnet broadcast is sent to 255.255.255.255.

What happens if there are multiple gateways on the same network ID? If all routers are configured to answer router solicitation requests, then all routers will send router advertisements in response. Depending on the implementation of IRDP, the host sending the solicitation will either select the gateway from the router that responded first, or from the gateway that has a higher "preference level". The Windows 2000 RRAS supports configuring preference levels.

All versions of Windows after Windows 95 support IRDP. When these hosts start up they will automatically join the "all hosts" multicast group, which listens on IP address 224.0.0.1. These operating systems can send router solicitation packets to 224.0.0.2 and listen for router advertisements on 224.0.0.1. Windows 2000 and Windows XP clients send a maximum of three solicitations, 600 ms apart. If there is no response, the client will wait for the router to send advertisement messages via mechanisms other than in response to its router solicitation.

The configuration interface and implementation vary with each vendor. If you are using a Windows RRAS server, you can configure IRDP in the RRAS console. Open the RRAS console from the Administrative Tools menu and then expand the server name. Expand the IP Routing node and click on the General node. You'll see a list of interfaces in the right pane of the console. Right click on the interface you want to make a gateway and click the Properties command. The interface's Properties dialog appears.

The Advertisement lifetime value is the number of minutes a router discovery advertisement is valid. The default value is 30. For example, suppose a Windows XP client starts up and sends out a router solicitation message. The Windows RRAS router sends back a router advertisement message that includes the IP address of its gateway interface. After 30 minutes the value will time out and the client will send another router solicitation message if it has not heard a router advertisement before the end of the advertisement lifetime. Note that the client listens to the broadcast responses the router makes to solicitations made by other hosts and uses that broadcast to reset the advertisement lifetime clock. The client can also take advantage of unsolicited advertisements sent out by the router.

You can also configure a level of preference. The higher the value, the more preferred the gateway. If you have multiple gateways that are using IRDP, then the router with the higher preference level is used by the IRDP clients. If you configure all routers with the same preference value, the first router to answer the solicitation will be used as the preferred gateway.

Nodes do not have to depend on other nodes sending out solicitation messages. The router can be configured to send out advertisements at predetermined intervals. In the case of the Windows RRAS, you can set a Minimum and Maximum time. Router advertisement messages are then sent at a random interval between the Minimum and Maximum values you set in RRAS.
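The advertisement format and the gateway-selection rule described above, as an added example in Python (this is not code from the newsletter or from Windows RRAS): it builds and parses RFC 1256 Router Advertisement messages, validates the ICMP checksum, and applies the "highest preference wins, ties go to the first responder" rule. Gateway addresses and preference values are constructed test data.

```python
import struct
from ipaddress import IPv4Address

ICMP_ROUTER_ADVERT = 9  # RFC 1256 Router Advertisement (router -> 224.0.0.1 or 255.255.255.255)

def icmp_checksum(data: bytes) -> int:
    """One's-complement checksum; over a whole valid message it evaluates to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_advertisement(routers, lifetime_s=1800):
    """routers: [(gateway_ip, preference)]. Lifetime is seconds on the wire;
    the RRAS dialog shows it in minutes (default 30 min = 1800 s)."""
    body = b"".join(IPv4Address(ip).packed + struct.pack("!i", pref) for ip, pref in routers)
    hdr = struct.pack("!BBHBBH", ICMP_ROUTER_ADVERT, 0, 0, len(routers), 2, lifetime_s)
    csum = struct.pack("!H", icmp_checksum(hdr + body))
    return hdr[:2] + csum + hdr[4:] + body

def parse_advertisement(pkt):
    """Return (lifetime_s, [(gateway_ip, preference), ...]); raise ValueError on bad input."""
    if len(pkt) < 8:
        raise ValueError("short ICMP message")
    typ, code, _csum, num, size, lifetime = struct.unpack("!BBHBBH", pkt[:8])
    if typ != ICMP_ROUTER_ADVERT or code != 0:
        raise ValueError("not a router advertisement")
    if icmp_checksum(pkt) != 0:
        raise ValueError("bad checksum")
    if size < 2 or len(pkt) < 8 + num * size * 4:
        raise ValueError("truncated address list")
    entries = []
    for i in range(num):
        off = 8 + i * size * 4  # each entry is `size` 32-bit words
        ip = str(IPv4Address(pkt[off:off + 4]))
        entries.append((ip, struct.unpack("!i", pkt[off + 4:off + 8])[0]))
    return lifetime, entries

def choose_gateway(adverts_in_arrival_order):
    """Host-side rule from the article: highest preference wins; on a tie the
    first advertisement heard is kept. Preference 0x80000000 means 'do not use'."""
    best = None
    for pkt in adverts_in_arrival_order:
        for ip, pref in parse_advertisement(pkt)[1]:
            if pref != -0x80000000 and (best is None or pref > best[1]):
                best = (ip, pref)
    return best[0] if best else None
```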

There are a couple of important Registry entries you need to know about:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\\Parameters\Tcpip\
Value Name: PerformRouterDiscovery
Value Type: REG_DWORD - Number
Valid Range: 0,1
Default: 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\\Parameters\Tcpip\
Value Name: SolicitationAddressBcast
Value Type: REG_DWORD - Number
Valid Range: 0,1
Default: 0

The PerformRouterDiscovery entry allows the client to send out discovery messages. The SolicitationAddressBcast entry allows the host to send packets to the limited broadcast address (255.255.255.255) instead of the multicast address. Note that while the Windows 2000 Resource Kit states that the PerformRouterDiscovery entry is there by default, it's not. You will have to add this to NT, Windows 2000 and Windows XP hosts. We'll wait and see what happens with Windows 2003.

While you do not hear too much about this useful protocol, we've been able to use IRDP in a variety of environments over the years. The protocol is quite handy in more complex or fluid environments, and is even helpful in smaller environments where IP configuration changes on gateways can lead to support calls and possibly hours of troubleshooting. When you use IRDP, you do not have to worry about someone changing the address of the gateway, because the router will advertise the new IP address.

Thanks!
Tom 
tshinder@windowsnetworking.com

=======================

Quote of the Month - "Don't you wish there was a knob on the TV to turn up the intelligence? There's one marked 'Brightness,' but it doesn't work." - Gallagher

======================

2. ISA Server 2006 Migration Guide - Order Today!

Dr. Tom Shinder's best selling books on ISA Server 2000 and 2004 were the "ISA Firewall Bibles" for thousands of ISA Firewall administrators. Dr. Tom and his illustrious team of ISA Firewall experts now present to you ISA Server 2006 Migration Guide. This book leverages the over two years of experience Tom and his team of ISA Firewall experts have had with ISA 2006, from beta to RTM and all the versions and builds in between. They've logged literally thousands of flight hours with ISA 2006 and they have shared the Good, the Great, the Bad and the Ugly of ISA 2006 with their no holds barred coverage of Microsoft's state of the art stateful packet and application layer inspection firewall.

Order your copy of ISA Server 2006 Migration Guide. You'll be glad you did.

3. WindowsNetworking.com Articles of Interest

4. KB Articles of the Month

5. Windows Networking Tip of the Month

Did you know that you can use the SET command from the command line to get interesting information about your computer and its connection to the network? Check it out. Open a command prompt, type set and then press ENTER.

You'll see something like this:

C:\Documents and Settings\tshinder.TACTEAM>set
ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\bob.TACTEAM\Application Data
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=DUALCORE
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\tshinder.TACTEAM
LOGONSERVER=\\DC1
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\Symantec\pcAnywhere\;c:\Program Files\Support Tools\;C:\Program Files\Diskeeper Corporation\Diskeeper\;C:\Program Files\Intel\DMIX;C:\Program Files\Microsoft Network Monitor 3\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0404
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SonicCentral=C:\Program Files\Common Files\Sonic Shared\Sonic Central\
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=c:\TEMP
TMP=c:\TEMP
USERDNSDOMAIN=TACTEAM.NET
USERDOMAIN=TACTEAM
USERNAME=bob
USERPROFILE=C:\Documents and Settings\bob.TACTEAM
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI

I find the most useful entry is the logon server. There is also interesting information about your temp folder location, your user domain and your processor architecture.

6. WindowsNetworking Links of the Month

7. Ask Dr. Tom

QUESTION:

Dear Dr. Tom,

I'm having a hard time figuring out a good VPN solution. I have extra Windows Server 2008 licenses that I can use, but I'm wondering if Windows Server 2008 would make a good VPN server. Some people are telling me that I should get a "hardware" VPN server for my network. What do you think? Thanks! Georgi

ANSWER:

Hi Georgi!

You ask a good question. There are advantages and disadvantages of both the Windows Server 2008 VPN server solution and the "hardware" VPN server solution. Here are some questions you need to ask yourself when making the decision:

  • Do you want to use a VPN client component that comes with your operating systems, or do you want to spend time figuring out a non-OS VPN client and deploying that VPN client to your VPN client operating systems?
  • Do you want to leverage your existing Windows Server skills to create a Windows VPN server solution? Or would you prefer to take the time and expense to learn a new solution that your staff might not be familiar with?
  • What VPN protocols do you want to support? Windows Server based VPN servers support PPTP, L2TP/IPsec and SSTP. "Hardware" VPN servers might support IPsec tunnel mode, but that is a less secure VPN protocol than both L2TP/IPsec and SSTP.
  • Check out the security development lifecycle process each vendor you're considering uses. Microsoft has published comprehensive documentation on their SDL, which assures that the software is secure out of the box, and will continue to be secure with regular support updates, at no additional cost. Does the "hardware" VPN server vendor publish comprehensive information about their SDL? Do they update their software on a regular basis, at no cost to you?
  • How comprehensive are the monitoring and troubleshooting tools available in the VPN server solution? Windows allows you to use a wide range of performance monitoring and troubleshooting tools, including Network Monitor 3.2. Most "hardware" VPN server solutions have a limited subset of troubleshooting tools and provide no entrance into the operating system to install your own.
  • How easy will it be to scale your VPN server solution as your needs grow? With Windows Server 2008, you can add faster processors, more processors, and more memory as required, without requiring a new machine. And if you need a new machine, you can easily image your previous server and restore the image to a new machine. With a "hardware" solution you will need to obtain a new box, which may be more expensive than what it would cost for you to upgrade the hardware on your servers.
  • Do you want a solution that has widespread community support on the Internet and an exceptional knowledge base on the vendor Web site? If so, Windows Server 2008 VPN servers would be the way to go. "Hardware" VPN server vendors often play their cards close to their chests and do not make it easy to find information about configuring and troubleshooting their devices.

As you can see, there are a lot of advantages to using a Windows Server 2008 based VPN server solution. However, one advantage that the "hardware" solution might have is that it can be a plug and play solution for organizations that have little Windows Server or networking expertise. In general, Windows Server 2008 will be the better solution, in that it provides you more flexibility and security at a comparable cost to "hardware" VPN servers.

Got a question for Dr. Tom? Send it to tshinder@windowsnetworking.com.