Routing and RAS (Remote Access Service) in Windows 2003 Server
Routing and RAS is like a sleeping giant. What I mean by that is that in Windows Server 2003 you no longer need to install RAS, but it remains inactive until you configure the icon. I have a special bet for you. My bet is that Microsoft’s RRAS will have at least one feature that will surprise you.
Introduction to RRAS in Windows Server 2003
It’s hard to be rude about Windows Server 2003’s RAS especially when you remember how flaky RAS was in NT 4.0. What has happened in Windows 2003 is that the new version of the RAS service is much more robust, but equally the RAS icon is tricky to configure because there are so many more options. The advertising blurb says that RRAS has zillions of wonderful new features. This is true, but finding them can be frustrating and that is why I have prepared a series of mini-tutorials.
Routing and RAS Topics
Windows Server can act as a router; what a novel idea. My guess is that most people will buy a dedicated hardware router. However, if you are stuck, don’t have the money, or just want to practice some routing ideas, then Windows Server 2003 provides genuine but slow software routing capabilities. (Unlike specialist routers, which provide much faster hardware inter-network connections.)
Surely no surprise in the RAS core? Well, not really; the only brain teaser is in the very first decision: do you need a dedicated Windows RAS server at all? What I am thinking is that there are viable alternatives to a Windows 2003 RAS server with digiboards of modems, for example VPN, RPC over HTTP and internet email. In my mind RAS was a good solution for roaming users in the 1990s, but in the 21st century other technologies have improved while RAS has stayed where it is.
There is an initial shock in that you no longer install the DHCP Relay Agent from Add or Remove Programs. As soon as you navigate to the RRAS interface, it hits you that this is the obvious place for the DHCP Relay Agent. It makes sense to link the routing component of Windows Server 2003 with the listening and routing component of DHCP. If there is a frustration, it is how well Microsoft hide the DHCP Relay Agent interface in the Routing Interfaces.
Not so much a surprise, more a bonus to find two Routing Protocols under the IP Routing folder. The trick to installing many of these extra features is to right-click the General Folder. In this instance, select the ‘New Routing Protocol’. On the diagram you can see that RIP is already installed, so we assume that the screen shot was taken from an OSPF installation.
No surprise that Microsoft provide Policies to control RAS users. However, it is confusing that the Remote Access Policies are not in Active Directory. Microsoft’s justification for this arrangement is that for security reasons, RAS servers may be positioned in a DMZ without connectivity to Active Directory. Just to be clear, RRAS can operate happily in a Domain; it’s just that you have the option of making it a complete stand-alone server.
If you have the time to investigate the RAS Policies, you will be rewarded, as there is a rich variety of settings for any eventuality that you could dream up. For example, you can filter on phone number, group membership or Vendor properties. The bombshell in RAS Policies is that by default, no one can dial in. The stated reason for this setting is security. My view is that finding the Deny / Grant radio buttons is a hidden test for you. If you don’t know what you’re doing, then nobody can dial in. However, if you are skilful, then you find the setting and switch the radio button from Deny to Grant.
NAT (Network Address Translation) solved an intellectual puzzle for me. 10 years ago, when I first saw multiple workstations browse the internet through one connection, it bamboozled me how the proxy server knew which web page to return to which workstation, given they only had one IP address on the Internet connection. The answer, of course, is assigning a unique port number to each client. In effect, NAT keeps a database of which internet requests map to which local machine. Incidentally, you may have seen NAT’s baby brother, called ICS (Internet Connection Sharing), on XP. In fact, you have to make sure that you disable the Windows Firewall / ICS service before you configure Windows Server 2003.
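The port-mapping "database" described above, as an added example that is not part of the original article: a minimal model of a port-translating NAT table. All addresses, the starting port 50000 and the class and function names are constructed for illustration, and real NAT also keys its entries on protocol and ages them out.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (IP address, port)

@dataclass
class NatTable:
    """Minimal port-translating NAT: one public IP shared by many clients."""
    public_ip: str
    next_port: int = 50000                      # constructed start of port pool
    out_map: Dict[Endpoint, int] = field(default_factory=dict)
    in_map: Dict[int, Endpoint] = field(default_factory=dict)

    def outbound(self, src: Endpoint, dst: Endpoint) -> Tuple[Endpoint, Endpoint]:
        """Rewrite a client's source address to the shared public address."""
        if src not in self.out_map:             # first packet of this flow
            self.out_map[src] = self.next_port
            self.in_map[self.next_port] = src
            self.next_port += 1
        return (self.public_ip, self.out_map[src]), dst

    def inbound(self, src: Endpoint, dst: Endpoint) -> Optional[Tuple[Endpoint, Endpoint]]:
        """Map a reply back to the client, or drop it if no mapping exists."""
        if dst[0] != self.public_ip or dst[1] not in self.in_map:
            return None                         # unsolicited: no table entry
        return src, self.in_map[dst[1]]

def demo():
    nat = NatTable(public_ip="203.0.113.10")    # constructed public address
    web = ("198.51.100.80", 80)                 # constructed web server
    # Two workstations happen to pick the same local source port.
    a = nat.outbound(("10.0.100.21", 1025), web)
    b = nat.outbound(("10.0.100.22", 1025), web)
    reply_a = nat.inbound(web, a[0])            # reply addressed to public port of A
    reply_b = nat.inbound(web, b[0])            # reply addressed to public port of B
    stray = nat.inbound(web, ("203.0.113.10", 50999))  # nobody asked for this
    return a, b, reply_a, reply_b, stray

if __name__ == "__main__":
    for row in demo():
        print(row)
```

The last case is the security-relevant one: a packet arriving on a public port with no table entry has no internal destination and is dropped, which is why internal hosts behind NAT are not directly reachable unless a mapping is created for them.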
To configure NAT, navigate in the RRAS interface to the IP Routing folder. Unlike ICS, where you must use 192.168.0.1, with NAT you can use any valid IP address on the internal network, for example 10.0.100.1. The key decision with the NAT tabs is what to do about DNS. I would recommend keeping DNS resolution in house (don’t tick the box).
I stand by my challenge, which is, if you investigate the RRAS menus, you will find at least one surprise. It could be in the Remote Access Policies, or possibly in the Routing Interfaces, if not there, then certainly in the NAT configuration.