RRAS on Windows 2000 for VPN and NAT
Microsoft Corp. first shipped its Routing and Remote Access Services (RRAS) in 1997. Since that time the product has grown in both complexity and features. Windows 2000 ships with a revamped RRAS implementation that builds on the capabilities of Windows NT 4.0's RRAS by introducing several new features.
One of the most significant new features is a Network Address Translation (NAT) implementation that allows a single Windows 2000 RRAS server to provide Internet access for any number of client machines.
NAT lets a Windows 2000 RRAS box route Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) packets to and from internal client machines and the Internet. In this schema, several internal client machines can share a single IP address to access the Internet.
For this review, we configured Windows 2000’s RRAS to serve as both a NAT and a virtual private network (VPN) router. RRAS can also be configured as a network router and customized to support several configuration options, but we chose this functionality after determining that in most enterprise deployments, RRAS will be leveraged for its NAT and VPN routing services.
Setting Up NAT
We installed RRAS on an AMD Athlon 750-MHz system with 512 MB of RAM running Windows 2000 Advanced Server. Our Athlon test system is outfitted with two 3C980B-TX network interface cards (NICs) from 3Com Corp. (www.3com.com), a 36-GB Atlas 10 K Ultra160 SCSI fixed disk from Quantum Corp. (www.quantum.com), and a 3950U2 Ultra2 SCSI controller from Adaptec Corp. (www.adaptec.com).
After we brought up the Routing and Remote Access administrative console from the Windows 2000 Administrative Tools context menu, we chose the Configure and Enable Routing and Remote Access option from the Action menu. This invoked an installation wizard that prompted us to configure RRAS as an Internet Connection Sharing router, as a VPN server, as a network router, or as a custom-configured environment.
When choosing RRAS’s Internet Connection Sharing option, select the Set Up A Router With The Network Address Translation Routing protocol option instead of RRAS’s Set Up Internet Connection Sharing (ICS). ICS is the same low-level technology that ships with both Windows 98 and Windows 2000 Professional: It’s simply not suited for enterprise or medium-sized remote office environments.
To configure RRAS as a NAT router, you’ll need two network interfaces that you will configure as either public or private network connections. When configuring the public interface -- which can be a NIC, a standard analog modem, an ISDN router, or a DSL modem, among others -- check the Translate TCP/UDP Headers item box.
NAT works by mapping internal IP addresses to one or more external IP addresses. Because it leverages a many-to-one technology that ultimately depends on IP masquerading, it’s not 100 percent trouble-free. In particular, many communications-oriented applications that use exotic TCP or UDP ports and rely upon the forwarding of TCP and UDP packets don’t interoperate well with NAT. To help patch NAT for these applications, Windows 2000’s NAT implementation can be configured to forward UDP or TCP packets to specific internal IP addresses. NAT-on-Windows 2000 also lets you reserve specific external-to-internal IP address mappings.
There wasn’t much more to it than that. Depending on the degree of customization that you desire, setting up NAT on Windows 2000 shouldn’t be a labor-intensive task.
Configuring RRAS and Windows 2000 to function as a VPN Server also is a snap. RRAS’s handy installation wizard walked us through the necessary steps, such as selecting which protocols we’d use for a VPN -- TCP/IP is enabled as the sole default; defining which interface, if any, we’d use to provide our VPN clients with Internet access; asking us to specify which method -- either by means of DHCP or by virtue of static address pools -- we’d use to provide IP addresses to authenticated clients; and prompting us to determine whether or not we wanted to use RADIUS to coordinate authentication services between multiple RRAS VPNs.
Windows 2000 RRAS provides you with a variety of VPN authentication schemes, all of which can be specified under the Authentication Methods tab that is displayed under the Security context menu for your RRAS VPN Server.
We used only Windows 2000 clients to connect to our Windows 2000 RRAS VPN server. In this regard, we enabled MS-CHAP v2 (Microsoft Encrypted Authentication version 2) and MS-CHAP (Microsoft Encrypted Authentication) as our default encryption schemes. Through the course of testing, our Windows 2000 clients experienced no difficulty in connecting to our RRAS VPN, and once authenticated, we were able to transparently browse our internal network.
Windows 2000 RRAS is a good solution for enterprises that want to establish virtual private networks between office locations, provide a base-level software routing solution, or enable Internet access for client workstations by virtue of Microsoft’s NAT implementation. Moreover, for all-Windows shops or companies deploying Windows 2000 RRAS in an all-Windows environment, Windows 2000 RRAS is a sound choice. It is a reliable performer that provides essentially transparent VPN services and quick, efficient NAT routing.
Windows 2000’s RRAS services are easily configurable and offer a completely GUI-based setup. As far as minimum hardware requirements are concerned, RRAS-on-Windows 2000 isn’t the resource hog you might expect: We ran RRAS in-house on another Windows 2000 Advanced Server box, this one outfitted with a meager Pentium 233 microprocessor and 128 MB of RAM. RRAS doesn’t appear to be finicky about its resource requirements, Microsoft’s Windows 2000 Server minimum recommended requirements notwithstanding, our little RRAS box reliably provides NAT services to 14 internal client machines.
Windows 2000 RRAS
+ Easy to configure and manage as either a NAT, VPN, or dial-up remote access server
+ An effective solution for Windows-only shops
+ Scalable solution as a dedicated NAT, VPN, or dial-up platform
- Default out-of-box configuration is not secure and must be hardened
- Questionable interoperability with heterogeneous platforms and clients in VPN or dial-up server implementations