Components and Features Provided by an ISP


Introduction

Outsourcing part or all of a remote access solution through a wholesale contract with an Internet service provider (ISP) can provide some organizations significant cost savings, minimizing both setup and operations costs.

Outsourcing considerations

Providing dial-up and VPN connectivity across a wide geographical area can be expensive for an organization. For example, having a nationwide sales force dial in to a local number will result in expensive long distance charges. An ISP can provide access to an extensive network of connections across a wide geographical area for a fixed cost.

Components and features

If you are deploying a VPN solution, an ISP can provide many of the components required to support VPN access. The following table lists components that an ISP can provide and the purpose of each component.

Component                        Used for
Network Access Servers (NASs)    Providing access from various geographical access points that will integrate with Windows Server 2003, such as RADIUS.
RADIUS proxy servers             Routing of access requests to the enterprise.
Authentication services          Sending authentication requests to a RADIUS server when used with a RADIUS proxy.
Phone book support               Delivering the latest access numbers either to the enterprise or directly to the client.

Guidelines for Deploying Remote Access Servers


Introduction

In deciding where to place remote access servers on your network, consider firewall placement and the placement of other network resources that remote access clients will need to access. These resources might include a certification authority (CA), a RADIUS server, a domain controller, or file and application servers.

Dial-up remote access

In a dial-up remote access design, RAS servers are usually placed behind the firewall. Because a VPN design involves Internet connectivity, server placement relative to the firewall is a greater issue.

VPN remote access

If you are designing a VPN remote access solution, choose between two options for server placement, each with different design requirements:

■ VPN server behind the firewall. The firewall is attached to the Internet, with the VPN server between the firewall and the intranet. This placement is used in a perimeter network configuration, in which one firewall is positioned between the VPN server and the intranet, and another is placed between the VPN server and the Internet.

■ VPN server in front of the firewall. The VPN server is connected to the Internet, with the firewall between the VPN server and the intranet.

NAT server considerations

A NAT server translates the IP addresses and the Transmission Control Protocol/User Datagram Protocol (TCP/UDP) port numbers of packets that are routed between a private network and the Internet. If you are using a NAT with your VPN remote access server solution, your security plan for remote access must include the required setup for placing VPN clients behind a NAT. Consider the following when using a NAT server:

■ Using NAT with PPTP connections. If a VPN client that uses a PPTP connection is behind a NAT, the NAT must include a NAT editor that can translate PPTP traffic. The NAT editor is required because PPTP tunneled data has a Generic Routing Encapsulation (GRE) header rather than a TCP header or a UDP header. The NAT editor uses the Call ID field in the GRE header to identify the PPTP data stream and translate IP addresses and call IDs for PPTP data packets that are forwarded between a private network and the Internet.

Note The NAT/Basic Firewall routing protocol component of the Routing and Remote Access Service and ISA Server 2000 include a NAT editor for PPTP traffic.

■ Using NAT with L2TP/IPSec connections. IPSec NAT Traversal (NAT-T) enables computers with an IPSec association to communicate when behind a NAT. IPSec NAT-T provides UDP encapsulation of IPSec packets to enable IKE and ESP-protected traffic to pass through a NAT device without corrupting the packet contents. Internet Key Exchange (IKE) automatically detects that a NAT is present and uses UDP-ESP (User Datagram Protocol-Encapsulating Security Payload) encapsulation to enable ESP-protected IPSec traffic to pass through the NAT.

Note To use NAT-T, both the remote access VPN client and the remote access server must support IPSec NAT-T. IPSec NAT-T is supported by Windows Server 2003 and Microsoft L2TP/IPSec VPN Client.
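As an added example (not part of the course material), the following Python classifies a captured VPN packet the way a NAT in the path must: PPTP data arrives as GRE (IP protocol 47) with the Call ID in the enhanced GRE Key field and no port numbers, so a NAT editor is required, whereas L2TP/IPSec with NAT-T arrives as UDP on port 4500, where the UDP ports give an ordinary NAT something to translate. The packet layouts follow RFC 2637 (PPTP GRE) and RFC 3948 (UDP-encapsulated ESP); the sample packets are constructed here, not captured.

```python
import struct
from dataclasses import dataclass
from typing import Optional

GRE_PROTO, UDP_PROTO = 47, 17
PPTP_GRE_PROTOCOL_TYPE = 0x880B   # RFC 2637 enhanced GRE carrying PPP
GRE_KEY_PRESENT = 0x2000          # K bit: the Key field (payload length + Call ID) follows
IPSEC_NAT_T_PORT = 4500           # RFC 3948 UDP-encapsulated ESP / floated IKE

@dataclass
class Verdict:
    kind: str                     # "pptp-gre", "nat-t-esp", "nat-t-ike" or "other"
    needs_nat_editor: bool        # True when a port-based NAT cannot track the flow
    call_id: Optional[int] = None
    spi: Optional[int] = None

def ipv4(proto: int, payload: bytes) -> bytes:
    """Build a minimal 20-byte IPv4 header (constructed sample; checksum left zero)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      bytes([192, 168, 1, 10]), bytes([203, 0, 113, 5]))
    return hdr + payload

def classify(pkt: bytes) -> Verdict:
    """Decide how a NAT must treat one VPN packet: GRE needs a PPTP editor, UDP does not."""
    ihl = (pkt[0] & 0x0F) * 4
    proto, payload = pkt[9], pkt[ihl:]
    if proto == GRE_PROTO:
        # Enhanced GRE header: flags/version, protocol type, payload length, Call ID.
        # There are no ports here, so a NAT editor must key its table on the Call ID.
        flags, ptype, _plen, call_id = struct.unpack("!HHHH", payload[:8])
        if ptype == PPTP_GRE_PROTOCOL_TYPE and flags & GRE_KEY_PRESENT:
            return Verdict("pptp-gre", True, call_id=call_id)
        return Verdict("other", False)
    if proto == UDP_PROTO:
        sport, dport, _ulen, _csum = struct.unpack("!HHHH", payload[:8])
        body = payload[8:]
        if IPSEC_NAT_T_PORT in (sport, dport):
            # UDP ports give the NAT something to translate; the ESP header is untouched.
            # A 4-byte zero "non-ESP marker" means the datagram carries IKE, not ESP.
            if body[:4] == b"\x00\x00\x00\x00":
                return Verdict("nat-t-ike", False)
            return Verdict("nat-t-esp", False, spi=struct.unpack("!I", body[:4])[0])
    return Verdict("other", False)

# Constructed samples: PPTP data with Call ID 0x1234, NAT-T ESP with SPI 0xC0FFEE01, NAT-T IKE.
PPTP_PKT = ipv4(GRE_PROTO, struct.pack("!HHHH", 0x3001, PPTP_GRE_PROTOCOL_TYPE, 8, 0x1234)
                + struct.pack("!I", 7) + b"\xff" * 8)
NAT_T_ESP_PKT = ipv4(UDP_PROTO, struct.pack("!HHHH", 4500, 4500, 20, 0)
                     + struct.pack("!I", 0xC0FFEE01) + b"\x00" * 8)
NAT_T_IKE_PKT = ipv4(UDP_PROTO, struct.pack("!HHHH", 4500, 4500, 20, 0) + b"\x00" * 4 + b"\x11" * 8)
```

Running `classify` over the three samples returns the PPTP verdict with `needs_nat_editor=True` and the Call ID, and the two NAT-T verdicts with `needs_nat_editor=False`, which is the difference the two bullets above describe.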
