
Configuring Remote Access Servers

Installing and Configuring RRAS as a VPN Server


How to install the Routing and Remote Access Services
(RRAS)
1. Click Start, and then click Manage Your Server.
2. Select the Add or remove a role option.
3. The Configure Your Server Wizard starts.
4. On the Preliminary Steps page, click Next.
5. A message appears, informing you that the Configure Your Server Wizard is detecting
network settings and server information.
6. When the Server Role page appears, select the Remote Access/VPN Server option and
then click Next.
7. On the Summary of Selections page, click Next.
8. The Welcome to the Routing and Remote Access Server Setup Wizard page is displayed.

How to configure RRAS as a VPN Server


1. Click Start, Administrative Tools, and then click Routing And Remote Access to open the
Routing And Remote Access management console.
2. In the console tree, select the server that you want to configure.
3. Right-click the server, and then click Configure And Enable Routing And Remote Access
from the shortcut menu.
4. The Routing and Remote Access Server Setup Wizard starts.
5. Click Next on the Routing and Remote Access Server Setup Wizard Welcome page.
6. On the Common Configuration page, select the Remote Access (Dial-Up Or VPN) option.
Click Next.
7. On the Remote Access page, select the VPN server checkbox and the Dial-up server
checkbox (optional) and then click Next.
8. On the Macintosh Guest Authentication page, select the Allow Unauthenticated Access
For All Remote Clients option if you have Macintosh File and Print services installed and
you want the remote access server to allow anonymous remote access.
9. On the IP Address Assignment page, select the Automatically option if you want to use a
DHCP server for IP address assignment for remote clients; or select the From A Specified
Range Of Addresses option if you want to specify your own address range.
10. If you chose the From A Specified Range Of Addresses option, proceed to specify the
address range for remote clients. Click Next.
11. On the Managing Multiple Remote Access Servers page, select the No, Use Routing And
Remote Access To Authenticate Connection Requests option. Click Next.
12. Click Finish when the Completing the Routing and Remote Access Server Setup Wizard
page appears.
13. You will be notified that the DHCP Relay Agent has to be configured with the IP address
of the DHCP server so that DHCP messages can be allowed from your remote clients.
14. Click OK to acknowledge this notification.

How to configure VPN ports for the remote access server


You can increase the number of clients that are allowed to concurrently connect to the VPN
server, and you can enable and disable the use of PPTP or L2TP. You add more L2TP ports
or PPTP ports in the Routing And Remote Access management console, through the Ports
Properties dialog box for the remote access server.
To configure additional PPTP ports or L2TP ports:

1. Click Start, Administrative Tools, and then click Routing And Remote Access to open the
Routing And Remote Access management console.
2. In the console tree, expand the node for the server that you want to configure.
3. Right-click Ports and then select Properties from the shortcut menu to open the Ports
Properties dialog box.
4. Select WAN Miniport (PPTP) or select WAN Miniport (L2TP).
5. Click the Configure button.
6. The Configure Device dialog box opens.
7. In the Maximum Ports box, specify the number of connections that the port type which
you have selected can support. The default configuration setting when the RRAS is
installed is 5 PPTP ports and 5 L2TP ports.
8. If you want to specify the IP address of the public interface to which VPN clients connect,
use the Phone Number For This Device box on the Configure Device dialog box.
9. If you want to disable connections for the port type, select the Use the Remote Access
Connections (Inbound Only) checkbox on the Configure Device dialog box.
10. If you do not want to allow the specific VPN type to be used for demand-dial connections,
deselect the Demand-Dial Routing Connections (Inbound And Outbound) checkbox.
11. Click OK to close the Configure Device dialog box.
12. Click OK to close the Ports Properties dialog box.

How to configure the VPN client computer


1. On the client computer open Control Panel.
2. Right-click Network Connections and then select open from the shortcut menu.
3. Click New Connection Wizard to start the New Connection Wizard.
4. Click Next on the Welcome to the New Connection Wizard page.
5. On the Network Connection Type page, select Connect to the network at my workplace,
and then click Next.
6. Click Virtual Private Network Connection, and click Next.
7. Enter a name for the connection and click Next.
8. Specify the external IP address of the VPN server, or the FQDN of the VPN server, and
then click Next.
9. Select the Anyone's use option if you want the connection to be available to everyone who
uses the computer, and then click Next.
10. When the Completing the New Connection Wizard page appears, click Finish.
11. The logon dialog box is displayed after you click the Finish button to complete the New
Connection Wizard.

How to grant dial-in permission for user accounts


1. Click Start, Administrative Tools, and then click Computer Management to open the
Computer Management console.
2. Double-click Local Users and Groups.
3. Double-click Users.
4. Double-click the specific user account that you want to grant access for to open the
Properties dialog box of the user.
5. Click the Dial-in tab.
6. Click Allow access, and then click OK.
7. On the client computer, access the Network Connections folder, and then double-click
the VPN connection that you want to configure.
8. Specify the user account credentials, and then click Connect.

How to manually install the DHCP Relay Agent


The DHCP Relay Agent is automatically installed when you install the Windows Server 2003
Routing And Remote Access Service (RRAS).
You can, however, install the DHCP Relay Agent manually:
1. Click Start, Administrative Tools, and then select Routing And Remote Access to open the
Routing And Remote Access console.
2. In the console tree, expand the Server node of the server that you want to install the
DHCP Relay Agent for.
3. Expand the IP Routing node.
4. Right-click the General node, and then select New Routing Protocol from the shortcut
menu.
5. The New Routing Protocol dialog box opens.
6. Select DHCP Relay Agent.
7. Click OK.
8. The DHCP Relay Agent node appears beneath the IP Routing node in the console tree of
the Routing And Remote Access management console.

How to add the DHCP server that DHCP requests should be forwarded to

1. Click Start, All Programs, Administrative Tools and then click Routing and Remote Access
to open the Routing And Remote Access management console.
2. Expand the IP Routing node in the console tree.
3. Right-click the DHCP Relay Agent node, and then select Properties from the shortcut
menu to access the DHCP Relay Agent Properties dialog box.
4. On the General tab, enter the IP address of the DHCP server that DHCP requests should
be forwarded to in the Server Address text box, and click Add.
5. Repeat the above process for each DHCP server that you want DHCP requests forwarded
to.
6. Click OK.

How to configure the DHCP Relay Agent on a network interface

1. Click Start, All Programs, Administrative Tools and then click Routing and Remote Access
to open the Routing And Remote Access console.
2. Expand the IP Routing node in the console tree.
3. Right-click the DHCP Relay Agent node and then select New Interface from the shortcut
menu.
4. The New Interface For DHCP Relay Agent dialog box opens, showing the interfaces that
the DHCP Relay Agent can be attached to.
5. Select the interface that is on the same subnet as the DHCP clients.
6. Click OK.
7. In the DHCP Relay Properties dialog box, ensure that the Relay DHCP Packets checkbox
is selected on the General tab.
8. You can change the Hop-Count Threshold and Boot Threshold values.
9. Click OK.

How to configure a VPN Gateway/Router


A VPN gateway or VPN router is simply a router that connects to another VPN gateway, or
to multiple VPN gateways. VPN routers are usually created to provide an extension to the
LAN.

To configure a VPN router to enable connectivity between LANs:

1. Click Start, Administrative Tools, and then click Routing And Remote Access to open the
Routing And Remote Access management console.
2. In the console tree, select the server that you want to configure.
3. Right-click the server, and then click Configure And Enable Routing And Remote Access
from the shortcut menu.
4. The Routing and Remote Access Server Setup Wizard starts.
5. Click Next on the Routing and Remote Access Server Setup Wizard Welcome page.
6. On the Common Configuration page, select the Remote Access (Dial-Up Or VPN) option.
Click Next.
7. On the Remote Access page, select the VPN server checkbox and then click Next.
8. On the VPN Connection page select the network interface for connecting the server to the
Internet.
9. Leave the default setting that enables security on the selected interface unchanged, and
then click Next.
10. On the Address Assignment page, select the From A Specified Range Of Addresses option
and click Next.
11. On the Address Range Assignment page click New and then proceed to specify an
address range for the remote VPN gateway. Click Next.
12. On the Managing Multiple Remote Access Servers page, select the No, Use Routing And
Remote Access To Authenticate Connection Requests option. Click Next.
13. Click Finish when the Completing the Routing and Remote Access Server Setup Wizard
page appears.
14. You will be notified that the DHCP Relay Agent has to be configured with the IP address
of the DHCP server so that DHCP relay messages can be allowed from your remote
clients.
15. Click OK to acknowledge this notification.
16. To configure the demand-dial interface, in the console tree of the Routing and Remote
Access console, select Network Interfaces.
17. From the Action menu, click New Demand-dial Interface.
18. The Demand-dial Interface Wizard starts.
19. Click Next on the Demand-dial Interface Wizard Welcome page.
20. Enter a name for the demand-dial VPN interface and then click Next.
21. On the Connection Type page, choose the Connect using virtual private networking (VPN)
option and click Next.
22. On the VPN Type page, select the VPN protocol which you want to use and then click
Next. You can leave the Automatic selection default option unchanged.
23. On the Destination Address page, provide the IP address that corresponds to the public
interface of the remote gateway and then click Next.
24. On the Protocols And Security Page, select the Route IP packets on this interface
checkbox, and click Next.
25. On the Static Routes For Remote Networks page, click the Add button and then enter the
LAN subnet address for the remote LAN on the Static Route dialog box.
26. Click OK and then click Next.
27. Specify the username, password and domain for authentication purposes and click Next.
28. Click Finish on the Completing the Demand-dial Interface Wizard page.
29. You now have to configure the interface for a persistent connection.
30. In the console tree of the Routing and Remote Access console, select the demand-dial
interface that you want to configure, and then select the Action menu. Click the Options
command on the Action menu.
31. Click Persistent Connection and click OK.
32. In the console tree of the Routing and Remote Access console, expand the IP Routing
node.
33. Select Static Routes to verify that the static route to the remote LAN subnet is
configured. The static route should be displayed in the Details pane.
34. To configure packet filtering properties, select the demand-dial interface and select
Properties from the shortcut menu.
35. On the General tab, select Inbound Filters and then select New.
36. Specify the appropriate LAN subnet information. Click OK.
37. Select the Drop all packets except those that meet the criteria below option and then
click OK.
38. Select the demand-dial interface and select Properties from the shortcut menu.
39. On the General tab, select Outbound Filters and then select New.
40. Specify the appropriate LAN subnet information. Click OK.
41. Select the Drop all packets except those that meet the criteria below option and then
click OK.
42. Click OK again.
43. In the console tree of the Routing and Remote Access console, select the demand-dial
circuit from Network Interfaces, and then select the Connect command from the Action
menu.
44. Examine the information in the Status column and Connection State column to verify the
status and state of the tunnel.
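The inbound and outbound filters in steps 34 to 42 are what make the demand-dial interface a default-deny path between the two LANs. The Python model below is an added example, not code from the original document, and its subnets and sample packets are constructed assumptions; it shows how one filter row behaves under each of the two filter actions offered in the dialog.

```python
"""Semantics of the RRAS inbound and outbound IP packet filters set on a
demand-dial interface (constructed example; subnets below are assumptions)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network

# The two filter actions offered on the Inbound Filters / Outbound Filters dialog
DROP_ALL_EXCEPT = "Drop all packets except those that meet the criteria below"
RECEIVE_ALL_EXCEPT = "Receive all packets except those that meet the criteria below"


@dataclass
class PacketFilter:
    """One filter row; a field left as None matches any value."""
    source: Optional[Net] = None
    destination: Optional[Net] = None
    protocol: str = "any"          # "any", "tcp", "udp", "icmp", ...

    def matches(self, src: str, dst: str, proto: str) -> bool:
        if self.source is not None and ipaddress.ip_address(src) not in self.source:
            return False
        if self.destination is not None and ipaddress.ip_address(dst) not in self.destination:
            return False
        return self.protocol in ("any", proto)


@dataclass
class FilterSet:
    action: str
    filters: List[PacketFilter]

    def permits(self, src: str, dst: str, proto: str = "any") -> bool:
        """True if RRAS forwards the packet under this filter set's action."""
        hit = any(f.matches(src, dst, proto) for f in self.filters)
        if self.action == DROP_ALL_EXCEPT:
            return hit          # default deny: only listed traffic passes
        if self.action == RECEIVE_ALL_EXCEPT:
            return not hit      # default allow: listed traffic is blocked
        raise ValueError(f"unknown filter action: {self.action}")


def site_to_site_filters(local_lan: str, remote_lan: str,
                         action: str = DROP_ALL_EXCEPT) -> Tuple[FilterSet, FilterSet]:
    """Filters for a LAN-to-LAN tunnel, as entered in steps 35-41: inbound
    admits only remote LAN -> local LAN, outbound only local LAN -> remote LAN."""
    local, remote = Net(local_lan), Net(remote_lan)
    inbound = FilterSet(action, [PacketFilter(source=remote, destination=local)])
    outbound = FilterSet(action, [PacketFilter(source=local, destination=remote)])
    return inbound, outbound


def decide(inbound: FilterSet, outbound: FilterSet, packets) -> List[bool]:
    """Apply the inbound or outbound set to each (direction, src, dst, proto)."""
    return [(inbound if direction == "in" else outbound).permits(src, dst, proto)
            for direction, src, dst, proto in packets]


# Constructed sample traffic crossing the demand-dial interface
SAMPLE_PACKETS = [
    ("in", "10.2.0.5", "10.1.0.9", "tcp"),        # remote LAN -> local LAN
    ("in", "192.0.2.44", "10.1.0.9", "tcp"),      # unrelated source -> local LAN
    ("out", "10.1.0.9", "10.2.0.5", "udp"),       # local LAN -> remote LAN
    ("out", "10.1.0.9", "198.51.100.7", "udp"),   # local LAN -> somewhere else
]

if __name__ == "__main__":
    # With Drop all except, only the two LAN-to-LAN packets pass; with Receive
    # all except and the same rows, exactly those two are the ones blocked.
    for action in (DROP_ALL_EXCEPT, RECEIVE_ALL_EXCEPT):
        inb, outb = site_to_site_filters("10.1.0.0/24", "10.2.0.0/24", action)
        print(action, decide(inb, outb, SAMPLE_PACKETS))
```

The filters are stateless, so the reply direction needs its own row in the other filter set; the helper builds both.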

How to specify server log file properties for the remote access server

1. Click Start, Administrative Tools, and then select Routing And Remote Access to open the
Routing And Remote Access console.
2. In the console tree right-click the server that you want to configure and then select
Properties from the shortcut menu.
3. Click the Logging tab.
4. The logging options which you can set are:
  o Log errors only
  o Log errors and warnings
  o Log all events
  o Do not log any events

5. Click OK.

Configuring RRAS LAN Routing and Packet Filters


How to configure RRAS LAN Routing
1. Click Start, Administrative Tools, and then click Routing And Remote Access to open the
Routing And Remote Access management console.
2. In the console tree, select the server that you want to configure.
3. From the Action menu, select Configure And Enable Routing And Remote Access.
4. The Routing And Remote Access Server Setup Wizard starts.
5. Click Next on the initial page of the Routing And Remote Access Server Setup Wizard.
6. On the Configuration page, select the Custom Configuration option and then click Next.
7. On the Custom Configuration page, select the LAN Routing checkbox and then click Next.
8. On the Completing The Routing And Remote Access Server Setup Wizard page, click
Finish.
9. Click Yes in the message box that appears, asking whether the Routing and Remote
Access service should be started.
10. To configure the routing protocol, in the console tree of the Routing And Remote Access
console, expand the IP Routing node.
11. Select the General subnode.
12. From the Action menu, click the New Routing Protocol command.
13. The New Routing Protocol dialog box opens.
14. Select RIP Version 2 For Internet Protocol from the Routing Protocols list. Click OK.
15. A RIP node is added beneath the IP Routing node in the console tree of the Routing And
Remote Access console.
16. Select the RIP node in the console tree of the Routing And Remote Access server.
17. From the Action menu, click the New Interface command.
18. The New Interface For RIP Version 2 For Internet Protocol dialog box opens.
19. Using the Interfaces list, select the interface which connects the computer to the LAN
and then click OK.
20. The RIP Properties dialog box for the interface which you have selected is displayed next.
21. On the General tab, specify whether the RIP version 1 or RIP version 2 packet format
must be used for outgoing messages.
22. Specify whether broadcasts or multicasts should be used.
Specify whether incoming messages in the RIP version 1 format, the RIP version 2 format,
or both of these formats should be processed.
23. Click the Advanced tab.
24. Set the value in the Periodic Announcement Interval (Seconds) setting to 300 seconds.
This is the frequency at which the router transmits RIP messages.
25. Set the value in the Time Before Routes Expire (Seconds) setting to 1800 seconds.
26. Set the value in the Time Before Route Is Removed (Seconds) setting to 1200 seconds.
27. Click OK.

How to configure RRAS packet filters


1. Click Start, Administrative Tools, and then click Routing And Remote Access to open the
Routing And Remote Access management console.
2. Right-click the server in the console tree, and then select Configure And Enable Routing
And Remote Access from the shortcut menu.
3. The Routing and Remote Access Server Setup Wizard starts.
4. Click Next on the initial page of the Routing and Remote Access Server Setup Wizard.
5. Select the Custom Configuration option. Click Next.
6. Click LAN routing and then click Next.
7. Click Finish.
8. Click Yes to enable LAN routing.
9. Proceed to enable the RIP Version 2 for Internet Protocol.
10. Once RIP Version 2 is enabled, right-click RIP in the console tree, and then select New
Interface from the shortcut menu.
11. Select the interface.
12. The default settings for RIP if you are running Windows Server 2003 are:
  o Outgoing packet protocol: dropdown list = RIP version 2 broadcast
  o Incoming packet protocol: dropdown list = RIP version 1 and 2

13. The following configuration is recommended if you are using RIP version 2 and Ethernet
as the transport medium:
  o Outgoing packet protocol: dropdown list = RIP version 2 multicast
  o Incoming packet protocol: dropdown list = RIP version 2 only

14. Click OK.

Configuring a Remote Access Dial-Up Server


How to configure a RRAS Dial-Up server
1. Click Start, Administrative Tools, and then click Routing And Remote Access to open the
Routing And Remote Access management console.
2. In the console tree, select the server that you want to configure.
3. From the Action menu, select Configure And Enable Routing And Remote Access.
4. The Routing And Remote Access Server Setup Wizard starts.
5. Click Next on the initial page of the Routing And Remote Access Server Setup Wizard.
6. On the Configuration page, select the Custom Configuration option and then click Next.
7. On the Custom Configuration page, select the Dial-Up Access checkbox and then click
Next.
8. On the Completing The Routing And Remote Access Server Setup Wizard page, click
Finish.
9. Click Yes in the message box that appears, asking whether the Routing and Remote
Access service should be started.
10. To configure modem ports, in the console tree of the Routing And Remote Access
console, expand the node for the server that you want to configure.
11. Right-click Ports and then select Properties from the shortcut menu to open the Ports
Properties dialog box.
12. Select the specific device and then click the Configure button.
13. To enable remote access, select the Use the Remote Access Connections (Inbound Only)
checkbox and click OK.

How to configure properties for the RRAS Dial-Up server


1. Click Start, Administrative Tools, and then select Routing And Remote Access to open the
Routing And Remote Access console.
2. In the console tree, select the server that you want to configure, and then select
Properties from the Action menu.
3. Verify that the Remote access server checkbox is enabled on the General tab.
4. Click the Security tab.
5. In the Authentication Provider list, select the Windows Authentication option.
6. Choose the authentication protocol for your clients.
7. In the Accounting Provider list, select the Windows Accounting option.
8. Click the IP tab.
9. Select the Enable IP Routing checkbox.
10. Select the Allow IP-Based Remote Access And Demand Dial Connections checkbox.
11. The IP Address Assignment section of the IP tab is used to configure the manner in which
the IP addresses are assigned to remote access clients.
12. If you are using a DHCP server, then you can select the Dynamic Host Configuration
Protocol (DHCP) option.
13. In the Adapter list, choose the adapter for providing DNS, DHCP and WINS services for
dial-in clients.
14. Click OK.

How to configure a Dial-Up Gateway


You configure a Dial-Up Gateway by completing the following process:

- Configure the user account, with the correct dial-in permissions, that the remote access
  server would use to connect to the remote LAN.
- Configure a demand-dial interface to the remote network.
- Configure a static route to point non-LAN traffic to the dial-up connection.

1. Click Start, Administrative Tools, and then select Active Directory Users and Computers
to open the Active Directory Users and Computers management console.
2. In the console tree, right-click the Users container and then select New and then User
from the shortcut menu.
3. In the New Object User dialog box, enter the correct account name information and
then click Next.
4. Enter the password information for the new user account in the Password and Confirm
Password textboxes.
5. Ensure that the User must change password at next logon checkbox is not selected and
then click Next to complete the creation of new user account.
6. In the console tree, select the Users container, right-click the user account which you
created and then select Properties from the shortcut menu.
7. When the Properties dialog box for the user account appears, click the Dial-in tab.
8. Click the Allow access option.
9. Click OK.
10. To configure the demand dial interface, click Start, Administrative Tools, and then select
Routing And Remote Access to open the Routing And Remote Access console.
11. In the console tree, right-click the server that you want to configure, and then select
Configure And Enable Routing And Remote Access.
12. The Routing And Remote Access Server Setup Wizard starts.
13. Click Next on the initial page of the Routing And Remote Access Server Setup Wizard.
14. On the Configuration page, select the Custom Configuration option and then click Next.
15. On the Custom Configuration page, select the Demand-dial connections (used for branch
office routing) checkbox and then click Next.
16. On the Completing The Routing And Remote Access Server Setup Wizard page, click
Finish.
17. Click Yes in the message box that appears, asking whether the Routing and Remote
Access service should be started.
18. In the console tree of the Routing And Remote Access management console, right-click
Network Interfaces and then select New Demand-dial Interface from the shortcut menu.
19. The Demand-dial Interface Wizard starts.
20. Click Next on the Demand-dial Interface Wizard Welcome page.
21. Enter a name for the new demand-dial interface and then click Next.
22. On the Connection Type page, choose the Connect using a modem, ISDN adapter, or
other physical device option and click Next.
23. On the Protocols And Security Page, select the Route IP packets on this interface
checkbox, and click Next.
24. On the Static Routes For Remote Networks page, click the Add button to configure the
static route.
25. Click OK in the Static Route dialog box. Click Next.
26. Specify the username, password and domain for authentication purposes on the Dial Out
Credentials page. Click Next.
27. Click Finish on the Completing the Demand-dial Interface Wizard page.
28. This process has to be completed for the remote LAN as well.

Configuring the Remote Access Server to use Multilink with Bandwidth Allocation Protocol (BAP)

How to enable BAP
1. Click Start, Administrative Tools, and then select Routing And Remote Access to open the
Routing And Remote Access console.
2. In the console tree, right-click the server that you want to configure and then click
Properties from the shortcut menu.
3. Click the PPP tab on the Server Properties dialog box.
4. Click the Dynamic bandwidth control using BAP and BACP option to activate it.

How to enable Multilink


1. Click Start, Administrative Tools, and then select Routing And Remote Access to open the
Routing And Remote Access console.
2. In the console tree, expand the server node to display the Remote Access Policies node.
3. Select Remote Access Policies.
4. In the details pane, double-click the remote access policy that should be configured.
5. Click Edit Profile.
6. Use the Multilink tab to configure properties for the Multilink policy.
7. Click OK.

How to enable multiple device dialing on the client system

1. Open Control Panel.
2. Click Network and Dial-up Connections.
3. Right-click the connection for multilink and then select Properties from the shortcut
menu.
4. Select Options and then Multiple devices.
5. If you want to dynamically dial and hang up devices click Dial devices only as needed
and then click Configure.
6. If you want to use all devices, click Dial all devices.
7. If you want to use only the first available device, click Dial only first available device.
8. Click OK.

Configuring Remote Access Policies for Remote Access Servers

You can configure remote access policies to control the access rights of remote users.
Remote access policies allow you to authenticate remote connections and enforce any
specific connection restrictions.
The following connection settings can be administered by configuring standard remote
access policy settings.

- Authentication methods: The different authentication methods that can be configured are
  listed below:
  o EAP
  o CHAP
  o MS-CHAP
  o MS-CHAP version 2
  o PAP
  o PEAP
  o Unauthenticated access
- Remote access permissions
- Group membership
- Time of day
- Type of connection

The following connection settings can be administered by configuring advanced remote
access policy settings.

- Access server identity
- Access client phone number or MAC address
- Specify to use user account dial-in properties
- Specify that unauthenticated access be allowed

After a remote access policy authorizes a connection, you can also configure that certain
constraints be enforced. Constraints are based on the following:

- Encryption strength
- IP packet filters
- Idle timeout
- Maximum session time

How to configure a remote access policy for a remote access server

1. Click Start, Administrative Tools, and then select Active Directory Users and Computers
to open the Active Directory Users and Computers management console.
2. In the console tree, select the Users container, right-click the user account which you
want to configure and then select Properties from the shortcut menu.
3. The Properties dialog box for the user account appears.
4. Click the Dial-in tab.
5. Ensure that the Remote Access Permission (Dial-in or VPN) option is specified as Control
Access Through Remote Access Policy.
6. To configure the remote access policy for the remote access server, click Start,
Administrative Tools, and then select Routing And Remote Access to open the Routing
And Remote Access console.
7. In the console tree, expand the servers node and then right-click Remote Access Policies
and select New Remote Access Policy from the shortcut menu.
8. Select the desired policy configuration settings through the various pages of the New
Remote Access Policy Wizard.
9. The different policy conditions that you can specify are listed below:
  o Authentication Type; the authentication type, for instance PAP or CHAP.
  o Called Station ID; the network access server's (NAS) phone number.
  o Calling Station ID; the phone number used by the caller.
  o Client-Friendly Name; the name of the RADIUS client requiring authentication.
  o Client IP Address; the IP address of the RADIUS client.
  o Client Vendor; the network access server's (NAS) vendor.
  o Day and Time Restrictions; when a connection can be established.
  o Framed Protocol; IAS uses this to determine the frame type of the incoming packets.
  o MS RAS Vendor; the RADIUS client machine's vendor.
  o NAS Identifier; the network access server's (NAS) name.
  o NAS IP Address; the IP address of the NAS.
  o NAS Port Type; the media used by the client.
  o Service Type; the type of service requested.
  o Tunnel Type; the type of tunnel (PPTP, L2TP).
  o Windows Groups; the groups to which the user establishing a connection belongs.

How to configure a remote access policy to authorize access by user

1. Click Start, Administrative Tools, and then select Routing And Remote Access to open the
Routing And Remote Access console.
2. In the console tree, expand the servers node and then right-click Remote Access Policies
and select New Remote Access Policy from the shortcut menu.
3. The New Remote Access Policy Wizard starts.
4. Click Next on the New Remote Access Policy Wizard Welcome page.
5. On the Policy Configuration Method page, click the Use the wizard to set up a typical
policy option.
6. Enter a name in the Policy name box, and then click Next.
7. On the Access Method page, select between the following options and then click Next:
  o Dial-up
  o VPN
  o Wireless
  o Ethernet

8. On the User or Group Access page, click the User option and then click Next.
9. On the Authentication Methods page, specify the authentication methods which the policy
will accept and then click Next.
10. On the Policy Encryption Level page, specify the encryption types and then click Next.
11. Click Finish to create the new remote access policy.

How to configure a remote access policy to authorize access by group

1. Click Start, Administrative Tools, and then select Routing And Remote Access to open the
Routing And Remote Access console.
2. In the console tree, right-click Remote Access Policies and then select New Remote
Access Policy from the shortcut menu.
3. The New Remote Access Policy Wizard starts.
4. Click Next on the New Remote Access Policy Wizard Welcome page.
5. When the Policy Configuration Method page appears, select the Use the wizard to set up
a typical policy option.
6. Enter a name in the Policy name box, and then click Next.
7. On the Access Method page, select between the following options and then click Next:
  o Dial-up
  o VPN
  o Wireless
  o Ethernet

8. On the User or Group Access page, select the Group option and then click Add to specify
the group name.
9. Using the Enter the object names to select box, specify the group and then click OK.
10. Click Next on the User or Group Access page.
11. On the Authentication Methods page, specify the authentication methods which the policy
will accept and then click Next.
12. On the Policy Encryption Level page, specify the encryption types and then click Next.
13. Click Finish to create the new remote access policy.

How to restrict remote access by connection type


1. Click Start, Administrative Tools, and then select Routing And Remote Access to open the
Routing And Remote Access console.
2. In the console tree, expand the servers node and then right-click Remote Access Policies
and select New Remote Access Policy from the shortcut menu.
3. The New Remote Access Policy Wizard starts.
4. Click Next on the New Remote Access Policy Wizard Welcome page.
5. On the Policy Configuration Method page, click the Set up a custom policy option.
6. Enter a name in the Policy name box, and then click Next.
7. On the Policy Conditions page, click the add button to add a condition.
8. When the Select Attribute dialog box opens, specify the desired attribute and then click
the Add button.
9. Click Next on the Policy Conditions page.
10. On the Permissions page, click the Deny remote access permission option and then click
Next.
11. When the Profile page appears, use the Edit button if you want to change the profile.
Click Next.
12. Click Finish to create the new remote access policy.
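The three procedures above create policies whose effect depends on their order, on the Dial-in setting of the user account, and on the policy profile. The Python model below is an added example, not part of the original document; it evaluates a connection attempt the way RRAS on Windows Server 2003 does, and the policy names, group name and sample requests are constructed assumptions.

```python
"""How RRAS on Windows Server 2003 evaluates a connection attempt against its
ordered remote access policies (constructed example; names are assumptions)."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Settings of the Dial-in tab on the user account
ALLOW, DENY, CONTROL_BY_POLICY = "allow", "deny", "control-by-policy"


@dataclass
class Profile:
    """Constraints enforced after a policy has authorized the connection."""
    authentication_methods: Set[str] = field(
        default_factory=lambda: {"MS-CHAP", "MS-CHAP version 2"})
    encryption_levels: Set[str] = field(
        default_factory=lambda: {"basic", "strong", "strongest"})


@dataclass
class Policy:
    name: str
    conditions: Dict[str, Set[str]]   # condition attribute -> accepted values
    grant: bool                       # Grant or Deny remote access permission
    profile: Profile = field(default_factory=Profile)


@dataclass
class Request:
    user: str
    windows_groups: Set[str]
    nas_port_type: str        # e.g. "Virtual (VPN)", "Async (Modem)"
    tunnel_type: str          # "PPTP", "L2TP", or "" for a dial-up call
    authentication_type: str
    encryption_level: str
    when: datetime


def condition_matches(attribute: str, accepted: Set[str], req: Request) -> bool:
    """Evaluate one policy condition; every condition of a policy must match."""
    if attribute == "Windows Groups":
        return bool(accepted & req.windows_groups)
    if attribute == "NAS Port Type":
        return req.nas_port_type in accepted
    if attribute == "Tunnel Type":
        return req.tunnel_type in accepted
    if attribute == "Day and Time Restrictions":
        # accepted values use a constructed "Mon 08-18" notation (day, hours)
        for window in accepted:
            day, hours = window.split()
            start, end = (int(h) for h in hours.split("-"))
            if day == req.when.strftime("%a") and start <= req.when.hour < end:
                return True
        return False
    raise ValueError(f"unsupported condition: {attribute}")


def evaluate(policies: List[Policy], req: Request,
             account_permission: str) -> Tuple[bool, str]:
    """Return (accepted, reason): the first policy whose conditions all match
    is used (none matching means reject); the account's dial-in permission
    overrides the policy's Grant/Deny unless it is Control Access Through
    Remote Access Policy; the profile is enforced last in every case."""
    for policy in policies:
        if all(condition_matches(attr, values, req)
               for attr, values in policy.conditions.items()):
            break
    else:
        return False, "no remote access policy matched"

    if account_permission == DENY:
        return False, "account dial-in permission is Deny access"
    if account_permission == CONTROL_BY_POLICY and not policy.grant:
        return False, f"policy '{policy.name}' denies remote access"

    prof = policy.profile
    if req.authentication_type not in prof.authentication_methods:
        return False, f"profile of '{policy.name}' rejects {req.authentication_type}"
    if req.encryption_level not in prof.encryption_levels:
        return False, f"profile of '{policy.name}' rejects {req.encryption_level} encryption"
    return True, f"accepted by policy '{policy.name}'"


# Constructed policy set mirroring the procedures above: a custom policy that
# denies one tunnel type, followed by a wizard-created policy for a VPN group.
POLICIES = [
    Policy("Block PPTP", {"Tunnel Type": {"PPTP"}}, grant=False),
    Policy("VPN staff",
           {"Windows Groups": {"VPN Users"}, "NAS Port Type": {"Virtual (VPN)"}},
           grant=True,
           profile=Profile({"MS-CHAP version 2", "EAP"}, {"strong", "strongest"})),
]


def vpn_request(tunnel: str, auth: str = "MS-CHAP version 2",
                enc: str = "strongest", groups=frozenset({"VPN Users"})) -> Request:
    """A constructed VPN connection attempt made on a Monday morning."""
    return Request("alice", set(groups), "Virtual (VPN)", tunnel, auth, enc,
                   datetime(2024, 1, 8, 9, 0))


if __name__ == "__main__":
    # The same PPTP attempt: denied under policy control, accepted when the
    # account is set to Allow access, because that setting bypasses Deny policies.
    for permission in (CONTROL_BY_POLICY, ALLOW):
        print(permission, evaluate(POLICIES, vpn_request("PPTP"), permission))
```

The last case is why step 5 of the first procedure insists on Control Access Through Remote Access Policy: an account left at Allow access is admitted by a policy that was written to deny it.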

Using Connection Manager

Connection Manager Overview
If you want to configure clients to connect to an RRAS server, you can use Connection Manager to do this. Configuring clients through the network connection properties works well in situations where you need to configure a small number of clients and the default security settings are being used.
Connection Manager is a Windows application and client dialer included in Windows 2000, Windows XP Professional, and Windows Server 2003 that you can use to allow a client to establish virtual private network (VPN) connections and dial-up connections to an RRAS server. The advanced features of Connection Manager enable you to pass preconfigured connections to network users. These advanced features are provided by the Connection Manager Administration Kit (CMAK) and Connection Point Services (CPS). Connection Manager supports both local connections and remote connections to the service provider through a network of access points. As mentioned, for secure connections over the Internet, VPN connections can be established using Connection Manager.
With the Connection Manager Administration Kit (CMAK), you can perform the following functions:

• Configure a large number of clients by creating an executable file which can be deployed to your users by means of a distribution package.
• Manage dial-up and VPN Connection Manager service profiles.
• Customize Connection Manager to suit the requirements of your organization.
• Configure system policies for connections.
• Configure restrictions for connections.
• Configure executable files that run automatically when a user attempts to establish a connection.
• Import existing connection settings so that they can be modified, and then distribute these modifications.

When users run the distribution package, or executable file, a dial-up connection or VPN connection using the required authentication methods and security settings is established. It is even possible to distribute the executable file automatically by using a Group Policy object. Any modifications to security settings can be made at a later stage by running the Connection Manager Administration Kit (CMAK) once more, and then simply distributing the executable file for users to run.
The main advantages and features of Connection Manager are listed here:

• Users can run more than one Connection Manager service profile at the same time.
• Connection Manager can also be used when users share computers. A user does not need to provide user credentials for each connection.
• You can customize the following components within Connection Manager so that it reflects the identity of the organization:
  o Icons and graphics
  o Help
  o Phone book information
  o Messages
• The Connection Manager Administration Kit (CMAK) Wizard can be used to automatically create a service profile so that users can run Connection Manager to establish VPN and dial-up connections. The service profile takes the form of an executable file which can be distributed using either of the following methods:
  o Download to the client.
  o Distribution via compact disc.
• You can include custom functionality or programs that execute during the connection process. For instance, you can run a program when the user logs on, and when the user logs off.
• You can configure monitored applications to automatically disconnect once the application is closed.
• Connection logging, terminal window support and enhanced ISDN support are a few additional features of Connection Manager.
• Access points can be used to save commonly utilized connection settings. Connection Manager includes help for Access Points and Dialing Rules.

Planning for Creating New Connection Manager Service Profiles
The Connection Manager Administration Kit (CMAK) Wizard consists of a number of steps or pages that need to be completed to create a new Connection Manager service profile. You therefore need to plan upfront which items are going to be specified when you run the CMAK Wizard.
The online CMAK Guide specifies six phases for creating a new Connection Manager service profile. This process is detailed here:

• Planning phase: Typical issues that should be determined in the planning phase are:
  o Determine the connection which should be established.
  o Determine which customizations you want: graphics, phone book information, and so forth.
  o Determine which programs should run during the connection establishment process.
• Developing custom elements phase: This is when you should create all custom graphics, icons, and all other elements which you want to include in the new Connection Manager service profile.
• Running the CMAK Wizard phase: The Connection Manager Administration Kit (CMAK) Wizard is started and run to create the new Connection Manager service profile for the connection.
• Preparing for delivery phase: The new Connection Manager service profile can be distributed via CD-ROM, floppy disk, Web site, or a network share. It can also be downloaded to the client.
• Testing phase: It is important to test all new packages before users are allowed to download these packages.
• Providing support phase: It is recommended that you define a support strategy once the new Connection Manager service profile is distributed to users.

Addressing Connection Manager Security Concerns
Because the Connection Manager Administration Kit (CMAK) Wizard enables administrators to configure connection properties for creating connections to the network, a few security loopholes can be accidentally created as well.
A few common Connection Manager security concerns are listed here:

• There is the risk of an unauthorized user establishing a connection and using it. This occurs mainly when a computer can be accessed by multiple users.
• For users to run the existing installation of CMAK, they have to belong to the Power Users group. The service profiles created by the CMAK Wizard are text files. Because of this, a user that has access to the text files can simply use a text editor to change the text files created by the CMAK Wizard.
• When a Connection Manager service profile includes confidential information, there is a threat that an unauthorized user can intercept this information and exploit it.

A few strategies that can be used to address Connection Manager security concerns are listed below:

• You can require that users utilize the more current Windows operating systems that support the user certificates feature of Connection Manager.
• Ensure that only those users who are authorized can download and obtain the Connection Manager service profile.
• For a computer that is utilized by more than one user, ensure that users cannot utilize the Remember Password feature to store the password for the connection. To disable the Remember Password feature, configure the HideRememberPassword option. The HideRememberPassword option can be accessed on the last page of the CMAK Wizard by clicking Edit Advanced Options.
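Two of the concerns above (service profiles are plain text files that any user with access can edit, and Remember Password on shared computers) can be checked from the administrator's side after the package is built. The following Python script is an added example and is not code from this page or from Microsoft. It assumes the service profile is an INI-style text file with a [Connection Manager] section that carries the HideRememberPassword key, and that the administrator recorded a SHA-256 manifest of the distributed files at build time; the sample profile contents and the file name corpvpn.cms are constructed for the example.

```python
"""Added example (not from the original page): a defender-side audit of CMAK
service profile text files.

Assumptions (not stated on the page): the profile is an INI-style text file with
a [Connection Manager] section holding the HideRememberPassword key, and the
administrator keeps a baseline manifest of SHA-256 hashes taken when the
package was built.
"""
import configparser
import hashlib

# Constructed sample: the profile as built (Remember Password hidden) and the
# same profile after a local user edited it with a text editor.
BASELINE_PROFILE = """\
[Connection Manager]
ServiceName=Corp VPN
HideRememberPassword=1
"""

TAMPERED_PROFILE = """\
[Connection Manager]
ServiceName=Corp VPN
HideRememberPassword=0
"""


def sha256_hex(text: str) -> str:
    """Hash the profile text exactly as distributed (line endings included)."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def build_manifest(files: dict[str, str]) -> dict[str, str]:
    """Record a hash for every distributed profile file at build time."""
    return {name: sha256_hex(body) for name, body in files.items()}


def verify_manifest(files: dict[str, str], manifest: dict[str, str]) -> list[str]:
    """Return the names of files whose contents no longer match the manifest."""
    changed = [name for name, body in files.items()
               if manifest.get(name) != sha256_hex(body)]
    return sorted(changed)


def remember_password_hidden(profile_text: str) -> bool:
    """True when the profile disables the Remember Password feature."""
    cp = configparser.ConfigParser()
    cp.optionxform = str  # keep key case exactly as written in the file
    cp.read_string(profile_text)
    value = cp.get("Connection Manager", "HideRememberPassword", fallback="0")
    return value.strip() == "1"


def audit_profile(name: str, body: str, manifest: dict[str, str]) -> list[str]:
    """Collect findings for one profile file; an empty list means it passed."""
    findings = []
    if verify_manifest({name: body}, manifest):
        findings.append(f"{name}: contents differ from the build-time manifest")
    if not remember_password_hidden(body):
        findings.append(f"{name}: HideRememberPassword is not set to 1")
    return findings


if __name__ == "__main__":
    manifest = build_manifest({"corpvpn.cms": BASELINE_PROFILE})
    print(audit_profile("corpvpn.cms", BASELINE_PROFILE, manifest))   # []
    print(audit_profile("corpvpn.cms", TAMPERED_PROFILE, manifest))   # two findings
```

The manifest comparison catches any edit to the text file, not only the one key shown, so it is the check to run periodically on a shared computer; the key check is a convenience for spotting the specific mistake of shipping a profile without HideRememberPassword.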

Using the Connection Manager Administration Kit (CMAK) Wizard
The Connection Manager Administration Kit (CMAK) is implemented through the CMAK Wizard. The CMAK Wizard is used to create an executable file which can be distributed to users so that they can establish virtual private network (VPN) connections and dial-up connections to an RRAS server. When a user runs the executable file, the security settings and other settings specified when the CMAK Wizard was run are used to establish the connection.
The information that you need to supply when you run the CMAK Wizard is summarized here:

• Service Profile Source; indicate either of the following actions:
  o Create a new Connection Manager service profile.
  o Modify an existing Connection Manager service profile.
• Service And File Names; provide the following details:
  o A name for the service profile.
  o A file name for the profile folder and files.
• Realm Name; if required, provide a realm name. With Microsoft Internet Authentication Service Commercial Edition, realm names can be utilized for authentication.
• Merging Profile Information; you can merge the settings of one or more existing service profiles into the new Connection Manager service profile which you are creating, or into the service profile which you are editing.
• VPN Support; enables you to specify a VPN connection for the service profile which you are configuring. For client IP address assignment, the following methods exist:
  o Define a DNS server.
  o Define a WINS server.
  o Define that the server assigns IP addresses when the connection is established.
• Phone Book; set whether a phone book is to be created with the service profile being created or edited.
• Phone Book Updates; define the method which will be used to pass phone book updates to clients. You can specify a Connection Point Services server by means of a URL. The Windows Server 2003 Connection Point Services (CPS) feature can be used to create and update phone books.
• Dial-Up Networking Entries; define the dial-up networking entries for the phone numbers in the address book.
• Routing Table Update; specify whether the routing table should be updated. A file containing routing table information is then included.
• Automatic Proxy Information; enables you to specify options which will be used to configure proxy settings.
• Custom Actions; define actions to occur at the following events:
  o Prior to the connection being established.
  o Once the connection is established.
  o Before the connection is terminated.
• Logon Bitmap; set the bitmap that should appear in the Logon dialog box.
• Phone Book Bitmap; set the bitmap that should appear in the Phone Book dialog box.
• Icons; set the icons which should be displayed for Connection Manager on your clients.
• Notification Area Shortcut Menu; define the shortcut menu which is displayed when the status area icon is right-clicked by users.
• Help file; define the Help file for users by:
  o Creating a custom Help file.
  o Using the default Help file.
• Support Information; define the support information for the service profile being created or edited.
• Connection Manager Software; for users to utilize the service profile they must have Connection Manager installed. For users that do not have Connection Manager installed, you can specify that the Connection Manager software be added to the service profile you are creating or editing. Here, the user will perform the following actions:
  o Download the package.
  o Install Connection Manager.
  o Run the Connection Manager service profile.
• License Agreement; you can require users to accept a license agreement by including it in a text file.
• Additional Files; for adding any other files with the Connection Manager service profile being created or edited.

With the CMAK, custom actions are supported. Through custom actions, you can configure certain programs to run automatically at particular points in the Connection Manager connection process.
The different actions which you can specify to run during the Connection Manager process are summarized here:

• Pre-init actions; run when Connection Manager starts.
• Pre-connect actions; run prior to the connection being established.
• Pre-dial actions; run prior to the connection being established.
• Pre-tunnel actions; run prior to the connection being established.
• Post-connect actions; run after the connection is successfully established.
• On cancel actions; run when the user cancels a connection.
• On error actions; run when there is an error during the connection establishment process.

How to install the CMAK
1. Open Control Panel.
2. Double-click Add/Remove Programs, and then click Add/Remove Windows Components.
3. The Windows Components Wizard starts.
4. Click Management and Monitoring Tools, and then click Details.
5. In the Management and Monitoring Tools dialog box, select the checkbox for Connection Manager Administration Kit.
6. Click OK. Click Next. Click Finish.
To start the Connection Manager Administration Kit (CMAK) Wizard:
1. Click Start, Administrative Tools, and then click Connection Manager Administration Kit to initiate the CMAK Wizard.

How to create a new Connection Manager service profile
1. Click Start, Administrative Tools, and then click Connection Manager Administration Kit to initiate the CMAK Wizard.
2. The CMAK Wizard starts.
3. Click Next on the CMAK Wizard Welcome screen.
4. On the Service Profile Selection page, click the New profile option. Click Next.
5. On the Service And File Names page, enter a name for the service in the Service Name text box, and enter a file name in the File name text box. This name will be used for the connection and it will also be displayed in the various installation dialog boxes of Connection Manager. Click Next.
6. On the Realm Name page, leave the default setting of Do Not Add A Realm Name To The User Name enabled. Click Next.
7. On the Merging Profile Information page, you can merge information from other existing profiles to add to this profile. Click Next.
8. On the VPN Support page, you can set that a VPN connection be established. Click the Phone Book From This Profile checkbox. In the Enter the VPN Server Name or IP Address section of the page, select one of the following options:
   o Always Use the Same VPN Server option, OR
   o Allow The User To Choose A VPN Server Before Connecting option.
9. Click Next.
10. On the VPN Entries page, perform either of these actions:
   o Create a new VPN entry.
   o Specify an existing VPN connection for the profile.
11. Click Next.
12. On the Phone Book page, disable the Automatically Download Phone Book Updates checkbox, and then click Next.
13. On the Dial-Up Networking Entries page, perform either of these actions, and then click Next:
   o Create a new dial-up networking entry.
   o Specify an existing dial-up networking entry for the profile.
14. On the Routing Table Update page, click Next.
15. On the Automatic Proxy Configuration page, set any settings for a proxy server that should be utilized with the connection, and then click Next.
16. On the Custom Actions page, click Next.
17. On the Logon Bitmap page, specify your own graphic or accept the default graphic, and then click Next.
18. On the Phone Book Bitmap page, specify your own graphic or select a default graphic, and then click Next.
19. On the Icons page, select your icons for the connection or use the default settings. Click Next.
20. On the Notification Area Shortcut Menu page, specify the items which should be displayed on the shortcut menu, and then click Next.
21. On the Help File page, specify your custom Help file. Click Next.
22. On the Support Information page, provide your support details in the Support Information text box, and then click Next.
23. On the Connection Manager Software page, you can select the Install Connection Manager option if users do not have Connection Manager installed. Click Next.
24. On the License Agreement page, specify the text file that includes the license agreement, and then click Next.
25. On the Additional Files page, include all other files which should be added with the new service profile. Click Next.
26. On the Ready To Build The Service Profile page, click Next to start the creation of the new service profile.
27. The CMAK Wizard creates the new customized Connection Manager service profile.
28. Click Finish.

How to deploy CMAK packages
When you have completed all the necessary pages of the CMAK Wizard, the Connection Manager service profile is created. The connection package is compressed as well. The final screen of the CMAK Wizard displays the location of your newly created Connection Manager service profile.
The service profile is by default stored in the C:\Program Files\CMAK\Profiles directory. The directory is automatically created for the service profile by CMAK.
To distribute the new service profile package files, use either of these methods:

• Copy the files in the CMAK directory to a:
  o CD-ROM
  o Floppy disk
  o Web site
• Share the CMAK directory and provide users with the path information.

Configuring Remote Access Clients

Remote Access Overview
The Routing and Remote Access service (RRAS) is integrated in Windows 2000 and Windows Server 2003 and provides connectivity for remote users and remote offices to the corporate network. RRAS makes it possible for remote users to perform their tasks as though they were physically connected to the corporate network. A remote access connection enables services such as file and print sharing to be available to remote users. To access network resources, remote access clients can use standard Windows tools.
Dial-up networking allows a remote access client to establish a dial-up connection to a port on a remote access server. The configuration of the dial-up networking server determines what resources the remote user can access. Users that connect through a dial-up networking server connect to the network much like a standard LAN user accessing resources.
Remote access VPNs provide a common environment where many different parties, such as intermediaries, clients and off-site employees, can access information via web browsers or email. Many companies supply their own VPN connections via the Internet. Through their ISPs, remote users running VPN client software are assured private access in a publicly shared environment. By using analog, ISDN, DSL, cable technology, dial and mobile IP, VPNs are implemented over extensive shared infrastructures. Email, database and office applications use these secure remote VPN connections.
The different remote access client types are listed below:

• Dial-up client: A dial-up client uses a physical connection to the remote access server to establish a connection to it. A dial-up client can access resources in much the same manner as if it were physically connected to the network. Dial-up clients can:
  o Access network resources and services.
  o Share files.
  o Map network drives, and perform other operations, based on the access that is allowed.
  You should utilize a dial-up client when the following conditions are present:
  o The Internet cannot be used to access resources on the corporate network because of security issues.
  o The throughput provided by a dial-up connection adequately meets the requirements of remote access clients, so that they are able to perform the various functions which they need to.
  o The expense of phone lines and modems is affordable.
• VPN client: A VPN client utilizes the Internet, tunneling and TCP/IP protocols to establish a connection to the network.
• Wireless client: These clients connect to the network through radio frequencies such as infrared frequencies.

When determining user requirements for remote access, a few issues that need to be initially addressed are:

• Determine what operating systems are being used by clients.
• Determine the computers which are being used by clients.
• Determine what the bandwidth needs of users are.
• Determine what connections can be supported.
• Determine whether clients' current Internet connections can be used for VPN connections.
• Determine how often users will need to connect to the network.

Configuring Dial-up RAS clients and VPN clients
The process for configuring a dial-up remote access client and a VPN client is very similar. The primary difference between configuring a dial-up remote access client and a VPN client is explained below:

• When configuring a dial-up remote access client, you specify the phone number of the remote access server.
• When configuring a VPN client, you specify the IP address of the server.

After a connection is established, you can change the connection's properties through the connection's Properties dialog box. The configuration settings that you can configure through the various tabs on the Dial-Up Connection Properties dialog box are:

• General tab: The configuration settings that you can configure on the General tab are:
  o Configure the VPN server's IP address or host name.
  o Specify the phone number to use with the specific connection.
  o Specify the connection which should be established prior to the VPN connection being established.
  o Modify the settings of the existing modem that the connection uses.
  o Modify the modem that the connection uses.
  o Specify whether the dialing rules apply for RAS connections.
  o Specify whether the connection shows a status icon when the connection is active. For dial-up connections, the Show Icon In Taskbar When Connected checkbox is enabled by default.
• Options tab: The configuration settings that you can configure on the Options tab pertain to the dialing and redialing of the connection. The settings on the Options tab are organized into two sections, namely the Dialing Options section and the Redialing Options section:
  o Dialing Options: The dialing options that you can set are listed below. These settings control the dial-up networking interface's actions:
    - Display Progress While Connecting checkbox; tracks the progress of the attempted connection. This option is enabled by default.
    - Prompt For Name And Password, Certificate, Etc. checkbox; prompts for any credentials needed to authenticate the connection to the server. The option is enabled by default.
    - Include Windows Logon Domain checkbox; the domain name of the domain currently logged on to is included with the authentication credentials. The option is disabled by default.
    - Prompt For Phone Number checkbox; shows the phone number in the connection dialog box so that it can be edited prior to dialing.
  o Redialing Options: These settings control the activities that occur when the remote end is busy. The redialing options that you can set are:
    - Redial Attempts box; for specifying the number of attempts that occur to establish the connection before abandoning it. The default value for the Redial Attempts setting is 3.
    - Time Between Redial Attempts setting; for indicating the wait period before reattempting the connection.
    - Idle Time Before Hanging Up setting; for specifying the idle time for the connection before the call is terminated.
    - Redial If Line Is Dropped checkbox; when enabled, the number is automatically redialed when you are disconnected.

• Security tab: The configuration settings that you can configure on the Security tab control the security of the connection. This includes options for authentication protocols and encryption. The settings on the Security tab are also organized into two sections, namely the Security Options section and the Advanced Security Settings:
  o Security Options: The settings that you can configure when you select the Typical (Recommended Settings) option are:
    - Validate My Identity As Follows; used to specify whether secured passwords, unsecured passwords, or smart card authentication is used. The default setting is unsecured passwords.
    - Automatically Use My Windows Logon Name And Password checkbox; for secured passwords, provides the remote end with the logon credentials used to log on to the domain/computer.
    - Require Data Encryption checkbox; for secured passwords and smart card authentication, specifies whether an encryption method should be negotiated between the remote server and the client.
  o Advanced Security Settings: The settings that you can configure when you select the Advanced (Custom Settings) option are listed below. The Advanced Security Settings dialog box is accessed by clicking the Settings button after you have selected the Advanced (Custom Settings) option:
    - Data Encryption drop-down list; includes options that specify whether to encrypt either end of network connections through IPSec. The options are: No Encryption Allowed (the server will drop the connection if the client cannot provide encryption); Optional Encryption (the call continues if encryption cannot be provided); Require Encryption (the client has to request encryption, and is not allowed to connect if the remote server cannot provide it); and Maximum Strength Encryption (a connection can only be established if the client and server support the same level of encryption).
    - Logon Security setting; specifies the authentication protocols which the client utilizes. The available options are Use Extensible Authentication Protocol (EAP) and Smart Card Or Other Certificate.
    - Allow These Protocols setting; specifies the authentication protocols that the client can use. Authentication protocol options include CHAP, MS-CHAPv1, MS-CHAPv2, PAP and SPAP. The authentication protocols that are selected by default when the Allow These Protocols option is enabled are CHAP, MS-CHAPv1 and MS-CHAPv2.

• Networking tab: The configuration settings that you can configure on the Networking tab are explained below:
  o Type Of Dial-Up Server I Am Calling setting; specifies the type of server being called. The options are PPP and SLIP, with PPP being the default setting.
  o You can select the Install, Uninstall, and Properties buttons to control the protocols installed on the machine, and to control the settings of the protocols. The typically selected options are Internet Protocol (TCP/IP) and Client For Microsoft Networks.
• Sharing tab: The configuration settings that you can configure on the Sharing tab are for RAS clients only:
  o Enable Internet Connection Sharing For This Connection
  o Enable On-Demand Dialing
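To make the Data Encryption and Allow These Protocols choices on the Security tab concrete, here is an added example in Python (not code from this page or from Windows) that models the outcome of a connection attempt as a simplified negotiation between what the client allows and what the server offers. The protocol preference order, the encryption level labels, the "server requires encryption" flag and the sample configurations are assumptions made for the example, not settings taken from the page; the point it demonstrates is that leaving PAP or SPAP enabled, or choosing Optional Encryption, lets a connection succeed in a state a defender would not want.

```python
"""Added example (not from the original page): a simplified model of the
authentication protocol and data encryption negotiation for a dial-up or VPN
connection, as configured on the Security tab.

Assumptions (not from the page): the strength ranking below, the encryption
level labels and the sample configurations are constructed for the example.
"""
from typing import Optional

# Strongest first. PAP sends the password in clear text and SPAP uses a
# reversible scheme, so both are ranked last and reported as weak.
AUTH_PREFERENCE = ["EAP", "MS-CHAPv2", "MS-CHAPv1", "CHAP", "SPAP", "PAP"]
WEAK_AUTH = {"PAP", "SPAP"}
# The default 'Allow These Protocols' selection described on the page.
DEFAULT_ALLOWED = {"CHAP", "MS-CHAPv1", "MS-CHAPv2"}

# Encryption levels, weakest first (constructed labels).
ENC_LEVELS = ["40-bit", "56-bit", "128-bit"]


def negotiate_auth(client_allowed: set[str], server_offered: set[str]) -> Optional[str]:
    """Pick the strongest protocol both sides accept; None if nothing overlaps."""
    for proto in AUTH_PREFERENCE:
        if proto in client_allowed and proto in server_offered:
            return proto
    return None


def negotiate_encryption(setting: str, client_levels: set[str],
                         server_levels: set[str], server_requires: bool) -> Optional[str]:
    """Return the negotiated level, "none" for a clear connection, or None if dropped.

    setting is one of "no-encryption", "optional", "require", "maximum",
    mirroring the four Data Encryption choices on the Security tab.
    """
    common = [lvl for lvl in ENC_LEVELS if lvl in client_levels and lvl in server_levels]
    if setting == "no-encryption":
        # Client does not negotiate encryption; a server that insists on it drops the call.
        return None if server_requires else "none"
    if setting == "optional":
        return common[-1] if common else "none"
    if setting == "require":
        return common[-1] if common else None
    if setting == "maximum":
        # Only the strongest level the client supports is acceptable.
        client_best = [lvl for lvl in ENC_LEVELS if lvl in client_levels]
        if not client_best or client_best[-1] not in server_levels:
            return None
        return client_best[-1]
    raise ValueError(f"unknown data encryption setting: {setting}")


def review_connection(client_allowed: set[str], server_offered: set[str], setting: str,
                      client_levels: set[str], server_levels: set[str],
                      server_requires: bool = True) -> list[str]:
    """Findings a defender would want to see for one client/server pairing."""
    findings = []
    auth = negotiate_auth(client_allowed, server_offered)
    if auth is None:
        findings.append("authentication fails: no common protocol")
    elif auth in WEAK_AUTH:
        findings.append(f"weak authentication negotiated: {auth}")
    enc = negotiate_encryption(setting, client_levels, server_levels, server_requires)
    if enc is None:
        findings.append("connection dropped: encryption requirement not met")
    elif enc == "none":
        findings.append("traffic would flow unencrypted")
    return findings


if __name__ == "__main__":
    # Client left PAP enabled and chose Optional Encryption; server accepts PAP.
    print(review_connection({"PAP"}, {"PAP", "MS-CHAPv2"}, "optional",
                            set(), {"128-bit"}, server_requires=False))
    # Default protocols with Require Encryption against a capable server: no findings.
    print(review_connection(DEFAULT_ALLOWED, {"MS-CHAPv2"}, "require",
                            {"40-bit", "128-bit"}, {"128-bit"}))
```

Run as a script, the first call reports the weak protocol and the clear-text connection; the second returns an empty list. The server-side half of the same decision is the remote access policy profile, which is what makes Require Encryption on the client and a matching profile constraint on the server the combination to aim for.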

How to install the Routing and Remote Access Services (RRAS)
1. Click Start, Administrative Tools, and then select Routing And Remote Access to open the Routing And Remote Access management console.
2. In the console tree, select the remote access server that you want to configure. Open the Action menu, and then select Configure and Enable Routing and Remote Access. Alternatively, you can right-click the server that you want to configure, and then select Configure and Enable Routing and Remote Access from the shortcut menu.
3. The Routing and Remote Access Server Setup Wizard starts.
4. On the initial page of the Routing and Remote Access Server Setup Wizard, click Next.
5. On the Configuration page, select the Remote Access (Dial-Up Or VPN) option and then click Next.
6. On the Remote Access page, select either the VPN server checkbox, or the dial-up server checkbox, or both of these checkboxes. Click Next.
7. When the Macintosh Guest Authentication page is displayed, click the Allow Unauthenticated Access For All Remote Clients option if you want the RRAS server to accept anonymous remote access. Click Next.
8. On the IP Address Assignment page, accept the default setting of Automatically, or select the From A Specified Range Of Addresses option. Click Next.
9. On the Managing Multiple Remote Access Servers page, select the No, Use Routing And Remote Access To Authenticate Connection Requests option, and then click Next.
10. On the Summary page, click Finish.
11. The RRAS service starts.

How to configure the VPN client
1. On the client computer, open Control Panel.
2. Right-click Network Connections and then select Open from the shortcut menu.
3. Click New Connection Wizard to start the New Connection Wizard.
4. Click Next on the Welcome to the New Connection Wizard page.
5. On the Network Connection Type page, select Connect to the network at my workplace, and then click Next.
6. Click Virtual Private Network Connection, and click Next.
7. Enter a name for the connection and click Next.
8. Specify the external IP address of the VPN server, or the FQDN of the VPN server, and then click Next.
9. Select the Anyone's Use option if you want the connection to be available to everyone who uses the computer, and then click Next.
10. When the Completing the New Connection Wizard page appears, click Finish.
11. The logon dialog box is displayed after you click the Finish button to complete the New Connection Wizard.

How to allow multilink connections from remote access clients
1. Click Start, Administrative Tools, and then select Routing And Remote Access to open the Routing And Remote Access console.
2. In the console tree, right-click the server that you want to work with, and then click Properties from the shortcut menu.
3. The server Properties dialog box opens.
4. Switch to the PPP tab.
5. Select the Multilink Connections checkbox to allow multilink connections from remote access clients.
6. If you do not want to allow multilink connections, simply disable the Multilink Connections checkbox.
7. If you select the Multilink Connections checkbox, it is recommended that you enable the Dynamic Bandwidth Control Using BAP Or BACP checkbox. This allows the server to add or drop PPP connections based on the rise and fall in available bandwidth.
8. Click OK.

How to grant dial-in permission for user accounts
1. Click Start, Administrative Tools, and then click Computer Management to open the
Computer Management console.
2. Double-click Local Users and Groups.
3. Double-click Users.
4. Double-click the specific user account that you want to grant access for to open the
Properties dialog box of the user.
5. Click the Dial-in tab.
6. Click Allow access, and then click OK.
7. On the client computer, access the Network Connections folder, and then double-click the
VPN connection that you want to configure.
8. Specify the user account credentials, and then click Connect.

How to enable remote access for a specific user
1. Click Start, Administrative Tools, and then click Active Directory Users and Computers to
open the Active Directory Users and Computers management console.
2. In the console tree, expand the domain that contains the user account that you want to
enable remote access for.
3. Select the Users container.
4. In the right pane, locate the user account that you want to configure.
5. Right-click the specific user account and then select Properties from the shortcut menu.
6. The Properties dialog box of the user opens.
7. Click the Dial-in tab.
8. In the Remote Access Permission area, click the Allow Access option.
9. Click OK.

How to enable remote access based on remote access policy
1. Click Start, Administrative Tools, and then click Active Directory Users and Computers to open the Active Directory Users and Computers management console.
2. In the console tree, expand the domain that contains the user account that you want to
enable remote access for.
3. Select the Users container.
4. In the right pane, locate the user account that you want to configure.
5. Right-click the specific user account and then select Properties from the shortcut menu.
6. The Properties dialog box of the user opens.
7. Click the Dial-in tab.
8. In the Remote Access Permission area, click the Control Access Through Remote Access
Policy option.
9. Click OK.
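The following Python model is an added example (not code from this page or from RRAS itself) of how the per-user dial-in setting from the two procedures above interacts with an ordered list of remote access policies such as the one created with the New Remote Access Policy Wizard earlier on the page. It encodes the evaluation order the console applies: policies are checked in order, the first policy whose conditions all match is the only one considered, Allow Access or Deny Access on the user account overrides that policy's Grant/Deny permission, Control Access Through Remote Access Policy defers to it, the selected policy's profile constraints are then enforced, and an attempt that matches no policy is rejected. The policy names, condition attributes, profile constraints and sample connection attempts are all constructed for the example.

```python
"""Added example (not from the original page): a simplified model of remote
access policy evaluation on a Windows Server 2003 RRAS server, combined with
the user account's dial-in permission.

Assumptions (not from the page): the policy names, attribute names, profile
constraints and sample attempts below are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Optional

# Values of the Remote Access Permission setting on the user's Dial-in tab.
ALLOW, DENY, CONTROL_BY_POLICY = "allow", "deny", "policy"


@dataclass
class Policy:
    name: str
    # attribute -> set of values that satisfy the condition; all conditions must match
    conditions: dict[str, set[str]]
    grant: bool  # Grant remote access permission (True) or Deny (False)
    # profile constraints: attribute -> values the connection must use
    profile: dict[str, set[str]] = field(default_factory=dict)

    def matches(self, attempt: dict[str, str]) -> bool:
        return all(attempt.get(attr) in values for attr, values in self.conditions.items())

    def profile_violations(self, attempt: dict[str, str]) -> list[str]:
        return [attr for attr, values in self.profile.items()
                if attempt.get(attr) not in values]


def select_policy(attempt: dict[str, str], policies: list[Policy]) -> Optional[Policy]:
    """First policy, in console order, whose conditions all match the attempt."""
    return next((p for p in policies if p.matches(attempt)), None)


def evaluate(attempt: dict[str, str], user_permission: str,
             policies: list[Policy]) -> tuple[bool, str]:
    """Return (accepted, reason) for one connection attempt."""
    selected = select_policy(attempt, policies)
    if selected is None:
        return False, "no remote access policy matched"
    if user_permission == DENY:
        return False, f"user dial-in permission is Deny ({selected.name})"
    if user_permission == CONTROL_BY_POLICY and not selected.grant:
        return False, f"policy '{selected.name}' denies access"
    # Allow on the account overrides a Deny policy, but the profile still applies.
    bad = selected.profile_violations(attempt)
    if bad:
        return False, f"policy '{selected.name}' profile rejects: {', '.join(bad)}"
    return True, f"accepted by policy '{selected.name}'"


# Constructed policies, in the order the console would list them.
POLICIES = [
    Policy("Deny contractors after hours",
           {"group": {"Contractors"}, "time": {"night"}}, grant=False),
    Policy("VPN users",
           {"group": {"VPN-Users", "Contractors"}, "port": {"VPN"}}, grant=True,
           profile={"auth": {"MS-CHAPv2", "EAP"}, "encryption": {"strong", "strongest"}}),
    Policy("Dial-up users",
           {"port": {"Dial-up"}}, grant=True,
           profile={"auth": {"MS-CHAPv2", "EAP"}}),
]


if __name__ == "__main__":
    # Constructed attempts: a VPN user during the day and a contractor at night.
    day_vpn = {"group": "VPN-Users", "port": "VPN", "time": "day",
               "auth": "MS-CHAPv2", "encryption": "strong"}
    night_contractor = dict(day_vpn, group="Contractors", time="night")
    print(evaluate(day_vpn, CONTROL_BY_POLICY, POLICIES))
    print(evaluate(night_contractor, CONTROL_BY_POLICY, POLICIES))
    print(evaluate(night_contractor, ALLOW, POLICIES))  # account Allow overrides the Deny policy
    print(evaluate(dict(day_vpn, auth="PAP"), CONTROL_BY_POLICY, POLICIES))
```

The ordering matters: if "VPN users" were listed before "Deny contractors after hours", a contractor connecting at night would be accepted by the first match and the deny policy would never be reached. This is why the page's procedure grants per-user access only through Control Access Through Remote Access Policy where a policy is meant to be authoritative; an account set to Allow Access bypasses a Deny policy's permission, with only the profile constraints left to reject the call.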

How to configure inbound dial-up connections on a computer running Windows 2000 Professional
1. Click Start, Settings and then click Network And Dial-Up Connections.
2. When the Network And Dial-Up Connections dialog box opens, double-click Make New Connection.
3. The Network Connection Wizard starts.
4. Click Next on the Welcome to the Network Connection Wizard page.
5. On the Network Connection Type page, click the Accept Incoming Connections option and then click Next.
6. On the Devices For Incoming Connections page, in the Connection Devices list, choose the modem device for the computer. Click Next.
7. On the Incoming Virtual Private Connection page, click the Allow Virtual Private Connections option and then click Next.
8. On the Allowed Users page, select the Administrator option and then click the Properties button.
9. The Administrator Properties dialog box opens.
10. Switch to the Callback tab.
11. Verify that the correct settings are specified on the tab. Click OK and click Next.
12. On the Networking Components page, select the Internet Protocol (TCP/IP) option and then click the Properties button.
13. When the Incoming TCP/IP Properties dialog box opens, select Specify TCP/IP addresses.
14. Specify the appropriate address in the From box and in the To box, and then click OK and click Next.
15. Click Finish.

How to configure outbound connections on a computer running Windows 2000 Professional
1. Click Start, Settings and then click Network And Dial-Up Connections.
2. When the Network And Dial-Up Connections dialog box opens, double-click Make New Connection.
3. The Network Connection Wizard starts.
4. Click Next on the Welcome to the Network Connection Wizard page.
5. On the Network Connection Type page, click the Connect To A Private Network Through The Internet option. Click Next.
6. On the Destination Address page, enter the appropriate address and then click Next.
7. On the Connection Availability page, click the Only For Myself option and then click Next.
8. Click Finish to complete the Network Connection Wizard.
9. The Connect Virtual Private Connection dialog box automatically opens.
10. Provide the proper user name and password details.
11. Click the Connect button.

How to manage remote access clients
You can use the Routing And Remote Access console to both examine and manage remote access clients that have established connections to the remote access server. The various activities that you can perform are:

• View and examine the status of connected remote access clients.
• Send a message to one or multiple remote access clients.
• Disconnect remote access clients.

How to view the status of connected remote access clients


1. Click Start, Administrative Tools, and then select Routing And Remote Access to open the
Routing And Remote Access console.
2. In the console tree, select Remote Access Clients.
3. All currently connected remote access clients are displayed in the details pane of the
Routing And Remote Access console.
4. Right-click the user name that you want to examine, and then select Status from the
shortcut menu to view the status of the connection.

How to send a message to a remote access client

1. Click Start, Administrative Tools, and then select Routing And Remote Access to open the
Routing And Remote Access console.
2. In the console tree, select Remote Access Clients.
3. In the details pane, right-click the user name that you want to send the message to, and
then select Send Message from the shortcut menu.
4. The Send Message dialog box opens.
5. Type the message that you want to send to the user name that you have selected.
6. Click OK.

How to send a message to all remote access clients
1. Click Start, Administrative Tools, and then select Routing And Remote Access to open the
Routing And Remote Access console.
2. In the console tree, right-click Remote Access Clients and then select Send To All from
the shortcut menu.
3. When the Send Message dialog box opens, type the message that you want to send to
all connected remote access clients.
4. Click OK.

How to disconnect remote access clients
1. Click Start, Administrative Tools, and then select Routing And Remote Access to open the
Routing And Remote Access console.
2. In the console tree, select Remote Access Clients.
3. In the details pane, right-click the user name that you want to disconnect, and then
select Disconnect from the shortcut menu.

Troubleshooting Dial-Up Remote Access Connections
A few guidelines for troubleshooting dial-up remote access connections are listed below:

For a dial-up remote access connection to be established between a remote access
server and remote access clients, the Remote Access Server option should be enabled on
the General tab of the Properties dialog box of the remote access server. You can use the
Routing And Remote Access management console to verify that the Remote Access
Server option is enabled.

Ensure that the settings of the remote access policy and the settings configured in the
properties of the remote access server do not conflict.

The remote access server, the remote access policy, and the dial-up remote client should
all be configured to share at least one common authentication protocol. You can view
this information on the Security tab of the Dial-Up Connection Properties dialog box.

If MS-CHAP v1 is the authentication protocol being used, ensure that the user password
is not more than 14 characters.

The remote access server, the remote access policy, and the dial-up remote client should
all be configured to share at least one common encryption strength. You can verify this
information on the Security tab of the Dial-Up Connection Properties dialog box.

Ensure that the number of modem devices specified in the Ports node of the Routing And
Remote Access management console can cope with the specified number of concurrent
remote access connections.

The remote access server assigns addresses to clients either from a predefined static
address pool or through a DHCP server on the network.

For address assignment from the static address pool, ensure that the address pool can
handle the required concurrent client connections.

For address assignment through the DHCP server, ensure that the DHCP server's
scope can handle the blocks of 10 addresses needed by your remote access server.

The dial-up remote access connection must have the correct permissions for the
connection to be established. You can verify the permissions specified for the connection
by examining the remote access policies and the dial-in properties of the specific user
account.

A few guidelines for troubleshooting modems that are not operating:

Ensure that the modem cable is not faulty.

Check whether the modem is compatible.

Verify that the modem is connected correctly to the computer's port. Verify that the
power is turned on.

Check that the correct number was dialed.

Check whether the phone lines support the speed of the modem. Try using a lower
bps rate.

The issue might be that the modem cannot work with the modem of the remote
access server. Here, you might need to use the same modem type that the remote
access server is using.

Verify that you have the necessary remote access permission, and that your user
account is valid.

Check whether the remote access server is running.

If you continuously receive an error message indicating that the remote access server is
not responding, a few guidelines to solve this issue are listed below:

Check whether you can connect to the server from a different workstation to ascertain
whether the issue is specific to one workstation.

Check whether the remote access server is running and operating correctly.

Verify whether the modem vendor has released new software updates. There might be
an issue with the version of the modem software that you are using.

If the modem and telephone line appear to not be operating as they should be, use
modem diagnostics to verify that the modem is operating as it should. There might
also be excessive static on the phone line.

There could be a switching mechanism between the remote access client and server
which is preventing the connection from being established. You should attempt using
a lower bps rate.

The issue might be that the modem you are using is conflicting with the modem of the
server. You should attempt using a lower bps rate.

If the modem is experiencing a problem connecting and there is quite some static on
the telephone line, attempt using a lower bps rate. The issue might be that the
modem cannot connect at a higher data rate.

You can verify the quality of your phone line with the telephone company.

If you receive a no answer message when attempting to connect via ISDN, try the
following strategies. A few possible causes for this type of issue are also listed:


Try dialing later. The line might be too busy or an existing poor line condition could be
hindering the connection.

Check that the ISDN adapters are installed and that they are set up correctly.

Check whether the phone number is configured correctly. You can contact the
telephone company to determine the numbers that the ISDN line owns.

Verify that the remote access server is up and running, and verify that the modem is
connected.

Verify that your DigiBoard adapter is current.

Verify that the Service Profile Identifier (SPID) is configured correctly.

You should enable line-type negotiation.

If remote access client connections to the remote access server are continuously being
dropped, try the following strategies:


Check whether the modem cable is connected correctly. It could have been
disconnected.

Verify that the modem settings are correct.

Verify whether the modem vendor has released new software updates. There might be
an issue with the version of the modem software that you are using.

It could be that the phone has call waiting, and this is hindering the connection.
Disable call waiting and then try again.

You could have been disconnected because of an inactivity period. Try once more.

If somebody picked up the phone, you would have been automatically disconnected.
Try calling once more.

How to Setup a Remote Desktop Web Connection


The Remote Desktop Web Connection is a Win32-based ActiveX control (COM object) that
can be used to run Remote Desktop sessions from within a browser like Internet Explorer. It
is a useful alternative to the regular Remote Desktop because it can be used without
installing any software on the client machine. Remote Desktop requires the user to install
software on the client's machine, which can sometimes be infeasible.
Remote Desktop Web Connection is able to do this because the Remote Desktop runs within
a web browser such as Internet Explorer. The web browser on the host computer must
support ActiveX controls to implement Remote Desktop Web Connection.

Configuring the Host Computer


Enabling the Remote Desktop Web Connection on the host computer is the foremost step.
Follow the steps listed below carefully:

Open Control Panel, click on the Add or Remove Programs icon, and then click on the
Add/Remove Windows Components option.

Click on Internet Information Services, and then click on the Details option.

In the Subcomponents of Internet Information Services list, click on World Wide Web
Service, and then click on the Details option.

In the Subcomponents of World Wide Web Service list, select the Remote Desktop Web
Connection check box, and then click OK.

In the Windows Components Wizard, click on Next.

Click Finish when the wizard has completed.

Configuring IIS (Internet Information Services)


TCP port number 80 is the default port on which Internet Information Services (IIS)
listens. To reduce exposure to attacks from outside, these steps change the default
port number. The steps listed below are optional, but implementing them will improve
your machine's security.
Note: The TCP port number should not be changed if you are already using the machine as a
web server.

Open Control Panel, click on the Performance and Maintenance icon, and then click
on Administrative Tools. Double-click on Internet Information Services.

In the IIS snap-in, expand your computer name, expand Web Sites, right-click on
the Default Web Site, and then click on Properties.

On the Web Site tab, change the TCP Port value. Enter a number between 1000 and
65535 that you will remember. This port number will be used for future connections.

Click OK, and close the Internet Information Services snap-in.

Configuring Remote Desktop


A user account with a password is necessary to connect using Remote Desktop. Create an
account if you do not have one. Follow the listed steps carefully to activate Remote Desktop:

Right-click on My Computer from the desktop, and select the Properties option.

Select the Remote tab, and then select the Allow users to connect remotely to
this computer check box.

Click Select Remote Users, and then click Add.

In the Select Users dialog box, type the name of the user and then click on OK. Click
on OK again to return to the System Properties dialog box, and then click on OK to close
it.

Connect to the Remote Computer


Finally, you can connect to the configured remote computer via the Internet. In order
to connect, the IP address of the target computer must be known (you could use What Is
My IP or What Is My IP.com to identify the IP address). Now, simply follow the listed steps
carefully in order to connect:

Open the Internet Explorer browser, and enter the URL http://ipaddress:port/tsweb/
Example: http://192.168.1.120:1374/tsweb/

Your browser may not have the Remote Desktop ActiveX control installed; if it
prompts you to install it, click Yes.

On the Remote Desktop Web Connection page, click on Connect. You don't need to fill in
the Server field. If you leave the Size field set to Full-screen, the remote desktop will
take over your local desktop.

Enter your user name and password at the Windows logon prompt, and then click OK.
You'll see the full remote desktop.

Routing and Remote Access Service


Routing and Remote Access Service Overview
The Routing and Remote Access service (RRAS) is a multi-protocol software router
integrated in Windows 2000 and Windows Server 2003 that provides connectivity for remote
users and remote offices to the corporate network. RRAS makes it possible for remote users
to perform their tasks as though they were physically connected to the corporate
network. A remote access connection enables services such as file and print sharing to be
available to remote users. To access network resources, remote access clients can use
standard Windows tools.
The Routing and Remote Access service (RRAS) includes integrated support for the following
dynamic routing protocols:

Routing Information Protocol (RIP) version 2

Open Shortest Path First (OSPF)

Routing and Remote Access service can be configured for:

LAN-to-LAN routing

LAN-to-WAN routing

Virtual private network (VPN) routing

Network Address Translation (NAT) routing

Routing features, including:

IP multicasting

Packet filtering

Demand-dial routing

DHCP relay

A computer running Windows 2000 Server or Windows Server 2003 with Routing and Remote
Access service enabled and configured is called a remote access server.
A remote access server provides the following two types of remote access connectivity:

Dial-up networking (DUN)

Virtual private networking

The Routing and Remote Access features are summarized below:

Router discovery, defined in RFC 1256, provides the means for configuring and
discovering default gateways. Router discovery makes it possible for clients to:


Dynamically discover routers.

Use alternate or backup routers when necessary, for instance when a network failure
occurs.

Router discovery consists of the following types of packets:


Router solicitations: A router solicitation is sent by a host on the network when it needs
to be configured with a default gateway. When a router solicitation is sent on the
network, each router responds with a router advertisement. The host then selects a
router as its default gateway. This is the router that has the highest preference. A host
can send a router solicitation to the following addresses:

Local IP broadcast address

Limited broadcast address

Internet Protocol (IP) multicast address (all routers)

Router advertisements: Routers on the network send a router advertisement in response
to a router solicitation packet, indicating that the router can be configured as the host's
default gateway. To send a router advertisement, the router uses an ICMP message. A
router advertisement can be sent to the following addresses:

Local IP broadcast address (all hosts)

Limited broadcast address

Multicast routing through a multicast proxy provides multicast for remote access users,
thereby extending multicast support beyond the true multicast router.

Network Address Translation (NAT), defined in RFC 1631, translates private addresses to
Internet IP addresses that can be routed on the Internet.

Remote Access Policies (RAPs): RAPs are used to grant remote access permissions. You
can configure RAPs from:

Routing and Remote Access console

Internet Authentication Service Manager

Layer Two Tunneling Protocol (L2TP) combines Layer 2 Forwarding (L2F) of Cisco with
Point-to-Point Tunneling Protocol (PPTP) of Microsoft. L2TP is a data-link layer protocol that
can be used to establish Virtual Private Networks (VPNs).

Internet Authentication Service (IAS), a Remote Authentication Dial-In User Service
(RADIUS) server, provides remote authentication, authorization and accounting for users
that are connecting to the network through a network access server (NAS) such as
Windows Routing and Remote Access.
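
The router discovery exchange described above (RFC 1256), worked through as an added example that is not part of the original page: it builds the ICMP router solicitation and router advertisement messages, validates a received advertisement, and applies the selection rule from the text (the router with the highest preference becomes the default gateway). The router addresses, preference values and lifetimes are constructed; nothing is sent on the wire.

```python
"""ICMP Router Discovery (RFC 1256): build, check and act on the messages."""
import ipaddress
import struct

ICMP_ROUTER_ADVERTISEMENT = 9
ICMP_ROUTER_SOLICITATION = 10
ALL_ROUTERS_MULTICAST = "224.0.0.2"  # where a host may send its solicitation
ALL_HOSTS_MULTICAST = "224.0.0.1"    # where a router may send its advertisement
ADDR_ENTRY_SIZE = 2                  # 32-bit words per (address, preference) entry
NEVER_DEFAULT = -0x80000000          # RFC 1256: preference meaning "do not use as default"


def icmp_checksum(data: bytes) -> int:
    """One's-complement sum over 16-bit words (RFC 1071); a valid message sums to zero."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_solicitation() -> bytes:
    """Type 10, code 0, four reserved bytes: sent by a host that needs a default gateway."""
    msg = struct.pack("!BBHI", ICMP_ROUTER_SOLICITATION, 0, 0, 0)
    return msg[:2] + struct.pack("!H", icmp_checksum(msg)) + msg[4:]


def build_advertisement(routers, lifetime=1800) -> bytes:
    """Type 9: 'routers' is a list of (dotted address, signed preference); lifetime in seconds."""
    header = struct.pack("!BBHBBH", ICMP_ROUTER_ADVERTISEMENT, 0, 0,
                         len(routers), ADDR_ENTRY_SIZE, lifetime)
    entries = b"".join(ipaddress.IPv4Address(addr).packed + struct.pack("!i", pref)
                       for addr, pref in routers)
    msg = header + entries
    return msg[:2] + struct.pack("!H", icmp_checksum(msg)) + msg[4:]


def parse_advertisement(pkt: bytes):
    """Validate checksum and fixed fields; return (lifetime, [(address, preference), ...]).
    Advertisements are not authenticated, so a receiver should at least reject malformed ones."""
    if len(pkt) < 8:
        raise ValueError("truncated ICMP message")
    if icmp_checksum(pkt) != 0:
        raise ValueError("bad ICMP checksum")
    typ, code, _csum, num_addrs, entry_size, lifetime = struct.unpack("!BBHBBH", pkt[:8])
    if typ != ICMP_ROUTER_ADVERTISEMENT or code != 0:
        raise ValueError("not a router advertisement")
    if entry_size != ADDR_ENTRY_SIZE or len(pkt) < 8 + num_addrs * 8:
        raise ValueError("address count does not match message length")
    routers = []
    for i in range(num_addrs):
        off = 8 + i * 8
        addr = str(ipaddress.IPv4Address(pkt[off:off + 4]))
        (pref,) = struct.unpack("!i", pkt[off + 4:off + 8])
        routers.append((addr, pref))
    return lifetime, routers


def is_valid_advertisement(pkt: bytes) -> bool:
    """True when the message parses cleanly and its checksum verifies."""
    try:
        parse_advertisement(pkt)
        return True
    except ValueError:
        return False


def choose_default_gateway(advertisements):
    """The selection rule from the text: the router with the highest preference becomes
    the default gateway. Routers advertised with NEVER_DEFAULT are skipped."""
    best = None
    for pkt in advertisements:
        _lifetime, routers = parse_advertisement(pkt)
        for addr, pref in routers:
            if pref == NEVER_DEFAULT:
                continue
            if best is None or pref > best[1]:
                best = (addr, pref)
    return best[0] if best else None


if __name__ == "__main__":
    # Constructed scenario: a host solicits, two routers answer, the second is preferred.
    solicitation = build_solicitation()
    replies = [build_advertisement([("192.0.2.1", 0)]),
               build_advertisement([("192.0.2.2", 10), ("192.0.2.3", NEVER_DEFAULT)])]
    print("solicitation to", ALL_ROUTERS_MULTICAST, "->", solicitation.hex())
    print("chosen default gateway:", choose_default_gateway(replies))  # 192.0.2.2
```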

The Windows Server 2003 Routing and Remote Access service console, the graphical
interface for managing RRAS, can be used to configure remote access server-end
configuration options, including the following:

Remote access connectivity, through:

Dial-Up Networking (DUN)

Virtual private networking

Network address translation (NAT)

Virtual Private Network (VPN) access

Secure connectivity between two private networks

Routing protocol configuration

DHCP Relay configuration

Remote access policy (RAP) options

Remote access logging

Custom configuration options

Understanding Dial-Up Networking (DUN)


Dial-up networking (DUN) allows a remote access client to establish a dial-up connection to
a port on a remote access server. The configuration of the DUN server determines what
resources the remote user can access. Users that connect through a DUN server connect to
the network much like a standard LAN user accessing resources.
The dial-up networking (DUN) connection methods are summarized below:

Plain old telephone service (POTS): In the early days of dial-up networking, phone lines
were used to establish the dial-up connection. With POTS, the amount of data that could be
passed was initially limited because analog components caused signal loss. This has since
improved as the connections between phone offices have become all-digital connection
paths.

Integrated Services Digital Network (ISDN): ISDN uses an all digital signal path and
includes features such as caller ID, call forwarding, and fast call setup times.

Point-to-Point Protocol (PPP): The Point-to-Point Protocol (PPP) uses a three-way PPP
negotiation process to enable devices to establish a TCP/IP connection over a serial
connection. The device that initiates the establishment of the TCP/IP connection is called
the client. The device that receives the request to establish the connection is referred to
as the server. The following protocols operate above PPP to enable the PPP
negotiation process:


Link Control Protocol (LCP); LCP deals with the establishment of the lower PPP
connection. LCP is used for two devices to initially come to agreement on establishing
a PPP link.

Challenge Handshake Authentication Protocol (CHAP); used to enable the client to
authenticate the server.

Callback Control Protocol (CBCP); used to negotiate callback specific operations, such
as whether callback is permitted, and if and when it should occur.

Compression Control Protocol (CCP); used to negotiate and determine whether
compression is required, and the type of compression that should be used.

IP Control Protocol (IPCP); used to negotiate the IP parameters that should be used
for the PPP connection.

Internet Protocol (IP); IP makes it possible for IP datagrams to be exchanged over the
connection.

Understanding Virtual Private Networking


Virtual Private Networks (VPNs) provide secure connections across a non-secure network by
providing data privacy: private data stays secure in a public environment.
VPNs fall into the following categories:

Remote access

Intranet access

Extranet access

Remote access VPNs provide a common environment in which many different parties, such
as intermediaries, clients and off-site employees, can access information via web browsers or
email. Many companies supply their own VPN connections via the Internet. Through their
ISPs, remote users running VPN client software are assured private access in a publicly
shared environment. Using analog, ISDN, DSL, cable technology, dial-up and mobile IP,
VPNs are implemented over extensive shared infrastructures. Email, database and office
applications use these secure remote VPN connections.
Remote access VPNs offer a number of advantages, including:

Third parties oversee the dial-up to the network.

New users can be added at hardly any cost and with no extra expense to the
infrastructure.

WAN circuit and modem costs are eliminated.

Remote access VPN clients call local ISP numbers, so VPNs can be established from anywhere
via the Internet.

Cable modems enable fast connectivity and are relatively cost efficient.

Information is easily and speedily accessible to off-site users in public places via Internet
availability and connectivity.

Tunneling is the concept used to describe a method of using an internetwork infrastructure
to transfer a payload. IPSec tunnel mode enables IP payloads to be encrypted and
encapsulated in an IP header so that they can be sent over the corporate IP internetwork or
the Internet. IPSec protects, secures and authenticates data between IPSec peer devices by
providing per-packet data authentication. IPSec peers can be pairs of hosts or pairs of
security gateways. Data flows between IPSec peers are confidential and protected. Tunnel
mode is used when a host wants to connect to or gain access to a network controlled by a
gateway. The source and destination addresses are encrypted. The original IP datagram is
left intact. The original IP header is copied and moved to the left and becomes the new IP
header. The IPSec header is inserted between these two headers. The original IP datagram
can be authenticated and encrypted.
IPSec supports the following:

Unicast IP datagrams

High-Level Data-Link Control (HDLC)

ATM

Point-to-Point Protocol (PPP)

Frame Relay serial encapsulation

Generic Routing Encapsulation (GRE)

IP-in-IP (IPinIP)

Encapsulation Layer 3 tunneling protocols.

The process that occurs to establish a VPN connection is outlined below:
1. The VPN client accesses the Internet, and then sends a VPN connection request to the
VPN server to establish a secure connection.
2. Based on the VPN protocol used, the client authenticates itself to the VPN server. If
authentication fails, the connection is terminated.
3. If the client is authenticated, the client and server start a negotiation process. During
negotiation, the client and server agree on the encryption algorithm, and parameters
that should be used for the VPN connection.
4. The VPN session or connection is established.
The process that occurs to convert an IP datagram to a Point-to-Point Tunneling Protocol
(PPTP) packet is outlined below:
1. Data is created by an application for a specific remote host.
2. At the client end, the data then becomes an IP datagram. This is done by adding a TCP
header and IP header to the data. At this point the packet contains all the information
needed to be transmitted by IP.
3. The client then establishes a connection through PPP to add the PPP header to the IP
datagram. At this stage the packet becomes a PPP frame.
4. The next step in the process is for the VPN to encrypt the PPP frame. This ensures
that the data is sent over the Internet in an undecipherable format.
5. A Generic Routing Encapsulation (GRE) header is added to the encrypted payload, to
indicate that the packet is an encapsulated PPTP packet.
6. The PPTP stack adds an IP header to indicate the destination address of the VPN server.
7. The packet is then routed to the VPN server.
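The seven-step PPTP layering above, worked through in Python as an added example that is not part of the original page: each function adds one layer (TCP and IP headers, PPP framing, encryption, the enhanced GRE header of RFC 2637, the outer IP header), and the server-side function peels them back off. The inner and outer addresses, ports, call ID and the fixed RC4 key are constructed; real MPPE derives its keys from the authentication exchange and changes them per packet, which is left out so the layering stays visible.

```python
"""An IP datagram becoming a PPTP packet, one layer per step (RFC 2637 enhanced GRE)."""
import ipaddress
import struct

GRE_PROTOCOL_NUMBER = 47          # outer IP header: protocol 47 = GRE
PPTP_GRE_PROTOCOL = 0x880B        # enhanced GRE "protocol type" for PPP payloads
PPP_PROTOCOL_IP = 0x0021          # PPP protocol field: IPv4 datagram follows
PPP_PROTOCOL_COMPRESSED = 0x00FD  # PPP protocol field: MPPE/MPPC-protected payload follows
GRE_FLAGS_KS_VER1 = (1 << 13) | (1 << 12) | 1  # K (call ID) and S (sequence) present, version 1


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4, the cipher MPPE uses; the same call both encrypts and decrypts.
    Constructed stand-in: real MPPE derives the key from authentication and rekeys."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header; checksum left zero because nothing here is transmitted."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def step2_ip_datagram(data: bytes, src: str, dst: str, sport: int, dport: int) -> bytes:
    """Step 2: TCP header plus inner IP header around the application data."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    return ipv4_header(src, dst, 6, len(tcp) + len(data)) + tcp + data


def step3_ppp_frame(ip_datagram: bytes) -> bytes:
    """Step 3: PPP framing (protocol 0x0021 = IP; address/control bytes compressed away)."""
    return struct.pack("!H", PPP_PROTOCOL_IP) + ip_datagram


def step4_encrypt(ppp_frame: bytes, key: bytes) -> bytes:
    """Step 4: encrypt the PPP frame; the outer PPP protocol field now says 'protected'."""
    return struct.pack("!H", PPP_PROTOCOL_COMPRESSED) + rc4(key, ppp_frame)


def step5_gre(payload: bytes, call_id: int, seq: int) -> bytes:
    """Step 5: enhanced GRE header marks the payload as PPTP (call ID + sequence number)."""
    return struct.pack("!HHHHI", GRE_FLAGS_KS_VER1, PPTP_GRE_PROTOCOL,
                       len(payload), call_id, seq) + payload


def step6_outer_ip(gre_packet: bytes, client_ip: str, vpn_server_ip: str) -> bytes:
    """Step 6: outer IP header addressed to the VPN server, protocol 47."""
    return ipv4_header(client_ip, vpn_server_ip, GRE_PROTOCOL_NUMBER, len(gre_packet)) + gre_packet


def encapsulate_pptp(data, inner_src, inner_dst, client_ip, server_ip, key, call_id=1, seq=1):
    """Steps 2 to 6 in order; step 7 (routing to the VPN server) is the network's job."""
    inner = step2_ip_datagram(data, inner_src, inner_dst, 49152, 445)
    protected = step4_encrypt(step3_ppp_frame(inner), key)
    return step6_outer_ip(step5_gre(protected, call_id, seq), client_ip, server_ip)


def decapsulate_pptp(packet: bytes, key: bytes):
    """What the VPN server does: peel outer IP, GRE and PPP; return (call_id, seq, inner datagram)."""
    if packet[9] != GRE_PROTOCOL_NUMBER:
        raise ValueError("outer IP header does not carry GRE")
    flags, proto, length, call_id, seq = struct.unpack("!HHHHI", packet[20:32])
    if flags != GRE_FLAGS_KS_VER1 or proto != PPTP_GRE_PROTOCOL:
        raise ValueError("not an enhanced-GRE PPTP packet")
    payload = packet[32:32 + length]
    if payload[:2] != struct.pack("!H", PPP_PROTOCOL_COMPRESSED):
        raise ValueError("PPP payload is not marked as protected")
    ppp_frame = rc4(key, payload[2:])
    if ppp_frame[:2] != struct.pack("!H", PPP_PROTOCOL_IP):
        raise ValueError("decrypted frame is not IP; wrong key or corrupted data")
    return call_id, seq, ppp_frame[2:]


if __name__ == "__main__":
    # Constructed values: private inner addresses, public tunnel endpoints, demo key.
    key = b"constructed-demo-key"
    pkt = encapsulate_pptp(b"file share request", "10.1.0.5", "10.1.0.20",
                           "198.51.100.7", "203.0.113.10", key, call_id=7, seq=42)
    print("outer IP proto:", pkt[9], "GRE proto: 0x%04x" % struct.unpack("!H", pkt[22:24])[0])
    print("recovered:", decapsulate_pptp(pkt, key)[2][-18:])
```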
A better method than PPTP tunneling is L2TP/IPSec tunneling, which proceeds as follows:
1. A secure encrypted session is established between the client and server.
2. At this stage the client establishes a L2TP tunnel to the server.
3. The server then sends the client an authentication challenge.
4. The client responds to the server's challenge, and uses encryption when it sends its
challenge response.
5. The server then verifies that the challenge response received from the client is valid. If the
response is valid, the connection is accepted.
Installing the Routing and Remote Access Service
How to enable Routing and Remote Access using the Manage Your Server Wizard
1. Click Start, and then click Manage Your Server.
2. Select the Add or remove a role option.
3. The Configure Your Server Wizard starts.
4. On the Preliminary Steps page, click Next.
5. A message appears, informing you that the Configure Your Server Wizard is detecting
network settings and server information.
6. When the Server Role page appears, select the Remote Access/VPN Server option and
then click Next.
7. On the Summary of Selections page, click Next.
8. The Welcome to the Routing and Remote Access Server Setup Wizard page is displayed.
How to install the Routing and Remote Access Services
1. Click Start, Administrative Tools, and then select Routing And Remote Access to open the
Routing And Remote Access management console.
2. In the console tree, select the remote access server that you want to configure. Open
the Action menu, and then select Configure and Enable Routing and Remote Access.
Alternatively, you can right-click the server that you want to configure, and then select
Configure and Enable Routing and Remote Access from the shortcut menu.
3. The Routing and Remote Access Server Setup Wizard initiates.
4. On the initial page of the Routing and Remote Access Server Setup Wizard, click Next.
5. On the Configuration page, select the Remote Access (Dial-Up Or VPN) option and then
click Next.
6. On the Remote Access page, select either the VPN server checkbox, or the dial-up server
checkbox, or both of these checkboxes. Click Next.
7. When the Macintosh Guest Authentication page is displayed, click the Allow
Unauthenticated Access For All Remote Clients option if you want the RRAS server to
accept anonymous remote access. Click Next.
8. On the IP Address Assignment page, accept the default setting of Automatically, or select
the From A Specified Range Of Addresses button. Click Next.
9. On the Managing Multiple Remote Access Servers page, select the No, Use Routing And
Remote Access To Authenticate Connection Requests option, and then click Next.
10. On the Summary page, click Finish.
11. The RRAS service starts.
The Routing And Remote Access console is the graphical user interface used to manage and
configure routing properties.
To access the Routing And Remote Access console,
1. Click Start, Administrative Tools, and then click Routing And Remote Access.
If Routing And Remote Access is only configured for LAN routing, then the following primary
nodes are present in the console tree of the RRAS console:

Network Interfaces node

IP Routing node

If you want to add a dial-up connection, VPN connection or PPPoE connection to the Routing
And Remote Access console, you have to manually add it to the Network Interfaces node. If
you have already enabled the Routing And Remote Access Service, and you add a new
network adapter, then you have to manually add the new network adapter to the IP Routing
node.
How to manually add a dial-up connection, VPN connection or PPPoE connection
1. Click Start, Administrative Tools, and then select Routing And Remote Access to open the
Routing And Remote Access console.
2. In the console tree, select the Network Interfaces node.
3. Right-click the Network Interfaces node and then select New Demand-Dial Interface from
the shortcut menu.
4. The Demand Dial Interface Wizard starts.
5. Follow the prompts of the Demand Dial Interface Wizard to manually add the dial-up
connection, VPN connection or PPPoE connection.
How to manually add a new network adapter
1. Click Start, Administrative Tools, and then select Routing And Remote Access to open the
Routing And Remote Access console.
2. In the console tree, select General, right-click General, and then select New Interface
from the shortcut menu.
3. Select the Interface that you want to add. Click OK.
Configuring the Routing And Remote Access Service Properties
Routing And Remote Access Service properties are configured in the Routing And Remote
Access console, using the RRAS server's Properties dialog box.
The configuration settings that you can configure through the properties sheet of the remote
access server include:

Configure the server to allow remote connections

Routing

Demand-dial

Point-to-Point Protocol (PPP) options

Authentication settings

Client address assignment

Logging options

To access the Properties dialog box of the remote access server to configure RRAS
properties:
1. Click Start, Administrative Tools, and then select Routing And Remote Access to open the
Routing And Remote Access console.
2. In the console tree, select the remote access server that you want to configure, and then
select Properties from the Action menu, or right-click the server in the console tree and
then select Properties from the shortcut menu.
The remote access server's Properties dialog box contains the tabs listed below. The
configuration settings that you can configure on each of these tabs for the remote access
server are explained as well.

General tab: The settings on the General tab enable you to configure the Routing And
Remote Access Service as a:

LAN router

Demand-dial router

Remote access server

Security tab: The security settings that you can configure on the Security
tab are:

Authentication methods

Preshared keys for Internet Protocol Security (IPSec)

Connection request logging

IP tab: The IP tab is used to configure routing properties to route IP packets over LAN
connections, remote access connections, or demand-dial connections. The options
available are the Enable IP Routing checkbox, and the Allow IP-Based Remote Access
And Demand Dial Connections checkbox. The IP Address Assignment section of the IP tab
is used to configure the manner in which the IP addresses are assigned to remote access
clients. The available options are the Dynamic Host Configuration Protocol (DHCP) option
and the Static Address Pool option. If you select the Static Address Pool option, you have
to specify the address range that the Routing And Remote Access service will use to
assign addresses to remote access clients. The last setting on the IP tab is the Enable
Broadcast Name Resolution checkbox, which is enabled by default.

PPP tab: The options available on the PPP tab are used to configure PPP-specific options.
Each option on the tab is enabled by default:

Multilink Connections; when enabled, multilink connections are allowed from remote
access clients.

Dynamic Bandwidth Control Using BAP Or BACP; when enabled, multilink connections
either add or drop PPP connections based on the available bandwidth.

Link Control Protocol (LCP) Extensions; when enabled, advanced PPP features are
supported.

Software Compression; when enabled, RRAS can perform compression of the PPP
data.

Logging tab: On this tab, you can configure Routing And Remote Access logging
options:

Log errors only

Log errors and warnings

Log all events

Do not log any events

You can also enable the option to log additional information for debugging purposes.
Configuring General IP Routing Properties
There are a few Routing And Remote Access service features that apply to IP routing as a
whole. These IP routing features are configured using the Properties dialog box of the
General node in the Routing And Remote Access console. The General node can be found
within the IP Routing node in the console tree.
To open the Properties dialog box of the General node
1. Click Start, Administrative Tools, and then select Routing And Remote Access to open the
Routing And Remote Access console.
2. In the console tree, expand the IP Routing node.
3. Right-click the General node, and then select Properties from the shortcut menu.
4. The General Properties dialog box contains three tabs: the Logging tab, the Preference
Levels tab, and the Multicast Scopes tab.


Logging tab: The options available on the Logging tab pertain to IP routing events
that are recorded in the Event log. The options available on the Logging tab are:

Log Errors Only

Log Errors And Warnings

Log The Maximum Amount Of Information

Disable Event Logging

Preference Levels tab: The options available on the Preference Levels tab are used to
set the priority of routes obtained from different sources.

Multicast Scopes tab: The tab is used to configure multicasting.

How to control multilink for incoming connections
1. Click Start, Administrative Tools, and then select Routing And Remote Access to open the
Routing And Remote Access console.
2. In the console tree, right-click the server that you want to work with, and then click
Properties from the shortcut menu.
3. The server Properties dialog box opens.
4. Switch to the PPP tab.
5. Select the Multilink Connections checkbox to allow multilink connections from remote
access clients.
6. If you do not want to allow multilink connections, simply clear the Multilink
Connections checkbox.
7. If you select the Multilink Connections checkbox, it is recommended that you also enable
the Dynamic Bandwidth Control Using BAP Or BACP checkbox. This allows the server to add
or drop PPP links as the available bandwidth rises and falls.
8. Click OK.
How to configure incoming connections that use the IP protocol
1. Click Start, Administrative Tools, and then select Routing And Remote Access to open the
Routing And Remote Access console.
2. In the console tree, right-click the server that you want to work with, and then click
Properties from the shortcut menu.
3. The server Properties dialog box opens.
4. Click the IP tab.
5. Verify that the Enable IP Routing checkbox is selected.
6. Next, verify that the Allow IP-Based Remote Access And Demand-Dial Connections
checkbox is selected.
7. If the server Properties dialog box has an IPX tab, click the IPX tab. Clear the Allow
IPX-Based Remote Access And Demand-Dial Connections checkbox.
8. If the server Properties dialog box has an AppleTalk tab, click the AppleTalk tab. Clear
the Enable AppleTalk Remote Access checkbox.
9. If the server Properties dialog box has a NetBEUI tab, click the NetBEUI tab. Clear the
Allow NetBEUI-Based Remote Access Clients To Access checkbox.
10. Click OK.

Remote Access Security

Remote Access Security Overview
To protect your corporate data from attacks by intruders and from access by unauthorized
users, you need to plan for and implement remote access security. You should authenticate
remote access clients attempting to establish a remote connection with the remote access
server. To secure connections to the corporate network, you can configure properties that
either allow or deny remote access. You can also base authorization on the number the
caller is calling from or on the number the caller dialed.
There are a number of strategies that you can use to secure remote access connections:
- Control access through the Dial-in Properties of an individual user account. This is the
  account that remote access clients use to connect to the network.
- Create and configure remote access policies.
- Create and configure remote access profiles.
- Configure remote access authentication and encryption.
- Use Remote Authentication Dial-In User Service (RADIUS) to provide authentication,
  authorization, and accounting for your remote access implementation.
- Configure advanced security features such as smart cards and callback security.
- Raise the domain functional level to provide additional security features for your
  remote access implementation.

Planning Remote Access Security
You should include planning of remote access security when planning your overall remote
access solution. A few issues that need to be clarified are listed below:
- Not all users in an organization require remote access. You should therefore identify
  those users that need remote access and configure only these users to have remote
  access. Authentication can be used to restrict remote access to only those users that are
  specified for remote access. You can use remote access policies to define the
  requirements (conditions) that users must match to obtain remote access.
- In addition, not all users need to access the entire network. Users that only need the
  remote access server itself to complete their tasks should be restricted to the remote
  access server.
- Because not all users need access to all resources, you can use permissions to give
  different users different levels of remote access.
- Users can also be restricted to specific applications only. You do this by configuring
  packet filters that allow only traffic using specific protocols and port numbers.
For dial-in access, you would want to control which users are able to remotely access the
network:
- You can allow or disallow remote access for individual users. You configure individual
  user access through the Properties dialog box of a specific user, on the Dial-in tab.
  The Active Directory Users and Computers management console is the tool used to
  access the Properties dialog box of a specific user account.
- You can allow or disallow remote access by configuring remote access policies. This
  method allows you to specify remote access rights based on various criteria, such as
  user, group, and time of day. The setting chosen on the Dial-in tab of a specific user's
  Properties dialog box dictates whether that user is affected by remote access policies.
  The different settings on the Dial-in tab of the Properties dialog box of a particular
  user are:
  o Allow Access: the user is allowed to remotely access the network. The remote access
    policies are not included in the decision.
  o Deny Access: the user is denied permission to remotely access the network.
  o Control Access Through Remote Access Policy: the remote access policies dictate
    whether or not the user is allowed remote access.
- Remote access policies can also be used to further restrict remote connections after they
  have been authorized by the Routing and Remote Access Service (RRAS), based on the
  following:
  o Idle timeout setting
  o Maximum session time setting
  o IP packet filters
  o Encryption strength
  o IP addresses for PPP connections and static routes
When planning a VPN remote access strategy, the security-specific requirements that you
need to clarify are discussed next. The placement of the VPN server can dictate that you
implement additional security measures:
- If you place the VPN server on the private internal network, the firewall has to allow
  traffic to the VPN server.
- If you place the VPN server on the perimeter network, you need to do the following:
  o On the VPN server, configure inbound and outbound filters that allow VPN traffic to
    and from the Internet interface of the VPN server.
  o On the firewall, configure it to allow traffic from the VPN server.
You also need to determine which VPN protocols to use. You can support one or both of
the VPN protocols:
- Point-to-Point Tunneling Protocol (PPTP)
- Layer Two Tunneling Protocol (L2TP)
The factors to consider when deciding which VPN protocol to use are:
- The requirements of the remote access clients:
  o Windows 95, Windows 98, Windows ME, Windows NT 4.0, Windows 2000, Windows XP
    and Windows Server 2003 support PPTP.
  o Only Windows 2000, Windows XP and Windows Server 2003 support L2TP.
- Public Key Infrastructure (PKI) requirements: A PKI is needed for the mutual
  authentication of the VPN server and the client. Certificates need to be installed on the
  VPN server and the VPN clients. In addition to this, user authentication needs protocols
  such as Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) and Extensible
  Authentication Protocol Transport Layer Security (EAP-TLS).
- IPSec requirement: L2TP can be used with IPSec to provide encryption. If you need
  authentication of both the VPN server and the client, then you need to be able to
  support L2TP. Only L2TP over IPSec can provide data integrity.
The following section examines the differences between the VPN protocols, and when each
protocol should be implemented:
- PPTP should be implemented when the following statements are true:
  o You need to support legacy Windows clients.
  o Client-to-gateway connectivity or network-to-network connectivity is a requirement.
  o The VPN connection must pass through a firewall or perimeter server that performs
    NAT. The only VPN protocol that can pass through NAT is PPTP.
- L2TP should be implemented when the following statements are true:
  o All client computers have computer certificates installed.
  o Client-to-gateway connectivity or network-to-network connectivity is a requirement.
  o You want to use an IPSec tunnel.
  o The server is not located behind a firewall or a perimeter server that performs NAT.
- IPSec tunnel mode should be implemented when the following statements are true:
  o Certificate-based authentication is being used.
  o Certificates are issued by a trusted Certificate Authority.
  o Network-to-network connectivity is a requirement.
  o Machine authentication is required for the tunnel endpoints.
For VPN remote access, the different levels of encryption that you can configure are:
- No encryption: This option allows unencrypted VPN connections.
- Basic encryption: This option is also not frequently used, because the weaker 40-bit
  key is used for encryption.
- Strong encryption: A 56-bit key is used for encryption.
- Strongest encryption: A 128-bit key is used for encryption.
When planning a wireless remote access strategy, the security-specific requirements that
need to be considered are summarized below:
- Remote access policies that allow wireless users to connect to the network have to be
  configured.
- For Wireless Access Points (WAPs) to use IAS authentication, the following additional
  configurations are necessary:
  o Each WAP must be added as a RADIUS client in the IAS MMC snap-in.
  o On the WAP, you have to enable RADIUS authentication and define the primary and
    backup IAS servers.
- Because security is a high priority for wireless networks, WAPs and adapters that support
  the elements listed next should be used:
  o Firmware updates
  o WEP using 128-bit encryption
  o Disabling of SSID broadcasts
  o MAC filtering to restrict wireless access based on MAC addresses
- Determine the following important factors:
  o Whether the Wi-Fi Protected Access (WPA) protocol or the Wired Equivalent Privacy
    (WEP) protocol will be used.
  o For the WEP protocol, whether 64-bit or 128-bit encryption will be used.
  o Whether 802.1X authentication will be used.
  o Whether wireless clients will use IPSec.
  o Whether MAC address filtering will be used.
  o Whether Group Policy will be used to configure wireless client security.

Securing Remote Access through the Dial-in Properties of a User Account
The different options that you can configure on the Dial-In tab of a specific user account in
the Active Directory Users And Computers management console are:
- In the Remote Access Permission (Dial-in Or VPN) area, you can select one of the
  following options:
  o Allow Access: The Allow Access option allows remote access for the specific user
    account. The Allow Access option overrides any settings specified through remote
    access policies.
  o Deny Access: The Deny Access option prevents remote access for the specific user
    account.
  o Control Access Through Remote Access Policy: When you select the Control Access
    Through Remote Access Policy option, whether or not the user is allowed remote
    access is determined by the remote access policies applied to the connection.
- You can enable the Verify Caller ID checkbox to specify the phone number of the user
  that should be verified before the remote access connection can be established. A
  connection will only be established if the number that the user is calling from
  corresponds with the number configured here.
- The Callback Options area of the Dial-in tab is where you specify one of the following:
  o No callback.
  o Set by caller.
  o Always callback to a specific callback number.
Callback Security is a feature that you can use for dial-in connections. When it is enabled
and a remote access client establishes a connection through Callback, the call is
disconnected and the client is called back. You can enable either of the following methods
of the Callback Security feature:
- The user defines the callback number.
- An administrator specifies the callback number.
A few guidelines for setting the Dial-in Properties of a user account are summarized below:
- If you want to prevent the user from remotely accessing the network, set the remote
  access permission for the specific user account to the Deny Access option.
- If you want to restrict your remote access clients to only certain network segments,
  configure static routes for the remote access client that specify those network
  segments that they can access.
- If you want to allow or deny remote access based on policies, select the Control Access
  Through Remote Access Policy option for the particular user account.
- If you want to assign a particular IP address for each remote access connection
  attempt made by a particular user, specify the IP address in the Assign A Static IP
  Address field.
- If you want dial-up connections to come from a particular phone number, set the value of
  the Verify Caller ID field to the specific phone number.

Authentication Methods for Remote Access
There are a number of authentication methods supported by the Routing and Remote Access
Service (RRAS). You configure the authentication protocols through the Routing and Remote
Access console:
1. Click Start, Administrative Tools, and then click Routing and Remote Access to open the
Routing and Remote Access console.
2. In the console tree, select the server, and then click the Action menu to select the
Properties command.
3. Switch to the Security tab.
4. Click the Authentication Methods button.
5. The Authentication Methods dialog box opens.
The different authentication methods in the Authentication Methods dialog box are:
- Extensible Authentication Protocol (EAP): EAP is used for network and dial-up
  authentication. It allows the Routing and Remote Access Service to use the authentication
  protocols provided by Windows 2000 and Windows Server 2003 together with third-party
  authentication protocols and mechanisms such as smart cards. EAP offers mutual
  authentication and provides for the negotiation of encryption methods. To secure the
  authentication process, the EAP authentication method uses Transport Layer Security
  (TLS). If you want to use the EAP authentication method, select the Extensible
  Authentication Protocol (EAP) checkbox, and then click the EAP Methods button to open
  the EAP Methods dialog box, which lists:
  o Extensible Authentication Protocol-Message Digest 5 Challenge Handshake
    Authentication Protocol (EAP-MD5 CHAP)
  o Extensible Authentication Protocol-Transport Layer Security (EAP-TLS)
  o Protected EAP (PEAP)
  o EAP-RADIUS
- Microsoft Encrypted Authentication Version 2 (MS-CHAPv2): MS-CHAPv2 provides mutual
  authentication and is used for network and dial-up authentication. MS-CHAPv2 enables
  mutual authentication through the use of encrypted passwords. This is one of the more
  secure authentication methods to use to control remote access connections.
- Microsoft Encrypted Authentication (MS-CHAP): MS-CHAP is the initial version of the
  Challenge Handshake Authentication Protocol (CHAP). With MS-CHAP, one-way
  authentication is used, and only one encryption key is used for sent and received
  messages. This makes MS-CHAP a weaker authentication method than MS-CHAPv2, which
  provides mutual authentication.
- Encrypted Authentication (CHAP): CHAP is a challenge-response authentication protocol
  used for PPP connections. This authentication method uses the users' passwords for
  authentication. To use this authentication method, you have to use Group Policy to
  enable the Store Passwords Using Reversible Encryption password policy and then reset
  all user passwords so that they can be read by CHAP.
- Shiva Password Authentication Protocol (SPAP): SPAP uses a simple password
  authentication protocol that offers no real authentication. SPAP is considered an insecure
  authentication protocol.
- Unencrypted Password (PAP): PAP uses plain text passwords and no encryption. PAP is
  only provided as an authentication method for those clients that do not support any of
  the previously mentioned, more secure authentication methods.
- Allow Remote Systems To Connect Without Authentication: This option allows remote
  access clients to connect to the remote access server with no authentication.
Of the authentication methods above, the following password-based authentication methods
are considered weak for securing remote access. It is recommended that you disable these
authentication methods:
- Password Authentication Protocol (PAP)
- Shiva Password Authentication Protocol (SPAP)
- Challenge Handshake Authentication Protocol (CHAP)
- Microsoft Challenge Handshake Authentication Protocol Version 1 (MS-CHAPv1)

How to disable password-based authentication methods
1. Click Start, Administrative Tools, and then click Routing and Remote Access to open the
Routing and Remote Access console.
2. In the console tree, select the server, and then click the Action menu to select the
Properties command.
3. Switch to the Security tab.
4. Click the Authentication Methods button.
5. The Authentication Methods dialog box opens.
6. Clear the checkbox for Microsoft Encrypted Authentication (MS-CHAP).
7. Clear the checkbox for Encrypted Authentication (CHAP).
8. Clear the checkbox for Shiva Password Authentication Protocol (SPAP).
9. Clear the checkbox for Unencrypted Password (PAP).
10. Click OK.
A few guidelines and recommendations for selecting authentication methods for your remote
access solution are listed below:
- SPAP should be used when Shiva Remote Access servers are being used as Network
  Access Servers (NASs). You cannot use SPAP if you require strong encryption for remote
  access connections. Both SPAP and PAP offer low levels of security.
- PAP should only be used when none of the other authentication methods are supported
  by your remote access clients.
- CHAP: CHAP provides a medium level of security for remote access connections. CHAP
  should be used when your remote access clients use a mix of Microsoft operating
  systems (OSs) and other OSs. Remember that CHAP requires passwords to be stored in
  reversibly encrypted format on domain controllers.
- MS-CHAP: MS-CHAP should be used when the following statements are true:
  o Your remote access clients use Microsoft operating systems (OSs).
  o You do not want to store passwords in reversibly encrypted format on domain
    controllers.
  o Data needs to be encrypted between the remote access client and the Network Access
    Server (NAS).
- MS-CHAPv2: MS-CHAPv2 provides a high level of protection for remote access
  connections, and should be used when the following statements are true:
  o Mutual authentication is required between the remote access client and the Network
    Access Server (NAS).
  o Data needs to be encrypted between the remote access client and the Network Access
    Server (NAS).
  o Windows 95 clients and Windows 98 clients are only being used for VPN
    authentication.
  o Windows NT 4.0 clients and Windows 2000 clients are used for dial-up authentication
    and VPN authentication.
- EAP-TLS: EAP-TLS also provides a high level of protection for remote access connections,
  and should be used when the following statements are true:
  o Mutual authentication is required between the remote access client and the Network
    Access Server (NAS).
  o Data needs to be encrypted between the remote access client and the Network Access
    Server (NAS).
  o Operating systems that support third-party authentication mechanisms, such as smart
    cards, are being used.

Using Remote Access Policies to Secure Remote Access
Remote access policies can be created to control whether or not a user is allowed to
connect to the remote access server. Remote access policies contain conditions which you
specify through the Routing and Remote Access management console. These conditions
determine which users are allowed to connect to the remote access server.
Remote access policies can be used to:
- Specify which authentication protocol clients must use.
- Specify which encryption methods clients must use.
- Restrict user access, based on the following:
  o User
  o Group membership
  o Time of day
The Grant or Deny setting of a specific policy determines whether the user is allowed or
denied access.
When a user attempts to establish a connection, the remote access policies are evaluated to
determine whether the user is permitted to access the remote access server. The user is
only allowed access once all the conditions in the remote access policy allow access. When
more than one remote access policy is configured, you can define the order in which they
are to be applied. You do this by specifying the order number or priority of each remote
access policy.
A few conditions that remote access policies can compel clients to meet are listed below:
- Authentication type: indicates which authentication protocols clients must use.
- Framed protocol: indicates the data-link layer protocol which clients have to use.
- Day and time restrictions: indicates on which day of the week and at what time of the
  day the user can connect.
- Tunnel type: for VPN clients, defines the tunneling protocol that these clients must
  use.
- Windows groups: indicates which groups users have to be a member of if they want to
  connect to the remote access server.
The different attribute types that can be evaluated in a remote access policy are:
- Authentication Type: the authentication type, for instance PAP or CHAP.
- Called Station ID: the network access server's (NAS) phone number.
- Calling Station ID: the phone number used by the caller.
- Client-Friendly Name: the name of the RADIUS client requiring authentication.
- Client IP Address: the IP address of the RADIUS client.
- Client Vendor: the network access server's (NAS) vendor.
- Day and Time Restrictions: specifies when a connection can be established.
- Framed Protocol: IAS uses this to determine the frame type of the incoming packets.
- MS RAS Vendor: the RADIUS client machine's vendor.
- NAS Identifier: the network access server's (NAS) name.
- NAS IP Address: the IP address of the NAS.
- NAS Port Type: the media used by the client.
- Service Type: the type of service requested.
- Tunnel Type: the type of tunnel (PPTP, L2TP) that should be used.
- Windows Groups: the Windows groups whose members are allowed access to the remote
  access server.
You can also use remote access policies to configure further restrictions once the
connection attempt is authorized by RRAS. Connections can be restricted through remote
access policies based on the following elements:
- Idle timeout time
- Maximum session time
- Encryption strength
- IP packet filters
- Advanced restrictions, such as IP addresses for PPP connections

How the Routing and Remote Access Service (RRAS) applies remote access policies when
multiple policies are configured
You can define the order in which remote access policies are applied to connections
through the Routing and Remote Access management console. You simply have to select
the remote access policy in the details pane, click the Action menu, and then click either
the Move Up command or the Move Down command.
The order in which the Routing and Remote Access Service (RRAS) applies remote access
policies is illustrated below:
1. The Routing and Remote Access Service (RRAS) evaluates the connection attempt against
the very first remote access policy. The connection is rejected if there are no configured
remote access policies in the list.
2. If the connection does not meet every condition specified in the first remote access
policy, the Routing and Remote Access Service (RRAS) proceeds to check the connection
against the second remote access policy in the list, and so on down the list.
3. If the connection does not meet all of the conditions of any of the remote access
policies, the attempted connection is rejected.
4. If the Ignore-User-Dialin-Properties attribute has a value of False, the Routing and
Remote Access Service (RRAS) proceeds to check the remote access permission setting of
the specific user account:
   a. If the Deny Access option is configured for the user account, the attempted
      connection is rejected.
   b. If the Allow Access option is configured, the user account and profile properties are
      applied to the connection. If the user account and profile properties match the
      connection attempt, the connection is allowed. If they do not match, RRAS rejects the
      attempted connection.
   c. If the Control Access Through Remote Access Policy option is configured, the remote
      access permission setting of the policy is checked. If Allow Access is specified, RRAS
      checks whether the user account and profile properties match the connection attempt.
      If so, the connection is allowed. If not, the connection is rejected.
5. If the Ignore-User-Dialin-Properties attribute has a value of True, the Routing and
Remote Access Service (RRAS) proceeds directly to the remote access permission setting
of the policy:
   a. If Allow Access is specified, RRAS checks whether the user account and profile
      properties match the connection attempt. If so, the connection is allowed. If not, the
      connection is rejected.
   b. If Deny Access is specified, the attempted connection is rejected.
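The evaluation order above, together with the attribute conditions and the post-authorization profile constraints described earlier in this section, modeled in Python. This is an added example, not Microsoft's code and not code from the page; the Policy, Profile and UserAccount classes, the attempt dictionary keys and every sample name and number are constructed for illustration. Only the option names (Allow Access, Deny Access, Control Access Through Remote Access Policy, Ignore-User-Dialin-Properties, the encryption levels) come from the text. Note that a policy with no conditions matches every attempt, which is why the general deny-all policy is placed last.

```python
"""Model of RRAS remote access policy evaluation (added example, not Microsoft's code)."""
from dataclasses import dataclass, replace
from typing import Callable, Dict, List, Optional, Tuple

# A connection attempt is a dict of the attribute types a policy can evaluate
# (Authentication-Type, Calling-Station-Id, Tunnel-Type, Windows-Groups, ...).
# The key names are constructed for this example.
Attempt = Dict[str, object]
Decision = Tuple[bool, str]

# Encryption levels from the text, as key sizes in bits.
ENCRYPTION_BITS = {"None": 0, "Basic": 40, "Strong": 56, "Strongest": 128}


@dataclass
class Profile:
    """Profile properties applied once the attempt is authorized (hypothetical subset)."""
    allowed_auth_types: List[str]             # Authentication tab
    min_encryption: str = "Basic"             # Encryption tab: Basic/Strong/Strongest
    allowed_hours: range = range(0, 24)       # Dial-in constraints: hours of the day

    def matches(self, attempt: Attempt) -> Decision:
        auth = attempt.get("Authentication-Type")
        if auth not in self.allowed_auth_types:
            return False, f"profile does not allow authentication type {auth}"
        offered = ENCRYPTION_BITS.get(str(attempt.get("Encryption", "None")), 0)
        if offered < ENCRYPTION_BITS[self.min_encryption]:
            return False, "profile requires stronger encryption"
        if attempt.get("Hour") not in self.allowed_hours:
            return False, "connection attempted outside the allowed hours"
        return True, "profile constraints satisfied"


@dataclass
class Policy:
    name: str
    conditions: Dict[str, Callable[[object], bool]]  # attribute -> predicate; ALL must match
    grant: bool                                       # the policy's Grant/Deny permission
    profile: Profile
    ignore_user_dialin_properties: bool = False       # Ignore-User-Dialin-Properties


@dataclass
class UserAccount:
    name: str
    dialin: str                               # "allow", "deny" or "policy" (Dial-in tab)
    verify_caller_id: Optional[str] = None    # Dial-in tab: Verify Caller ID


def _account_and_profile_match(policy: Policy, user: UserAccount, attempt: Attempt) -> Decision:
    """Apply the account's dial-in properties and the policy's profile to the attempt."""
    if user.verify_caller_id is not None and attempt.get("Calling-Station-Id") != user.verify_caller_id:
        return False, "Calling-Station-Id does not match Verify Caller ID"
    return policy.profile.matches(attempt)


def evaluate(policies: List[Policy], user: UserAccount, attempt: Attempt) -> Decision:
    """Evaluate the policies in list order, following the numbered steps in the text."""
    if not policies:                                   # step 1: empty list -> reject
        return False, "no remote access policies configured"
    matched = next((p for p in policies                # steps 2-3: first policy whose
                    if all(pred(attempt.get(attr))     # conditions all match applies
                           for attr, pred in p.conditions.items())), None)
    if matched is None:
        return False, "no policy matched the connection attempt"
    if not matched.ignore_user_dialin_properties:      # step 4: account permission first
        if user.dialin == "deny":
            return False, f"account {user.name}: Deny Access"
        if user.dialin == "allow":
            return _account_and_profile_match(matched, user, attempt)
        # "policy" (Control Access Through Remote Access Policy): fall through
    if not matched.grant:                              # step 5 / 4c: policy permission
        return False, f"policy '{matched.name}' denies access"
    return _account_and_profile_match(matched, user, attempt)


def demo() -> List[Decision]:
    """Constructed policies, accounts and attempts exercising each branch."""
    admins = Policy("VPN admins",
                    {"Windows-Groups": lambda g: "VPN-Admins" in (g or []),
                     "Tunnel-Type": lambda t: t in ("PPTP", "L2TP")},
                    grant=True,
                    profile=Profile(["MS-CHAPv2", "EAP-TLS"], min_encryption="Strongest"))
    deny_all = Policy("Deny everyone else", {}, grant=False, profile=Profile([]))
    policies = [admins, deny_all]                      # specific first, general last
    alice = UserAccount("alice", "policy", verify_caller_id="5550100")
    bob = UserAccount("bob", "deny")
    base: Attempt = {"Windows-Groups": ["VPN-Admins"], "Tunnel-Type": "L2TP",
                     "Authentication-Type": "MS-CHAPv2", "Encryption": "Strongest",
                     "Hour": 10, "Calling-Station-Id": "5550100"}
    return [
        evaluate(policies, alice, base),                                        # allowed
        evaluate(policies, alice, {**base, "Authentication-Type": "PAP"}),      # profile rejects
        evaluate(policies, alice, {**base, "Calling-Station-Id": "5550199"}),   # caller ID
        evaluate(policies, bob, base),                                          # Deny Access
        evaluate(policies, UserAccount("carol", "policy"), {**base, "Windows-Groups": []}),
        evaluate([], alice, base),                                              # empty list
        evaluate([replace(admins, ignore_user_dialin_properties=True)], bob, base),  # step 5
    ]


if __name__ == "__main__":
    for allowed, reason in demo():
        print("ALLOW " if allowed else "REJECT", reason)
```

The second attempt is the instructive one: the policy's conditions match, so a looser policy lower in the list never gets a chance, yet the connection is still rejected because the profile's authentication constraint excludes PAP. That is the two-stage behaviour the text describes, conditions select the policy and the profile then constrains the connection.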
A few recommendations for implementing remote access policies are discussed next:
- Because all conditions in a remote access policy have to be matched for a remote access
  connection attempt to be allowed, it is wise not to configure a large number of
  conditions for each remote access policy.
- Ensure that the correct condition is applied to each remote access policy. You should
  not include a remote access policy condition that cannot be matched or met.
- Specify the correct order in which the Routing and Remote Access Service (RRAS) must
  process the remote access policies. Remote access policies with more specific conditions
  should be applied to connections before remote access policies with more general
  conditions.
- Remember that if no remote access policies are defined in the list, then all remote
  access attempts will simply be denied. A remote access policy that allows remote access
  connections 24 hours a day is enabled by default.

Using Policy Profiles for Remote Access Connections
Remote access profiles are an important component of remote access policies. Remote
access profiles determine what happens after the connection is authorized by RRAS. Each
remote access profile contains a set of properties, which are applied to connections that
match the conditions specified in the remote access policy.
You can create a remote access profile for a remote access policy either when you create
the actual remote access policy, or at some later date. You create a profile by accessing the
Properties dialog box of the specific remote access policy, and then clicking the Edit Profile
button. The profile Properties dialog box contains the following six tabs: Dial-In Constraints
tab, IP tab, Multilink tab, Authentication tab, Encryption tab and Advanced tab.
A remote access profile is made up of the following sets of properties, which can be
configured through the profile's Properties dialog box:
- Dial-in constraints: Dial-in constraints are used to specify the following:
  o The number of minutes a connection can remain idle before the server disconnects it.
  o The maximum time that a connection can stay connected.
  o The times when connections are allowed.
  o Which connections should be rejected, based on media type.
- Authentication properties: Authentication properties allow you to set the following:
  o Which authentication methods are allowed for connections.
  o Whether users are allowed to change expired passwords through MS-CHAP and
    MS-CHAP v2.
- Encryption properties: Encryption properties allow you to set the following:
  o Which encryption strength should be used: Basic Encryption, Strong Encryption or
    Strongest Encryption.
- IP properties: The IP properties allow you to configure the following:
  o That the remote access client requests an IP address.
  o That the remote access server provides an IP address.
  o That static IP addresses are used.
  o That the remote access server determines how IP addresses are assigned.
- Multilink properties: Multilink properties allow you to configure the following:
  o Enable multilink.
  o Set the number of ports a multilink connection is allowed to use.
- Advanced properties: Advanced properties allow you to set the following:
  o The RADIUS attributes that are returned by the IAS server to the RADIUS client.
A few guidelines for implementing remote access profiles are summarized below:
- If you want to restrict remote access connections to a certain phone number only, then
  you have to configure dial-in constraints to restrict connections to this phone number.
- If you want to ensure that idle remote access connections do not tie up your available
  remote access ports, then you have to configure dial-in constraints to disconnect idle
  connections once a predefined time elapses.
- If you want clients to use a particular authentication protocol, configure a remote access
  profile to only accept connections that use this specific authentication protocol.
  Remember that if you do this, then all connections which do not use the specified
  authentication protocol will be rejected.
- If you want clients to only use a specific encryption strength, then configure a remote
  access profile to allow only this specific encryption strength.
- If you want to restrict remote access connections to only certain protocols, configure IP
  packet filters to only allow these protocols.
- If you want to restrict remote access connections to specific computers only, configure
  IP packet filters that restrict access to only these specific IP addresses.

Planning a Remote Access Strategy

Remote Access Overview
Dial-up networking allows a remote access client to establish a dial-up connection to a port
on a remote access server. The configuration of the DUN server determines what resources
the remote user can access. Users that connect through a DUN server connect to the
network much like a standard LAN user accessing resources.
Virtual Private Networks (VPNs) provide secure and advanced connections through a
non-secure network by providing data privacy. Private data is secure in a public
environment. Remote access VPNs provide a common environment where many different
sources such as intermediaries, clients and off-site employees can access information via
web browsers or email. Many companies supply their own VPN connections through the
Internet. Through their ISPs, remote users running VPN client software are assured private
access in a publicly shared environment. Tunneling is the concept used to describe a method
of using an internetwork infrastructure to transfer a payload. IPSec tunnel mode enables IP
payloads to be encrypted and encapsulated in an IP header so that they can be sent over
the corporate IP internetwork or the Internet.
Routing is the process that transfers data over the internetwork from one local area network
(LAN) to another. Routers are devices operating at the network layer of the OSI model that
use IP routing tables to forward the traffic which they receive from a host or from another
router. The different types of TCP/IP traffic become important when discussing routing and
the routing protocols:
- Unicast traffic consists of point-to-point connectivity between TCP/IP systems.
- Broadcast traffic consists of point-to-multipoint connectivity between TCP/IP systems.
- Multicast traffic consists of point-to-multipoint traffic to a group of selected members
  that belong to a multicast group.
There are a number of technologies that enable remote network connections, including:

• Frame Relay: This is a WAN technology that uses other hardware components to establish remote site connections. A frame relay connection uses a standard leased line which connects the network site to the frame relay provider's nearest point of presence (POP). The frame relay provider then delivers the connection to the frame relay cloud. To use the frame relay provider for a LAN-to-LAN connection, you have to install a leased line at each site which connects that network to the provider's nearest POP. The provider is then responsible for connecting the lines to the same frame relay cloud so that a connection can be established between the two networks. The benefits of the frame relay WAN technology are:
   o Frame relay provides flexibility.
   o Each of your sites can be connected to a local POP, which reduces the cost of the leased lines.
   o You can connect to multiple sites using a single frame relay connection.
   o You pay only for the bandwidth that is used.
   o Contracted bandwidth can be exceeded (bursting) when heavy traffic conditions are present.
• Leased lines: Dedicated leased lines are also typically used to connect remote networks. While dedicated leased lines are commonly used for WAN links, purchasing and maintaining them is expensive. In addition, you pay for the allocated bandwidth all the time, because leased lines are persistent connections: they are permanent and remain open at all times.
• Dial-on-demand connections: While the WAN connections provided by Integrated Services Digital Network (ISDN) and standard asynchronous modems are typically slower than dedicated leased lines, they can be disconnected at any time and can be used to connect to different locations. One of the main characteristics of dial-on-demand connections is that you pay only for the time the connection is actually in use.
• Virtual private networks (VPNs): Remote access VPNs provide a common environment in which many different parties, such as intermediaries, clients and off-site employees, can access information via web browsers or email. Many companies supply their own VPN connections via the Internet; through their ISPs, remote users running VPN client software are assured private access in a publicly shared environment. VPNs are implemented over extensive shared infrastructures using analog, ISDN, DSL, cable, dial-up and mobile IP access. Remote access VPNs offer a number of advantages: WAN circuit and modem costs are eliminated, cable modems provide fast and relatively cost-efficient connectivity, new users can be added at very little cost, and information is easily and quickly accessible to off-site users through ordinary Internet connectivity.
The Routing and Remote Access Service (RRAS) provides multiprotocol routing services for
Microsoft Windows 2000 Server and Windows Server 2003 computers. RRAS includes a wide
variety of features that support unicast and multicast IP routing, IPX routing, AppleTalk
routing, and remote access.

Determining Organizational and User Requirements

Determining the remote access requirements of the organization and of its users should be one of the initial stages of planning your remote access strategy, because not all organizations and users have the same requirements.

From the organization's perspective, a few issues that need to be addressed initially are:

• Identify the subnets which will be remotely accessed.
• Determine the resources which need to be remotely accessed.
• Determine whether your existing servers can be modified and configured to enable remote access.
• Evaluate existing modems and connections.
• Evaluate existing traffic patterns.
• Determine what dial-in connection security and VPN connection security mechanisms need to be implemented.

From the users' perspective, a few issues that need to be addressed initially are:

• Determine what operating systems the clients are using.
• Determine which computers the clients are using.
• Determine the bandwidth needs of users.
• Determine what connections can be supported.
• Determine whether clients' current Internet connections can be used for VPN connections.
• Determine how often users will need to connect to the network.

Determining the Types of Remote Access to Allow

When deciding on the specific type(s) of remote access that you are going to allow, you have to take into account the needs of the organization and of the users that you have identified. The focal point is whether the remote access type meets those needs and requirements. Another important factor is the cost and the administrative skills needed to implement and maintain each remote access type.

The different types of remote access are summarized below:

• Dial-in remote access: Dial-in remote access uses modems and servers running the Routing and Remote Access service (RRAS). To enable communication, dial-in access uses the Point-to-Point Protocol (PPP). The advantages of dial-in remote access are:
   o Modem access remains unaffected by Internet usage.
   o You can use existing modems and phone lines.
   o When high bandwidth is not a requirement, modem access is reliable and its speed is consistent.
   o The link does not cross the Internet, so link encryption is not required (credentials should still be protected by a strong PPP authentication method such as MS-CHAP v2 or EAP rather than PAP).
   o Security features such as caller ID verification and callback security can be used.
• VPN remote access: A VPN provides secure connections through a nonsecure network. With VPN access, encryption is used to create the VPN tunnel between the remote client and the corporate network. The advantages of VPN access are:
   o Many client connections can be accepted over the server's single Internet connection.
   o You can easily adapt existing Internet connections to carry VPN access.
   o If clients can use a broadband Internet connection, more bandwidth is available than dial-in access provides.
   o To secure VPN access, Windows Server 2003 provides strong levels of encryption.
• Wireless remote access: Wireless networks are defined by the IEEE 802.11 specifications. Wireless users connect to the network by associating with a wireless access point (WAP). Wireless networks do not have the inbuilt physical security of wired networks and are therefore more exposed to intruders. To secure wireless networks and wireless connections, administrators can require all wireless communications to be authenticated and encrypted; a number of wireless security technologies are available for this. When planning wireless remote access, planning wireless security should be a high priority.

Understanding Network Access Client Types

Based on the different types of remote access, there are three network access client types:

• Dial-up client: A dial-up client uses a physical (telephone) connection to the remote access server to establish a connection to it. A dial-up client can access resources in much the same manner as if it were physically connected to the network. Dial-up clients can:
   o Access network resources and services.
   o Share files.
   o Map network drives and perform other operations, based on the access that is allowed.
  You should use dial-up clients when the following conditions are present:
   o The Internet cannot be used to access resources on the corporate network because of security issues.
   o The throughput provided by a dial-up connection adequately meets the requirements of the remote access clients, so they are able to perform the functions they need to.
   o The expense of phone lines and modems is affordable.
• VPN client: A VPN client uses the Internet, a tunneling protocol and TCP/IP to establish a connection to the network.
• Wireless client: These clients connect to the network over radio (IEEE 802.11) rather than over a cable.

Dial-In Access Design Considerations

The common dial-up networking connection methods are:

• Plain old telephone service (POTS): In the early days of dial-up networking, ordinary phone lines were used to establish the dial-up connection. The amount of data that could be passed was initially limited because analog components caused signal loss. This has since improved as the connections between phone offices have become all-digital paths.
• Integrated Services Digital Network (ISDN): ISDN uses an all-digital signal path and includes features such as caller ID, call forwarding and fast call setup times.
• Point-to-Point Protocol (PPP): PPP uses a three-phase negotiation (link establishment, authentication, network-layer configuration) to enable devices to establish a TCP/IP connection over a serial link. A number of protocols operate on top of PPP to carry out this negotiation, such as the Challenge Handshake Authentication Protocol (CHAP), Callback Control Protocol (CBCP), Compression Control Protocol (CCP) and IP Control Protocol (IPCP), after which IP traffic itself is carried.

A few factors to consider before implementing dial-in remote access are:

• You need to provide for the initial cost of setting up a dial-up networking infrastructure, which includes the cost of:
   o Modems
   o Phone lines
   o Communication hardware
   o Server hardware
• The cost of dial-in remote access increases as more phone lines are added for remote access. The number of remote access users also affects the cost of dial-up networking.

The main factors or issues that you need to clarify when planning a dial-up networking strategy are:

• The method you will use to assign IP addresses to clients. The methods you can choose between are:
   o Configure the RRAS server to assign IP addresses to clients from a static address pool defined on the RRAS server. In this method, you have to configure the static address pool on the RRAS server. A few factors to consider on static address assignment are:
      - Each address assigned has to be unique. You therefore have to ensure that the static address pool configured for the RRAS server does not overlap with the address ranges defined on your DHCP server.
      - With multiple RRAS servers, each server needs its own static address pool that does not overlap with those of the other servers.
      - The RRAS server takes the first address of the pool for its own internal interface, so a pool must hold one more address than the number of simultaneous clients it is to serve.
   o Configure the RRAS server to request IP addresses for clients from a DHCP server. This method is more practical than using a static address pool: remote access clients are assigned IP addresses from the range already configured on the DHCP server, which eliminates the possibility of conflicting address assignments.
• The type and number of incoming ports you will need. The factors that fall within this planning component are:
   o Whether multilink connections need to be supported.
   o The number of remote access users who will need to access the network simultaneously.
   o The number of IP addresses available.
   o The bandwidth available on the RRAS server's connection to the LAN.
• The security you will implement for your dial-in access strategy. There are two methods that you can use to control which users are able to access the network remotely:
   o You can allow or deny remote access for individual users. You configure individual user access on the Dial-in tab of the Properties dialog box of the specific user, which you open from the Active Directory Users and Computers console.
   o You can allow or deny remote access by configuring remote access policies. This method allows you to grant remote access based on criteria such as the user, group membership and time of day. The setting on the Dial-in tab of the user's Properties dialog box dictates whether the permission setting of a remote access policy applies to that user.
  The Dial-in tab offers the following settings:
   o Allow Access: the user is allowed to access the network remotely. The permission setting of the remote access policies is ignored; note, however, that the connection must still match the conditions of some policy (if no policy matches, the connection is rejected) and the profile of the matching policy is still applied.
   o Deny Access: the user is denied remote access, whatever the policies say.
   o Control access through Remote Access Policy: the permission setting of the first matching remote access policy dictates whether or not the user is allowed remote access.
  Remote access policies can also be used to restrict connections after they have been authorized, through the following profile settings:
   o Idle timeout
   o Maximum session time
   o IP packet filters
   o Encryption strength
   o IP addresses for PPP connections and static routes.
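The two static-pool rules above (no overlap with DHCP scopes, no overlap between RRAS servers) are easy to get wrong when pools are typed into several consoles by hand. The following Python script is an added example, not part of the original study guide: it takes the pools and scopes as plain first/last address pairs (the server names, addresses and scope name below are constructed sample data, not values from the page), reports every overlapping pair, and computes how many clients a pool can actually serve given that RRAS reserves the pool's first address for its own internal interface.

```python
"""Check RRAS static address pools for overlaps and for adequate size.

Added example, not part of the original study guide. The RRAS pools and
DHCP scope below are constructed sample data standing in for what you
would read from the RRAS and DHCP consoles.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

IPRange = Tuple[int, int]  # inclusive (first, last) as integers

# Constructed sample data: static pool per RRAS server, as (first, last).
RRAS_POOLS: Dict[str, Tuple[str, str]] = {
    "ras1.example.local": ("192.168.10.200", "192.168.10.219"),
    "ras2.example.local": ("192.168.10.215", "192.168.10.230"),  # collides with ras1
}

# Constructed sample data: DHCP scope address range (exclusions already removed).
DHCP_SCOPES: Dict[str, Tuple[str, str]] = {
    "scope-192.168.10.0": ("192.168.10.100", "192.168.10.220"),  # reaches into both pools
}


def to_range(first: str, last: str) -> IPRange:
    """Convert a first/last dotted-quad pair to an inclusive integer range."""
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    if lo > hi:
        raise ValueError(f"range {first}-{last} is reversed")
    return lo, hi


def overlap(a: IPRange, b: IPRange) -> Optional[IPRange]:
    """Return the shared sub-range of two inclusive ranges, or None if disjoint."""
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return (lo, hi) if lo <= hi else None


def describe(r: IPRange) -> str:
    """Render an integer range as 'a.b.c.d-a.b.c.e (n addresses)'."""
    return (f"{ipaddress.IPv4Address(r[0])}-{ipaddress.IPv4Address(r[1])} "
            f"({r[1] - r[0] + 1} addresses)")


def find_conflicts(rras_pools: Dict[str, Tuple[str, str]],
                   dhcp_scopes: Dict[str, Tuple[str, str]]) -> List[str]:
    """One message per overlapping pair: every pool against every DHCP scope,
    then every pool against every other pool (each RRAS server needs its own)."""
    pools = {n: to_range(*r) for n, r in rras_pools.items()}
    scopes = {n: to_range(*r) for n, r in dhcp_scopes.items()}
    conflicts: List[str] = []
    for pname, prange in pools.items():
        for sname, srange in scopes.items():
            shared = overlap(prange, srange)
            if shared:
                conflicts.append(f"{pname} pool overlaps DHCP {sname}: {describe(shared)}")
    names = list(pools)
    for i, p1 in enumerate(names):
        for p2 in names[i + 1:]:
            shared = overlap(pools[p1], pools[p2])
            if shared:
                conflicts.append(f"{p1} pool overlaps {p2} pool: {describe(shared)}")
    return conflicts


def client_capacity(first: str, last: str) -> int:
    """Clients a static pool can serve: RRAS takes the pool's first address for
    its own internal interface, so one address is never handed to a client."""
    lo, hi = to_range(first, last)
    return (hi - lo + 1) - 1


if __name__ == "__main__":
    for line in find_conflicts(RRAS_POOLS, DHCP_SCOPES):
        print("CONFLICT:", line)
    for name, (first, last) in RRAS_POOLS.items():
        print(f"{name}: pool serves at most {client_capacity(first, last)} clients")
```

Run as-is, the constructed data produces three conflicts (each pool against the DHCP scope, and the two pools against each other); fixing them means either shrinking the DHCP scope or, as the text recommends, letting RRAS obtain addresses from DHCP instead of maintaining pools at all.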

VPN Access Design Considerations

Before looking at the design considerations for implementing a VPN remote access strategy, let's first look at the components that are needed for a VPN connection to occur:

• A transit network, a public network such as the Internet. Data travels over the public network to reach the remote network.
• A VPN client, which creates a connection to the gateway configured as the VPN server.
• A VPN server, running the Routing and Remote Access service (RRAS), which performs the following operations:
   o Listens for connection requests from VPN clients.
   o Establishes whether requests are permitted.
   o Authenticates the clients that request a connection.
   o Forwards traffic between the VPN client and the corporate network.
   o Assigns IP addresses to clients, either from a static address pool or through DHCP.
• A VPN tunnel, a connection that encrypts and encapsulates data. The tunneling protocols used to encapsulate data and manage VPN tunnels are:
   o Point-to-Point Tunneling Protocol (PPTP)
   o Layer Two Tunneling Protocol (L2TP)
• Tunneled data, the term used for data being sent over the tunnel.

The main factors or issues that you need to clarify when planning a VPN remote access strategy are summarized below:

• The placement of the VPN servers. The choices for VPN server placement are:
   o Place the VPN server on the private internal network: For this placement, the firewall has to allow the VPN traffic through to the VPN server.
   o Place the VPN server on the perimeter network: For this placement, you have to perform the following configurations:
      - On the VPN server, configure inbound and outbound filters on its Internet interface that allow only VPN traffic to and from that interface.
      - On the firewall, allow the traffic from the VPN server into the internal network.
• The hardware requirements of the VPN server:
   o It is recommended to connect the interfaces on the private network to a high-capacity switch.
   o Set devices to 100 Mbps full duplex.
   o For a multiprocessor computer, bind a processor to each network adapter.
   o It is better to double the processor speed than to double the number of processors.
   o 512 MB of RAM is sufficient for 1,000 simultaneous connections. An additional 128 MB of RAM (above the standard RAM capacity for the server) is required for each further 1,000 simultaneous calls, and a further 128 MB should be added for remote access and services.
• The VPN protocols that you will be using. You can support one or both of the VPN tunneling protocols, Point-to-Point Tunneling Protocol (PPTP) and Layer Two Tunneling Protocol (L2TP). The factors to consider when deciding which VPN protocol to use are:
   o The requirements of clients:
      - Windows 95, Windows 98, Windows ME, Windows NT 4.0, Windows 2000, Windows XP and Windows Server 2003 support PPTP.
      - Only Windows 2000, Windows XP and Windows Server 2003 support L2TP natively.
   o Public Key Infrastructure (PKI) requirements: For L2TP over IPSec, a PKI is needed for the mutual authentication of the VPN server and the client computer; computer certificates must be installed on the VPN server and on the VPN clients. User authentication is a separate, PPP-level step that uses a protocol such as Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2) or Extensible Authentication Protocol-Transport Layer Security (EAP-TLS); EAP-TLS in turn needs user certificates or smart cards.
   o Whether IPSec is needed as well. PPTP encrypts the tunnel (with MPPE) but authenticates only the user and provides no per-packet integrity protection. L2TP relies on IPSec for encryption; L2TP over IPSec also authenticates the two computers to each other and provides data integrity, so if you need computer-level authentication or integrity protection you must support L2TP over IPSec.
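The perimeter-network placement above depends on getting the packet filters on the VPN server's Internet interface exactly right: too few and clients of one tunneling protocol cannot connect, too many and the server is exposed for no reason. The Python below is an added example, not code from the original study guide. It encodes the published protocol and port numbers for PPTP (TCP 1723 plus GRE, IP protocol 47) and L2TP/IPSec (UDP 500 for IKE, UDP 4500 for NAT traversal, ESP, IP protocol 50) and compares them with a "drop all except" permit list; the permit-list format and the sample table are constructed stand-ins for what the RRAS or firewall console shows.

```python
"""Derive and check the inbound packet filters a VPN server on a perimeter
network needs on its Internet interface.

Added example, not part of the original study guide. The protocol/port
numbers are the published ones for PPTP and L2TP/IPSec; the filter table
format is a constructed stand-in for the RRAS or firewall console view.
"""
from typing import Dict, Iterable, List, Optional, Set, Tuple

# A filter is (ip_protocol_name, destination_port); port None means "any port",
# which is what a protocol-only filter (GRE, ESP) amounts to.
Filter = Tuple[str, Optional[int]]

REQUIRED_INBOUND: Dict[str, Set[Filter]] = {
    # PPTP: TCP 1723 for the control connection, GRE (IP protocol 47) for the tunnel.
    "PPTP": {("tcp", 1723), ("gre", None)},
    # L2TP/IPSec: IKE on UDP 500, NAT-T on UDP 4500, ESP (IP protocol 50).
    # UDP 1701 (L2TP itself) travels inside ESP, so it needs no filter of its own.
    "L2TP/IPSec": {("udp", 500), ("udp", 4500), ("esp", None)},
}


def _key(f: Filter):
    """Sort key that tolerates the None port of protocol-only filters."""
    return (f[0], -1 if f[1] is None else f[1])


def required_filters(protocols: Iterable[str]) -> Set[Filter]:
    """Union of the inbound permits needed for the chosen tunneling protocols."""
    required: Set[Filter] = set()
    for proto in protocols:
        if proto not in REQUIRED_INBOUND:
            raise ValueError(f"unknown VPN protocol {proto!r}")
        required |= REQUIRED_INBOUND[proto]
    return required


def check_filter_table(permits: Iterable[Filter],
                       protocols: Iterable[str]) -> Tuple[List[Filter], List[Filter]]:
    """Compare the 'drop all except' permit list on the Internet interface with what
    the chosen tunneling protocols need. Returns (missing, extra): missing filters
    break the VPN, extra ones widen the server's exposure for no reason.
    Outbound filters are the mirror image (same protocols, VPN port as source port)."""
    required = required_filters(protocols)
    permitted = set(permits)
    if ("any", None) in permitted:
        missing: List[Filter] = []   # nothing is missing because everything is open
    else:
        missing = sorted(required - permitted, key=_key)
    extra = sorted(permitted - required, key=_key)
    return missing, extra


# Constructed sample: a filter table typed in for a server offering both protocols.
SAMPLE_PERMITS: List[Filter] = [("tcp", 1723), ("gre", None), ("udp", 500), ("udp", 1701)]

if __name__ == "__main__":
    missing, extra = check_filter_table(SAMPLE_PERMITS, ["PPTP", "L2TP/IPSec"])
    print("missing:", missing)   # NAT-T and ESP absent: L2TP/IPSec clients cannot connect
    print("extra:", extra)       # UDP 1701 is not needed outside the IPSec association
```

The sample table illustrates the two classic mistakes: forgetting ESP and NAT-T (the IKE negotiation succeeds and then no tunnel traffic flows), and adding a UDP 1701 permit that L2TP over IPSec never needs on the outside.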

Wireless Remote Access Design Considerations

The main requirements for enabling wireless remote access are:

• You need to configure remote access policies that allow wireless users to connect to the network.
• If you are going to configure your WAPs for RADIUS authentication, you should deploy a second IAS server and configure it as a backup to the primary server. This enables wireless clients to continue establishing connections when the primary IAS server is unavailable.
• When planning to use multiple WAPs, bear the following in mind:
   o All WAPs and clients should support the same protocols.
   o All your WAPs can use the same IAS server for authentication.
   o Each WAP must be included in the list of RADIUS clients on the IAS server.
   o Each WAP must be configured for RADIUS authentication.
• If you want your WAPs to use IAS authentication, you have to perform the following additional configurations:
   o Each WAP must be added as a RADIUS client in the IAS MMC snap-in, with a strong shared secret that is unique to that WAP.
   o On the WAP, you have to enable RADIUS authentication and define the primary and backup IAS servers.
• Because security is a high priority for wireless networks, you should use WAPs and adapters that support the following:
   o Firmware updates
   o WEP using 128-bit encryption
   o Disabling of SSID broadcasts
   o MAC filtering to restrict wireless access based on MAC addresses
  Note that WEP at either key length is cryptographically broken, and that SSID hiding and MAC filtering only deter casual users; prefer WPA with 802.1X authentication wherever clients support it, and treat the other three as minor hardening steps rather than access controls.
• When planning wireless security, remember to decide on the following elements:
   o Whether the Wi-Fi Protected Access (WPA) protocol or the Wired Equivalent Privacy (WEP) protocol will be used.
   o For WEP, whether 64-bit or 128-bit keys will be used.
   o Whether 802.1X authentication will be used.
   o Whether wireless clients will use IPSec.
   o Whether MAC address filtering will be used.
   o Whether Group Policy will be used to configure wireless client security.

Determining Authentication Methods for Remote Access

When planning your remote access strategy, you need to determine the authentication method that will be used to authenticate clients connecting to the remote access server. Once authentication has occurred, authorization determines the level of access that the user has to network resources. The different authentication protocols are listed below:

• Kerberos Version 5: The standard Internet protocol used to authenticate users and computers in Active Directory domains.
• NT LAN Manager (NTLM): This protocol is mainly used to authenticate users and computers in Windows NT domains, and remains as a fallback where Kerberos cannot be used.
• Secure Sockets Layer/Transport Layer Security (SSL/TLS): SSL/TLS is used for certificate-based authentication when Web servers are accessed.
• .NET Passport Authentication: Used to authenticate Internet, intranet and extranet users for IIS 6.
• Challenge Handshake Authentication Protocol (CHAP): A challenge-response authentication protocol used for PPP connections; it requires the server to store user passwords with reversible encryption.
• Microsoft Challenge Handshake Authentication Protocol Version 2 (MS-CHAP v2): Provides mutual authentication and is used for network and dial-up authentication.
• Password Authentication Protocol (PAP): A network and dial-up authentication method that sends passwords in plain text with no encryption.
• Shiva Password Authentication Protocol (SPAP): A simple, reversibly encrypted password authentication protocol used by Shiva remote access clients.
• Extensible Authentication Protocol (EAP): A framework for network and dial-up authentication over PPP that carries pluggable authentication methods, such as the two below.
• Extensible Authentication Protocol-Transport Layer Security (EAP-TLS): Uses certificates (typically on smart cards) for mutual authentication.
• Protected Extensible Authentication Protocol (PEAP): Wraps the EAP exchange in a TLS tunnel authenticated by the server's certificate, and is commonly used to protect 802.1X wireless authentication.
• MD5-Challenge (EAP-MD5): An EAP method that authenticates through a name and password challenge; it provides no mutual authentication.

Determining Domain Functional Levels

The domain functional level specified for the domain determines whether additional security features are supported, and therefore also affects which remote access security features can be used. The Windows Server 2003 domain functional level is the highest level that can be specified for a domain. All Active Directory domain features are available at the Windows Server 2003 domain functional level, including the following:

• Domain local and global groups
• Security group nesting
• Group conversion between security groups and distribution groups
• SID history
• Update logon timestamp
• User password support on the InetOrgPerson object

How to check which domain function level is set for the domain
1. Open the Active Directory Domains And Trusts console
2. Right-click the particular domain whose functional level you want verify, and select Raise
Domain Functional Level from the shortcut menu.
3. The Raise Domain Functional Level dialog box opens
4. You can view the existing domain functional level for the domain in Current domain
functional level.
How to raise the domain functional level for a domain
1. Open the Active Directory Domains And Trusts console
2. Right-click the particular domain whose functional level you want to raise, and select
Raise Domain Functional Level from the shortcut menu.
3. The Raise Domain Functional Level dialog box opens.
4. Use the Select An Available Domain Functional Level list to choose the domain functional
level for the domain.
5. Click Raise
6. Click OK

Determining the Level of Encryption for VPN Access

For VPN access, you need to decide on the level of encryption that will be used. The options are:

• No encryption: This option is not recommended because it allows unencrypted VPN connections.
• Basic encryption: This option is not recommended either, because a weak 40-bit MPPE key is used for PPTP connections (56-bit DES for L2TP/IPSec).
• Strong encryption: A 56-bit MPPE key is used for PPTP connections; with L2TP/IPSec, 56-bit DES is used.
• Strongest encryption: A 128-bit MPPE key is used for PPTP connections; with L2TP/IPSec, 3DES is used.

How to enable remote access for a specific user

1. Click Start, Administrative Tools, and then click Active Directory Users and Computers to
open the Active Directory Users and Computers management console.
2. In the console tree, expand the domain that contains the user account that you want to
enable remote access for.
3. Select the Users container.
4. In the right pane, locate the user account that you want to configure.
5. Right-click the specific user account and then select Properties from the shortcut menu.
6. The Properties dialog box of the user opens.
7. Click the Dial-in tab.
8. In the Remote Access Permission area, click the Allow Access option.
9. Click OK.

How to enable remote access based on remote access policy
1. Click Start, Administrative Tools, and then click Active Directory Users and Computers to
open the Active Directory Users and Computers management console.
2. In the console tree, expand the domain that contains the user account that you want to
enable remote access for.
3. Select the Users container.
4. In the right pane, locate the user account that you want to configure.
5. Right-click the specific user account and then select Properties from the shortcut menu.
6. The Properties dialog box of the user opens.
7. Click the Dial-in tab.
8. In the Remote Access Permission area, click the Control Access Through Remote Access
Policy option.
9. Click OK.

How to install computer certificates to support L2TP over IPSec for VPN connections
1. Click Start, Run, and enter mmc in the Run dialog box. Click OK.
2. From the File menu, select Add/Remove Snap-In.
3. When the Add/Remove Snap-In dialog box opens, click Add.
4. When the Add Standalone Snap-In dialog box opens, select Certificates from the available list and click Add.
5. Select Computer account, click Next, select Local computer, and click Finish (a computer certificate must be requested in the computer's store, not the user's).
6. Click Close to close the Add Standalone Snap-In dialog box.
7. Click OK in the Add/Remove Snap-In dialog box.
8. In the Certificates console, in the console tree, expand Certificates (Local Computer).
9. Select Personal.
10. Click the Action menu, select All Tasks, and then Request New Certificate.
11. The Certificate Request Wizard launches.
12. Click Next on the initial page of the wizard.
13. For the type of certificate to request, click Computer and click Next.
14. Specify a name and description for the computer certificate, and then click Next.
15. Click Finish.
Requesting a certificate this way requires an enterprise certification authority in the domain; repeat the procedure on each VPN client so that both ends of the L2TP/IPSec connection hold a computer certificate.

How to create a remote access policy for wireless access
1. Click Start, Administrative Tools, and then click Routing and Remote Access to open the
Routing and Remote Access console.
2. Click the Action menu, and then select New Remote Access Policy.
3. The New Remote Access Policy Wizard launches.
4. Click Next on the initial screen of the New Remote Access Policy wizard.
5. On the Policy Configuration Method page, select the Use the wizard to set up a typical
policy option.
6. In the Policy Name field, provide a name for the policy. Click Next.
7. On the Access Method page, select the Wireless option. Click Next.
8. On the User or Group Access page, select the Group option, and then click the Add button.
9. Specify the group, and then click OK and Next.
10. Select the Smart card or other certificate option and then click Next.
11. Click Finish.

How to disable password based authentication

Because password based authentication is considered a weak authentication method for securing remote access, you should disable the following password based authentication methods/protocols:

• Password Authentication Protocol (PAP)
• Shiva Password Authentication Protocol (SPAP)
• Challenge Handshake Authentication Protocol (CHAP)
• Microsoft Challenge Handshake Authentication Protocol Version 1 (MS-CHAP v1)

Leave MS-CHAP v2 and/or EAP enabled, otherwise no client will be able to authenticate at all. To do this,
1. Click Start, Administrative Tools, and then click Routing and Remote Access to open the
Routing and Remote Access console.
2. In the console tree, select the server, and then click the Action menu to select the
Properties command.
3. Switch to the Security tab.
4. Click the Authentication Methods button.
5. The Authentication Methods dialog box opens.
6. Disable the checkbox for Microsoft Encrypted Authentication (MS-CHAP).
7. Disable the checkbox for Encrypted Authentication (CHAP).
8. Disable the checkbox for Shiva Password Authentication Protocol (SPAP)
9. Disable the checkbox for Unencrypted Password (PAP).
10. Click OK.

Securing Remote Access and VPN Servers

Remote Access and VPN Server Security Issues
Remote access servers provide access to the network for remote users. The different types of remote access connections are dial-in remote access, VPN remote access and wireless remote access. Dial-in remote access uses modems, servers running the Routing and Remote Access service (RRAS) and the Point-to-Point Protocol (PPP) to let remote users access the network. VPN remote access provides secure connections through a nonsecure network; encryption is used to create the VPN tunnel between the remote access client and the corporate network. Wireless users connect to the network through a wireless access point (WAP). Wireless networks do not have the inbuilt physical security of wired networks and are more exposed to intruders, so administrators can require all wireless communications to be authenticated and encrypted using one of a number of wireless security technologies.

Basic security measures for securing remote access servers are listed here:

• Physically secure your remote access servers.
• Apply and maintain a strong virus protection solution, and keep software patches up to date.
• Use the NTFS file system to protect data on the system volume.
• Uninstall all unnecessary services and applications that are not used on your remote access servers.
• Secure the well-known accounts: the Administrator account and the Guest account.
• To protect remote access servers from unauthorized access, enforce the use of strong passwords.
• You can use any of these methods to secure traffic between a remote access server and remote users:
   o Signing
   o Encryption
   o Tunneling
• IPSec filters can be used to protect confidential IP traffic.
• Consider using smart cards to further strengthen your access security strategy.
• Monitor remote access server activity.

Additional security measures for securing remote access servers are listed below:

• You can create and configure remote access policies. Remote access policies can be used to restrict remote connections once they have been authorized.
• You can create and configure remote access profiles.
• You can configure remote access authentication methods.
• You can configure encryption levels to secure remote access communication.
• You can control access through the Dial-in properties of the individual user accounts that remote access clients use to connect to the network.
• You can use Remote Authentication Dial-In User Service (RADIUS) to provide authentication, authorization and accounting for your remote access infrastructure.
• You can raise the domain functional level to provide additional security features for your remote access infrastructure.

Using Authentication and Encryption Methods to Secure Access to Remote Access and VPN Servers
There are a number of different authentication methods supported by the Windows Server 2003 Routing and Remote Access Service (RRAS) which you can configure to authenticate remote users when they attempt to connect to remote access servers:

• Unencrypted Password (PAP): uses plain text passwords and no encryption. PAP is only provided as an authentication method for those clients that do not support any more secure authentication method, and should otherwise be disabled.
• Shiva Password Authentication Protocol (SPAP): a simple password authentication protocol whose reversible encryption provides no real protection. SPAP is an insecure authentication protocol.
• Encrypted Authentication (CHAP): a challenge-response authentication protocol used for PPP connections. This method authenticates users by their passwords, which the server must store with reversible encryption.
• Microsoft Encrypted Authentication (MS-CHAP): the same encryption key is used for sent and received messages, and only the client is authenticated, which makes this method weaker than MS-CHAP v2.
• Microsoft Encrypted Authentication Version 2 (MS-CHAP v2): provides mutual authentication for network and dial-up connections through the use of encrypted passwords, with separate keys for each direction. MS-CHAP v2 is one of the more secure password-based methods available to control remote access connections to your remote access servers.
• Extensible Authentication Protocol (EAP): enables RRAS to use the authentication methods provided by Windows 2000 and Windows Server 2003 together with third-party methods, such as smart card authentication (EAP-TLS). EAP offers mutual authentication and provides for the negotiation of encryption methods.

To configure an authentication method,
1. Click Start, Administrative Tools, and then click Routing and Remote Access to open the Routing and Remote Access console.
2. In the console tree, select the remote access server, and then click the Action menu to select the Properties command.
3. Switch to the Security tab.
4. Click the Authentication Methods button.
5. The Authentication Methods dialog box opens.
6. Specify the authentication method you want to use.

To disable the weaker password based authentication methods,
1. Click Start, Administrative Tools, and then click Routing and Remote Access to open the Routing and Remote Access console.
2. In the console tree, select the remote access server that you want to configure, and then click the Action menu to select the Properties command.
3. Switch to the Security tab.
4. Click the Authentication Methods button.
5. The Authentication Methods dialog box opens.
6. Clear the Microsoft Encrypted Authentication (MS-CHAP) checkbox.
7. Clear the Encrypted Authentication (CHAP) checkbox.
8. Clear the Shiva Password Authentication Protocol (SPAP) checkbox.
9. Clear the Unencrypted Password (PAP) checkbox.
10. Click OK.

To secure VPN remote access connections, configure one of these levels of encryption:

• Basic encryption: this level should not be used, because a weak 40-bit key is used for encryption.
• Strong encryption: a 56-bit key is used for encryption.
• Strongest encryption: a 128-bit key is used for encryption.

Using Remote Access Policies and Remote Access Profiles to Secure Remote Access
Remote access policies can be used to specify which users are allowed to establish
connections to remote access servers. Remote access policies enable administrators to
restrict user access based on the actual user, group membership, and time of day. You can
also use remote access policies to control which authentication protocols and encryption
methods clients utilize. After a connection is established to a remote access server, you can
also configure restrictions for the connection through remote access policies.
Remote access profiles contain a set of properties that are applied to remote access
connections that match the conditions specified in the remote access policy. Through
remote access profiles, you can specify what actions should occur once the connection is
authorized by the remote access server.
To control connections to remote access servers through remote access policy,
1. Click Start, Administrative Tools, and then click Active Directory Users and Computers to
open the Active Directory Users and Computers management console.
2. In the console tree, expand the domain that contains the user account that you want to
enable remote access for.
3. Select the Users container.
4. In the right pane, locate the user account that you want to configure.
5. Right-click the specific user account and then select Properties from the shortcut menu.
6. Click the Dial-in tab.
7. In the Remote Access Permission area, click the Control Access Through Remote Access
Policy option.
8. Click OK.
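
The following Windows PowerShell script is an added illustration; it is not part of this guide and does not call any RRAS interface. It models the two-stage decision the text describes, policy conditions (group membership and time of day) followed by profile constraints (permitted authentication protocols and minimum encryption level), using the authentication methods and key lengths named in the preceding sections. The policy values, the VPN Users group and the connection attempts are constructed for the example.

```powershell
# Added illustrative model (not from the original guide and not an RRAS API):
# a remote access policy is evaluated in two stages, as the text describes.
# Stage 1 - policy conditions decide whether the policy applies to the attempt.
# Stage 2 - profile constraints decide what an authorized connection may use.

# Key lengths the guide gives for the three RRAS encryption levels.
$EncryptionBits = @{ Basic = 40; Strong = 56; Strongest = 128 }

function New-RemoteAccessPolicy {
    param(
        [string[]]$AllowedGroups,       # condition: Windows group membership
        [int]$AllowedFromHour,          # condition: start of the time-of-day window (24h)
        [int]$AllowedToHour,            # condition: end of the window (exclusive)
        [string[]]$AllowedAuthMethods,  # profile: authentication protocols clients may use
        [string]$MinimumEncryption      # profile: Basic, Strong or Strongest
    )
    New-Object PSObject -Property @{
        AllowedGroups      = $AllowedGroups
        AllowedFromHour    = $AllowedFromHour
        AllowedToHour      = $AllowedToHour
        AllowedAuthMethods = $AllowedAuthMethods
        MinimumEncryption  = $MinimumEncryption
    }
}

function Test-RemoteAccessConnection {
    param(
        [PSObject]$Policy,
        [string[]]$UserGroups,   # groups the connecting account belongs to
        [int]$Hour,              # hour of the connection attempt (0-23)
        [string]$AuthMethod,     # protocol the client offers, e.g. PAP or MS-CHAPv2
        [string]$Encryption      # encryption level the client negotiates
    )
    # Stage 1: conditions. The account's dial-in permission is "Control Access
    # Through Remote Access Policy", so an attempt matching no condition is refused.
    $inGroup  = @($UserGroups | Where-Object { $Policy.AllowedGroups -contains $_ }).Count -gt 0
    $inWindow = ($Hour -ge $Policy.AllowedFromHour) -and ($Hour -lt $Policy.AllowedToHour)
    if (-not ($inGroup -and $inWindow)) {
        return 'Rejected: connection attempt matches no policy condition'
    }

    # Stage 2: profile constraints. Leaving PAP, SPAP, CHAP and MS-CHAP out of the
    # allowed list has the same effect as clearing their checkboxes in the
    # Authentication Methods dialog box: clients offering them are refused.
    if ($Policy.AllowedAuthMethods -notcontains $AuthMethod) {
        return "Rejected: authentication method '$AuthMethod' is not permitted"
    }
    $offered  = $EncryptionBits[$Encryption]
    $required = $EncryptionBits[$Policy.MinimumEncryption]
    if ($null -eq $offered -or $offered -lt $required) {
        return "Rejected: encryption level '$Encryption' is below the required '$($Policy.MinimumEncryption)'"
    }
    return 'Accepted'
}

# Constructed sample policy: members of "VPN Users", 08:00-18:00, MS-CHAPv2 or EAP
# only, 128-bit (Strongest) encryption required.
$policy = New-RemoteAccessPolicy -AllowedGroups 'VPN Users' -AllowedFromHour 8 -AllowedToHour 18 `
    -AllowedAuthMethods 'MS-CHAPv2', 'EAP' -MinimumEncryption 'Strongest'

# Constructed connection attempts: a compliant client, a client offering a weak
# password-based method, a client negotiating 40-bit encryption, and an attempt
# from an account outside the allowed group.
Test-RemoteAccessConnection $policy -UserGroups 'VPN Users'    -Hour 10 -AuthMethod 'MS-CHAPv2' -Encryption 'Strongest'
Test-RemoteAccessConnection $policy -UserGroups 'VPN Users'    -Hour 10 -AuthMethod 'PAP'       -Encryption 'Strongest'
Test-RemoteAccessConnection $policy -UserGroups 'VPN Users'    -Hour 10 -AuthMethod 'EAP'       -Encryption 'Basic'
Test-RemoteAccessConnection $policy -UserGroups 'Domain Users' -Hour 10 -AuthMethod 'MS-CHAPv2' -Encryption 'Strongest'
```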

Remote Server Management

An Overview on Remote Server Management
In enterprises that need a secure environment, servers and desktops are usually managed
remotely. Administration is rarely performed by logging on to the local console. Remote
management or administration is not a new notion, and is used largely to manage servers
and desktops. Windows Server 2003 includes a few technologies which can be used for the
administration of remote client computers, and to remotely manage servers. These include:
• Microsoft Management Console snap-ins can be used to connect to a remote system and
manage the remote system.
• Web Interface for Remote Administration can be used to manage a server through a Web
browser on a remote computer.
• Remote Desktop For Administration: The Terminal Services service enables Remote
Desktop For Administration and Remote Assistance. The Terminal Services service is
automatically installed on Windows Server 2003, and can be set up to support Remote
Desktop For Administration. Through Remote Desktop For Administration, Terminal
Services can be used as a management tool. Two simultaneous remote connections are
possible.
• Remote Assistance: The Remote Assistance feature enables a client or user to request
assistance from another user, normally an administrator or technician who is referred to
as an expert. The expert is able to connect to the user's computer and view and control the
user's desktop, to provide assistance in solving the user's issue.

Using Microsoft Management Console snap-ins to Remotely Manage Computers
The main administrative tools in Windows Server 2003 are MMC consoles which contain one
or multiple tools, known as snap-ins. Snap-ins are specialized administration tools used for
performing certain tasks which are added to an MMC console. Some MMC snap-ins can be
used to manage the local computer and remote computers. This means that you can create
custom MMC consoles to manage local and remote servers. The MMC is made up of a
console tree pane, a details pane, MMC menus and an MMC toolbar. An MMC console can
also be configured so that nobody is able to change it.
An MMC console which has no added snap-ins is basically a blank sheet or an empty MMC to
which you can add administration tools or snap-ins. The console root would eventually
include all the snap-ins which you add. Each snap-in that you add to an MMC adds its own
unique MMC menu and MMC toolbar items.
The types of snap-ins that exist are:
• Stand-Alone Snap-Ins: These are snap-ins which are provided by an application's
developer for specific tasks. For instance, Administrative Tools for Windows Server 2003
are single snap-ins, or a collection of snap-ins used for a specific set of tasks.
• Extension Snap-Ins: These are snap-ins which operate together with one or more
stand-alone snap-ins. An extension snap-in operates with a stand-alone snap-in, based on
the functionality associated with that particular stand-alone snap-in.

The MMC consoles can be saved in two modes, namely Author mode or User mode. The
mode which the console is saved in determines what nodes in the console tree can be
accessed, the snap-ins which can be added to the console, and the windows which can be
created.
• Author mode: This is the default mode in which a console is saved. It allows full access
to the MMC, and the capability to change all aspects of the MMC, including the following:
  o View the console tree
  o Save the console
  o Add and remove snap-ins
  o Create windows, tasks, and taskpad views
  o Change options on the console
• User mode: You can choose to save the console in user mode if you want to distribute an
MMC. The user modes which you can choose between are listed below:
  o User mode Full Access: Users are able to access the console tree, navigate between
  snap-ins, and open windows. They have full access to the windowing commands. Users
  are however unable to add and remove snap-ins.
  o User mode Limited Access, Multiple Windows: Users are able to view multiple
  windows in the console tree, but can only access those portions of the console that
  existed when it was saved.
  o User mode Limited Access, Single Window: Users are able to view a single window
  in the console tree, but can only access those portions of the console that existed
  when it was saved.
A few common menu items added by the majority of snap-ins are listed below:
• File menu: Items on this menu allow you to perform the tasks listed below:
  o Create a new console
  o Add or remove snap-ins from the console
  o Open an existing console
  o Specify options for saving the console
  o Open recently utilized consoles
• Action menu: Items on this menu allow you to perform the tasks listed below:
  o Export option
  o Import option
  o Configuration option
  o Help features for the snap-in
• View menu: Includes options which allow you to customize certain attributes of the
console.
• Favorites menu: Includes options which allow you to add saved consoles, and
organize them.
• Window menu: Includes options for navigating through and viewing the console, such as
opening new windows and child windows.
• Help menu: The Help menu contains the MMC general help menu, and the help menu
specific to the added snap-ins.

How to create a customized MMC console
1. Click Start, Run, and enter mmc in the dialog box. Click OK.
2. Select Add/Remove Snap-In from the File menu.
3. When the Add/Remove Snap-In dialog box opens, click Add.
4. This opens the Add Standalone Snap-in dialog box which displays the list of available
snap-ins which you can add to the MMC.
5. Select the snap-in which you want to add, and then click Add.
6. On the Select Computer dialog box, select the computer which the snap-in would
manage. You can choose to manage the Local Computer or Another Computer. Click
Finish.
7. Click Close in the Add Standalone Snap-In dialog box.
8. Click OK in the Add/Remove Snap-In dialog box.
9. The snap-in which you selected on the Add Standalone Snap-in dialog box now appears
in the console tree.
10. Click Save from the File menu to save the MMC.
11. Enter a name for the MMC in the File Name box.
12. Click Save.
13. The saved console can now be accessed via the Administrative Tools menu.
How to connect to and manage a remote computer
When you create a customized MMC console and add snap-ins to it, you can choose that
the MMC console be used to manage a remote computer. For the majority of snap-ins, you
can change the management focus of the particular snap-in. The account you use must,
however, have sufficient privileges on the target remote computer.
To do this,
1. In the console tree pane, right-click the snap-in, and select one of the following options
from the shortcut menu:
  o Connect To Another Computer
  o Connect To Domain
  o Connect To Domain Controller

A console typically used to connect to and manage a remote computer is the Computer
Management console. The Computer Management console is a preconfigured MMC console.
The console is available on both client and server computers to perform administrative
tasks, and can be accessed from the Administrative Tools menu.
The Computer Management nodes and the snap-ins which are available under each node
are:
• System Tools node, contains the following snap-ins:
  o Event Viewer, used to display and view event logs
  o Shared Folders, used to view shared folders and open files
  o Local Users and Groups, used to manage local users and groups
  o Performance Logs and Alerts, used to set up performance logs
  o Device Manager, used to manage hardware
• Storage node, contains the following snap-ins:
  o Removable Storage, used to manage devices which have removable media
  o Disk Defragmenter, used to defragment local disks
  o Disk Management, used to configure and manage disk volumes and partitions
• Services and Applications node, contains the following snap-ins:
  o Services, used to manage services
  o Indexing Service, used to configure the indexing service
  o WMI Control, used to configure WMI (Windows Management Instrumentation)
  o DHCP, used to configure the DHCP service
  o DNS, used to configure the DNS service
  o Routing and Remote Access, for managing remote access and routing

To manage a remote computer using the Computer Management console,
1. Click Start, right-click My Computer, and select Manage from the shortcut menu.
2. Right-click Computer Management in the console tree, and select Connect To Another
Computer from the shortcut menu.
3. Enter the name or IP address of the computer in the Another computer box, or click the
Browse button to browse for the remote computer on the network.
4. Click OK.
5. After the connection is established with the remote computer, you can perform the
necessary administrative tasks on the particular computer.

Using Web Interface for Remote Administration for Remote Server Management
The Web Interface for Remote Administration tool of Windows Server 2003 can be used to
manage servers from another location using a Web browser. The Web Interface for Remote
Administration tool is not supported for domain controllers. It is installed on Windows
Server 2003 Web Edition by default. Before you can use the Web Interface for Remote
Administration tool, you first have to install Web Interface for Remote Administration on
your servers, and configure them correctly. After this, it is merely a matter of pointing the
Web browser to your server's IP address, and you can then manage it from any location.
The requirements for accessing a server over the Internet are:
• Web Interface for Remote Administration must be installed on the servers.
• The server must have a valid external IP address. The external IP address is not needed
if you are going to be accessing the server over the corporate network.
• Port 8098 on the server must be used for communication over the Internet connection.
• It is recommended to use Internet Explorer version 6.0 or later for remote
administration.

How to install Web Interface for Remote Administration on your servers
1. Open Control Panel, and double-click Add Or Remove Programs.
2. Click Add/Remove Windows Components to open the Windows Components Wizard.
3. In the Windows Components Wizard, select Application Server and then click Details.
4. In the Application Server dialog box, select Internet Information Services (IIS) and then
click Details.
5. In the Internet Information Services (IIS) dialog box, select World Wide Web Service and
then click Details.
6. In the World Wide Web Service dialog box, click the Remote Administration (HTML)
checkbox. Click OK.
7. Click OK in the Internet Information Services (IIS) dialog box.
8. Click OK in the Application Server dialog box.
9. Click Next in the Windows Components Wizard to start the installation.
10. When prompted, insert the Windows Server 2003 installation CD.
11. When the installation has completed, click Finish.
How to access and administer a server using the Web Interface for Remote Administration
tool
1. Open Internet Explorer.
2. Browse to https://Servername:8098
3. After the connection is established, a Welcome page is displayed.
4. Using the Web interface, you can perform a few common administration tasks, including
administering network settings and local user accounts.

Using Remote Desktop For Administration to Remotely Manage Computers
The Remote Desktop For Administration tool can be used to remotely manage servers running
Windows 2000 or Windows Server 2003. It allows you to manage servers from any location,
without actually affecting server performance, and with no additional licensing
requirements. Two simultaneous remote administration sessions are supported. The
Terminal Services service enables Remote Desktop For Administration. The Terminal
Services service is installed on Windows Server 2003 by default. It is also preconfigured to
support Remote Desktop For Administration.

Remote Desktop for Administration has to be enabled on each end of the connection before
you can use it. Remote Desktop for Administration is enabled in the System Properties on the
server.
To enable Remote Desktop for Administration,
1. Click Start, Control Panel, and then double-click System.
2. When the System Properties dialog box opens, click the Remote tab.
3. Select the Allow users to connect remotely to this computer checkbox. Members of the
local Administrators group are now able to connect.
4. If you want to specify additional users to connect remotely to the computer, click the
Select Remote Users button.
5. In the Remote Desktop Users dialog box, enter the names of the users who should be
able to connect to the computer.
6. Click OK.
The next step in enabling remote administration using Remote Desktop For Administration
connections is to configure the Remote Desktop Connection for remote administration.
Remote Desktop Connection must be configured on the workstations or servers which you
are going to use to manage the other servers.
To open Remote Desktop Connection,
1. Click Start, Programs, Accessories, Communications, and then click Remote Desktop
Connection.
2. In the Remote Desktop Connection dialog box, click Options to reveal the tabs on which
you can configure settings.
3. The tabs available on the Remote Desktop Connection dialog box are listed below:
  o General tab, Display tab, Local Resources tab, Programs tab, and Experience tab
You can configure the settings listed below on the General tab:
• You enter the name or the IP address of the server that you want to connect to and
manage on the General tab.
• You can also specify the local or domain account credentials which you want used for
authentication.
You can configure the settings listed below on the Display tab:
• You can configure display settings that control the size of the Remote Desktop
Connection window and the color depth on the Display tab.
• You can also set whether the connection bar should be displayed when in full screen
mode.
You can configure the settings listed below on the Local Resources tab:
• The options which can be selected in the Remote Computer Sound area of the tab are:
  o Bring to this computer: Selecting this option redirects audio output from the server to
  the client.
  o Do not play: Audio is disabled at each end of the connection.
  o Leave at remote computer: Selecting this option results in audio output being played
  back at the server.
• The options which can be selected in the Keyboard area of the Local Resources tab are:
  o On the local computer: Choose this option to switch applications on the local
  computer.
  o On the remote computer: Choose this option to switch applications on the remote
  computer.
  o In full screen mode only: When selected, the remote system carries out keystroke
  combinations when the remote session has encompassed the whole display on the
  client workstation.
• The options which can be selected in the Local Devices area of the Local Resources tab
allow you to specify which local devices should be connected to when you are logged on
to the remote computer. You can select between the following:
  o Disk Drives
  o Printers
  o Serial Ports
You can configure the settings listed below on the Programs tab. These settings specify the
programs that should execute when a Remote Desktop for Administration session starts.
• Enable the Start the following program on connection checkbox, and then enter the
program's file name and path in the Program path and file name box.
• Enter the working directory for the program in the Start in the following folder box.
You can configure the settings listed below on the Experience tab. These settings are
specific to improving the performance of the Remote Desktop for Administration connection.
• You can choose to allow the features listed below on the remote computer:
  o Desktop background
  o Show window contents while dragging
  o Menu fading and sliding
  o Themes
  o Bitmap caching

The Remote Desktop Connection client is installed by default on Windows XP workstations
and Windows 2003 Servers. The Remote Desktop Connection client is supported for Windows
95, Windows 98, Windows Me, Windows NT, Windows 2000, Windows XP Professional and
Windows Server 2003.
How to use Remote Desktop Connection to remotely manage a server
1. Click Start, All Programs, Accessories, Communications, and then click Remote Desktop
Connection.
2. The Computer box displays the name of the computer that you last connected to.
3. Choose the computer which you want to connect to, using the Computer drop-down box.
4. Click Connect.
How to optimize a connection to a remote server on a slow, congested network
1. Click Start, Programs, Accessories, Communications, and then click Remote Desktop
Connection.
2. In the Remote Desktop Connection dialog box, click Options to reveal the tabs on which
you can configure settings.
3. Click the Experience tab.
4. Select the Custom option from the Choose your connection speed to optimize
performance box.
5. Clear the Themes checkbox.
6. Ensure that the Reconnect if connection is dropped checkbox is enabled.
7. Click OK.
How to add the Remote Desktops snap-in to an MMC, and use it for remote administration
The Remote Desktops MMC snap-in can be used to manage Remote Desktop sessions with
Terminal Servers and Windows Server 2003 servers. Once you have added the Remote
Desktops snap-in to an MMC, you can use it to establish Terminal Services connections to
Windows 2003 servers and Terminal Servers.
To add the Remote Desktops snap-in to an MMC,
1. Click Start, Run, enter mmc in the dialog box, and click OK.
2. Click Add/Remove Snap-in from the File menu.
3. When the Add/Remove Snap-In dialog box opens, click Add.
4. When the Add Standalone Snap-in dialog box opens, select Remote Desktops and then
click Add.
5. Click Close in the Add Standalone Snap-In dialog box.
6. Click OK in the Add/Remove Snap-In dialog box.
7. The Remote Desktops snap-in which you selected on the Add Standalone Snap-in dialog
box now appears in the console tree.
8. Click Save from the File menu to save the MMC.
9. Enter a name for the MMC in the File Name box.
10. Click Save.
11. The saved console can now be accessed via the Administrative Tools menu.
How to configure a connection in the Remote Desktops snap-in
1. After you have added the Remote Desktops snap-in to an MMC, right-click the Remote
Desktops node in the console tree, and click Add New Connection from the shortcut
menu.
2. Enter the IP address, fully qualified domain name (FQDN), or NetBIOS name of the
server to which you want to connect in the Server Name Or IP Address text box.
3. In the Connection Name text box, enter a name for the connection.
4. Enable the Connect To Console checkbox if you want to connect to the console of the
server.
5. Enter your name in the User Name text box, enter your password in the Password
text box, and enter the domain name in the Domain text box.
6. Enable the Save Password checkbox to save the password that you have entered.
7. Click OK to save the connection.

Using Remote Assistance for Remote Management
The Remote Assistance feature is dependent on the Terminal Services service, and is
automatically installed when Windows Server 2003 is installed. Remote Assistance enables a
user (novice) at one computer to request assistance via Windows Messenger or e-mail from
a user (expert) at another computer on the local network, or over the Internet. Once the
expert receives a request for remote assistance, the expert can remotely connect to the
computer of the novice. This means that when the remote assistance session is
established, the novice and the expert can simultaneously control the computer. The
Remote Assistance feature is extremely useful if you want to troubleshoot user problems, or
connect to a remote computer to change configuration settings or install new software. You
must, however, enable and configure Remote Assistance first.
In order for a computer to receive remote assistance, the computer must be running
Windows XP or Windows Server 2003. The computer must also be enabled to use Remote
Assistance.
To enable a computer to use Remote Assistance, use one of the processes listed below:
• Control Panel: Use the steps listed below to enable a computer to use Remote Assistance
1. Open the System Properties dialog box in Control Panel.
2. Click the Remote tab.
3. Click the Allow Remote Assistance invitations to be sent from this computer checkbox.
4. Click the Advanced button.
5. When the Remote Assistance Settings dialog box opens, click the Allow this computer
to be controlled remotely checkbox.
6. Click OK.
• Group Policy: To enable Remote Assistance using Group Policy,
1. Open the GPO linked to the site or domain that contains the computer using the
Group Policy Object Editor console.
2. Expand the Computer Configuration node, Administrative Templates node, System
node, and click the Remote Assistance node.
3. Double-click the Solicited Remote Assistance policy.
4. When the Solicited Remote Assistance Properties dialog box opens, select Enabled.
5. Use the settings in the Permit remote control of this computer section of the dialog
box to specify whether a client on a remote workstation computer is able to control
the server.
6. Click OK
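
The following Windows PowerShell script (PowerShell 2.0 or later, run as an administrator on the server) is an added example, not part of this guide: it reads the registry values behind the Remote tab settings and the Solicited Remote Assistance policy described in the procedures above and reports the server's effective Remote Desktop and Remote Assistance state, including the members of the Remote Desktop Users group. It assumes the value names fDenyTSConnections, fAllowToGetHelp, fAllowFullControl and fAllowUnsolicited under the Terminal Server key, with a copy under the Policies key (written by Group Policy) taking precedence.

```powershell
# Added audit example (not from the original guide). The Remote tab in System
# Properties and the Remote Assistance policies write the values below; a value
# present under the Policies key (set by Group Policy) overrides the local one.
$LocalKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-EffectiveTerminalServerValue {
    param([string]$Name)
    # Policy first, then the local setting; report where the effective value came from.
    foreach ($key in @($PolicyKey, $LocalKey)) {
        $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return New-Object PSObject -Property @{ Name = $Name; Value = $item.$Name; Source = $key }
        }
    }
    New-Object PSObject -Property @{ Name = $Name; Value = $null; Source = 'not set' }
}

function Get-RemoteDesktopUsers {
    # Members of the local Remote Desktop Users group (the accounts added through the
    # Select Remote Users button); members of local Administrators can connect regardless.
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Remote Desktop Users,group"
    @($group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })
}

function Get-RemoteManagementState {
    # fDenyTSConnections = 0 means "Allow users to connect remotely to this computer" is selected.
    $deny  = Get-EffectiveTerminalServerValue 'fDenyTSConnections'
    # fAllowToGetHelp = 1 means Remote Assistance invitations may be sent (Solicited Remote Assistance).
    $help  = Get-EffectiveTerminalServerValue 'fAllowToGetHelp'
    # fAllowFullControl = 1 means the expert may control the desktop rather than only view it.
    $ctl   = Get-EffectiveTerminalServerValue 'fAllowFullControl'
    # fAllowUnsolicited = 1 means an expert may offer assistance without an invitation.
    $unsol = Get-EffectiveTerminalServerValue 'fAllowUnsolicited'

    New-Object PSObject -Property @{
        RemoteDesktopEnabled         = ($deny.Value -eq 0)
        RemoteDesktopSource          = $deny.Source
        RemoteDesktopUsers           = Get-RemoteDesktopUsers
        RemoteAssistanceEnabled      = ($help.Value -eq 1)
        RemoteAssistanceFullControl  = ($ctl.Value -eq 1)
        UnsolicitedAssistanceAllowed = ($unsol.Value -eq 1)
        RemoteAssistanceSource       = $help.Source
    }
}

Get-RemoteManagementState | Format-List
```

Run the same function across several servers (for example through a remote MMC-style loop over computer names with Invoke-Command, where available) to find machines whose Remote Assistance or Remote Desktop settings differ from the Group Policy you expect.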

A user can request remote assistance using one of the methods listed below:
• Windows Messenger
• E-mail
• Save the request to a file
The Windows Messenger tool is a chat application which you can download and install for
free.
To download the Windows Messenger tool,
1. Open the Help and Support Center.
2. Click the Download Windows Messenger link.
3. When a Web page appears, click Download Now.
4. On the Save As dialog box, click Open.
5. After the download is completed, click Yes in the Security Warning dialog box.
6. Click Yes to accept the license agreement, and start the installation of the Windows
Messenger tool.
7. After the installation, the Windows Messenger window opens, giving you the option to
sign in.
8. Click the Click here to sign in link.
9. This starts the .NET Passport Wizard.
10. Click Next on the initial screen of the wizard.
11. Click the No, I would like to open an MSN Hotmail e-mail account option, and click Next.
12. Click the I Agree button.
13. Click Continue to open the Associate your .NET Passport with your Windows user
account? page.
14. Click Next. Click Finish.
To send a remote assistance request using the Windows Messenger Tool, you have to first
add contacts or users from whom you will be requesting remote assistance.
1. Click the Add a Contact link in the Windows Messenger window.
2. To search for a contact, click the Search for a contact option. Click Next.
3. Enter the criteria which should be used to search for the contact. Click Next.
4. When the search results are displayed, choose the contact you wish to add. Click Next.
5. Click Finish.
How to request remote assistance using e-mail
1. Open the Help and Support Center.
2. Click Remote Assistance located under the Support area.
3. Click the Invite someone to help you link.
4. Enter the name of the expert from whom you want to request remote assistance in the
Type your assistant's first name: text box. Click Continue.
5. In the Set the invitation to expire section, specify the validity period for the invitation.
6. If you want the expert to provide a password to access the invitation, leave the Require
the recipient to use a password checkbox enabled.
7. Enter the password in the Type password and Confirm password text boxes.
8. Click the Create Email Invitation button.
How to initiate Remote Assistance from your computer to a user's computer
1. Open the Help and Support Center.
2. Click Tools and click Help And Support Center Tools.
3. Click Offer Remote Assistance.
4. Enter the name or IP address of the computer that you want to offer remote assistance
to.
5. Click Connect.
6. If prompted, select a user session.
7. Click Start Remote Assistance.
8. At this point, a message appears on the user's desktop, indicating that an administrator
wants to initiate a Remote Assistance session.
9. Once the user accepts remote assistance, the Remote Assistance session is established.

Remote Administration
Remote Administration Overview
When it comes to administering servers and desktops in secure organizations or large
organizations, administrators would typically be found performing remote administration.
This basically means that administrators would be using the Microsoft Management Console
snap-ins or support tools remotely to administer servers. For instance, through the
Microsoft Management Console snap-ins, you have the option of connecting to remote
systems. In fact, most administrative tasks which you can perform locally, you can perform
remotely.
With the introduction of Windows Server 2003 came increased support for remote
administration. This entailed support to use the Microsoft Management Console snap-ins,
Remote Desktop For Administration, Remote Assistance, and Web Interface for Remote
Administration to perform remote administration. The tools which are most likely used for
system administration are the graphical user interface (GUI) based tools. These tools
include the Connect To Another Computer option which allows you to specify which
computer you want to connect to.
The main GUI based tools used to administer systems remotely are listed here:
• Microsoft Management Console snap-ins
• Remote Administration (HTML) tool
• Remote Desktop For Administration
• Remote Assistance
• Administration Tools Pack

Remote Administration through Microsoft Management Console snap-ins
The Microsoft Management Console (MMC) is the administrative framework for most of the
graphical user interface (GUI) based tools which can be used to manage computers both
locally and remotely. The MMC makes it possible for administrators to specify which
snap-ins should be added to an MMC console. Third-party administrative tools that supply
snap-ins can also be added to MMC consoles.
After you have added your snap-ins, you can define different administrative views in the
console by adding windows for each snap-in. You can also configure an MMC console so that
no other individuals can modify the console. This is done by saving the console in one of the
available modes.
The mode which you choose for saving the MMC console affects a number of important
aspects of the MMC console:
• The snap-ins that you can add to the MMC console.
• The windows that you can create.
• The nodes that are displayed in the MMC console tree.
The modes you can select between when saving an MMC console are listed here:
• Full mode: provides full access to the MMC. All areas of the console can be changed. Full
mode allows you to add and remove snap-ins as well.
• User mode (full access): provides full access to the windowing commands but excludes
the capability of adding and removing snap-ins.
• User mode (limited access, multiple windows): provides access to those elements of the
specific MMC which existed when saved. Only new windows can be created, and previous
windows cannot be closed.
• User mode (limited access, single window): provides a view of only the console as it
existed when saved. No new windows can be created.

To remotely administer a computer through an MMC console, you must have the necessary
administrative rights to access and manage the specific remote computer.
How to create a customized MMC console
1. Click Start, click Run, enter mmc and then click OK.
2. A blank MMC console which has no snap-ins opens.
3. From the File menu, click Add/Remove Snap-In.
4. The Add/Remove Snap-In dialog box opens.
5. You can leave the default setting of Console Root in the Snap-Ins Added To box
unchanged. Click Add.
6. Select the snap-in you want to add to the MMC by double-clicking it.
7. To close the Add/Remove Snap-In dialog box, click OK.
8. The snap-in you added is displayed at the Console Root.
How to create a customized remote MMC console
1. Click Start, click Run, enter mmc and then click OK.
2. Click the Add/Remove Snap-In command from the File menu.
3. Click Add in the Add/Remove Snap-In dialog box.
4. Select the snap-in that you want to add, and then click Add.
5. Select Another Computer in the This Snap-In Will Always Manage area.
6. Click Browse to select the computer for the snap-in when the Select Computer dialog box
opens.
7. Click OK.
How to add the Remote Desktops snap-in to an MMC console
1. Open a blank console.
2. From the File menu, select Add/Remove Snap-in.
3. In the Add/Remove Snap-In dialog box, click the Add button.
4. Select Remote Desktops and then click Add.
5. Click Close and then click OK in the Add/Remove Snap-In dialog box.
6. If you want to be able to open the Remote Desktops console from the Administrative Tools
menu, click the File menu and then select the Save command.
7. In the File Name box, provide a name for the MMC.
8. Click Save.

How to remotely administer a system using the Computer Management console
You can use the Computer Management console to perform management tasks on remote
systems. Computer Management is available on both client and server computers.
The Computer Management console contains the following primary nodes:
• The System Tools node contains the Event Viewer, Performance Logs And Alerts, and
Device Manager snap-ins.
• The Storage node contains the Removable Storage and Disk Management snap-ins which
are used to manage storage devices and local disks.
• The Services and Applications node contains the snap-ins used to perform server-end
administration tasks.

To remotely administer a system using the Computer Management console,
1. Click Start, right-click My Computer, and then select Manage from the shortcut menu.
2. Right-click Computer Management in the console tree, and select Connect To Another
Computer from the shortcut menu.
3. Provide the IP address of the remote computer in the Another computer box.
4. Alternatively, click Browse to locate the remote computer on the network.
5. Click OK to connect to and administer the remote computer.

Remote Administration through the Remote Administration (HTML) tool
You can use the Remote Administration (HTML) tool if you want to manage your servers
using a Web browser. If the Remote Administration (HTML) tool is installed, you can connect
to an IIS 6.0 Web server through the Remote Administration Web site.
A few requirements have to be met, though, before you can use the Remote Administration
(HTML) tool to manage a server over the Internet:
• If you are not running the Windows Server 2003 Web Edition, you have to install the
Remote Administration (HTML) tool on the server.
• The server must have a valid external IP address.
• Port 8098 should be used for communication.

How to install the Remote Administration (HTML) tool
1. Open Control Panel.
2. Double-click Add Or Remove Programs.
3. Click Add/Remove Windows Components.
4. The Windows Components Wizard starts.
5. Select Application Server and then click the Details button.
6. Select Internet Information Services (IIS) and then click Details.
7. Select World Wide Web Service and then click Details.
8. Enable the Remote Administration (HTML) checkbox. Click OK.
9. Click Next in the Windows Components Wizard to install the Remote Administration
(HTML) tool.
10. Click Finish.
11. To access and administer a server over the Internet, open Internet Explorer.
12. Browse to https://server name:8098, substituting the name of the server.
13. Once the connection to the server is established, you can use the Web interface to
remotely administer the server.
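The requirements above say the Remote Administration (HTML) tool is reached over HTTPS on port 8098. The following PowerShell function is an added example (not part of the original guide) that checks, from an administrator's workstation, that a server's port 8098 actually answers over TLS and reports the certificate it presents, so you know what the browser will be trusting before you log on through it. It assumes PowerShell 2.0 or later with .NET 2.0 or later; the computer name in the usage line is a placeholder.

```powershell
# Added example, not part of the original guide. Checks that a server's Remote
# Administration (HTML) port answers over TLS and reports the certificate offered.
# Assumes PowerShell 2.0+ (.NET 2.0+); $ComputerName and $Port are placeholders.
function Test-RemoteAdminTls {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [int]$Port = 8098,
        [int]$TimeoutMs = 5000
    )

    $result = New-Object PSObject -Property @{
        Computer = $ComputerName; Port = $Port; Reachable = $false; TlsOk = $false
        Protocol = $null; Subject = $null; Issuer = $null; NotAfter = $null
        ChainValid = $false; Error = $null
    }

    $client = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        # Bounded connect so a filtered port does not hang the script.
        $handle = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $handle.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            $result.Error = 'connect timed out'
            return $result
        }
        $client.EndConnect($handle)
        $result.Reachable = $true

        # The callback accepts any certificate so the handshake completes and we
        # can inspect what was presented; trust is evaluated separately below.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($sender, $cert, $chain, $errors) return $true
        }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($ComputerName)

        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $result.TlsOk = $true
        $result.Protocol = $ssl.SslProtocol.ToString()
        $result.Subject = $cert.Subject
        $result.Issuer = $cert.Issuer
        $result.NotAfter = $cert.NotAfter
        # Verify() builds a chain against this machine's trust stores. The tool's
        # default certificate is self-signed, so expect False until a certificate
        # issued by a CA your browsers trust is installed on the site.
        $result.ChainValid = $cert.Verify()
    }
    catch {
        # A plain-HTTP or non-TLS listener on the port shows up here as a handshake failure.
        $result.Error = $_.Exception.Message
    }
    finally {
        if ($ssl) { $ssl.Close() }
        $client.Close()
    }
    return $result
}

# Usage (placeholder host name):
# Test-RemoteAdminTls -ComputerName 'webadmin01.example.com' | Format-List
```

A result with Reachable set but TlsOk clear means something other than an HTTPS listener is on the port; ChainValid being False with a subject matching the server name is the expected state for the self-signed certificate the tool creates, and is the cue to replace it before administering the server across the Internet.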

Remote Administration through Remote Desktop For Administration
The Remote Desktop For Administration mode of Terminal Services enables you to remotely
manage a Windows Server 2003 server. Remote Desktop for Administration is installed by
default when you install the operating system but it is not enabled by default. You have to
enable Remote Desktop for Administration at each connection end prior to using it.
The Remote Desktop Connection (RDC) utility is the client-end software used to access a
server in the context of Remote Desktop For Administration. You can configure remote
desktop connections to Windows servers and workstations. In Windows 2000 Server, you
have to install and configure Terminal Services in remote access mode to set up remote
desktop connections. Remote Desktop Connection is by default installed with Windows XP
and Windows Server 2003. You can however install Remote Desktop Connection on previous
Windows Operating Systems (OSs) such as Windows 2000, Windows NT, Windows ME,
Windows 98, and Windows 95. The RDC utility is backward compatible, and can therefore
interact with Terminal Services in Windows XP, Windows 2000 and Windows NT 4 Terminal
Server Edition.
How to enable Remote Desktop for Administration
1. Open Control Panel
2. Double-click System.
3. Click the Remote tab.
4. Select the Allow users to connect remotely to this computer checkbox.
5. To enable additional users to connect remotely to the computer, click the Select Remote
Users button.
6. Provide the names of the users who are allowed to connect to the computer.
7. Click OK.
How to grant users rights to create remote connections to remotely administer servers
1. Open the Computer Management console.
2. In the console tree, expand the System Tools node, expand the Local Users and Groups
node, and then expand the Groups node.

3. Right-click Remote Desktop Users, and then select Add to Group from the shortcut menu.
4. Click the Add button.
5. Select the user who should be added to the Remote Desktop Users group.
6. Click OK.
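The two procedures above (enabling Remote Desktop on the Remote tab and populating the Remote Desktop Users group) can also be audited and applied from the command line. The script below is an added example, not part of the original guide: it reads the same setting the Remote tab's checkbox toggles, lists the local Remote Desktop Users group through the ADSI WinNT provider so it works without newer cmdlets, and adds an account to the group. It assumes PowerShell 2.0 or later running elevated on the server being administered; that fDenyTSConnections under the Terminal Server key is the value behind the checkbox (1 = connections denied, 0 = allowed); and that the legacy netsh firewall context is present, as it is on Windows Server 2003 SP1 and later.

```powershell
# Added example, not part of the original guide. Audits and changes Remote Desktop
# for Administration and the local Remote Desktop Users group from the command line.
# Assumes PowerShell 2.0+ running elevated on the server.
$TerminalServerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpGroup = 'Remote Desktop Users'

function Get-RemoteDesktopUsers {
    # ADSI WinNT provider: available on every Windows version, no extra module needed.
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$RdpGroup,group"
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

function Get-RemoteDesktopStatus {
    # fDenyTSConnections: 1 = Remote Desktop disabled, 0 = enabled (the Remote tab checkbox).
    $deny = (Get-ItemProperty -Path $TerminalServerKey -Name fDenyTSConnections).fDenyTSConnections
    New-Object PSObject -Property @{
        Enabled = ($deny -eq 0)
        Members = @(Get-RemoteDesktopUsers)
    }
}

function Enable-RemoteDesktop {
    Set-ItemProperty -Path $TerminalServerKey -Name fDenyTSConnections -Value 0 -Type DWord
    # Windows Firewall also has to pass TCP 3389; the legacy 'netsh firewall'
    # context is used here because it is the one available on Server 2003.
    netsh firewall set service type=REMOTEDESKTOP mode=ENABLE | Out-Null
}

function Add-RemoteDesktopUser {
    param([Parameter(Mandatory = $true)][string]$Account)  # 'DOMAIN\user' or a local 'user'
    if ($Account -match '^([^\\]+)\\(.+)$') {
        $path = "WinNT://$($matches[1])/$($matches[2]),user"
    } else {
        $path = "WinNT://$env:COMPUTERNAME/$Account,user"
    }
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$RdpGroup,group"
    try {
        $group.Add($path)
        "Added $Account to $RdpGroup"
    } catch {
        # Add fails when the account is already a member or does not exist.
        "Could not add ${Account}: $($_.Exception.Message)"
    }
}

# Usage:
# Get-RemoteDesktopStatus
# Enable-RemoteDesktop
# Add-RemoteDesktopUser -Account 'CONTOSO\helpdesk01'   # placeholder account
```

Get-RemoteDesktopStatus is the one to run across a fleet: a server with Enabled set to True and a Members list you do not recognise is exactly what the Select Remote Users step is meant to prevent, and the group listing shows it without opening Computer Management on each box. Administrators do not need to be in Remote Desktop Users, so the group should contain only the non-administrator accounts that genuinely need a desktop session.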
How to remotely administer a server using Remote Desktop for Administration
1. Click Start, All Programs, Accessories, Communications, and then click Remote Desktop
Connection.
2. The Computer box displays the name of the computer that was last connected to.
3. Select the computer that you want to connect to in the Computer drop-down box.
4. Click Connect.
How to optimize remote connections
1. Click Start, All Programs, Accessories, Communications, and then click Remote Desktop
Connection.
2. In the Remote Desktop Connection dialog box, click the Options button.
3. Click the Experience tab.
4. Select the Custom option from the Choose your connection speed to optimize
performance box.
5. Clear the Themes checkbox.
6. Ensure that the Reconnect if connection is dropped checkbox is enabled.
7. Click OK.

Remote Administration through Remote Assistance
Remote Assistance makes use of the TCP/IP protocol to establish a connection between two
computers so that a user at one computer can request assistance from a user located at
another computer.

Remote Assistance uses Terminal Services and the RDP protocol to enable administrators to
monitor and control desktops of remote computers, send and receive files from a remote
computer and to communicate with a user located at the remote computer.
A local area network (LAN) connection or an Internet connection can be used to establish
the connection to the remote computer. Solicited remote assistance occurs when a user
creates a Remote Assistance invitation and sends it to the remote assistant. With
unsolicited remote assistance, the assistant offers help without first receiving a Remote
Assistance invitation. Windows Messenger or an e-mail client can be used to send a Remote
Assistance invitation to request remote assistance. Remote Assistance is installed
automatically when Windows Server 2003 is installed. For a computer to receive remote
assistance, it must be running Windows XP or Windows Server 2003 with the Remote
Assistance feature enabled.
You can use Group Policy to configure settings for Remote Assistance. The Solicited
Remote Assistance policy and the Offer Remote Assistance policy can be used to:

Enable and disable Remote Assistance.

Enable users to send Remote Assistance invitations.

Enable a user to allow remote control by another individual.
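Because these two policies decide whether a server can be helped at all, and whether an assistant may offer help unasked, it is worth being able to confirm what they have actually applied on a given server. The function below is an added example (not part of the original guide) that reports the Remote Assistance settings in effect by reading the policy key and the local setting key and stating which one wins. It assumes PowerShell 2.0 or later, and it assumes the registry value names fAllowToGetHelp, fAllowUnsolicited, fAllowFullControl, MaxTicketExpiry and MaxTicketExpiryUnits under the keys shown are the ones the two policies and the System applet write; confirm those names against the policy's Explain text in your environment before relying on the report.

```powershell
# Added example, not part of the original guide. Reports the Remote Assistance
# settings in effect on a server so the Solicited Remote Assistance and Offer
# Remote Assistance policies can be verified. Assumes PowerShell 2.0+; the value
# names below are an assumption to confirm against the policy's Explain text.
function Get-RemoteAssistanceConfig {
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $localKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance'

    # Returns the DWORD, or $null when the value or key is absent, which for the
    # policy key means the policy is Not Configured.
    function Read-Value([string]$Path, [string]$Name) {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $item.$Name } else { $null }
    }

    function Describe($v) {
        if ($null -eq $v) { 'Not configured' }
        elseif ($v -eq 1)  { 'Enabled' }
        elseif ($v -eq 0)  { 'Disabled' }
        else               { "Unknown ($v)" }
    }

    $solicited  = Read-Value $policyKey 'fAllowToGetHelp'       # Solicited Remote Assistance policy
    $offer      = Read-Value $policyKey 'fAllowUnsolicited'     # Offer Remote Assistance policy
    $policyCtrl = Read-Value $policyKey 'fAllowFullControl'     # remote control allowed by policy
    $localHelp  = Read-Value $localKey  'fAllowToGetHelp'       # Remote tab setting, used when no policy
    $localCtrl  = Read-Value $localKey  'fAllowFullControl'
    $expiry     = Read-Value $localKey  'MaxTicketExpiry'       # invitation lifetime
    $expiryUnit = Read-Value $localKey  'MaxTicketExpiryUnits'  # unit index as the UI stores it

    # A configured policy takes precedence over the local setting.
    if ($null -ne $solicited) { $effectiveSolicited = ($solicited -eq 1) }
    else                      { $effectiveSolicited = ($localHelp -eq 1) }

    New-Object PSObject -Property @{
        SolicitedPolicy      = Describe $solicited
        OfferPolicy          = Describe $offer
        PolicyFullControl    = Describe $policyCtrl
        LocalAllowToGetHelp  = Describe $localHelp
        LocalFullControl     = Describe $localCtrl
        EffectiveSolicited   = $effectiveSolicited
        UnsolicitedAllowed   = ($offer -eq 1)
        MaxTicketExpiry      = $expiry
        MaxTicketExpiryUnits = $expiryUnit
    }
}

# Usage:
# Get-RemoteAssistanceConfig | Format-List
```

UnsolicitedAllowed is the field to watch on servers: the Offer Remote Assistance policy also carries a list of the users and groups permitted to make offers, so when it reports True, check that list in the GPO as well, since membership of it is what lets someone reach the "Offer Remote Assistance" screen described below against that server.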

How to send a Remote Assistance invitation (e-mail)
1. Click Start, and then open Help and Support Center.
2. Click Remote Assistance.
3. Click Invite someone to help you.
4. Enter the name of the expert in the Type your assistant's first name text box, and then
click Continue.
5. On the following screen, specify the expiration time and date for the invitation.
6. Leave the Require the recipient to use a password option enabled.
7. Provide a password in the Type password and Confirm password text boxes.
8. Once the password is verified, the Create Email Invitation button is enabled.
9. Click the Create Email Invitation button to send the invitation.
How to send a Remote Assistance invitation (Windows Messenger)
1. Click Start, and then click Help and Support Center.
2. Click the Invite a friend to connect to your computer with Remote Assistance option.
3. Click the Invite someone to help you option.
4. In the Use Windows Messenger section on the following screen, click the Sign In button.
5. Provide a valid email address and password to log on to Windows Messenger.
6. Click OK.
7. The Windows Messenger dialog box opens.
8. Select Tools, Ask for Remote Assistance, and then select the email address of the
individual from which you want to request assistance.
9. A message to request remote assistance is transmitted to the individual.
10. When the individual accepts the remote assistance request, the user is informed through
a message.
11. The Remote Assistance console is displayed on the computer of the expert.
12. A message indicating that an answer is pending is displayed.
13. The user can click Yes to enable the expert to view the desktop of the computer.
How to provide unsolicited remote assistance
1. Open Help and Support Center.
2. Under Pick a task, click the Tools link to view computer information.
3. Click Offer Remote Assistance.
4. The Offer Remote Assistance screen opens.
5. Provide the IP address of the computer that you want to provide Remote Assistance to.
6. Click Connect.
7. A message indicating that remote assistance has been offered is shown on the computer
of the novice.
How to manage Remote Assistance invitations
1. Open Help and Support Center.
2. Click Remote Assistance.
3. Click View Invitation Status.
4. The details of each Remote Assistance invitation are displayed, including the name of
the person the invitation was sent to, the date and time the invitation expires, and
the status of the invitation.
5. Choose the invitation and click the Details, Expire, Resend, or Delete button.
