Configuring Remote Access Servers
1. Click Start, Administrative Tools, and then click Routing And Remote Access to open the
Routing And Remote Access management console.
2. In the console tree, expand the node for the server that you want to configure.
3. Right-click Ports and then select Properties from the shortcut menu to open the Ports
Properties dialog box.
4. Select WAN Miniport (PPTP) or select WAN Miniport (L2TP).
5. Click the Configure button.
6. The Configure Device dialog box opens.
7. In the Maximum Ports box, specify the number of connections that the port type which
you have selected can support. The default configuration setting when the RRAS is
installed is 5 PPTP ports and 5 L2TP ports.
8. If you want to specify the IP address of the public interface to which VPN clients connect,
use the Phone Number For This Device box on the Configure Device dialog box.
9. If you want to disable connections for the port type, select the Use the Remote Access
Connections (Inbound Only) checkbox on the Configure Device dialog box.
10. If you do not want to allow the specific VPN type to be used for demand-dial connections,
deselect the Demand-Dial Routing Connections (Inbound And Outbound) checkbox.
11. Click OK to close the Configure Device dialog box.
12. Click OK to close the Ports Properties dialog box.
11. The logon dialog box is displayed after you click the Finish button to complete the New
Connection Wizard.
22. On the VPN Type page, select the VPN protocol which you want to use and then click
Next. You can leave the Automatic selection default option unchanged.
23. On the Destination Address page, provide the IP address that corresponds to the public
interface of the remote gateway and then click Next.
24. On the Protocols And Security Page, select the Route IP packets on this interface
checkbox, and click Next.
25. On the Static Routes For Remote Networks page, click the Add button and then enter the
LAN subnet address for the remote LAN on the Static Route dialog box.
26. Click OK and then click Next.
27. Specify the username, password and domain for authentication purposes and click Next.
28. Click Finish on the Completing the Demand-dial Interface Wizard page.
29. You now have to configure the interface for a persistent connection.
30. In the console tree of the Routing and Remote Access console, select the demand-dial
interface that you want to configure, and then select the Action menu. Click the Options
command on the Action menu.
31. Click Persistent Connection and click OK.
32. In the console tree of the Routing and Remote Access console, expand the IP Routing
node.
33. Select Static Routes to verify that the static route to the remote LAN subnet is
configured. The static route should be displayed in the Details pane.
34. To configure packet filtering properties, select the demand-dial interface and select
Properties from the shortcut menu.
35. On the General tab, select Inbound Filters and then select New.
36. Specify the appropriate LAN subnet information. Click OK.
37. Select the Drop all packets except those that meet the criteria below option and then
click OK.
38. Select the demand-dial interface and select Properties from the shortcut menu.
39. On the General tab, select Outbound Filters and then select New.
40. Specify the appropriate LAN subnet information. Click OK.
41. Select the Drop all packets except those that meet the criteria below option and then
click OK.
42. Click OK again.
43. In the console tree of the Routing and Remote Access console, select the demand-dial
circuit from Network Interfaces, and then select the Connect command from the Action
menu.
44. Examine the information in the Status column and Connection State column to verify the
status and state of the tunnel.
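The inbound and outbound filter steps above both use the Drop all packets except those that meet the criteria below option. The following Python model, added here and not part of the original document, evaluates sample packets against such filter lists the way RRAS applies them to the demand-dial interface; the local LAN 192.168.1.0/24 and remote LAN 192.168.2.0/24 are constructed values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed addresses: the LAN behind this RRAS server and the branch
# LAN reached over the demand-dial interface.
LOCAL_LAN = ipaddress.ip_network("192.168.1.0/24")
REMOTE_LAN = ipaddress.ip_network("192.168.2.0/24")


@dataclass
class PacketFilter:
    """One criterion row in an RRAS inbound or outbound filter list.

    A field left as None matches anything, mirroring an unchecked
    Source network / Destination network box in the filter dialog.
    """
    source: Optional[ipaddress.IPv4Network] = None
    destination: Optional[ipaddress.IPv4Network] = None
    protocol: str = "Any"

    def matches(self, src: str, dst: str, protocol: str) -> bool:
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if self.source is not None and src_ip not in self.source:
            return False
        if self.destination is not None and dst_ip not in self.destination:
            return False
        return self.protocol == "Any" or self.protocol == protocol


@dataclass
class FilterList:
    """The filter list for one direction of an interface.

    drop_all_except=True models "Drop all packets except those that meet
    the criteria below" (the option chosen in the steps above); False
    models the opposite "pass all except" behaviour, where a match drops.
    """
    filters: List[PacketFilter]
    drop_all_except: bool = True

    def permits(self, src: str, dst: str, protocol: str = "Any") -> bool:
        matched = any(f.matches(src, dst, protocol) for f in self.filters)
        return matched if self.drop_all_except else not matched


# Inbound: only traffic sourced from the remote LAN and bound for the
# local LAN may enter through the demand-dial interface.
INBOUND = FilterList([PacketFilter(source=REMOTE_LAN, destination=LOCAL_LAN)])
# Outbound: only local LAN traffic bound for the remote LAN may leave.
OUTBOUND = FilterList([PacketFilter(source=LOCAL_LAN, destination=REMOTE_LAN)])


def inbound_permitted(src: str, dst: str, protocol: str = "Any") -> bool:
    return INBOUND.permits(src, dst, protocol)


def outbound_permitted(src: str, dst: str, protocol: str = "Any") -> bool:
    return OUTBOUND.permits(src, dst, protocol)


if __name__ == "__main__":
    # Constructed sample packets: one legitimate branch-to-HQ packet and
    # one from an address that does not belong to the remote LAN.
    for pkt in [("192.168.2.10", "192.168.1.5"), ("10.0.0.7", "192.168.1.5")]:
        print("inbound", pkt, "->", "pass" if inbound_permitted(*pkt) else "drop")
```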
5. Click OK.
13. The following configuration is recommended if you are using RIP version 2 and
Ethernet as the transport medium:
14. Click OK.
13. To enable remote access, select the Use the Remote Access Connections (Inbound Only)
checkbox and click OK.
Configure the user account, with the correct dial-in permissions, that the remote access
server would use to connect to the remote LAN.
1. Click Start, Administrative Tools, and then select Active Directory Users and Computers
to open the Active Directory Users and Computers management console.
2. In the console tree, right-click the Users container and then select New and then User
from the shortcut menu.
3. In the New Object User dialog box, enter the correct account name information and
then click Next.
4. Enter the password information for the new user account in the Password and Confirm
Password textboxes.
5. Ensure that the User must change password at next logon checkbox is not selected and
then click Next to complete the creation of new user account.
6. In the console tree, select the Users container, right-click the user account which you
created and then select Properties from the shortcut menu.
7. When the Properties dialog box for the user account appears, click the Dial-in tab.
8. Click the Allow access option.
9. Click OK.
10. To configure the demand dial interface, click Start, Administrative Tools, and then select
Routing And Remote Access to open the Routing And Remote Access console.
11. In the console tree, right-click the server that you want to configure, and then select
Configure And Enable Routing And Remote Access.
12. The Routing And Remote Access Server Setup Wizard starts.
13. Click Next on the initial page of the Routing And Remote Access Server Setup Wizard.
14. On the Configuration page, select the Custom Configuration option and then click Next.
15. On the Custom Configuration page, select the Demand-dial connections (used for branch
office routing) checkbox and then click Next.
16. On the Completing The Routing And Remote Access Server Setup Wizard page, click
Finish.
17. Click Yes in the message box that appears, asking whether the Routing and Remote
Access service should be started.
18. In the console tree of the Routing And Remote Access management console, right-click
Network Interfaces and then select New Demand-dial Interface from the shortcut menu.
19. The Demand-dial Interface Wizard starts.
20. Click Next on the Demand-dial Interface Wizard Welcome page.
21. Enter a name for the new demand-dial interface and then click Next.
22. On the Connection Type page, choose the Connect using a modem, ISDN adapter, or
other physical device option and click Next.
23. On the Protocols And Security Page, select the Route IP packets on this interface
checkbox, and click Next.
24. On the Static Routes For Remote Networks page, click the Add button to configure the
static route.
25. Click OK in the Static Route dialog box. Click Next.
26. Specify the username, password and domain for authentication purposes on the Dial Out
Credentials page. Click Next.
27. Click Finish on the Completing the Demand-dial Interface Wizard page.
28. This process has to be completed for the remote LAN as well.
5. If you want to dynamically dial and hang up devices click Dial devices only as needed
and then click Configure.
6. If you want to use all devices, click Dial all devices.
7. If you want to use only the first available device, click Dial only first available device.
8. Click OK.
Authentication methods: The different authentication methods that can be configured are
listed below:
EAP
CHAP
MS-CHAP
MS-CHAP version 2
PAP
PEAP
Unauthenticated access
Group membership
Time of day
Type of connection
After a remote access policy authorizes a connection, you can also configure that certain
constraints be enforced. Constraints are based on the following:
Encryption strength
IP packet filters
Idle timeout
Called Station ID; the network access server's (NAS) phone number.
Framed Protocol; IAS uses this to determine the frame type of the incoming packets.
Windows Groups; the groups to which the user establishing a connection belongs.
Dial-up
VPN
Wireless
Ethernet
8. On the User or Group Access page, click the User option and then click Next.
9. On the Authentication Methods page, specify the authentication methods which the policy
will accept and then click Next.
10. On the Policy Encryption Level page, specify the encryption types and then click Next.
11. Click Finish to create the new remote access policy.
2. In the console tree, right-click Remote Access Policies and then select New Remote
Access Policy from the shortcut menu.
3. The New Remote Access Policy Wizard starts.
4. Click Next on the New Remote Access Policy Wizard Welcome page.
5. When the Policy Configuration Method page appears, select the Use the wizard to set up
a typical policy option.
6. Enter a name in the Policy name box, and then click Next.
7. On the Access Method page, select between the following options and then click Next:
Dial-up
VPN
Wireless
Ethernet
8. On the User or Group Access page, select the Group option and then click Add to specify
the group name.
9. Using the Enter the object names to select box, specify the group and then click OK.
10. Click Next on the User or Group Access page.
11. On the Authentication Methods page, specify the authentication methods which the policy
will accept and then click Next.
12. On the Policy Encryption Level page, specify the encryption types and then click Next.
13. Click Finish to create the new remote access policy.
10. On the Permissions page, click the Deny remote access permission option and then click
Next.
11. When the Profile page appears, use the Edit button if you want to change the profile.
Click Next.
12. Click Finish to create the new remote access policy.
Configure a large number of clients by creating an executable file which can be deployed
to your users by means of a distribution package.
Users can run more than one Connection Manager service profile at the same time.
Connection Manager can also be used when users share computers. A user does not need
to provide user credentials for each connection.
You can customize the following components within Connection Manager so that it
reflects the identity of the organization:
Help
Messages
The Connection Manager Administration Kit (CMAK) Wizard can be used to automatically
create a service profile so that users can run Connection Manager to establish VPN and
dial-up connections. The service profile takes the form of an executable file which can be
distributed using either of the following methods:
You can include custom functionality or programs that execute during the connections
process. For instance, you can run a program when the user logs on, and when the user
logs off.
Connection logging, terminal window support and enhanced ISDN support are a few
additional features of Connection Manager.
Access points can be used to save commonly utilized connection settings. Connection
Manager includes help for Access Points and Dialing Rules.
Planning phase: Typical issues that should be determined in the planning phase are:
Determine which customizations you want: graphics, phone book information, and so
forth.
Developing custom elements phase: This is when you should create all custom graphics,
icons, and all other elements which you want to include for the new Connection Manager
service profile.
Running the CMAK Wizard phase: The Connection Manager Administration Kit (CMAK)
Wizard is initiated and run to create the new Connection Manager service profile for the
connection.
Preparing for delivery phase: The new Connection Manager service profile can be
distributed via CD-ROM, floppy disk, Web site, or a network share. It can also be
downloaded to the client.
Testing phase: It is important to test all new packages before users are allowed to
download these packages.
Providing support phase: It is recommended that you define a support strategy once the
new Connection Manager service profile is distributed to users.
There is the risk of an unauthorized user establishing a connection and using it. This can
basically occur when a computer can be accessed by multiple users.
For users to run the existing installation of CMAK, they have to belong to the Power
Users group. The service profiles created by the CMAK Wizard are text files. Because of
this, a user that has access to the text files can simply use a text editor to change the
text files created by the CMAK Wizard.
A few strategies that can be used to address Connection Manager security concerns are
listed below:
You can require that users utilize the more current Windows operating systems that
support the user certificates feature of Connection Manager.
Ensure that only those users who are authorized can download and obtain the
Connection Manager service profile.
For a computer that is utilized by more than one user, ensure that users cannot utilize
the Remember Password feature to store the password for the connection. To disable the
Remember Password feature, configure the HideRememberPassword option. The
HideRememberPassword option can be accessed in the last page of the CMAK Wizard by
clicking Edit Advanced Options.
Merging Profile Information; you can merge the settings of an existing service profile(s)
into the new Connection Manager service profile which you are creating, or in the service
profile which you are editing.
VPN Support; enables you to specify a VPN connection for the service profile which you
are configuring. For client IP address assignment, the following methods exist:
Define that the server assigns IP addresses when the connection is established.
Phone Book; set whether a phone book is to be created with the service profile being
created or edited.
Phone Book Updates; define the method which will be used to pass phone book updates
to clients. You can specify a Connection Point Services server by means of a URL. The
Windows Server 2003 Connection Point Services (CPS) feature can be used to create and
update phone books.
Dial-Up Networking Entries; define the dial-up networking entries for the phone numbers
in the address book.
Routing Table Update; to update the Routing Table. A file containing routing table
information is then included.
Automatic Proxy Information; enables you to specify options which will be used to
configure proxy settings.
Logon Bitmap; set the bitmap that should appear in the Logon dialog box.
Phone Book Bitmap; set the bitmap that should appear in the Phone Book dialog box.
Icons; set the icons which should be displayed for Connection Manager on your clients.
Notification Area Shortcut Menu; define the shortcut menu which is displayed when the
status area icon is right-clicked by users.
Support Information; define the support information for the service profile being created
or edited.
Connection Manager Software; for users to utilize the service profile they must have
Connection Manager installed. For users that do not have the Connection Manager
installed, you can specify that Connection Manager software be added with the service
profile you are creating or editing. Here, the user will perform the following actions:
License Agreement; you can require users to accept a license agreement by including it
in a text file.
Additional Files; for adding any other files with the Connection Manager service profile
being created or edited.
With the CMAK, custom actions are supported. Through custom actions, you can configure
that certain programs should automatically run when the Connection Manager process
occurs.
The different actions which you can specify to run during the Connection Manager process
are summarized here:
On error actions; run when there is an error during the connection establishment
process.
9. Click Next.
10. On the VPN Entries page, perform either of these actions:
13. On the Dial-Up Networking Entries page, perform either of these actions:
To distribute the new service profile package files, use either of these methods:
CD-ROM
Floppy disk
Web site
Share the CMAK directory and provide users with the path information.
Dial-up client: A dial-up client uses a physical connection to the remote access server to
establish a connection to it. A dial-up client can access resources in much the same
manner as if they are actually physically connected to the network. Dial-up clients can:
Share files.
Map network drives, and perform other operations, based on the access that is
allowed.
You should utilize a dial-up client when the following conditions are present:
The Internet cannot be used to access resources on the corporate network because of
security issues.
VPN client: A VPN client utilizes the Internet, tunneling and TCP/IP protocols to establish
a connection to the network.
Wireless client: These clients connect to the network through radio frequencies such as
infrared frequencies.
When determining user requirements for remote access, a few issues that need to be
initially addressed are:
Determine whether clients' current Internet connections can be used for VPN
connections.
When configuring a dial-up remote access client, you specify the phone number of the
remote access server.
When configuring a VPN client, you specify the IP address of the server.
After a connection is established, you can change the connection's properties through the
connection's Properties dialog box. The configuration settings that you can configure
through the various tabs on the Dial-Up Connection Properties dialog box are:
General tab: The configuration settings that you can configure on the General tab are:
Specify the connection which should be established prior to the VPN connection being
established.
Modify the settings of the existing modem that the connection uses
Specify whether the connection shows a status icon when the connection is active. For
dial-up connections, the Show Icon In Taskbar When Connected checkbox is enabled
by default.
Options tab: The configuration settings that you can configure on the Options tab pertain
to the dialing and redialing of the connection. The settings on the Options tab are
organized into two sections, namely the Dialing Options section and the Redialing
Options:
Dialing Options: The dialing options that you can set are listed below. These settings
control the dial-up networking interface's actions:
Display Progress While Connecting checkbox; tracks the progress of the attempted
connection. This option is enabled by default.
Prompt For Name And Password, Certificate, Etc. checkbox; prompts for any
credentials needed to authenticate the connection to the server. The option is
enabled by default.
Include Windows Logon Domain checkbox; the domain name of the domain
currently logged on to is included with the authentication credentials. The option is
disabled by default.
Prompt For Phone Number checkbox; shows the phone number in the connection
dialog box so that it can be edited prior to dialing.
Redialing Options: These settings control the activities that occur when the remote
end is busy. The redialing options that you can set are:
Redial Attempts box; for specifying the number of attempts that occur to establish
the connection before abandoning it. The default value for the Redial Attempts
setting is 3.
Time Between Redial Attempts setting; for indicating the wait period before
reattempting the connection.
Idle Time Before Hanging Up setting; for specifying the idle time for the connection
before the call is terminated.
Security tab: The configuration settings that you can configure on the Security tab
control the security of the connection. This includes options for authentication protocols
and encryption. The settings on the Security tab are also organized into two sections,
namely the Security Options section and the Advanced Security Settings:
Security Options: The settings that you can configure when you select the Typical
(Recommended Settings) option are:
Automatically Use My Windows Logon Name And Password checkbox; for secured
passwords, provides the remote end with the logon credentials used to log on to
the domain/computer.
Require Data Encryption checkbox; for secured passwords and smart card
authentication, specifies whether an encryption method should be negotiated
between the remote server and the client.
Advanced Security Settings: The settings that you can configure when you select the
Advanced (Custom Settings) option are listed below. The Advanced Security Settings
dialog box is accessed by clicking the Settings button after you have selected the
Advanced (Custom Settings) option:
Data Encryption drop down list; includes options that specify whether to encrypt
either end of network connections through IPSec. The options are: No Encryption
Allowed (the server will drop the connection if the client cannot provide
encryption); Optional Encryption (the call continues if encryption cannot be
provided); Require Encryption (the client has to request encryption, and is not
allowed to connect if the remote server cannot provide it); and Maximum Strength
Encryption (a connection can only be established if the client and server support
the same level of encryption).
Logon Security setting; specifies the authentication protocols which the client
utilizes. The available options are Use Extensible Authentication Protocol (EAP)
and Smart Card Or Other Certificate.
Allow These Protocols setting; specifies the authentication protocols that the client
can use. Authentication protocols options include CHAP, MS-CHAPv1, MS-CHAPv2,
PAP and SPAP. The authentication protocols that are by default selected when the
Allow These Protocols option is enabled are CHAP, MS-CHAPv1 and MS-CHAPv2.
Networking tab: The configuration settings that you can configure on the Networking
tab are explained below:
Type Of Dial-Up Server I Am Calling setting; specifies the type of server being
called. The options are PPP and SLIP, with PPP being the default setting.
You can select the Install, Uninstall, and Properties buttons to control the protocols
installed on the machine, and to control the settings of the protocols. The typically
selected options are Internet Protocol (TCP/IP) and Client For Microsoft Networks.
Sharing tab: The configuration settings that you can configure on the Sharing tab are
for RAS clients only:
8. Click OK.
2. In the console tree, expand the domain that contains the user account that you want to
enable remote access for.
3. Select the Users container.
4. In the right pane, locate the user account that you want to configure.
5. Right-click the specific user account and then select Properties from the shortcut menu.
6. The Properties dialog box of the user opens.
7. Click the Dial-in tab.
8. In the Remote Access Permission area, click the Control Access Through Remote Access
Policy option.
9. Click OK.
1. Click Start, Administrative Tools, and then select Routing And Remote Access to open the
Routing And Remote Access console.
2. In the console tree, select Remote Access Clients.
3. In the details pane, right-click the user name that you want to send the message to, and
then select Send Message from the shortcut menu.
4. The Send Message dialog box opens.
5. Type the message that you want to send to the user name that you have selected.
6. Click OK.
How to send a message to all remote access clients
1. Click Start, Administrative Tools, and then select Routing And Remote Access to open the
Routing And Remote Access console.
2. In the console tree, right-click Remote Access Clients and then select Send To All from
the shortcut menu.
3. When the Send Message dialog box opens, type the message that you want to send to
all connected remote access clients.
4. Click OK.
How to disconnect remote access clients
1. Click Start, Administrative Tools, and then select Routing And Remote Access to open the
Routing And Remote Access console.
2. In the console tree, select Remote Access Clients.
3. In the details pane, right-click the user name that you want to disconnect, and then
select Disconnect from the shortcut menu.
Ensure that the settings of the remote access policy and the settings configured in the
properties of the remote access server are not conflicting.
The remote access server, the remote access policy, and the dial-up remote client should
all be configured to minimally use one common authentication protocol. You can view
this information on the Security tab of the Dial-Up Connection Properties dialog box.
If MS-CHAP v1 is the authentication protocol being used, ensure that the user password
is not more than 14 characters.
The remote access server, the remote access policy, and the dial-up remote client should
all be configured to minimally use one common encryption strength. You can verify this
information on the Security tab of the Dial-Up Connection Properties dialog box.
Ensure that the number of modem devices specified in the Ports node of the Routing And
Remote Access management console can cope with the specified number of concurrent
remote access connections.
The remote access server either assigns addresses to clients from a predefined static
address pool or through a DHCP server on the network.
For address assignment from the static address pool, ensure that the address pool can
handle the required concurrent client connections.
For address assignment through the DHCP server, ensure that the DHCP server's
scope can handle the blocks of 10 addresses needed by your remote access server.
The dial-up remote access connection must have the correct permissions for the
connection to be established. You can verify the permissions specified for the connection
by examining the remote access policies and the dial-in properties of the specific user
account.
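As an added illustration (not from the original document), this Python checker encodes the consistency rules in the list above: a common authentication protocol and encryption strength across server, policy and client, the 14-character MS-CHAP v1 password limit, port count versus concurrent connections, and static pool or DHCP scope capacity. The Party and Deployment classes and all sample values are constructed, and the DHCP check assumes only the blocks-of-10 rule stated above.

```python
import math
from dataclasses import dataclass
from typing import List, Set


@dataclass
class Party:
    """Constructed model of one place where protocols are configured: the
    RRAS server properties, the remote access policy profile, or the
    Security tab of the client's dial-up connection."""
    name: str
    auth_protocols: Set[str]
    encryption: Set[str]


@dataclass
class Deployment:
    server: Party
    policy: Party
    client: Party
    user_password: str
    modem_ports: int           # devices listed under the Ports node
    concurrent_clients: int    # planned simultaneous connections
    static_pool_size: int = 0  # > 0 when a static address pool is used
    dhcp_scope_free: int = 0   # free addresses in the DHCP scope otherwise


MSCHAP_V1 = "MS-CHAP v1"
MSCHAP_V1_MAX_PASSWORD = 14   # limit stated in the checklist above
DHCP_BLOCK = 10               # RRAS requests DHCP addresses in blocks of 10


def common_auth(d: Deployment) -> Set[str]:
    """Authentication protocols accepted by all three parties."""
    return d.server.auth_protocols & d.policy.auth_protocols & d.client.auth_protocols


def common_encryption(d: Deployment) -> Set[str]:
    """Encryption strengths accepted by all three parties."""
    return d.server.encryption & d.policy.encryption & d.client.encryption


def dhcp_addresses_needed(concurrent_clients: int) -> int:
    """Round the demand up to whole blocks of 10 (assumed: no extra reservation)."""
    return math.ceil(concurrent_clients / DHCP_BLOCK) * DHCP_BLOCK


def check_deployment(d: Deployment) -> List[str]:
    """Return a list of findings; an empty list means the checklist passes."""
    findings = []
    auth = common_auth(d)
    if not auth:
        findings.append("no authentication protocol is common to server, policy and client")
    if MSCHAP_V1 in auth and len(d.user_password) > MSCHAP_V1_MAX_PASSWORD:
        findings.append(f"MS-CHAP v1 in use but the password exceeds "
                        f"{MSCHAP_V1_MAX_PASSWORD} characters")
    if not common_encryption(d):
        findings.append("no encryption strength is common to server, policy and client")
    if d.modem_ports < d.concurrent_clients:
        findings.append(f"{d.modem_ports} ports cannot serve "
                        f"{d.concurrent_clients} concurrent connections")
    if d.static_pool_size > 0:
        if d.static_pool_size < d.concurrent_clients:
            findings.append("static address pool is smaller than the planned "
                            "concurrent connections")
    else:
        needed = dhcp_addresses_needed(d.concurrent_clients)
        if d.dhcp_scope_free < needed:
            findings.append(f"DHCP scope has {d.dhcp_scope_free} free addresses "
                            f"but RRAS will request {needed}")
    return findings


if __name__ == "__main__":
    # Constructed sample: the policy only allows MS-CHAP v1 and Basic
    # encryption, the server has the default 5 ports, and the user's
    # password is 16 characters long.
    sample = Deployment(
        server=Party("server", {"MS-CHAP v2", MSCHAP_V1}, {"Strong", "Strongest"}),
        policy=Party("policy", {MSCHAP_V1}, {"Basic"}),
        client=Party("client", {MSCHAP_V1, "CHAP"}, {"Strong"}),
        user_password="sixteen-chars!!!",
        modem_ports=5, concurrent_clients=8, dhcp_scope_free=10)
    for finding in check_deployment(sample):
        print("-", finding)
```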
Verify that the modem is connected correctly to the computer's port. Verify that the
power is turned on.
Check whether the phone lines support the speed of the modem. Try using a lower
bps rate.
The issue might be that the modem cannot work with the modem of the remote
access server. Here, you might need to use the same modem type being used by
remote access server.
Verify that you have the necessary remote access permission, and that your user
account is valid.
If you continuously receive an error message, indicating that the remote access server is
not responding, a few guidelines to solve this issue are listed below:
Check whether you can connect to the server from a different workstation to ascertain
whether the issue is specific to one workstation.
Check whether the remote access server is running and operating correctly.
Verify whether the modem vendor has released new software updates. There might be
an issue with the version of the modem software that you are using.
If the modem and telephone line appear to not be operating as they should be, use
modem diagnostics to verify that the modem is operating as it should. There might
also be excessive static on the phone line.
There could be a switching mechanism between the remote access client and server
which is preventing the connection from being established. You should attempt using
a lower bps rate.
The issue might be that the modem you are using is conflicting with the modem of the
server. You should attempt using a lower bps rate.
If the modem is experiencing a problem connecting and there is quite some static on
the telephone line, attempt using a lower bps rate. The issue might be that the
modem cannot connect at a higher data rate.
You can verify the quality of your phone line with the telephone company.
If you receive a no answer message when attempting to connect via ISDN, try the
following strategies. A few possible causes for this type of issue are also listed:
Try dialing later. The line might be too busy or an existing poor line condition could be
hindering the connection.
Check that the ISDN adapters are installed and that they are set up correctly.
Check whether the phone number is configured correctly. You can contact the
telephone company to determine the numbers that the ISDN line owns.
Verify that the remote access server is up and running, and verify that the modem is
connected.
If remote access client connections to the remote access server are continuously being
dropped, try the following strategies:
Check whether the modem cable is connected correctly. It could have been
disconnected.
Verify whether the modem vendor has released new software updates. There might be
an issue with the version of the modem software that you are using.
It could be that the phone has call waiting, and this is hindering the connection.
Disable call waiting and then try again.
You could have been disconnected because of an inactivity period. Try once more.
If somebody picked up the phone, you would have been automatically disconnected.
Try calling once more.
In the Subcomponents of World Wide Web Service list, select the Remote Desktop Web
Connection check box, and then click OK.
port number. The steps listed below are optional but implementing them will greatly improve
your machine's security.
Note: TCP port number should not be changed if you are already using the machine as a
web server.
Open Control Panel, click on the Performance and Maintenance icon, and then click
on Administrative Tools. Double-click on the Internet Information Services.
In the IIS snap-in, expand your computer name, expand Web Sites, right-click on
the Default Web Site, and then click on Properties.
On the Web Site tab, change the TCP Port value. Enter a number between 1000 and
65535 that you remember well. This port number will be used for future connections.
Right-click on My Computer from the desktop, and select the Properties option.
Select the Remote tab, and then click on the Allow users to connect remotely to
this computer check box.
In the Select Users dialog box, type the name of the user and then click on OK. Click
on OK again to return to the System Properties dialog box, and then click on OK to close
it.
Your browser may not be installed with the Remote Desktop ActiveX control, hence if it
prompts you to install it, click Yes.
On the Remote Desktop Web Connection page, click on Connect. You don't need to fill in
the Server field. If you leave the Size field set to Full-screen, the remote desktop will
take over your local desktop.
Enter your user name and password at the Windows logon prompt, and then click OK.
You'll see your desktop completely.
LAN-to-LAN routing
LAN-to-WAN routing
IP multicasting
Packet filtering
Demand-dial routing
DHCP relay
Router discovery, defined in RFC 1256, provides the means for configuring and
discovering default gateways. Router discovery makes it possible for clients to:
Use alternate or backup routers when necessary, for instance when a network failure
occurs.
Router solicitations: A router solicitation is sent by a host on the network when it needs
to be configured with a default gateway. When a router solicitation is sent on the
network, each router responds with a router advertisement. The host then selects a
router as its default gateway. This is the router that has the highest preference. A host
can send a router solicitation to the following addresses:
Multicast routing through a multicast proxy provides multicast for remote access users,
thereby extending multicast support further than the true multicast router.
Network Address Translation (NAT), defined in RFC 1631, translates private addresses to
Internet IP addresses that can be routed on the Internet.
Remote Access Policies (RAPs): RAPs are used to grant remote access permissions. You
can configure RAPs from:
Layer Two Tunneling Protocol (L2TP) combines Layer 2 Forwarding (L2F) of Cisco with
Point-to-Point Tunneling Protocol (PPTP) of Microsoft. L2TP is a Data-link protocol that
can be used to establish Virtual Private Networks (VPNs).
The Windows Server 2003 Routing and Remote Access service console, the graphical
interface for managing RRAS, can be used to configure remote access server-end
configuration options, including the following:
Plain old telephone service (POTS): In the initial days of dial-up networking, phone lines were used to establish the dial-up connection. With POTS, the amount of data that could be passed was initially limited because analog components caused signal loss. This has since improved, as the connections between phone offices have become all-digital signal paths.
Integrated Services Digital Network (ISDN): ISDN uses an all-digital signal path and includes features such as caller ID, call forwarding, and fast call setup times.
Point-to-Point Protocol (PPP): PPP uses a three-way negotiation process to enable devices to establish a TCP/IP connection over a serial connection. The device that initiates the establishment of the TCP/IP connection is called the client. The device that receives the request to establish the connection is referred to as the server. The following protocols operate above PPP to enable the PPP negotiation process:
o Link Control Protocol (LCP): LCP deals with the establishment of the lower PPP connection. LCP is used for two devices to initially come to agreement on establishing a PPP link.
o Callback Control Protocol (CBCP): used to negotiate callback-specific operations, such as whether callback is permitted, and if and when it should occur.
o IP Control Protocol (IPCP): used to negotiate the IP parameters that should be used for the PPP connection.
o Internet Protocol (IP): IP makes it possible for IP datagrams to be exchanged over the connection.
Remote access
Intranet access
Extranet access
Remote access VPNs provide a common environment where many different parties, such as intermediaries, clients and off-site employees, can access information via web browsers or email. Many companies supply their own VPN connections via the Internet. Through their ISPs, remote users running VPN client software are assured private access in a publicly shared environment. By using analog, ISDN, DSL, cable technology, dial-up and mobile IP, VPNs are implemented over extensive shared infrastructures. Email, database and office applications use these secure remote VPN connections.
Remote access VPNs offer a number of advantages, including:
New users can be added at hardly any cost and with no extra expense to the infrastructure.
Remote access VPNs call local ISP numbers. VPNs can be established from anywhere via the Internet.
Cable modems enable fast connectivity and are relatively cost efficient.
Information is easily and speedily accessible to off-site users in public places via Internet availability and connectivity.
Unicast IP datagrams
ATM
IP-in-IP (IPinIP)
3. If the client is authenticated, the client and server start a negotiation process. During negotiation, the client and server agree on the encryption algorithm and the parameters that should be used for the VPN connection.
4. The VPN session or connection is established.
The process that occurs to convert an IP datagram to a Point-to-Point Tunneling Protocol
(PPTP) packet is outlined below:
1. Data is created by an application for a specific remote host.
2. At the client end, the data then becomes an IP datagram. This is done by adding a TCP
header and IP header to the data. At this point the packet contains all the information
needed to be transmitted by IP.
3. The client then establishes a connection through PPP to add the PPP header to the IP
datagram. At this stage the packet becomes a PPP frame.
4. The next step in the process is for the VPN to encrypt the PPP frame. This ensures that the data is sent over the Internet in an undecipherable format.
5. A Generic Routing Encapsulation (GRE) header is added to the encrypted payload, to
indicate that the packet is an encapsulated PPTP packet.
6. The PPTP stack adds an IP header to indicate the destination address of the VPN server.
7. The packet is then routed to the VPN server.
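Added example, not from the original document: the encapsulation steps above carried out in code and then parsed back from the outside, the way a packet filter or sensor would see a PPTP data packet. The outer framing follows RFC 2637 (enhanced GRE, protocol type 0x880B); the addresses, call ID and application data are constructed, and the MPPE encryption of step 4 is replaced by a clearly labelled stand-in, since only the layering is being shown.

```python
"""Build a PPTP data packet (IP -> PPP -> [protected] -> GRE -> outer IP) and parse it."""
import socket
import struct

IPPROTO_GRE = 47          # IP protocol number of GRE; a filter must allow it for PPTP data
GRE_PROTO_PPTP = 0x880B   # protocol type PPTP places in the enhanced GRE header (RFC 2637)
PPP_IPV4 = 0x0021         # PPP protocol field: IPv4 datagram
PPP_MPPE = 0x00FD         # PPP protocol field: compressed/encrypted datagram


def ip_checksum(data: bytes) -> int:
    """RFC 791 ones-complement checksum; a valid header checksums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header without options."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def stand_in_protect(ppp_frame: bytes) -> bytes:
    """Placeholder for step 4 (MPPE). This is NOT encryption: a fixed XOR so the example
    round-trips; it only marks where the real cipher sits in the layering."""
    return struct.pack("!H", PPP_MPPE) + bytes(b ^ 0xA5 for b in ppp_frame)


def stand_in_unprotect(payload: bytes) -> bytes:
    """Reverse of the stand-in above (strip the 0x00FD protocol field, undo the XOR)."""
    return bytes(b ^ 0xA5 for b in payload[2:])


def encapsulate(app_data: bytes, inner_src: str, inner_dst: str, dst_port: int,
                client_ip: str, server_ip: str, call_id: int, seq: int) -> bytes:
    """Steps 2-6 of the text: IP datagram -> PPP frame -> protected -> GRE -> outer IP."""
    # Step 2: a TCP header and an IP header around the application data (dummy TCP fields).
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 1, 0, 5 << 4, 0x18, 8192, 0, 0)
    ip_datagram = ipv4_header(inner_src, inner_dst, 6, len(tcp) + len(app_data)) + tcp + app_data
    # Step 3: the PPP header turns the datagram into a PPP frame.
    ppp_frame = struct.pack("!H", PPP_IPV4) + ip_datagram
    # Step 4: the PPP frame is encrypted (stand-in here).
    protected = stand_in_protect(ppp_frame)
    # Step 5: enhanced GRE header: K (key) and S (sequence) bits set, version 1; the key
    # field carries payload length and PPTP call ID, then the sequence number follows.
    gre = struct.pack("!HHHHI", 0x3001, GRE_PROTO_PPTP, len(protected), call_id, seq)
    # Step 6: outer IP header addressed to the VPN server, protocol 47.
    return ipv4_header(client_ip, server_ip, IPPROTO_GRE, len(gre) + len(protected)) + gre + protected


def parse_pptp_gre(packet: bytes):
    """Recognise a PPTP data packet from the outside and return its GRE fields,
    or None when the packet is not PPTP-over-GRE."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_GRE or ip_checksum(packet[:ihl]) != 0:
        return None
    flags_ver, gre_proto, payload_len, call_id = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    if gre_proto != GRE_PROTO_PPTP or (flags_ver & 0x0007) != 1 or not flags_ver & 0x2000:
        return None
    offset = ihl + 8
    seq = ack = None
    if flags_ver & 0x1000:            # S bit: sequence number present
        seq, = struct.unpack("!I", packet[offset:offset + 4])
        offset += 4
    if flags_ver & 0x0080:            # A bit: acknowledgement number present
        ack, = struct.unpack("!I", packet[offset:offset + 4])
        offset += 4
    return {"outer_src": socket.inet_ntoa(packet[12:16]),
            "outer_dst": socket.inet_ntoa(packet[16:20]),
            "call_id": call_id, "seq": seq, "ack": ack, "payload_len": payload_len,
            "payload": packet[offset:offset + payload_len]}


if __name__ == "__main__":
    pkt = encapsulate(b"hello", "10.0.0.5", "10.0.0.10", 80,
                      "203.0.113.7", "198.51.100.9", 0x1234, 7)
    print(parse_pptp_gre(pkt))
```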
A better method than using PPTP tunneling is L2TP/IPSec tunneling:
1. A secure encrypted session is established between the client and server.
2. At this stage the client establishes an L2TP tunnel to the server.
3. The server then sends the client an authentication challenge.
4. The client responds to the server's challenge, and uses encryption when it sends its challenge response.
5. The server then verifies that the challenge response received from the client is valid. If the response is valid, the connection is accepted.
Installing the Routing and Remote Access Service
How to enable Routing and Remote Access using the Manage Your Server Wizard
1. Click Start, and then click Manage Your Server.
2. Select the Add or remove a role option.
3. The Configure Your Server Wizard starts.
4. On the Preliminary Steps page, click Next.
5. A message appears, informing you that the Configure Your Server Wizard is detecting
network settings and server information.
6. When the Server Role page appears, select the Remote Access/VPN Server option and
then click Next.
7. On the Summary of Selections page, click Next.
8. The Welcome to the Routing and Remote Access Server Setup Wizard page is displayed.
How to install the Routing and Remote Access Services
1. Click Start, Administrative Tools, and then select Routing And Remote Access to open the
Routing And Remote Access management console.
2. In the console tree, select the remote access server that you want to configure. Select the Action menu, and then select Configure and Enable Routing and Remote Access. Alternatively, you can right-click the server that you want to configure, and then select Configure and Enable Routing and Remote Access from the shortcut menu.
3. The Routing and Remote Access Server Setup Wizard initiates.
4. On the initial page of the Routing and Remote Access Server Setup Wizard, click Next.
5. On the Configuration page, select the Remote Access (Dial-Up Or VPN) option and then
click Next.
6. On the Remote Access page, select either the VPN server checkbox, or the dial-up server
checkbox, or both of these checkboxes. Click Next.
7. When the Macintosh Guest Authentication page is displayed, click the Allow
Unauthenticated Access For All Remote Clients option if you want the RRAS server to
accept anonymous remote access. Click Next.
8. On the IP Address Assignment page, accept the default setting of Automatically, or select
the From A Specified Range Of Addresses button. Click Next.
9. On the Managing Multiple Remote Access Servers page, select the No, Use Routing And
Remote Access To Authenticate Connection Requests option, and then click Next.
10. On the Summary page, click Finish.
11. The RRAS service starts.
The Routing And Remote Access console is the graphical user interface used to manage and
configure routing properties.
To access the Routing And Remote Access console
1. Click Start, Administrative Tools, and then click Routing And Remote Access.
If Routing And Remote Access is only configured for LAN routing, then the following primary
nodes are present in the console tree of the RRAS console:
IP Routing node
If you want to add a dial-up connection, VPN connection or PPPoE connection to the Routing
And Remote Access console, you have to manually add it to the Network Interfaces node. If
you have already enabled the Routing And Remote Access Service, and you add a new
network adapter, then you have to manually add the new network adapter to the IP Routing
node.
How to manually add a dial-up connection, VPN connection or PPPoE connection
1. Click Start, Administrative Tools, and then select Routing And Remote Access to open the
Routing And Remote Access console.
2. In the console tree, select the Network Interfaces node.
3. Right-click the Network Interfaces node and then select New Demand-Dial Interface from
the shortcut menu.
4. The Demand Dial Interface Wizard starts.
5. Follow the prompts of the Demand Dial Interface Wizard to manually add the dial-up
connection, VPN connection or PPPoE connection.
How to manually add a new network adapter
1. Click Start, Administrative Tools, and then select Routing And Remote Access to open the
Routing And Remote Access console.
2. In the console tree, right-click the General node (under IP Routing), and then select New Interface from the shortcut menu.
3. Select the Interface that you want to add. Click OK.
Configuring the Routing And Remote Access Service Properties
Routing And Remote Access Service properties are configured in the Routing And Remote
Access console, using the RRAS server's Properties dialog box.
The configuration settings that you can configure through the properties sheet of the remote
access server include:
Routing
Demand-dial
Authentication settings
Logging options
To access the Properties dialog box of the remote access server to configure RRAS properties
1. Click Start, Administrative Tools, and then select Routing And Remote Access to open the
Routing And Remote Access console.
2. In the console tree, select the remote access server that you want to configure, and then
select Properties from the Action menu; OR right-click the server in the console tree and
then select Properties from the shortcut menu.
The remote access server's Properties dialog box contains the tabs listed below. The
configuration settings that you can configure on each of these tabs for the remote access
server are explained as well.
General tab: The settings on the General tab enable you to configure the Routing And
Remote Access Service as a:
LAN router
Demand-dial router
Security tab: The configuration security settings that you can configure on the Security
tab are:
Authentication methods
IP tab: The IP tab is used to configure routing properties to route IP packets over LAN
connections, remote access connections, or demand-dial connections. The options
available are the Enable IP Routing checkbox, and the Allow IP-Based Remote Access
And Demand Dial Connections checkbox. The IP Address Assignment section of the IP tab
is used to configure the manner in which the IP addresses are assigned to remote access
clients. The available options are the Dynamic Host Configuration Protocol (DHCP) option
and the Static Address Pool option. If you select the Static Address Pool option, you have
to specify the address range that the Routing And Remote Access service will use to
assign addresses to remote access clients. The last setting on the IP tab is the Enable
Broadcast Name Resolution checkbox, which is enabled by default.
PPP tab: The options available on the PPP tab are used to configure PPP-specific options. Each option on the tab is enabled by default:
Multilink Connections: when enabled, multilink connections are allowed from remote access clients.
Dynamic Bandwidth Control Using BAP Or BACP: when enabled, multilink connections either add or drop PPP connections based on the available bandwidth.
Link Control Protocol (LCP) Extensions: when enabled, advanced PPP features are supported.
Software Compression: when enabled, RRAS can compress the PPP data.
Logging tab: On this tab, you can configure Routing And Remote Access logging options:
You can also enable the option to log additional information for debugging purposes.
Configuring General IP Routing Properties
There are a few Routing And Remote Access service features that apply to IP routing as a whole. These IP routing features are configured using the Properties dialog box of the General node in the Routing And Remote Access console. The General node can be found within the IP Routing node in the console tree.
To open the Properties dialog box of the General node
1. Click Start, Administrative Tools, and then select Routing And Remote Access to open the
Routing And Remote Access console.
2. In the console tree, expand the IP Routing node.
3. Right-click the General node, and then select Properties from the shortcut menu.
4. The General Properties dialog box contains three tabs: Logging tab, Preference Levels tab, and Multicast Scopes tab.
o Logging tab: The options available on the Logging tab pertain to IP routing events that are recorded in the Event log. The options available on the Logging tab are:
o Preference Levels tab: The options available on the Preference Levels tab are used to set the priority of routes that were obtained from a number of sources.
9. If the server Properties dialog box has a NetBEUI tab, click the NetBEUI tab. Clear the
Allow NetBEUI-Based Remote Access Clients To Access checkbox.
10. Click OK.
Control access through the Dial-in Properties of an individual user account. This is the
account that remote access clients utilize to connect to the network.
You can use Remote Authentication Dial-In User Service (RADIUS) to provide
authentication, authorization, and accounting for your remote access implementation.
Planning Remote Access Security
You should include planning of remote access security when planning your overall remote access solution. A few issues
Not all users in an organization require remote access. You should therefore identify
those users that need remote access and configure only these users to have remote
access. Authentication can be used to restrict remote access to only those users that are
specified for remote access. You can use remote access policies to define the
requirements (conditions) that users must match to obtain remote access.
In addition, not all users need to access the entire network. You should restrict access to
the remote access server for those users that only need to access the remote access
server to complete their tasks.
Because not all users need to have access to all resources, you can use permissions to allow different users different levels of remote access.
Users can also be restricted to specific applications only. You do this by configuring
packet filters to allow traffic that uses specific protocols and port numbers only.
For dial-in access, you would want to control which users are able to remotely access the
network:
You can allow or disallow remote access for individual users. You can configure individual
user access through the Properties dialog box of a specific user, on the Dial-in tab.
The Active Directory Users and Computers management console is the tool used to
access the Properties dialog box of a specific user account.
You can allow or disallow remote access by configuring remote access policies. This method allows you to specify remote access rights based on various criteria, such as user, group, and time of day. The settings specified on the Properties dialog box of a specific user, on the Dial-in tab, dictate whether a user is affected by remote access policies. The different settings on the Dial-in tab of the Properties dialog box of a particular user are:
o Allow Access: the user is allowed to remotely access the network. The remote access policies are not included in the decision.
o Deny Access: the user is denied permission to remotely access the network.
o Control Access Through Remote Access Policy: the remote access policies dictate whether or not the user is allowed remote access.
Remote access policies can also be used to further restrict remote connections after they
have been authorized by the Routing and Remote Access Service (RRAS), based on the
following:
o IP packet filters
o Encryption strength
When planning a VPN remote access strategy, the security specific requirements that you
need to clarify are discussed next. The placement of the VPN servers could dictate that you
implement additional security measures.
If you place the VPN server on the private internal network, the firewall has to allow traffic to the VPN server.
If you place the VPN server on the perimeter network, you need to do the following:
o On the VPN server, configure inbound and outbound filters that allow VPN traffic to and from the Internet interface of the VPN server.
You would also need to determine which VPN protocols to utilize. You can support the use of
one or both of the VPN protocols:
The factors to consider when deciding on which VPN protocol to use are:
Windows 95, Windows 98, Windows ME, Windows NT 4.0, Windows 2000, Windows XP and Windows Server 2003 support PPTP.
Only Windows 2000, Windows XP and Windows Server 2003 support L2TP.
Public Key Infrastructure (PKI) requirements: A Public Key Infrastructure (PKI) is needed for the mutual authentication of the VPN server and the client. Certificates need to be installed on the VPN server and VPN clients. In addition to this, user authentication needs
IPSec requirement: L2TP can be used with IPSec to provide encryption. If you need
authentication for the VPN server and the client, then you need to be able to support
L2TP. Only L2TP over IPSec can provide data integrity.
The following section examines the differences between the VPN protocols, and when each
protocol should be implemented:
The VPN traffic must pass through a firewall or perimeter server that performs NAT. The only VPN protocol that can pass through NAT is PPTP.
The server is not located behind a firewall or a perimeter server that performs NAT.
IPSec tunnel mode should be implemented when the following statements are true:
For VPN remote access, the different levels of encryption that you can configure are:
Basic encryption: This option is also not frequently used because the weaker 40-bit key
is used for encryption.
When planning a wireless remote access strategy, the security specific requirements that
need to be considered are summarized below:
Remote access policies that allow wireless users to connect to the network have to be
configured.
For Wireless Access Points (WAPs) to use IAS authentication, the following additional configurations are necessary:
o Each WAP must be added as a RADIUS client in the IAS MMC snap-in.
o On the WAP, you have to enable RADIUS authentication and define the primary and backup IAS servers.
Because security is a high priority for wireless networks, WAPs and adapters that support
the elements listed next should be used:
Firmware updates
Whether the Wi-Fi Protected Access (WPA) protocol or the Wired Equivalent Privacy
(WEP) protocol will be used.
For the WEP protocol, determine whether 64-bit or 128-bit encryption will be used.
In the Remote Access Permission (Dial-in Or VPN) area, you can select one of the
following options:
o Allow Access: The Allow Access option allows remote access for the specific user account. The Allow Access option overrides any settings specified through remote access policies.
o Deny Access: The Deny Access option prevents remote access for the specific user account.
o Control Access Through Remote Access Policy: When you select the Control Access Through Remote Access Policy option, whether or not the user is allowed remote access is determined by the remote access policies applied to the connection.
You can enable the Verify Caller ID checkbox to specify the phone number of the user
that should be verified before the remote access connection can be established. A
connection will only be established if the number that the user is calling from
corresponds with the number configured here.
The Callback Options area of the Dial-in tab is where you specify the following:
o No Callback
o Set By Caller
Callback Security is a feature that you can use for dial-in connections. When enabled, and a
remote access client establishes a connection through Callback, the call is disconnected and
the client is called back. You can enable either of the following methods of the Callback
Security feature.
A few guidelines for setting Dial-in Properties of a user account are summarized below:
If you want to prevent the user from remotely accessing the network, set the remote
access permission for the specific user account to the Deny Access option.
If you want to restrict your remote access clients to only certain network segments,
configure static routes for the remote access client which specifies those network
segments that they can access.
If you want to allow or deny remote access based on policies, select the Control Access
Through Remote Access Policy option for the particular user account.
If you want to assign a particular IP address for each remote access connection attempt made by a particular user, specify the IP address in the Assign A Static IP Address field.
If you want dial-up connections to use a particular phone number, set the value of the
Verify Caller ID field to the specific phone number.
Extensible Authentication Protocol (EAP): EAP is used for network and dial-up authentication. It allows the Routing and Remote Access Service to use authentication protocols provided by Windows 2000 and Windows Server 2003 together with third-party authentication protocols and mechanisms such as smart cards. EAP offers mutual authentication, and provides for the negotiation of encryption methods. To secure the authentication process, the EAP authentication method utilizes Transport Layer Security (TLS). If you want to use the EAP authentication method, select the Extensible Authentication Protocol (EAP) checkbox, and then click the EAP Methods button to open the EAP Methods dialog box:
EAP-RADIUS
Unencrypted Password (PAP): PAP uses plain text passwords and no encryption. PAP is
only provided as an authentication method for those clients that do not support any of
the previously mentioned, more secure authentication methods.
Allow Remote Systems To Connect Without Authentication: This option allows remote
access clients to connect to the remote access servers with no authentication.
Of the above-mentioned authentication methods, the following password-based authentication methods are considered weak for securing remote access. It is recommended that you disable these authentication methods:
SPAP should be used when Shiva Remote Access servers are being used for Network
Access Servers (NASs). You cannot use SPAP if you require strong encryption methods
for remote access connections. Both SPAP and PAP offer low levels of security.
PAP should only be used when none of the other authentication methods are supported
by your remote access clients.
CHAP: CHAP provides a medium level of security for remote access connections. CHAP
should be used when your remote access clients use Microsoft operating systems (OSs)
and other OSs. Remember that CHAP requires passwords to be stored in reversible
encrypted format on domain controllers.
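Added example, not from the original document: the CHAP exchange (RFC 1994) behind the paragraph above, with the packet layout and the MD5 response computation. The server side shows why the remark about reversibly encrypted passwords holds: the authenticator has to feed the user's cleartext secret into the hash, so a one-way password hash is not enough. User names, secrets and the server name are constructed.

```python
"""CHAP (RFC 1994) challenge/response: packet encoding, peer response, authenticator check."""
import hashlib
import hmac
import os
import struct

CHAP_CHALLENGE, CHAP_RESPONSE = 1, 2


def chap_packet(code: int, identifier: int, value: bytes, name: bytes) -> bytes:
    """Code | Identifier | Length | Value-Size | Value | Name (RFC 1994 section 4)."""
    length = 5 + len(value) + len(name)
    return struct.pack("!BBHB", code, identifier, length, len(value)) + value + name


def parse_chap(packet: bytes):
    """Return (code, identifier, value, name) from a Challenge or Response packet."""
    code, identifier, length, value_size = struct.unpack("!BBHB", packet[:5])
    value = packet[5:5 + value_size]
    name = packet[5 + value_size:length]
    return code, identifier, value, name


def chap_response_value(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Response value = MD5(Identifier || secret || Challenge value)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side. It must hold each user's secret in recoverable form (cleartext here,
    reversibly encrypted on a domain controller): the MD5 above needs the secret itself,
    so a store holding only a one-way hash of the password could never verify a peer."""

    def __init__(self, secrets: dict):
        self.secrets = secrets            # user name -> cleartext secret (constructed)
        self.outstanding = {}             # identifier -> challenge value awaiting a response

    def challenge(self, identifier: int, server_name: bytes = b"rras01") -> bytes:
        value = os.urandom(16)            # fresh, unpredictable challenge each time
        self.outstanding[identifier] = value
        return chap_packet(CHAP_CHALLENGE, identifier, value, server_name)

    def verify(self, response_packet: bytes) -> bool:
        code, identifier, value, name = parse_chap(response_packet)
        challenge = self.outstanding.pop(identifier, None)   # each challenge is usable once
        secret = self.secrets.get(name.decode(errors="replace"))
        if code != CHAP_RESPONSE or challenge is None or secret is None:
            return False
        expected = chap_response_value(identifier, secret, challenge)
        return hmac.compare_digest(expected, value)


def chap_peer_response(challenge_packet: bytes, name: bytes, secret: bytes) -> bytes:
    """Client side: answer a Challenge packet with a Response packet."""
    code, identifier, challenge, _server_name = parse_chap(challenge_packet)
    if code != CHAP_CHALLENGE:
        raise ValueError("not a CHAP Challenge packet")
    return chap_packet(CHAP_RESPONSE, identifier,
                       chap_response_value(identifier, secret, challenge), name)


if __name__ == "__main__":
    auth = ChapAuthenticator({"alice": b"correct horse"})
    challenge_pkt = auth.challenge(7)
    print(auth.verify(chap_peer_response(challenge_pkt, b"alice", b"correct horse")))
```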
MS-CHAP: MS-CHAP should be used when the following statements are true:
o Data needs to be encrypted between the remote access client and the Network Access Server (NAS).
o Mutual authentication is required for the remote access client and the Network Access Server (NAS).
o Windows 95 clients and Windows 98 clients are only being utilized for VPN authentication.
o Windows NT 4.0 clients and Windows 2000 clients are utilized for dial-up authentication and VPN authentication.
EAP-TLS: EAP-TLS also provides a high level of protection for remote access connections,
and should be used when the following statements are true:
o Mutual authentication is required for the remote access client and the Network Access Server (NAS).
o Data needs to be encrypted between the remote access client and the Network Access Server (NAS).
User
Group membership
Time of day
The Grant or Deny setting of a specific policy determines whether the user is allowed or
denied access.
When a user attempts to establish a connection, the remote access policies are evaluated to determine whether the user is permitted to access the remote access server. The user is only allowed access once all the conditions in the remote access policy are matched. When more than one remote access policy is configured, you can define the order in which they are to be applied. You do this by specifying the order number or priority of each remote access policy.
A few conditions that remote access policies can compel clients to meet are listed below:
Framed protocol; indicates the data-link layer protocol which clients have to utilize.
Day and time restrictions; indicates which day of the week and the time of the day that
the user can connect.
Tunnel type; for VPN clients, it defines the data-link layer protocol that these clients
must utilize.
Windows groups; indicates which groups users have to be a member of if they want to
connect to the remote access server.
The different attribute types that can be evaluated in a remote access policy are:
Called Station ID; the network access server's (NAS) phone number.
Framed Protocol; IAS uses this to determine the frame type of the incoming packets.
Tunnel Type; the type of tunnel (PPTP, L2TP) that should be used.
Windows Groups; the groups whose members are allowed access to the remote access server.
You can also use remote access policies to configure further restrictions once the connection attempt is authorized by the RRAS. Connections can be restricted through remote access policies, based on the following elements:
Encryption strength
IP packet filters
How the Routing and Remote Access Service (RRAS) applies remote access policies when multiple policies are configured
You can define the order in which remote access policies should be applied to connections
through the Routing and Remote Access management console. You simply have to select
the remote access policy in the details pane and click the Action menu and then click either
the Move Up command or the Move Down command.
The order that the Routing and Remote Access Service (RRAS) applies remote access
policies is illustrated below:
1. The Routing and Remote Access Service (RRAS) evaluates the connection attempt against the first remote access policy. The connection is rejected if there are no configured remote access policies in the list.
2. If the connection does not meet each condition specified in the initial remote access
policy, then the Routing and Remote Access Service (RRAS) proceeds to check the
connection against the second remote access policy specified in the list.
3. If the connection does not meet all of the conditions of any of the remote access policies,
the attempted connection is rejected.
4. If the Ignore-User-Dialin-Properties attribute has a value of False, the Routing and
Remote Access Service (RRAS) proceeds to check what the remote access permission
setting for the specific user account is.
1. If the Deny Access option is configured for the user account, the attempted
connection is rejected.
2. If the Allow Access option is configured, the user account and profile properties are
applied to the connection. If the user account and profile properties match the
connection attempt, the connection is allowed. If it does not match, RRAS rejects the
attempted connection.
3. If the Control Access Through Remote Access Policy option is configured, the remote
access permission setting of the policy is checked. If Allow Access is specified, RRAS
checks whether the user account and profile properties match the connection attempt.
If so the connection is allowed. If not, the connection is rejected.
5. If the Ignore-User-Dialin-Properties attribute has a value of True, the Routing and
Remote Access Service (RRAS) proceeds to check what the remote access permission
setting of the policy indicates:
1. If Allow Access is specified, RRAS checks whether the user account and profile properties match the connection attempt. If so, the connection is allowed. If not, the connection is rejected.
2. If Deny Access is specified, the attempted connection is rejected.
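Added example, not from the original document: a model of the evaluation order listed in the steps above, so the interplay of policy order, the account's Dial-in permission and the Ignore-User-Dialin-Properties attribute can be tried out. Policies, user accounts and connection attempts are constructed; attribute names such as windows_group, tunnel_type and caller_id are illustrative labels, not the IAS attribute names.

```python
"""Model of RRAS remote access policy evaluation (steps 1-5 of the text)."""
from dataclasses import dataclass, field

ALLOW = "Allow Access"
DENY = "Deny Access"
CONTROL_BY_POLICY = "Control Access Through Remote Access Policy"


@dataclass
class Policy:
    name: str
    conditions: dict                     # attribute -> set of acceptable values; ALL must match
    permission: str                      # the policy's Grant (ALLOW) or Deny (DENY) setting
    profile: dict = field(default_factory=dict)   # profile constraints checked after authorization
    ignore_user_dialin: bool = False     # the Ignore-User-Dialin-Properties attribute


@dataclass
class UserAccount:
    name: str
    permission: str                      # Dial-in tab: ALLOW, DENY or CONTROL_BY_POLICY
    dialin_properties: dict = field(default_factory=dict)   # e.g. {"caller_id": "5551000"}


def conditions_match(conditions: dict, attempt: dict) -> bool:
    """Every configured condition must be met by the connection attempt."""
    return all(attempt.get(attr) in allowed for attr, allowed in conditions.items())


def properties_match(policy: Policy, user: UserAccount, attempt: dict, use_account: bool) -> bool:
    """Profile constraints, plus the account's dial-in properties unless they are ignored."""
    if not conditions_match(policy.profile, attempt):
        return False
    if use_account:
        return all(attempt.get(key) == value for key, value in user.dialin_properties.items())
    return True


def evaluate(policies: list, user: UserAccount, attempt: dict) -> tuple:
    """Return (decision, reason) following the numbered steps in the text."""
    # Step 1: no remote access policies at all -> the connection is rejected.
    if not policies:
        return DENY, "no remote access policies configured"
    # Steps 2-3: the first policy, in list order, whose conditions all match; none -> reject.
    policy = next((p for p in policies if conditions_match(p.conditions, attempt)), None)
    if policy is None:
        return DENY, "no policy's conditions matched the connection attempt"
    # Step 4: Ignore-User-Dialin-Properties is False -> the account's permission is consulted.
    if not policy.ignore_user_dialin:
        if user.permission == DENY:
            return DENY, f"{policy.name}: account permission is Deny Access"
        if user.permission == ALLOW:
            if properties_match(policy, user, attempt, use_account=True):
                return ALLOW, f"{policy.name}: account allows, properties match"
            return DENY, f"{policy.name}: account allows, but properties do not match"
        # Control Access Through Remote Access Policy: the policy's own permission decides.
        if policy.permission == ALLOW and properties_match(policy, user, attempt, use_account=True):
            return ALLOW, f"{policy.name}: policy grants, properties match"
        return DENY, f"{policy.name}: policy denies or properties do not match"
    # Step 5: Ignore-User-Dialin-Properties is True -> the account's dial-in properties are
    # exactly what the attribute tells RRAS to ignore, so only the policy and profile count.
    if policy.permission == ALLOW and properties_match(policy, user, attempt, use_account=False):
        return ALLOW, f"{policy.name}: policy grants (account dial-in properties ignored)"
    return DENY, f"{policy.name}: policy denies or profile does not match"


if __name__ == "__main__":
    vpn = Policy("VPN users", {"windows_group": {"VPN-Users"}, "tunnel_type": {"PPTP", "L2TP"}},
                 ALLOW, profile={"tunnel_type": {"L2TP"}})
    catch_all = Policy("Deny everything else", {}, DENY)
    alice = UserAccount("alice", CONTROL_BY_POLICY)
    print(evaluate([vpn, catch_all], alice, {"windows_group": "VPN-Users", "tunnel_type": "L2TP"}))
```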
A few recommendations for implementing remote access policies are discussed next:
Because all conditions in a remote access policy have to be matched for a remote access
connection attempt to be allowed, it is wise to not configure a large number of conditions
for each remote access policy.
Ensure that the correct condition is applied to each remote access policy. You should not
include a remote access policy condition that cannot be matched or met.
Specify the correct order in which the Routing and Remote Access Service (RRAS) must process the remote access policies. Remote access policies that have more specific conditions should be applied to connections before remote access policies that include more general conditions are applied.
Remember that if no remote access policies are defined in the list, then all remote access
attempts will simply be denied. A remote access policy that allows remote access
connections 24 hours a day is enabled by default.
The number of minutes that a connection can remain idle before the server disconnects it.
Specify whether users are allowed to modify expired passwords through MS-CHAP and
MS-CHAP v2.
Specify that the remote access server determines how IP addresses are assigned.
Enable multilink.
Specify the RADIUS attributes that are returned by the IAS server to the RADIUS
client.
A few guidelines for implementing remote access profiles are summarized below:
If you want to restrict remote access connections to a certain phone number only, then
you have to configure dial-in constraints to restrict connections to this phone number.
If you want to ensure that idle remote access connections are not utilizing your available
remote access ports, then you have to configure dial-in constraints to disconnect idle
connections once a predefined time elapses.
If you want clients to use a particular authentication protocol, configure a remote access
profile to only accept connections that are using this specific authentication protocol.
Remember that if you do this, then all connections which are not utilizing the specified
authentication protocol will be rejected.
If you want clients to only use a specific encryption strength, then configure a remote
access profile to allow only this specific encryption strength.
If you want to restrict remote access connections to only certain protocols, configure IP
packet filters to only allow these protocols.
There are a number of technologies that enable remote network connections, including:
Frame Relay: This is a WAN technology that uses other hardware components to establish remote site connections. A frame relay connection uses a standard leased line which connects the network site to the frame relay provider's nearest point of presence (POP). The frame relay provider then delivers the connection to the frame relay cloud. In order to use the frame relay provider for a LAN-to-LAN connection, you have to install a leased line at each site which connects the network to the nearest point of presence (POP) of the frame relay provider. The frame relay provider is then responsible for connecting the lines to the same frame relay cloud so that a connection can be established between the two networks. The benefits of using the frame relay WAN technology are:
o Each of your sites can be connected to a local point of presence (POP), which in turn leads to reduced cost of the leased lines.
o You can connect to multiple sites using a single frame relay connection.
o Contracted bandwidth can be exceeded when heavy traffic conditions are present.
Leased lines: Dedicated leased lines are also typically used to connect remote networks. While dedicated leased lines are commonly used for WAN links to enable remote network connectivity, purchasing and maintaining leased lines is expensive. In addition to this, you have to pay for the allocated bandwidth all the time. This is due to leased lines being classed as persistent connections, meaning that the connections are permanent and remain open all the time.
Dial-on-demand connections: While the WAN connections provided by Integrated Services Digital Network (ISDN) and standard asynchronous modems are typically slower than dedicated leased lines, they can be disconnected at any time, and can also be used to enable connectivity to different locations. One of the main characteristics of dial-on-demand connections is that you pay only for the bandwidth that you actually use.
Virtual private networks (VPNs): Remote access VPNs provide a common environment
where many different parties, such as intermediaries, clients and off-site employees, can
access information via web browsers or email. Many companies supply their
own VPN connections via the Internet. Through their ISPs, remote users running VPN
client software are assured private access in a publicly shared environment. By using
analog, ISDN, DSL, cable technology, dial and mobile IP, VPNs are implemented over
extensive shared infrastructures. Remote access VPNs offer a number of advantages:
WAN circuit and modem costs are eliminated, cable modems enable fast connectivity and
are relatively cost efficient, new users can be added at hardly any cost, and information
is easily and quickly accessible to off-site users through Internet connectivity.
The Routing and Remote Access Service (RRAS) provides multiprotocol routing services for
Microsoft Windows 2000 Server and Windows Server 2003 computers. RRAS includes a wide
variety of features that support unicast and multicast IP routing, IPX routing, AppleTalk
routing, and remote access.
Determine whether your existing servers can be modified and configured to enable
remote access.
Determine what dial-in connection security and VPN connection security mechanism need
to be implemented.
From a user's perspective, a few issues that need to be addressed initially are:
Determine whether clients' current Internet connections can be used for VPN
connections.
Dial-in remote access: Dial-in remote access uses modems and servers running the
Routing and Remote Access Service (RRAS). To enable communication, dial-in access
uses the Point-to-Point Protocol (PPP). The advantages of using dial-in remote access
are:
o When high bandwidth is not a requirement, modem access is reliable and its speed is
consistent.
o Security features such as caller ID verification and callback security can be used.
VPN remote access: A VPN provides secure and advanced connections through a nonsecure
network. With VPN access, encryption is used to create the VPN tunnel between
the remote client and the corporate network. The advantages of using VPN access are:
o An unlimited number of client connections can be accepted over a single Internet
connection.
o You can easily modify existing Internet connections to enable VPN access.
o If clients can use a broadband Internet connection, more bandwidth is available than
that provided by dial-in access.
o To secure VPN access, Windows Server 2003 provides strong levels of encryption.
Wireless remote access: Wireless networks are defined by the IEEE 802.11 specification.
With wireless networks, wireless users connect to the network by connecting to a
wireless access point (WAP). Wireless networks do not have the inbuilt physical security
of wired networks, and are unfortunately more prone to attacks from intruders. To
secure wireless networks and wireless connections, administrators can require all
Dial-up client: A dial-up client uses a physical connection to the remote access server to
establish a connection to it. A dial-up client can access resources in much the same
manner as if it were physically connected to the network. Dial-up clients can:
o Share files.
o Map network drives, and perform other operations, based on the access that is
allowed.
You should use a dial-up client when the following conditions are present:
o The Internet cannot be used to access resources on the corporate network because of
security issues.
VPN client: A VPN client utilizes the Internet, tunneling and TCP/IP protocols to establish
a connection to the network.
Wireless client: These clients connect to the network through radio frequencies such as
infrared frequencies.
Plain old telephone service (POTS): In the early days of dial-up networking, phone lines
were used to establish the dial-up connection. The amount of data that could be passed
was initially limited because analog components caused signal loss. This has since
improved as the connections between phone offices have become all-digital connection
paths.
Integrated Services Digital Network (ISDN): ISDN uses an all-digital signal path and
includes features such as caller ID, call forwarding, and fast call setup times.
Point-to-Point Protocol (PPP): The Point-to-Point Protocol (PPP) uses a three-way PPP
negotiation process to enable devices to establish a TCP/IP connection over a serial
connection. A number of protocols operate above PPP to enable the PPP negotiation
process, such as Challenge Handshake Authentication Protocol (CHAP), Callback Control
Protocol (CBCP), Compression Control Protocol (CCP), IP Control Protocol (IPCP) and
Internet Protocol (IP).
You need to provide for the initial cost of setting up a dial-up networking infrastructure;
this includes the cost of:
Modems
Phone lines
Communication hardware
Server hardware
The cost of dial-in remote access increases as more phone lines are added for remote
access. The number of remote access users also affects the cost component of dial-up
networking.
The main factors or issues that you need to clarify when planning a dial-up networking
strategy are:
The method you will use to assign IP addresses to clients: The methods that you can
select between for assigning IP addresses to clients are:
o Configure the RRAS server to assign IP addresses to clients, using a static address
pool defined on the RRAS server: In this method, you have to configure the static
address pool on the RRAS server. A few factors to consider on static address
assignment are:
Each address assigned has to be unique. You therefore have to ensure that the
static address pool configured for the RRAS server does not overlap with the
address range defined for your DHCP server.
For multiple RRAS servers, the static address pool has to be unique for each RRAS
server.
o Configure the RRAS server to request IP addresses for clients from a DHCP
server: This method is more feasible than using a static address pool. Remote access
The type of incoming ports and the number of incoming ports you will need: The factors
that fall within this dial-up networking planning component are:
o The number of remote access users who would simultaneously need to access the
network.
o The bandwidth available on the connection of the RRAS server to the LAN.
The security you will implement for your dial-in access strategy: There are two methods
that you can use to control which users are able to remotely access the network:
o You can allow/disallow remote access for individual users. You configure individual
user access through the Properties dialog box of a specific user, on the Dial-in tab.
The Active Directory Users and Computers management console is the tool used to
access the Properties dialog box of a specific user.
o You can allow/disallow remote access by configuring remote access policies. This
method allows you to specify remote access rights based on various criteria, such as
user, group, and time of day. The settings specified on the Dial-in tab of the Properties
dialog box of a specific user dictate whether a user is affected by a Remote Access
Policy.
The different settings on the Dial-in tab of the Properties dialog box of a particular
user are:
Allow Access; the user is allowed to remotely access the network. The remote
access policies are not included in the decision.
Control access through Remote Access Policy; the remote access policies dictate
whether or not the user is allowed remote access.
Remote access policies can also be used to restrict remote connections after they
have been authorized based on the following:
IP packet filters
Encryption strength
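As an added example (not from the original notes), the following Python checks a static-pool plan against the rules given above: a pool must not overlap the DHCP scope, pools on different RRAS servers must not overlap, and a pool must hold enough addresses for the ports configured on its server. The server names, address ranges and port counts are constructed sample values.

```python
"""Planning check for RRAS static address pools.

Added example written for this page; it is not from the original notes.
The DHCP scope, RRAS pools and port counts below are constructed sample data.
"""
from ipaddress import IPv4Address
from itertools import combinations


def pool_bounds(pool):
    """Return (first, last) as IPv4Address objects for a ('start', 'end') pair."""
    first, last = IPv4Address(pool[0]), IPv4Address(pool[1])
    if first > last:
        raise ValueError(f"pool start {first} is after pool end {last}")
    return first, last


def ranges_overlap(a, b):
    """True when two ('start', 'end') ranges share at least one address."""
    a_first, a_last = pool_bounds(a)
    b_first, b_last = pool_bounds(b)
    return a_first <= b_last and b_first <= a_last


def usable_addresses(pool):
    """Addresses left for clients. RRAS takes the first address of a static pool
    for the server's own interface, so one address is never handed out."""
    first, last = pool_bounds(pool)
    return int(last) - int(first)


def check_static_pools(rras_pools, dhcp_scopes, ports=None):
    """Check a static-pool plan against the rules in the notes.

    rras_pools:  {server_name: (start, end)} - one static pool per RRAS server
    dhcp_scopes: [(start, end), ...]         - scopes defined on the DHCP server
    ports:       {server_name: count}        - simultaneous connections (optional)
    Returns a list of problem descriptions; an empty list means the plan is consistent.
    """
    problems = []
    ports = ports or {}
    # Rule 1: a static pool must not overlap any DHCP scope.
    for server, pool in rras_pools.items():
        for scope in dhcp_scopes:
            if ranges_overlap(pool, scope):
                problems.append(
                    f"{server}: pool {pool[0]}-{pool[1]} overlaps DHCP scope {scope[0]}-{scope[1]}")
    # Rule 2: with several RRAS servers, each server's pool must be unique.
    for (s1, p1), (s2, p2) in combinations(rras_pools.items(), 2):
        if ranges_overlap(p1, p2):
            problems.append(f"{s1} and {s2}: pools {p1[0]}-{p1[1]} and {p2[0]}-{p2[1]} overlap")
    # Rule 3: the pool must be large enough for the ports configured on the server.
    for server, count in ports.items():
        if server in rras_pools and usable_addresses(rras_pools[server]) < count:
            problems.append(
                f"{server}: {count} ports configured but only "
                f"{usable_addresses(rras_pools[server])} client addresses in the pool")
    return problems


# Constructed sample plan: one DHCP scope and two RRAS servers.
SAMPLE_DHCP_SCOPES = [("192.168.10.50", "192.168.10.200")]
SAMPLE_RRAS_POOLS = {
    "RRAS1": ("192.168.10.201", "192.168.10.220"),  # clear of DHCP, 19 client addresses
    "RRAS2": ("192.168.10.190", "192.168.10.230"),  # overlaps the DHCP scope and RRAS1
}
SAMPLE_PORTS = {"RRAS1": 20, "RRAS2": 10}  # RRAS1 has one port more than its pool allows

if __name__ == "__main__":
    for problem in check_static_pools(SAMPLE_RRAS_POOLS, SAMPLE_DHCP_SCOPES, SAMPLE_PORTS):
        print(problem)
```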
A transit network is a public network such as the Internet. Data moves over the public
network to connect to the remote network.
A VPN client creates a connection to the gateway configured as the VPN server. The
Routing and Remote Access Service (RRAS) is used.
Forwards traffic between the VPN client and the corporate network.
The tunneling protocols used to encapsulate data and manage VPN tunnels are:
The term used to describe data which is being sent over a connection is tunneled data.
The main factors or issues that you need to clarify when planning a VPN remote access
strategy are summarized below:
The placement of the VPN servers: The choices for VPN server placement are:
o Place the VPN server on the private internal network: For this placement strategy, the
firewall has to allow traffic to the VPN server.
o Place the VPN server on the perimeter network: For this placement, you have to
perform the following configurations:
On the VPN server, configure inbound and outbound filters that allow VPN traffic to and
from the Internet interface of the VPN server.
It is always better to double the processor speed rather than doubling the number of
processors.
The VPN protocols that you will be using: You can support the use of one or both of the
VPN tunneling protocols: Point-to-Point Tunneling Protocol (PPTP) or Layer Two Tunneling
Protocol (L2TP). The factors to consider when deciding on which VPN protocol to use are:
Windows 95, Windows 98, Windows ME, Windows NT 4.0, Windows 2000, Windows XP
and Windows Server 2003 support PPTP.
Only Windows 2000, Windows XP and Windows Server 2003 support L2TP.
Public Key Infrastructure (PKI) requirements: A Public Key Infrastructure (PKI) is needed
for the mutual authentication of the VPN server and the client. Certificates need to be
installed on the VPN server and VPN clients. In addition to this, user authentication needs
protocols such as Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) and
Extensible Authentication Protocol-Transport Layer Security (EAP-TLS).
Whether IPSec is needed as well. L2TP can be used with IPSec to provide encryption. If
you need authentication for the VPN server and the client, then you need to be able to
support L2TP. Only L2TP over IPSec can provide data integrity.
You need to configure remote access policies that allow wireless users to connect to the
network.
If you are going to configure your WAPs for RADIUS authentication, you should deploy a
second IAS server and configure it as a backup to the primary server. This would enable
wireless clients to continue establishing connections when the primary IAS server is
unavailable.
When planning for using multiple WAPs, bear the following in mind:
o All your WAPs can use the same server for authentication if you are using IAS
authentication.
o Each WAP must be included in the list of clients on the IAS server.
If you want your WAPs to use IAS authentication, you have to perform the following
additional configurations:
o Each WAP must be added as a RADIUS client in the IAS MMC snap-in.
o On the WAP, you have to enable RADIUS authentication and define the primary and
backup IAS servers.
Because security is a high priority for wireless networks, you should use WAPs and
adapters that support the following:
Firmware updates
When planning for wireless security, remember to decide on the following important
elements:
o Whether the Wi-Fi Protected Access (WPA) protocol or the Wired Equivalent Privacy
(WEP) protocol will be used.
o For the WEP protocol, determine whether 64-bit or 128-bit encryption will be used.
Kerberos Version 5: This is a standard Internet protocol that can be used to authenticate
users and systems.
Secure Socket Layer/ Transport Layer Security (SSL/TLS): SSL/TLS is used for
authentication when Web servers are accessed.
.NET Passport Authentication: Used to authenticate Internet, intranet and extranet users
for IIS 6.
Extensible Authentication Protocol (EAP): Used for network and dialup authentication,
and for authentication for PPP connections.
MD-5 Challenge: Enables EAP authorization through a name and password combination.
SID History
How to check which domain function level is set for the domain
1. Open the Active Directory Domains And Trusts console.
2. Right-click the particular domain whose functional level you want to verify, and select Raise
Domain Functional Level from the shortcut menu.
3. The Raise Domain Functional Level dialog box opens.
4. You can view the existing domain functional level for the domain in Current domain
functional level.
How to raise the domain functional level for a domain
1. Open the Active Directory Domains And Trusts console.
2. Right-click the particular domain whose functional level you want to raise, and select
Raise Domain Functional Level from the shortcut menu.
3. The Raise Domain Functional Level dialog box opens.
4. Use the Select An Available Domain Functional Level list to choose the domain functional
level for the domain.
5. Click Raise.
6. Click OK.
Basic encryption: This option is also not frequently used because the weaker 40-bit key
is used for encryption.
Strong encryption: A 56-bit key is used for encryption. With IPSec, DES is used for
encryption.
To do this,
1. Click Start, Administrative Tools, and then click Routing and Remote Access to open the
Routing and Remote Access console.
2. In the console tree, select the server, and then click the Action menu to select the
Properties command.
3. Switch to the Security tab.
4. Click the Authentication Methods button.
5. The Authentication Methods dialog box opens.
6. Disable the checkbox for Microsoft Encrypted Authentication (MS-CHAP).
7. Disable the checkbox for Encrypted Authentication (CHAP).
8. Disable the checkbox for Shiva Password Authentication Protocol (SPAP).
9. Disable the checkbox for Unencrypted Password (PAP).
10. Click OK.
Basic security measures for securing remote access servers are listed here:
Apply and maintain a strong virus protection solution. Software patches should be kept
up to date.
The NTFS file system should be utilized to protect data on the system volume.
All unnecessary services and applications not being utilized on your remote access
servers should be uninstalled.
To protect remote access servers from unauthorized access, enforce the use of strong
passwords.
You can use any of these methods to secure traffic between a remote access server
and remote users:
o Signing
o Encryption
o Tunneling
Consider using smart cards to further enhance your security access strategy.
Additional security measures for securing remote access servers are listed below:
You can create and configure remote access policies. Remote access policies can be used
to restrict remote connections once they have been authorized.
You can control access through the Dial-in Properties of an individual user account that
remote access clients use to connect to the network.
You can use Remote Authentication Dial-In User Service (RADIUS) to provide
authentication, authorization, and accounting for your remote access infrastructure.
You can raise the domain functional level to provide additional security features for your
remote access infrastructure.
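The access-control decision these notes describe (the Dial-in tab setting on the user account, remote access policies matched on group and time of day, and the post-authorization restrictions on encryption strength and IP packet filters) modelled in Python, as an added example that is not part of the original notes and not RRAS code. The users, policies and connection attempts are constructed sample data, and the attribute names are this example's own.

```python
# Model of the RRAS remote access authorization decision described in the notes.
# Added example written for this page, not code from the notes or from RRAS.
# Users, policies and attempts are constructed sample data; attribute names are
# this example's own, not RRAS identifiers.
from dataclasses import dataclass, field
from datetime import datetime

# Dial-in tab settings on a user account (Deny Access is the tab's third option,
# not listed in the notes).
ALLOW_ACCESS = "Allow Access"
DENY_ACCESS = "Deny Access"
CONTROL_THROUGH_POLICY = "Control access through Remote Access Policy"

# Encryption strengths in order: Basic (40-bit), Strong (56-bit), Strongest
# (128-bit; the third RRAS level, not listed in the notes).
ENCRYPTION_RANK = {"none": 0, "basic": 1, "strong": 2, "strongest": 3}

@dataclass
class User:
    name: str
    groups: set
    dial_in: str  # one of the three Dial-in tab settings above

@dataclass
class Policy:
    name: str
    grant: bool                                  # policy permission: grant or deny
    groups: set = field(default_factory=set)     # group condition; empty = any user
    hours: dict = field(default_factory=dict)    # time-of-day condition: weekday -> (from_h, to_h)
    min_encryption: str = "none"                 # profile: required encryption strength
    allowed_protocols: set = field(default_factory=set)  # profile: IP packet filters; empty = none

@dataclass
class Attempt:
    user: User
    when: datetime
    encryption: str  # key in ENCRYPTION_RANK
    protocol: str    # constructed notation such as "tcp/443"

def policy_matches(policy, attempt):
    """A policy applies when every condition it configures holds."""
    if policy.groups and not (policy.groups & attempt.user.groups):
        return False
    if policy.hours:
        window = policy.hours.get(attempt.when.weekday())
        if window is None or not (window[0] <= attempt.when.hour < window[1]):
            return False
    return True

def apply_profile(policy, attempt):
    """Restrictions the matched policy's profile imposes after authorization."""
    if ENCRYPTION_RANK[attempt.encryption] < ENCRYPTION_RANK[policy.min_encryption]:
        return False, f"{policy.name}: encryption '{attempt.encryption}' weaker than required '{policy.min_encryption}'"
    if policy.allowed_protocols and attempt.protocol not in policy.allowed_protocols:
        return False, f"{policy.name}: {attempt.protocol} blocked by the IP packet filter"
    return True, f"{policy.name}: connection accepted"

def authorize(attempt, policies):
    """Return (allowed, reason). Policies are evaluated in order and the first
    match is used; RRAS rejects an attempt that matches no policy at all."""
    user = attempt.user
    if user.dial_in == DENY_ACCESS:
        return False, "Dial-in tab: Deny Access"
    matched = next((p for p in policies if policy_matches(p, attempt)), None)
    if matched is None:
        return False, "no remote access policy matches the attempt"
    if user.dial_in == CONTROL_THROUGH_POLICY and not matched.grant:
        return False, f"{matched.name}: denied by policy"
    # Allow Access ignores the policy's permission, but the profile (encryption
    # strength, packet filters) still restricts the authorized connection.
    return apply_profile(matched, attempt)

# Constructed sample configuration; policies are listed in evaluation order.
SAMPLE_POLICIES = [
    Policy("Admins any time", grant=True, groups={"Domain Admins"}, min_encryption="strongest"),
    Policy("Staff business hours", grant=True, groups={"Remote Staff"},
           hours={day: (8, 18) for day in range(5)},  # Monday to Friday, 08:00-18:00
           min_encryption="strong", allowed_protocols={"tcp/443", "tcp/25"}),
    Policy("Everyone else", grant=False),
]
ALICE = User("alice", {"Remote Staff"}, CONTROL_THROUGH_POLICY)
BOB = User("bob", {"Contractors"}, CONTROL_THROUGH_POLICY)
CAROL = User("carol", {"Contractors"}, ALLOW_ACCESS)
WEDNESDAY = datetime(2004, 3, 3, 10)  # weekday inside the Staff policy's window
SATURDAY = datetime(2004, 3, 6, 10)   # outside that window

def run_samples():
    """Evaluate the constructed attempts; returns {label: (allowed, reason)}."""
    return {
        "alice_weekday": authorize(Attempt(ALICE, WEDNESDAY, "strong", "tcp/443"), SAMPLE_POLICIES),
        "alice_saturday": authorize(Attempt(ALICE, SATURDAY, "strong", "tcp/443"), SAMPLE_POLICIES),
        "alice_weak_crypto": authorize(Attempt(ALICE, WEDNESDAY, "basic", "tcp/443"), SAMPLE_POLICIES),
        "alice_telnet": authorize(Attempt(ALICE, WEDNESDAY, "strong", "tcp/23"), SAMPLE_POLICIES),
        "bob_weekday": authorize(Attempt(BOB, WEDNESDAY, "strongest", "tcp/443"), SAMPLE_POLICIES),
        "carol_allow_access": authorize(Attempt(CAROL, WEDNESDAY, "basic", "tcp/23"), SAMPLE_POLICIES),
        "carol_no_policies": authorize(Attempt(CAROL, WEDNESDAY, "strongest", "tcp/443"), []),
    }
```

The "carol_allow_access" case shows why the Dial-in tab matters: her account's Allow Access setting overrides the deny permission of the "Everyone else" policy, so only that policy's profile restrictions still apply.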
Unencrypted Password (PAP); uses plain text passwords and no encryption. PAP is only
provided as an authentication method for those clients that do not support any
more secure authentication methods.
Microsoft Encrypted Authentication (MS-CHAP); one encryption key is used for sent
messages and received messages, thereby making this method a weaker authentication
method than MS-CHAPv2.
Basic encryption; this level should not be used because a weak 40-bit key is used for
encryption.
Microsoft Management Console snap-ins can be used to connect to a remote system and
manage the remote system.
Web Interface for Remote Administration can be used to manage a server through a Web
browser on a remote computer.
Remote Desktop For Administration: The Terminal Services service enables Remote
Desktop For Administration and Remote Assistance. The Terminal Services service is
automatically installed on Windows Server 2003, and can be set up to support Remote
Desktop For Administration. Through Remote Desktop For Administration, Terminal
Services can be used as a management tool. Two simultaneous remote connections are
possible.
Remote Assistance: The Remote Assistance feature enables a client or user to request
assistance from another user, normally an administrator or technician, who is referred to
as an expert. The expert is able to connect to the user's computer and view and control
the user's desktop, to provide assistance in solving the user's issue.
Extension Snap-Ins: These are snap-ins which operate together with one or more
stand-alone snap-ins. An extension snap-in operates with a stand-alone snap-in, based on
the functionality associated with that particular stand-alone snap-in.
The MMC consoles can be saved in two modes, namely Author mode or User mode. The
mode which the console is saved in determines what nodes in the console tree can be
accessed, determines the snap-ins which can be added to the console, and the windows
which can be created.
Author mode: This is the default mode in which a console is saved. It allows full access
to the MMC, and the capability to change all aspects of the MMC, including the following:
User mode: You can choose to save the console in user mode if you want to distribute an
MMC. The user modes which you can choose between are listed below:
o User mode Full Access: Users are able to access the console tree, navigate between
snap-ins, and open new windows. They have full access to the windowing commands. Users
are however unable to add and remove snap-ins.
o User mode Limited Access, Multiple Windows: Users are able to view multiple
windows in the console tree, but can only access those portions of the console that
existed when it was saved.
o User mode Limited Access, Single Window: Users are able to view a single window
in the console tree, but can only access those portions of the console that existed
when it was saved.
A few common menu items added by the majority of snap-ins are listed below:
File menu: Items on this menu allow you to perform the tasks listed below:
Action menu: Items on this menu allow you to perform the tasks listed below:
o Export option
o Import option
o Configuration option
View menu: Includes options which allow you to customize certain attributes of the
console.
Favorites menu: Includes the options which allow you to add saved consoles, and
organize them.
Window menu: Includes options for navigating through and viewing the console, such as
opening new windows and child windows.
Help menu: The Help menu contains the MMC general help menu, and the help menu
specific to the added snap-ins.
Connect To Domain
A console typically used to connect to and manage a remote computer is the Computer
Management console. The Computer Management console is a preconfigured MMC console.
The console is available on both client and server computers to perform Administrative
tasks, and can be accessed from the Administrative Tools Menu.
The Computer Management nodes and the snap-ins which are available under each node
are:
Local Users and Groups, used to manage local users and groups
Disk Management, used to configure and manage disk volumes and partitions.
Routing and Remote Access, for managing remote access and routing
2. Right-click Computer Management in the console tree, and select Connect To Another
Computer from the shortcut menu.
3. Enter the name or IP address of the computer in the Another computer box, or click the
Browse button to browse for the remote computer on the network.
4. Click OK.
5. After the connection is established with the remote computer, you can perform the
necessary administrative tasks on the particular computer.
The server must have a valid external IP address. The external IP address is not needed
if you are going to be accessing the server over the corporate network.
Port 8098 on the server must be used for communication over the Internet connection.
4. In the Application Server dialog box, select Internet Information Services (IIS) and then
click Details.
5. In the Internet Information Services (IIS) dialog box, select World Wide Web Service and
then click Details.
6. In the World Wide Web Service dialog box, click the Remote Administration (HTML)
checkbox. Click OK.
7. Click OK in the Internet Information Services (IIS) dialog box.
8. Click OK in the Application Server dialog box.
9. Click Next in the Windows Components Wizard to start the installation.
10. When prompted, insert the Windows Server 2003 installation CD.
11. When the installation has completed, click Finish.
How to access and administer a server using the Web Interface for Remote Administration
tool
1. Open Internet Explorer.
2. Browse to https://Servername:8098
3. After the connection is established, a Welcome page is displayed.
4. Using the Web interface, you can perform a few common administration tasks, including
administering network settings and local user accounts.
Remote Desktop for Administration has to be enabled on each end of the connection before
you can use it. Remote Desktop for Administration is enabled in the System Properties on the
server.
To enable Remote Desktop for Administration,
1. Click Start, Control Panel, and then double-click System.
2. When the System Properties dialog box opens, click the Remote tab.
3. Select the Allow users to connect remotely to this computer checkbox. Members of the
local Administrators group are now able to connect.
4. If you want to specify additional users to connect remotely to the computer, click the
Select Remote Users button.
5. In the Remote Desktop Users dialog box, enter the names of the users who should be
able to connect to the computer.
6. Click OK.
The next step in enabling remote administration using Remote Desktop For Administration
connections is to configure the Remote Desktop Connection for remote administration.
Remote Desktop Connection must be configured on the workstations or servers that you
are going to use to manage the other servers.
To open Remote Desktop Connection,
1. Click Start, Programs, Accessories, Communications, and then click Remote Desktop
Connection.
2. In the Remote Desktop Connection dialog box, click Options to reveal the tabs on which
you can configure settings.
3. The tabs available on the Remote Desktop Connection dialog box are listed below:
o General tab, Display tab, Local Resources tab, Programs tab, and Experience tab
You can configure the settings listed below on the General tab:
You enter the name or the IP address of the server that you want to connect to, and
manage on the General tab.
You can also specify the local or domain account credentials which you want used for
authentication.
You can configure the settings listed below on the Display tab:
You can configure display settings that control the size of the Remote Desktop
Connection window and the color depth on the Display tab.
You can also set whether the connection bar should be displayed when in full screen
mode.
You can configure the settings listed below on the Local Resources tab:
The options which can be selected in the Remote Computer Sound area of the tab are:
o Bring to this computer: Selecting this option redirects audio output from the server to
the client.
o Leave at remote computer: Selecting this option results in audio output being played
back at the server.
The options which can be selected in the Keyboard area of the Local Resources tab are:
o On the local computer: Choose this option to switch applications on the local
computer.
o On the remote computer: Choose this option to switch applications on the remote
computer.
o In full screen mode only: When selected, the remote system carries out keystroke
combinations when the remote session has encompassed the whole display on the
client workstation.
The options which can be selected in the Local Devices area of the Local Resources tab
allow you to specify which local devices should be connected to when you are logged on
to the remote computer. You can select between the following:
o Disk Drives
o Printers
o Serial Ports
You can configure the settings listed below on the Programs tab. These settings specify the
programs that should execute when a Remote Desktop for Administration session starts.
Enable the Start the following program on connection checkbox, and then enter the
program's file name and path in the Program path and file name box.
Enter the working directory for the program in the Start in the following folder box.
You can configure the settings listed below on the Experience tab. These settings are
specific to improving the performance of the Remote Desktop for Administration connection.
You can choose to allow the features listed below on the remote computer:
o Desktop background
o Themes
o Bitmap caching
4. Enable the Connect To Console checkbox if you want to connect to the console of the
server.
5. Enter your name in the User Name text box, enter your password in the Password
textbox, and enter the domain name in the Domain text box.
6. Enable the Save Password checkbox to save the password that you have entered.
7. Click OK to save the connection.
Control Panel: Use the steps listed below to enable a computer to use Remote Assistance
1. Open the System Properties dialog box in Control Panel.
2. Click the Remote tab.
3. Click the Allow Remote Assistance invitations to be sent from this computer checkbox.
4. Click the Advanced button.
5. When the Remote Assistance Settings dialog box opens, click the Allow this computer
to be controlled remotely checkbox.
6. Click OK.
A user can request remote assistance using one of the methods listed below:
Windows Messenger
The Windows Messenger tool is a chat application which you can download and install, for
free.
To download the Windows Messenger tool,
1. Open the Help and Support Center.
2. Click the Download Windows Messenger link.
3. When a Web page appears, click Download Now.
4. On the Save As dialog box, click Open.
5. After the download is completed, click Yes in the Security Warning dialog box.
6. Click Yes to accept the license agreement, and start the installation of the Windows
Messenger tool.
7. After the installation, the Windows Messenger window opens, giving you the option to
sign in.
8. Click the Click here to sign in link.
Remote Administration
Remote Administration Overview
When it comes to administering servers and desktops in secure organizations or large
organizations, administrators would typically be found performing remote administration.
This basically means that administrators would be using the Microsoft Management Console
snap-ins or support tools remotely, to administer servers. For instance, through the
Microsoft Management Console snap-ins, you have the option of connecting to remote
systems. In fact, most administrative tasks which you can perform locally, you can perform
remotely.
With the introduction of Windows Server 2003 came increased support for remote
administration. This entailed support for using the Microsoft Management Console snap-ins, Remote Desktop For Administration, Remote Assistance, and Web Interface for Remote
Administration to perform remote administration. The tools most likely to be used for
system administration are the graphical user interface (GUI) based tools. These tools
include the Connect To Another Computer option, which allows you to specify which
computer you want to connect to.
The main GUI based tools used to administer systems remotely are listed here:
Remote Assistance
The modes you can select between when saving a MMC console are listed here:
Full mode; provides full access to the MMC. All areas of the console can be changed. Full
mode allows you to add and remove snap-ins as well.
User mode (full access); provides full access to the windowing commands but excludes
the capability of adding and removing snap-ins.
User mode (limited access multiple windows); provides access to those elements of the
specific MMC which existed when saved. Only new windows can be created, and previous
windows cannot be closed.
User mode (limited access single windows); provides a view to only the console as it
existed when saved. No new windows can be created.
To remotely administer a computer through a MMC console, you must have the necessary
administrative rights to access and manage the specific remote computer.
How to create a customized MMC console
1. Click Start, click Run, enter mmc and then click OK.
2. A blank MMC console which has no snap-ins opens.
3. From the File menu, click Add/Remove Snap-In.
4. The Add/Remove Snap-In dialog box opens.
5. You can leave the default setting of Console Root in the Snap-Ins Added To box
unchanged. Click Add.
6. Select the snap-in you want to add to the MMC by double-clicking it.
7. To close the Add/Remove Snap-In dialog box, click OK.
8. The snap-in you added is displayed at the Console Root.
How to create a customized remote MMC console
1. Click Start, click Run, enter mmc and then click OK.
2. Select the Add/Remove Snap-In command from the File menu.
3. Click Add in the Add/Remove Snap-In dialog box.
4. Select the snap-in that you want to add, and then click Add.
5. Select Another Computer in the This Snap-In Will Always Manage area.
6. Click Browse to select the computer for the snap-in when the Select Computer dialog box
opens.
7. Click OK.
How to add the Remote Desktops snap-in to a MMC console
1. Open a blank console.
2. From the File menu, select Add/Remove Snap-in.
The System Tools node contains the Event Viewer, Performance Logs And Alerts, and
Device Manager snap-ins.
The Storage node contains the Removable Storage and Disk Management snap-ins which
are used to manage storage devices and local disks.
The Services and Applications node contains the snap-ins used to perform server-end
administration tasks.
If you are not running the Windows Server 2003 Web Edition, you have to install the
Remote Administration (HTML) tool on the server.
3. Right-click Remote Desktop Users, and then select Add to Group from the shortcut menu.
4. Click the Add button.
5. Select the user who should be added to the Remote Desktop Users group.
6. Click OK.
How to remotely administer a server using Remote Desktop for Administration
1. Click Start, All Programs, Accessories, Communications, and then click Remote Desktop
Connection.
2. The Computer box displays the name of the computer that was last connected to.
3. Select the computer which you want to connect to in Computer drop down box.
4. Click Connect.
How to optimize remote connections
1. Click Start, All Programs, Accessories, Communications, and then click Remote Desktop
Connection.
2. In the Remote Desktop Connection dialog box, click the Options button.
3. Click the Experience tab.
4. Select the Custom option from the Choose your connection speed to optimize
performance box.
5. Clear the Themes checkbox.
6. Ensure that the Reconnect if connection is dropped checkbox is enabled.
7. Click OK.
Remote Assistance uses Terminal Services and the RDP protocol to enable administrators to
monitor and control desktops of remote computers, send and receive files from a remote
computer and to communicate with a user located at the remote computer.
To establish connections to a remote computer, a local area network (LAN) connection or
Internet connection can be used. Solicited remote access occurs when a user creates a
Remote Assistance invitation and then sends the invitation to the remote assistant. With
unsolicited remote access, remote assistance is offered without the person offering remote
assistance receiving a Remote Assistance invitation. Windows Messenger or an e-mail client
can be used to send a Remote Assistance invitation to request remote assistance. Remote
Assistance is automatically installed when Windows Server 2003 is installed. For a computer
to receive remote assistance, the computer must be running Windows XP or Windows
Server 2003, with the Remote Assistance feature enabled.
You can use Group Policy to configure settings for Remote Assistance. The Solicited Remote
Assistance policy and Offer Remote Assistance policy can be used to configure Remote
Assistance through Group Policy: