Chapter 12

Chapter 12:
Remote Access and Virtual
Private Networks
 Learning Objectives
Chapter 12

■ Explain how remote access and virtual

private network (VPN) services work
■ Explain how to implement remote
access communications devices and
protocols
■ Configure remote access services,
security, dial-up connectivity, and client
access
Learning Objectives (continued)
Chapter 12

■ Configure VPN services, security, dial-

up connectivity, and client access
■ Troubleshoot remote access, VPN
services, and client connectivity
 Using RAS
Chapter 12

Figure 12-2
Remotely accessing a
network through M odem

Microsoft RAS T e le p h o n e lin e

W in d o w s 2 0 0 0 s e r v e r
N e tW a re s e rv e r w ith R A S
M odem

E th e rn e t

M odem

T e le p h o n e lin e
C lie n t C lie n t
w o r k s ta tio n w o r k s ta tio n

M odem
 Virtual Private Network
Chapter 12

■ Virtual private network: A private

network that is like a tunnel through a
larger network – such as the Internet,
an enterprise network, or both – that is
restricted only to designated member
clients
■ Use a VPN to save money on modems
and telephone lines for remote access
to a network
 VPN Architecture
Chapter 12

Figure 12-3 V P N tu n n e ls

VPN network M odem

T e le p h o n e lin e

architecture
In te rn e t
1 7 7 .2 8 .4 4 .1 2 9 W in d o w s 2 0 0 0 S e rv e r
W in d o w s 2 0 0 0 w ith V P N /IIS
s e rv e rs line
re lay
me
Fra
T-3
S u b n e t 1 7 7 .2 8 .4 4 line

S u b n e t 1 7 7 .2 8 .1 9
In te rn e t
R o u te r
T e le p h o n e lin e
V P N T u n n e ls
R o u te r R o u te r

M odem
S u b n e t 1 7 7 .2 8 .7
S u b n e t 1 7 7 .2 8 .2 3

V P N tu n n e l

W e b s e rv e r
1 7 7 .2 8 .2 3 .1 0
 Operating Systems Than Can
Connect to RAS/VPN Chapter 12

■ MS-DOS
■ Windows 3.1 and 3.11
■ Windows NT (all versions)
■ Windows 95
■ Windows 98
■ Windows 2000 Server and Professional
■ Windows XP
 Connection Types
Supported by RAS Chapter 12

■ Regular dial-up telephone lines

■ Leased telecommunications lines, such
as Frame Relay, T-1 or T-3
■ ISDN lines (and digital modems)
■ Null modem connections
■ X.25 lines
■ DSL lines
 T-Carrier
Chapter 12

■ T-carrier: A dedicated leased telephone

line that can be used for data
communications over multiple channels
for speeds of up to 44.736 Mbps and
beyond
■ Two common varieties of T-carrier are:
◆ T-1 at 1.544 Mbps
◆ T-3 at 44.736 Mbps
 Frame Relay
Chapter 12

■ Frame relay: A WAN communications

technology that relies on packet
switching and virtual connection
techniques to transmit from 56 Kbps to
45 Mbps
 ISDN
Chapter 12

■ Integrated Services Digital Network

(ISDN): A telecommunications standard
for delivering data services over digital
telephone lines with a current practical
limit of 1.536 Mbps
 X.25
Chapter 12

■ An older packet-switching protocol for

connecting remote networks at speeds
up to 2.048 Mbps
 DSL
Chapter 12

■ Digital subscriber line (DSL): A

technology that uses advanced
modulation technologies on regular
telephone lines for high-speed
networking at speeds of up to 60 Mbps
between subscribers and a
telecommunications company
 Transport and Remote
Communication Protocols Chapter 12

■ RAS supports protocols such as:

◆ TCP/IP
◆ NWLink
◆ NetBEUI
◆ PPP
◆ PPTP
◆ L2TP
 Using Modems
Chapter 12

■ One of the most common ways to

connect through RAS is by using
modems either at the RAS server end,
the client end, or both
■ Cable modems are another possibility,
but verify that the end-to-end
connections can be made secure
 ISDN Connectivity
Chapter 12

■ Digital “modems” can be used to

connect a RAS server to ISDN
■ A design advantage of ISDN is that you
can aggregate multiple lines (multilink)
to operate as one super fast connection
 Access Server
Chapter 12
■ An effective way to connect different
telecommunications and WAN media to RAS
is through an access server
■ For example, an access server can provide
the following types of connectivity:
◆ Modems
◆ ISDN
◆ X.25
◆ T-carrier
 Access Server Architecture
Chapter 12

W in d o w s 2 0 0 0 S e r v e r
w ith R A S
E th e rn e t

Figure 12-4
Using an M o d u la r a c c e s s s e rv e r
T-1 line
Leased
te le c o m m u n ic a tio n s

access server X.2

5 li
ne
c o n n e c tio n

e
lin
DN Leased
IS
te le c o m m u n ic a tio n s
ine

c o n n e c tio n
Nl
ISD

M odem M odem

T e le c o m m u n ic a tio n s
n e tw o rk

T e le c o m m u n ic a tio n s
n e tw o rk
 Remote Access Protocols
Chapter 12

■ Serial Line Internet Protocol (SLIP): An

older remote communications protocol that
is used by UNIX computers. The modern
compressed SLIP (CSLIP) version uses
header compression to reduce
communications overhead.
■ Point-to-Point Protocol (PPP): A widely
used remote communication protocol that
supports encapsulation of IPX/SPX,
NetBEUI, and TCP/IP for point-to-point
communication.
 SLIP and PPP Compared
Chapter 12

Feature SLIP PPP

Network protocol support TCP/IP TCT/IP, IPX/SPX, and
NetBEUI
Asynchronous communications support Yes Yes
Synchronous communications support No Yes
Simultaneous network configuration No Yes
negotiation and automatic connection with
multiple levels of the OSI model between the
communicating nodes
Support for connection authentication to guard No Yes
aginst eavesdroppers

Table 12-1 SLIP and PPP Compared

 Remote Access Protocols
(continued) Chapter 12

■ Point-to-Point Tunneling Protocol

(PPTP): A remote communication
protocol that encapsulates other
protocols (TCP/IP, IPX or NetBEUI) for
transport across the internet or a private
network.
■ Enables networks to be connected either
through the Internet or through intranets
and VPNs
 Remote Access Protocols
(continued) Chapter 12

■ Layer Two Tunneling Protocol (L2TP): A

protocol that transports PPP over a VPN,
intranet, or Internet. L2TP works similarly
to PPTP but uses an additional network
communications standard, called Layer
Two Forwarding, that enables forwarding
on the basis of MAC addressing
 General RAS
Configuration Steps Chapter 12

■ Configure a Windows 2000 server with

RAS, including the appropriate protocols
■ Configure a DHCP Relay Agent (if IP
addresses are assigned via DHCP)
■ Configure RAS security
■ Configure a dial-up and remote
connection
■ Configure RAS on client workstations
 Configuring RAS
Chapter 12

■ Use the Routing and Remote Access tool

to install RAS
 Installing RAS
Chapter 12

Figure 12-5 Configuring routing and RAS

Installing RAS (continued)
Chapter 12

Figure 12-6 Selecting the option to install RAS

 Routing and Remote
Access Options Chapter 12
Option Description
Internet connection server Use this option so that networked computers in addition to the server can connect to

the Internet, which is especially useful in a small office environment in which all users

need Internet access, but there is only one dial-up, ISDN, or other outside line to an

ISP

Remote access server Use this option to set up remote access services to the network through the Windows
2000 server
Virtual private network Use this option when you have an intranet (VPN) that you want users to be able to
(VPN) server access through a remote connection or the Internet
Network router Use this option to have Windows 2000 Server function as a router on the network –
directing traffic to other networks or subnetworks
Manually configure the Use this option when you want to customize the routing and remote access capabilities
server
Installing RAS (continued)
Chapter 12

Figure 12-7 IP address assignment options

 RAS Installation Tip
Chapter 12

■ If you configure RAS for AppleTalk, then

users access RAS through the Guest
account, which cannot have a password
 RAS Properties
Chapter 12

■ You can configure RAS properties after

RAS is installed by right-clicking the
RAS server in the tree of the Routing
and Remote Access tool and then
clicking Properties
 Viewing a RAS
Server’s Properties Chapter 12

Figure 12-8 RAS server properties

 DHCP Relay Agent
Chapter 12

■ If you configure RAS to use DHCP to

assign IP addresses, then you must
configure a DHCP Relay Agent:
◆ Double-click the RAS server in the tree of
the Routing and Remote Access tool
◆ Click IP Routing in the tree
◆ Right-click DHCP Relay Agent and click
Properties
◆ Enter the IP address of the RAS server,
click Add, and then click OK
 Multilink
Chapter 12

■ If you plan to use an aggregated

connection, such as for ISDN or multiple
modems, configure Multilink and
Bandwidth Allocation Protocol in the RAS
Properties PPP tab
 Multilink and BAP
Chapter 12
■ Multilink: A capability of RAS to aggregate multiple
data streams into one logical network connection for
the purpose of using more than one modem, ISDN
channel, or other communication line in a single
logical connection
■ Bandwidth Allocation Protocol (BAP): A protocol that
works with Multilink in Windows 2000 Server that
enables the bandwidth or speed of a remote
connection to be allocated on the basis of the needs
of an application, with the maximum allocation equal
to the maximum speed of all channels aggregated
via Multilink
 BACP
Chapter 12

■ Bandwidth Allocation Control Protocol:

Similar to BAP, but BACP is able to select a
preferred client when two or more clients vie
for the same bandwidth
 Configuring Multilink
and BAP/BACP Chapter 12

Figure 12-9 Configuring Multilink and BAP

 Security Set at the Client
Chapter 12

■ Set up security on the client’s account

properties via the Dial-in tab, including
whether to use a remote access policy for
security and callback security
 Callback Options
Chapter 12

■ No Callback: access is allowed on the

first dial-up attempt
■ Set By Caller: the server calls back a
number provided by the remote
computer
■ Always Callback to: the server calls
back a number that has already been
entered in the Dial-in tab
 Configuring Dial-in Security
Chapter 12

Figure 12-10 Configuring dial-in security for a user account

 Remote Access Policies
Chapter 12

■ Configure remote access policies and a

profile to secure the RAS server and to
manage access including:
◆ Dial-inconstraints
◆ IP address assignment rules
◆ Authentication
◆ Encryption
◆ Allowing Multilink connections
 Configuring Remote
Access Policies Chapter 12

Figure 12-11 Granting remote access as a RAS policy

 Authentication Options
Chapter 12

■ There are several authentication

options that can be set in a remote
access policies profile:
◆ Extensible Authentication Protocol (EAP):
An authentication protocol employed by
network clients that use special security
devices such as smart cards, token cards,
and others that use certificate
authentication
 Authentication Options
(continued) Chapter 12
◆ Challenge Handshake Authentication Protocol
(CHAP): An encrypted handshake protocol
designed for standard IP- or PPP-based exchange
of passwords. It provides a reasonably secure,
standard, cross-platform method for sender and
receiver to negotiate a connection.

◆ CHAP with Microsoft extensions (MS-CHAP): A

Microsoft-enhanced version of CHAP that can
negotiate encryption levels and that uses the
highly secure RSA RC4 encryption algorithm to
encrypt communications between client and host
 Authentication Options
(continued) Chapter 12

◆ CHAP with Microsoft extensions version 2 (MS-

CHAP v2): An enhancement of MS-CHAP that
provides better authentication and data
encryption and that is especially well suited for
VPNs
◆ Password Authentication Protocol (PAP): A non-
encrypted plain-text password authentication
protocol. This represents the lowest level of
security for exchanging passwords via PPP or
TCP/IP
Configuring Authentication
Chapter 12

Figure 12-12 Configuring authentication

 Encryption Options
Chapter 12

■ The RAS encryption options incorporate

IPSec and Microsoft Point-to-Point
Encryption (MPPE)
■ MPPE: A starting to ending point
encryption technique that uses special
encryption keys varying in length from
40 to 128 bits
 Encryption Selections
Chapter 12

■ No Encryption: Clients do not employ

data encryption
■ Basic: Intended for clients using 40-bit
encryption key MPPE or IPSec
■ Strong: Intended for clients using 56-bit
encryption key MPPE or IPSec
 Dial-in and VPN
Remote Access Tabs Chapter 12

Option Description
Advanced Used to designate connection attributes, such as RADIUS, frame types, AppleTalk zones, special

filters, and many others

Authentication Used to select the type or types of authentication methods such as EAP, CHAP, MS-CHAP, MS-
CHAP v2, PAP, and SPAP (or no authentication)
Dial-in constraints Used to set dial-in limitations, such as times of the day and days of the week when the RAS servers
can be accessed, amount of time a connection can be idle before it is disconnected, maximum session
time, dial-in number, and media through which to dial in (such as ISDN, X.25, modem, and fax).
Encryption Used to designate encryption levels: no encryption, basic, strong
IP Used to define how TCP/IP dial-in clients obtain an IP address, such as by using the server user
account settings; and to set up packet filters to limit which IP addresses can access the RAS servers
Multilink Used to enable Multilink connections, when RAS is set up for Multilink and to specify Multilink
BAP settings
 Configuring a Dial-up
Connection for a RAS Server Chapter 12

■ Use the Network and Dial-up Connections

tool to configure a new dial-up connection
for a RAS server
Creating a New Connection
Chapter 12

Figure 12-13 Creating a new connection

 General Steps to
Configure a VPN Chapter 12

■ Set up the network connectivity, such as

through a WAN adapter, access server, or
router
■ Install the Routing and Remote Access Service,
configuring it as a VPN server
■ Establish the remote access policies and
profile, including setting up EAP authentication
■ Configure the number of PPTP and L2TP ports
Configuring VPN Server Remote
Access Policies Chapter 12

■ Configure VPN remote access policies

and a profile using the same steps as
for configuring a RAS server
 Steps for Configuring Ports
Chapter 12

■ To configure the number of ports:

◆ Right-click Ports in the tree under the
server in the Routing and Remote Access
tool
◆ Click Properties
◆ Double-click WAN Miniport (PPTP) and set
the number of ports
◆ Double-click WAN Miniport (L2TP) and set
the number of ports
Steps for Configuring Ports
(continued) Chapter 12

Figure 12-15 Configuring the number of ports

 Hardware Troubleshooting Tips
for RAS and VPN Servers Chapter 12

■ Use the Add/Remove Hardware tool or the

Device Manager to test modems and WAN
adapters
■ Use the Network and Dial-up Connections
tool to check dial-up and WAN connections
■ Make sure access servers are working
■ Make sure modem lines are properly
connected and working
 Software Troubleshooting Tips
for RAS and VPN Servers Chapter 12

■ Make sure that the Remote Access Auto

Connection Manager and Remote Access
Connection Manager services are started
■ Make sure the RAS or VPN server is
enabled
■ Use the Ports option to check the status of
ports
■ Make sure all IP parameters are properly
configured
 RAS and VPN Client
Troubleshooting Tips Chapter 12
■ Check the dial-up networking and RAS
setup on the client
■ Make sure that clients are using the
right protocols
■ Check the dial-in security on the client’s
user account
■ Check the client’s modem to make sure
it is working and set for compatible
communications with the server
 Chapter Summary
Chapter 12

■ RAS and VPN servers enable clients to

remotely access Windows 2000 Server,
such as those who telecommute
■ Remote access can be configured
through many types of WAN
connectivity, such as dial-up telephone
lines, high-speed lines, Internet
connections, and routers
 Chapter Summary
Chapter 12

■ RAS and VPN servers are compatible

with remote access protocols such as
PPP, PPTP, and L2TP
■ Manage RAS and VPN servers using
remote access policies and profiles