Configuring Remote Access

Windows Server 2003 includes the Routing and Remote Access Service (RRAS), which enables remote clients to connect to a remote access server and use resources as though they were directly attached to the network. RRAS can be used to configure VPNs, thus expanding your LAN over the Internet.

Windows 2000 introduced routing and remote access, which replaced the remote access service of Windows NT 4.0. RRAS in Windows Server 2003 now includes the following new features:

  • RRAS servers can be configured to use a preshared key instead of a computer certificate to authenticate the IP Security (IPSec) association that protects Layer 2 Tunneling Protocol (L2TP) VPN connections. Because one preshared key is shared by every client and the server, it suits testing or environments that cannot deploy certificates; certificates remain the stronger choice for production.

  • Network Address Translation (NAT) now supports both dynamic and static packet filtering. Dynamic filtering is implemented through the use of Basic Firewall.

  • In Windows 2000, NAT did not support L2TP/IPSec connections. NAT in Windows Server 2003 can now translate L2TP/IPSec VPN connections.

Windows Server 2003 remote access provides two connectivity methods:

  • Dial-up: Clients connect to the remote access server over a dial-up link, such as an analog phone line or ISDN.

  • VPN: Clients connect over an IP-based internetwork (most often the public Internet) to a remote access server configured as a VPN server.

Enabling Routing and Remote Access

RRAS is installed by default with Windows Server 2003. However, before you can begin using RRAS, it must first be enabled. To enable RRAS, follow these steps:

  1. Click Start, point to Administrative Tools, and click Routing and Remote Access.

  2. Right-click the server and select Configure and Enable Routing and Remote Access. Click Next.

  3. The Routing and Remote Access Server Setup Wizard opens. From the list of common configurations, select Remote Access (dial-up or VPN). The remaining options are summarized in Table 5.1. Click Next.

  4. Select the connection methods clients can use to connect to the remote access server (VPN and/or dial-up). Click Next.

  5. Choose the network interface for clients to use. Click Next.

  6. On the IP Address Assignment screen, select how remote access clients will receive an IP address (see Figure 5.1). IP addresses can be assigned automatically using a Dynamic Host Configuration Protocol (DHCP) server on the internal network, or you can configure a range of IP addresses on the remote access server to assign to remote access clients. If you choose the second option, the resulting wizard screen enables you to configure the range of IP addresses that are available to remote clients. Click Next.

    Figure 5.1. You must configure IP address assignments for remote clients.


  7. Specify whether to use a Remote Authentication Dial-In User Service (RADIUS) server. If you choose to use a RADIUS server, the resulting wizard screen enables you to specify the name of the primary and alternative RADIUS servers and the shared secret. Click Next.

  8. Click Finish.

Table 5.1. Common Remote Access Configurations

  • Remote Access (dial-up or VPN): Enables computers to connect to the server using a dial-up or VPN connection.

  • Network Address Translation (NAT): Allows internal computers to access the Internet using a single public IP address.

  • Virtual private network (VPN) access and NAT: Allows computers to access the remote access server through the Internet, and allows internal clients to access the Internet using a single public IP address.

  • Secure communications between two private networks: Connects the network to a remote network.

  • Custom configuration: Allows you to choose any combination of features.

When you click the Finish button to exit the wizard, a warning message appears if you chose to use a DHCP server to assign IP addresses to remote clients (see Figure 5.2). The message warns you that to have DHCP messages relayed from remote clients to a DHCP server on the internal network, the remote access server must be configured as a DHCP Relay Agent. (This issue is covered in more detail in the section entitled "Configuring Routing and Remote Access for DHCP.")

Figure 5.2. To complete the remote access process, you must configure a DHCP Relay Agent.

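The wizard steps above, scripted as an added example that is not from the Exam Cram text: the PowerShell below drives the Windows Server 2003 netsh ras context to make the same choices the wizard asks for (a static address pool and RADIUS authentication and accounting), then tightens a setting the wizard leaves at its default, the PPP authentication protocols, so that only MS-CHAPv2 and EAP are accepted, and audits the result. The address range, RADIUS host and shared secret are placeholders, and the parsing of netsh ras show authtype output assumes each enabled type is listed with its code at the start of a line. Run it in an elevated session on the RRAS server after RRAS has been enabled (PowerShell is a separate install on Windows Server 2003).

```powershell
# Added example, not code from the book: scripts the RRAS Setup Wizard's choices
# with "netsh ras" and audits the PPP authentication protocols afterwards.
param(
    [string] $PoolStart    = '192.168.50.100',          # assumed static pool for remote clients
    [string] $PoolEnd      = '192.168.50.199',
    [string] $RadiusServer = 'radius1.corp.example',    # hypothetical RADIUS host
    [int]    $RadiusPort   = 1812,
    [string] $RadiusSecret = 'replace-with-a-long-random-secret'  # reaches netsh in clear text, like the wizard dialog
)

function Invoke-Netsh {
    # Runs one netsh command and stops on a non-zero exit instead of silently continuing.
    param([Parameter(Mandatory=$true)][string[]] $NetshArgs)
    $output = & netsh.exe @NetshArgs 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw ("netsh " + ($NetshArgs -join ' ') + " failed with exit code $LASTEXITCODE`n" + ($output -join "`n"))
    }
    return $output
}

function Set-RrasAddressPool {
    # Wizard step 6, second option: hand out addresses from a range held on the server.
    param([string] $From, [string] $To)
    Invoke-Netsh 'ras','ip','set','addrassign','method=pool' | Out-Null
    Invoke-Netsh 'ras','ip','add','range',"from=$From","to=$To" | Out-Null
}

function Set-RrasRadius {
    # Wizard step 7: forward authentication and accounting to RADIUS.
    # signature=enabled requires the Message-Authenticator attribute on RADIUS replies.
    param([string] $Server, [int] $Port, [string] $Secret)
    Invoke-Netsh 'ras','aaaa','set','authentication','provider=radius' | Out-Null
    Invoke-Netsh 'ras','aaaa','set','accounting','provider=radius' | Out-Null
    Invoke-Netsh 'ras','aaaa','add','authserver',"name=$Server","secret=$Secret","port=$Port",'signature=enabled' | Out-Null
    Invoke-Netsh 'ras','aaaa','add','acctserver',"name=$Server","secret=$Secret" | Out-Null
}

function Set-RrasAuthTypes {
    # Remove PAP (clear-text password), SPAP (reversible), MD5-CHAP (needs reversibly
    # stored passwords) and MS-CHAP v1; keep MS-CHAPv2 and EAP. Deleting a type that is
    # already absent is not an error worth stopping for, so these calls are tolerant.
    foreach ($weak in 'PAP','SPAP','MD5CHAP','MSCHAP') {
        & netsh.exe ras delete authtype "type=$weak" 2>&1 | Out-Null
    }
    foreach ($strong in 'MSCHAPv2','EAP') {
        & netsh.exe ras add authtype "type=$strong" 2>&1 | Out-Null
    }
}

function Test-RrasAuthTypes {
    # Returns the weak protocol codes still enabled (empty list means the audit passes).
    # Assumption: "netsh ras show authtype" lists each enabled code at the start of a line.
    # \b after MSCHAP keeps "MSCHAPv2" from being reported as MS-CHAP v1.
    $weak = @()
    foreach ($line in (& netsh.exe ras show authtype)) {
        if ($line -match '^\s*(PAP|SPAP|MD5CHAP|MSCHAP)\b') { $weak += $Matches[1] }
    }
    return $weak
}

# RRAS must already be enabled (the wizard above); the service name is RemoteAccess.
$svc = Get-Service -Name RemoteAccess
if ($svc.Status -ne 'Running') { throw 'Routing and Remote Access is not running; enable it first.' }

Set-RrasAddressPool -From $PoolStart -To $PoolEnd
Set-RrasRadius -Server $RadiusServer -Port $RadiusPort -Secret $RadiusSecret
Set-RrasAuthTypes

$stillWeak = Test-RrasAuthTypes
if ($stillWeak.Count -gt 0) {
    Write-Warning ('Weak PPP authentication still enabled: ' + ($stillWeak -join ', '))
} else {
    Write-Host 'Only MS-CHAPv2 and EAP are accepted.'
}

# Show the resulting configuration for the change record.
Invoke-Netsh 'ras','ip','show','config'
Invoke-Netsh 'ras','aaaa','show','authserver'
```

The shared secret is passed on the command line because netsh accepts it no other way; treat the session history accordingly and use a long random value. Some netsh ras settings are read only when the Routing and Remote Access service starts, so restart the service if a change does not appear in the audit output.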

Configuring Inbound Connections

The two main communication protocols used by dial-up remote access clients are the Point-to-Point Protocol (PPP) and the Serial Line Internet Protocol (SLIP). PPP is the industry standard for dial-up links: it negotiates authentication and link parameters, and it carries multiple network protocols, including TCP/IP, IPX/SPX, and NetBEUI.

SLIP is a legacy protocol used primarily to connect to Unix systems. Its major disadvantage is the lack of security: SLIP has no authentication or encryption of its own, so passwords cross the link in clear text. Windows Server 2003 remote access supports SLIP for outbound (dial-out) connections only. A SLIP client also cannot obtain an address through the remote access server's DHCP-based assignment; its address must be configured manually.


The two tunneling protocols used to reach a VPN server are the Point-to-Point Tunneling Protocol (PPTP) and the Layer 2 Tunneling Protocol (L2TP). Both carry PPP frames inside the tunnel, so the PPP authentication and address-assignment settings described here apply to VPN clients as well. PPTP encrypts the tunnel with Microsoft Point-to-Point Encryption (MPPE), whose keys are derived from the MS-CHAP user authentication exchange, so the tunnel is only as strong as that exchange. L2TP relies on IPSec, which authenticates the two computers (by certificate or, new in Windows Server 2003, by preshared key) before any user credentials are sent; prefer L2TP/IPSec where the clients support it.


You configure PPP on the PPP tab of the remote access server's Properties window (see Figure 5.3). Enabling the Multilink Connections option lets remote access clients aggregate multiple physical links (for example, the two B channels of an ISDN BRI connection) into a single logical connection with the combined bandwidth. Multilink on its own does not add or drop links as demand changes; that is the job of the Bandwidth Allocation Protocol (BAP). With BAP, when utilization on a multilink connection rises above a configured level the client sends a BAP request for an additional link, and links are released the same way when utilization falls. The Bandwidth Allocation Control Protocol (BACP) works with the Link Control Protocol (LCP) to elect a favored peer, so that if both ends send BAP requests simultaneously one side's request takes precedence. BAP, BACP, LCP extensions, and software compression can each be enabled or disabled on the same PPP tab shown in Figure 5.3.

Figure 5.3. You configure PPP via the PPP tab in the Properties window of the remote access server.



To apply multilink at the remote access policy level, you must first enable it at the server level. This means that if multilink is not enabled through the Properties window for the remote access server, you will not be able to apply it in a remote access policy.


Configuring Ports

Configuring inbound connections allows a remote access server to accept incoming connections from remote access clients. After RRAS has been enabled, a number of ports are created, and additional ports can be created if necessary. To configure them, right-click the Ports icon under the RAS server, select Properties, select the device whose ports you want to configure, and click Configure. Keep in mind that the changes apply to every port of the selected device (for example, all WAN Miniport (PPTP) ports), not to a single port. The configurable options are the same for PPTP and L2TP ports (see Figure 5.4). From this Properties window, you can also increase the number of ports by changing the Maximum Ports setting.

Figure 5.4. You configure ports via the Ports Properties icon on the RAS server.


In the Configure Device dialog box shown in Figure 5.4, you can configure the ports for inbound use only, or for inbound and outbound use if the server is used for demand-dial routing. This is also where you can configure additional ports by setting the Maximum Ports value.


Demand-dial routing establishes a connection over a physical or virtual link only when there is traffic to send and drops it when the link is idle. Compared with a dedicated link, the benefits are lower cost and a smaller exposure, because the path between the two networks exists only while it is in use. For example, two offices in different geographical locations can exchange traffic over a demand-dial connection without paying for a dedicated link, since the connection is established only when necessary.


Modem and serial ports are also created for any modems that are installed on the server, and for any serial or parallel connections. These ports can also be configured in the Ports Properties dialog box.



MCSA/MCSE 70-291 Exam Cram: Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure (2nd Edition)
ISBN: 0789736187
Authors: Diana Huggins