Connections Tasks
The following tasks apply generally to most types of connections you can create.
Network Connections Folder → right-click on connection → Enable/Disable
Be sure to notify users before disabling a connection they are using.
You can monitor the status of your connections in a couple of ways:
Network Connections Folder → right-click on an active connection → Status
Right-click on connection icon in system tray (if present) → Status
The General tab displays basic connection statistics. Some connections like VPN also have a Details tab that shows information like the IP address of the remote server, the authentication and encryption methods used, and so on.
You can also monitor the general status of all the connections on your machine by:
Network Connections Folder → View → Details
See Advanced under Configure a Dial-up Connection later in this section.
If a connection stops working properly, you can try repairing it by:
Network Connections Folder → right-click on connection → Repair
This may fix simple issues like an expired DHCP lease or missing DNS server IP address. After repairing a connection, check it like this:
Network Connections Folder → right-click on connection → Status → Support → Details
If it still doesn't work, open its properties and check its configuration settings.
For outbound dial-up connections to remote access servers, you can configure your client location information, autodial, and callback settings as follows:
Network Connections Folder → Advanced → Remote Access Preferences → specify your information → OK twice
Enabling autodialing starts an outgoing connection on demand when it's required to access the Internet or a remote access server. Callback lets a remote access server call back a remote client attempting to connect, either to avoid having the client pay the charges or to verify the identity of the client by its phone number. You can also enable connection logging here for troubleshooting purposes.
Operator-assisted dialing is toggled on or off using:
Network Connections Folder → Advanced → Operator-Assisted Dialing
With this feature on, you can double-click on a connection, pick up the telephone, and manually dial the number or ask the operator to do it. Once the number has been dialed, click Dial, wait for the modem to take control of the line (the modem has gone silent at this point), and hang up.
You can easily bridge two or more LAN or high-speed Internet connections. Suppose your server has two NICs connected to different network segments. By bridging these connections, computers on each segment can communicate with each other. To bridge connections:
Network Connections Folder → hold down Ctrl and select connections → right-click → Bridge
If you have several connections of one type (such as remote access), you can rearrange the order in which they are accessed by network services and which network services they can use. Do this as follows:
Network Connections Folder → Advanced → Advanced Settings → move connections or bindings up or down
The following tasks are for outbound dial-up connections to private networks and the Internet.
New Connection Wizard → Connect to the Internet → Connect using a dial-up modem → specify ISP name and phone number → specify who can use the connection (only you or anybody) → specify credentials → enable/disable Internet Connection Firewall (ICF)
If you allow the connection to be used by anybody, you can select the "Use this account name and password when anyone connects to the Internet using this connection" option to use the specified credentials for all users.
New Connection Wizard → Connect to the network at my workplace → Dial-up connection → specify company name and phone number → specify who can use the connection (only you or anybody)
An administrator on the remote network must grant remote access permissions for your user account before you can dial up and connect.
Once a connection has been created, you can dial it by:
Network Connections Folder → double-click on connection → Dial
Note that the administrator on a remote private network must first grant dial-in permission to a user before the user can connect to a remote access server. See Incoming Connections later in this section for more information.
To disconnect an established connection, you can do one of two things:
Double-click on connection → Disconnect
Right-click on connection icon in system tray (if shown) → Disconnect
When you use the New Connection Wizard to create an outbound dial-up connection, you specify only minimal configuration information for the connection. If you need to further configure the connection, open its properties sheet by:
Right-click on connection → Properties
The configuration options are the same whether you are configuring a dial-up connection to a private network or to the Internet. The following are some of the more important settings on the five tabs of this properties sheet. Note that some remote access terminology is used in this discussion; for an explanation of PPP, BAP, PAP, CHAP, and similar terms, see Routing and Remote Access later in this chapter. Now I'll describe what each tabbed page of options does.
Click the Alternates button on the General tab if you want to assign multiple phone numbers to a connection. You can then have the connection try each number in order until it succeeds in establishing a connection. You can also configure it so that successful numbers are moved to the top of the list for future connection attempts.
Select the checkbox to make the connection icon visible in the system tray, as this simplifies the process of monitoring and terminating the connection. The connection icon blinks when data is being transferred, and you can double-click on it to display the status of the connection or right-click on it to terminate the connection.
If you have more than one modem installed, you have additional options on this tab that let you do the following:
- Specify which modem or modems will be used for this connection.
- Specify the order in which they are used to establish a connection. (If the first modem fails, then the next one in the list is used.)
- Specify whether they will all call the same numbers.
The Options tab is where you specify redial attempts and whether the connection should automatically terminate after being idle for a period of time. You can also specify that the connection should automatically redial if it is dropped; this is useful for file transfers using FTP, since WS2003 can resume a file transfer without needing to start all over.
If you have more than one modem installed and have enabled at least two of them for this connection on the General tab, you have the additional option of Multiple Devices on the Options tab. This new option can be specified as one of the following:
- Use this to configure a PPP Multilink dial-up connection. (The remote access server you are dialing must also support PPP Multilink.)
- Use this if you want to use multiple modems to provide fault tolerance for your connection.
- Use this to configure a BAP connection for dynamic multilinking. (The remote access server you are dialing must also support BAP.) After you make this selection, click Configure to specify the conditions under which lines are added to or dropped from your connection.
The Typical option on the Security tab gives you a series of preconfigured settings for authentication protocols and data encryption schemes. In any case, the remote access client and server will negotiate the highest degree of security for authentication and data integrity that they are both configured to support. The three settings here are (in order of increasing security):
1. Allows any authentication protocol including PAP but doesn't encrypt data
2. Doesn't allow PAP but can encrypt data
3. Allows only smart-card authentication and can encrypt data
If you want more granular control over which authentication protocols and data encryption schemes the dial-up client supports, select Advanced (custom settings) → Settings. For more information on these various schemes and protocols, see Routing and Remote Access later in this chapter.
Also on this tab are options for opening an interactive terminal window and running a script during the connection establishment process. These options are usually needed only for legacy SLIP connections.
On the Networking tab you can specify that the ISP's modem bank or company's remote access server you are dialing into is either PPP or SLIP (it's almost always PPP nowadays). If it is PPP, click Settings to configure advanced PPP features, such as software compression, if they are supported by the server you are calling.
Usually, a dial-up connection to the Internet dynamically obtains a client IP address using DHCP, and this is configured by default for Internet Protocol (TCP/IP). If you need to specify a static IP address for your machine for this connection, you can do so here. Table 4-4 shows which networking components are enabled for Internet versus remote access dial-up connections.
Table 4-4. Networking components enabled by type of dial-up connection

| Networking component | To a private network | To the Internet |
|---|---|---|
| Internet Protocol (TCP/IP) | Yes | Yes |
| Client for Microsoft Networks | Yes | No |
| File and Print Sharing for Microsoft Networks | No | No |
Formerly labeled "Sharing" in W2K Server, the Advanced tab is used to set up Internet Connection Firewall (ICF) and to configure Internet Connection Sharing (ICS):
Integrated into WS2003 connections is an enhanced firewall feature that you can use to block dangerous traffic from your server. This firewall has been significantly improved over that in W2K Server. To configure ICF:
Advanced tab → select Internet Connection Firewall → Settings
The Services tab essentially lets you configure which inbound ports to open on your connection to allow Internet users to access services on your network. For example, if you select Web Server (HTTP), it opens port 80 for inbound traffic. By default, all inbound network traffic is blocked.
The Security Logging tab lets you log inbound packets that are either passed through or blocked by your firewall (or both). If you use ICF, you should review your firewall logs regularly.
The ICMP tab lets you control which kinds of inbound ICMP packets are allowed through your firewall. ICMP packets are often used to probe networks, and a flood of them may be used in a denial-of-service (DoS) attack to prevent legitimate users from accessing services on your network. By default, all inbound ICMP traffic is blocked.
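Reviewing the ICF log by hand gets tedious quickly, so here is an added example (not code from the book) that summarizes the log's DROP records per source address and destination port and lists sources that were blocked on several distinct ports. It reads the column names from the log's own `#Fields:` header; the log lines embedded below are constructed for illustration and were not captured from a real server.

```python
"""Summarize the Internet Connection Firewall (ICF) security log.

ICF writes a W3C extended text log whose '#Fields:' header names the columns;
this reader takes the names from that header instead of hard-coding them.
Added example, not the book's code; the log below is constructed, not real."""
from collections import Counter

SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Internet Connection Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2003-11-05 10:22:13 DROP TCP 203.0.113.7 192.0.2.10 4421 135 48 S 1234567 0 65535 - - -
2003-11-05 10:22:13 DROP TCP 203.0.113.7 192.0.2.10 4422 139 48 S 1234568 0 65535 - - -
2003-11-05 10:22:14 DROP TCP 203.0.113.7 192.0.2.10 4423 445 48 S 1234569 0 65535 - - -
2003-11-05 10:22:15 DROP ICMP 203.0.113.7 192.0.2.10 - - 60 - - - - 8 0 -
2003-11-05 10:22:40 OPEN TCP 192.0.2.10 198.51.100.20 1045 80 - - - - - - - -
2003-11-05 10:23:02 DROP TCP 198.51.100.99 192.0.2.10 3311 80 48 S 7654321 0 16384 - - -
"""


def parse_icf_log(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # version, software and time-format header lines
        if fields is None:
            raise ValueError("data line appears before the #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated line: skip it rather than misalign the columns
        yield dict(zip(fields, values))


def summarize_drops(text, scan_threshold=3):
    """Count blocked packets per source and per destination port, and list
    sources that were blocked on at least scan_threshold distinct ports."""
    by_src, by_port = Counter(), Counter()
    ports_per_src = {}
    icmp_drops = 0
    for rec in parse_icf_log(text):
        if rec["action"] != "DROP":
            continue  # OPEN/CLOSE records describe the server's own traffic
        by_src[rec["src-ip"]] += 1
        if rec["protocol"] == "ICMP":
            icmp_drops += 1
        else:
            by_port[rec["dst-port"]] += 1
            ports_per_src.setdefault(rec["src-ip"], set()).add(rec["dst-port"])
    scanners = sorted(s for s, p in ports_per_src.items() if len(p) >= scan_threshold)
    return {"by_src": dict(by_src), "by_port": dict(by_port),
            "icmp_drops": icmp_drops, "scanners": scanners}


if __name__ == "__main__":
    summary = summarize_drops(SAMPLE_LOG)
    for src, n in sorted(summary["by_src"].items(), key=lambda kv: -kv[1]):
        print(f"{src:>15}  {n} blocked packets")
    print("ports probed:", summary["by_port"])
    print("sources blocked on 3+ ports:", summary["scanners"])
```

Point the script at the real log path shown on the Security Logging tab to run it against your own server's log.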
ICS lets your computer act as a gateway to the Internet so that other computers on your network can access the remote private network or the Internet by dialing up the connection to this server. Using the second checkbox, you can also specify that the connection be dialed automatically when another computer on your network tries to use it, a feature sometimes called on-demand dialing.
Direct computer connections are used mainly for file transfers between two computers over a null-modem (file-transfer) cable when no networking adapters are installed. However, you can share a direct computer connection, which gives you a way of connecting two networks together using a null-modem cable.
To create a direct computer connection, you first need to configure either a COM port to use a serial RS-232C null-modem cable or a parallel port to use an ECP parallel file-transfer cable:
Control Panel → Phone and Modem Options → Modems → Add → select Don't detect my modem → select either cable option → select Port
Then decide which role your machine will assume:
Host: the computer that listens for and responds to direct computer connection attempts from a Guest machine:
New Connection Wizard → Set up an advanced connection → Connect directly to another computer → select Host → choose port (LPT or COM) → select users allowed to connect
Guest: the computer that attempts to initiate a direct computer connection with a Host machine:
New Connection Wizard → Set up an advanced connection → Connect directly to another computer → select Guest → choose port (LPT or COM) → specify who can use the connection (only you or anybody)
Note that when you create a Host connection, the RRAS service starts and the connection is displayed in the Network Connections folder as an Incoming Connection. However, when you create a Guest connection, it's displayed as a Direct Connection.
Make sure the null-modem cable is attached, then go to the Guest computer and do this:
Network Connections Folder → double-click on connection → Connect
Configuring Guest machines is similar to configuring dial-up connections, and the same five tabs are present on the properties sheet. There are a few differences, though:
- General tab: lets you choose only which device (COM or LPT port) is used for the connection.
- Security tab: Advanced security settings are used instead of the Typical ones used by dial-up connections, and these should generally not be changed.
- Networking tab: all default networking services are enabled for this connection.
The properties sheet for Host machines has only three tabs:
- General: here, you can configure the Host to listen for Guests on multiple ports, for example, COM and LPT. You can even use multilink to combine multiple connections from a single Guest machine, though you'd have to create multiple Guest connections on the Guest machine to do this.
- Users: here, you specify which users are allowed to establish direct computer connections with the Host machine. The information displayed depends on whether your machine belongs to a workgroup or domain.
- Networking: as for Guest machines, all default networking services are enabled for this connection.
We'll focus here on creating incoming connections on a standalone server in a workgroup scenario. In a domain environment, you're more likely to use the Routing and Remote Access Service (RRAS) to create a full-fledged remote access server for your remote clients.
New Connection Wizard → Set up an advanced connection → Accept incoming connections → select devices to listen on → enable/disable VPN → select users allowed to connect → Properties → allow callback if desired → configure networking components for this connection
Note that the devices you can select depend on what's installed on your machine and may include COM and LPT ports (for direct cable connections), modems, ISDN adapters, and so on.
By enabling a VPN for your connection, you allow remote users to connect to your computer over the Internet, provided, of course, that your machine has a public IP address so packets can be routed to it from the Internet. This option is disabled by default for security reasons. If you enable it, Windows automatically configures ICF, but you should check the firewall configuration to make sure it's configured the way you want it.
The main networking component to configure for the connection is TCP/IP. By opening the properties of this component you can:
- Have clients use their own IP addresses or assign them using DHCP (the default) or from a pool of addresses
- Allow (the default) or deny clients access to other computers on your network
When creating an incoming connection using the procedure described earlier, you specified the user accounts allowed to connect. By doing so, the remote access permissions for these accounts were set to Allow Access on the Dial-in tab of the properties sheet for each account. If you later want to allow additional users to use the incoming connection or decide to deny access to a user you previously granted it to, do the following:
Computer Management → System Tools → Local Users and Groups → Users → right-click on user account → Properties → Dial-in → allow or deny access
You can also change the callback option for the user here.
To open the properties of an incoming connection:
Right-click on connection → Properties
These settings were discussed previously under Direct Computer Connection in reference to Host machines.
In addition to dial-up Internet connections (discussed under Dial-up Connections earlier in this section), you can create two types of broadband Internet connections: always-on (LAN) or on-demand (PPPoE) connections.
First, make sure your DSL router is configured properly, is turned on, and your network cables are attached. Then do this:
New Connection Wizard → Connect to the Internet → Connect using a broadband connection that is always on
That was easy!
New Connection Wizard → Connect to the Internet → Connect using a broadband connection that requires a username and password → specify ISP name → specify who can use the connection (only you or anybody) → specify credentials → enable/disable ICF
The configuration options here are identical to those for dial-up Internet connections, except all references to modems and phone numbers are removed.
Local area connections (typically, Ethernet connections) can't be created manually using the New Connection Wizard. Instead, they're created automatically during Setup or when Windows detects a new network adapter. By selecting them in the Network Connections folder, they can be configured, disabled, enabled, and monitored like other connections, but they can't be deleted unless you remove the network card associated with the connection.
To configure networking components and protocols for local area connections, do this:
Control Panel → Network Connections → select a local area connection → Properties → General
For information about configuring TCP/IP settings for local area connections, see TCP/IP later in this chapter. To configure firewall settings on your connection, do this:
Control Panel → Network Connections → select a local area connection → Properties → Advanced → Protect my computer → Settings
For wireless LAN (WLAN) connections, you can also configure authentication by:
Control Panel → Network Connections → select a local area connection → Properties → Authentication
These are outbound connections that securely tunnel over the Internet to a remote VPN server, such as a WS2003 machine with RRAS configured.
First, make sure you have an Internet connection configured on your machine, either dial-up, on-demand broadband, or always-on, as described previously. Also, make sure the VPN server on the remote network is ready and listening so you can test your connection after you create it. Now proceed as follows if you have a dedicated Internet connection:
New Connection Wizard → Connect to the network at my workplace → Virtual Private Network connection → specify company name → specify IP address or DNS name of remote VPN server → specify who can use the connection (only you or anybody)
If you have a dial-up or on-demand Internet connection, do this instead:
New Connection Wizard → Connect to the network at my workplace → Virtual Private Network connection → specify company name → select a dial-up connection → specify IP address or DNS name of remote VPN server → specify who can use the connection (only you or anybody)
Instead of selecting a dial-up connection to automatically dial when you try to establish your VPN connection, you can choose not to automatically dial a connection. In this case, you have to manually establish your Internet connection before you open your VPN connection.
The settings for configuring a VPN connection are the same as those for a dial-up connection to a private network (discussed previously), except for the following differences:
- General tab: instead of modem settings, you specify the IP address of the remote VPN server on this tab. If you have multiple dial-up or on-demand Internet connections available, you can also specify which one to try first when establishing your VPN connection.
- Security tab: while the default security setting for dial-up connections to private networks is Allow Unsecured Password, the default setting for VPN connections is Require Secured Password with Require Data Encryption also enabled. These settings are necessary because the VPN connection travels over the Internet, which, as everyone knows, is a dangerous place (just like the Wild West was in its heyday). If you enable the option Automatically Use My Windows Name and Password, the credentials of the user currently logged on to your machine are sent to the remote VPN server for authentication.
- Networking tab: File and Print Sharing is enabled for VPN connections (it wasn't for dial-up connections).
To check the status of a VPN connection:
Network Connections Folder → right-click on an active VPN connection → Status
The General tab shows bytes sent and received since the connection was initiated, as well as other network traffic information. The Details tab shows useful information about the type of server, IP address of server and client, type of authentication protocol used, and so on. Here's an example of what you might see on the Details tab if you were connected to another WS2003 machine configured as a VPN server:
Server type: PPP
Transports: TCP/IP
Authentication: MS CHAP V2
Encryption: MPPE 56
Compression: MPPC
PPP multilink framing: On
Server IP address: 172.16.11.128
Client IP address: 172.16.11.130
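Because client and server negotiate the strongest settings they both support, the Details tab is where you confirm what was actually agreed. Here is an added example (not code from the book) that parses that output and flags a negotiated authentication protocol or MPPE key length weaker than a policy you choose; the ranking of protocols and the 128-bit threshold are this example's own assumptions, and the input is the sample Details output shown above.

```python
"""Audit the negotiated settings shown on a VPN connection's Details tab.

Added example, not the book's code. The protocol ranking and the minimum
MPPE key length below are this example's own policy, not a Windows API."""
import re

# The Details tab output reproduced from the text, as constructed input.
DETAILS_TEXT = """\
Server type: PPP
Transports: TCP/IP
Authentication: MS CHAP V2
Encryption: MPPE 56
Compression: MPPC
PPP multilink framing: On
Server IP address: 172.16.11.128
Client IP address: 172.16.11.130
"""

# Higher is stronger: PAP sends the password in clear text, CHAP needs a
# reversibly stored password on the server, MS CHAP V2 adds mutual
# authentication, and EAP is what smart-card logon uses.
AUTH_RANK = {"PAP": 0, "CHAP": 1, "MS CHAP": 2, "MS CHAP V2": 3, "EAP": 4}


def parse_details(text):
    """Turn 'Name: value' lines into a dict; lines without a colon are ignored."""
    details = {}
    for line in text.splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            details[name.strip()] = value.strip()
    return details


def mppe_bits(encryption):
    """Return the MPPE key length in bits, or 0 if no MPPE encryption is shown."""
    m = re.fullmatch(r"MPPE\s+(\d+)", encryption or "")
    return int(m.group(1)) if m else 0


def audit_vpn(text, min_auth="MS CHAP V2", min_mppe_bits=128):
    """Return a list of policy findings; an empty list means the session passes."""
    d = parse_details(text)
    findings = []
    auth = d.get("Authentication", "")
    if AUTH_RANK.get(auth, -1) < AUTH_RANK[min_auth]:
        findings.append(f"authentication {auth or '(none)'} is weaker than {min_auth}")
    if mppe_bits(d.get("Encryption")) < min_mppe_bits:
        findings.append(f"encryption {d.get('Encryption', '(none)')} is below "
                        f"{min_mppe_bits}-bit MPPE")
    return findings


if __name__ == "__main__":
    for finding in audit_vpn(DETAILS_TEXT) or ["session meets policy"]:
        print(finding)
```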