In a remote access networking environment, the server component is only half of the configuration; the remote access clients must also be properly configured to complete the secured mobile access environment. Remote access client systems vary widely, which makes choosing the right client configuration important. A client system could run Windows 95/98, Windows NT4, Windows 2000, or Windows XP; it could be a Macintosh or Unix system; or it could be a system at an Internet café or an airport kiosk. The configuration of the client system also varies with the type of information being transferred, such as email only, or the transmission of files or confidential database information. This section covers the technologies available and the decisions that need to be made to choose the right configuration for remote access client systems.

VPN Client Configuration

If you have a small number of VPN clients, you can configure the connections manually for each client. For an environment with a hundred or more remote access VPN clients, it makes more sense to configure the remote access connections automatically. Some of the problems encountered when automatically configuring VPN connections for a large environment include the following:
The solution to these configuration issues is to use the Connection Manager, which contains the following features:
Connection Manager Client Dialer

The Connection Manager (CM) client dialer is software that is installed on each remote access client. It includes advanced features that make it a superset of basic dial-up networking. CM simplifies the client configuration for users by enabling them to do the following:
A customized CM client dialer package (CM profile) is a self-extracting executable file created by the Connection Manager Administration Kit. The CM profile can be distributed to VPN users via CD-ROM, email, Web site, or file share. The CM profile automatically configures the appropriate dial-up and VPN connections. The Connection Manager profile does not require a specific version of Windows and will run on the following platforms: Windows XP, Windows 2000, Windows NT 4.0, Windows Millennium Edition, and Windows 98.

Connection Manager Administration Kit

The Connection Manager Administration Kit (CMAK) allows administrators to preconfigure the appearance and behavior of the CM. With CMAK, the client dialer and connection software allows users to connect to the network using only the connection features that are defined for them. CMAK also allows administrators to build profiles that customize the Connection Manager installation package sent to remote access users.

Connection Point Services

Connection Point Services (CPS) allows the automatic distribution and update of custom phone books. These phone books contain one or more Point of Presence (POP) entries, with each POP containing a telephone number that provides dial-up access information for an Internet access point. The phone books give users a complete POP list, which enables remote users to connect to different Internet access points when they travel. CPS can also automatically update the phone book when changes are made to the POP list. CPS has two components:
The Connection Manager Administration Kit (CMAK) and Connection Point Services (CPS) are not installed by default on a Windows Server 2003 system. To install CMAK and CPS, do the following:
Single Sign-on

Single sign-on enables remote access users to create a remote access connection to an organization and log on to the organization's domain by using the same set of credentials. For a Windows Active Directory domain-based infrastructure, the username and password or a smartcard is used both for authenticating and authorizing a remote access connection and for authenticating and logging on to a Windows domain. You enable single sign-on by selecting the Logon by Using Dial-Up Networking option on the Windows XP and Windows 2000 logon property page and then selecting a dial-up or VPN connection to connect to the organization. For VPN connections, the user must first connect to the Internet before creating a VPN connection. After the Internet connection is made, the VPN connection and logon to the domain can be established.

The Impact of NAT Traversal at Improving Remote Connectivity

Network Address Translation Traversal (NAT-T) is a set of capabilities that allows network-aware applications to discover that they are behind a NAT device, learn the external IP address, and configure port mappings to forward packets from the external port of the NAT to the internal port used by the application. This process happens automatically, so the user does not have to configure port mappings manually. NAT Traversal relies on discovery and control protocols that are part of the Universal Plug and Play Forum-defined specifications. The UPnP Forum has a working committee focused on defining the control protocol for Internet gateway devices and defining the services for these devices. NAT and NAT Traversal will no longer be needed in an IPv6 world where every client has a globally routable IP address. The significance of NAT Traversal is the ability of a privately addressed L2TP/IPSec client to access an RRAS system.
In Windows 2000, although L2TP/IPSec was introduced, it was rarely used for remote users because individuals who connect to the Internet frequently do so through a public provider that assigns private addresses behind NAT. As an example, when a user connects to the Internet from a hotel, airport, wireless Internet café connection, or the like, the host provider of Internet connectivity usually does not issue a public IP address. Rather, the provider uses Network Address Translation, effectively giving the user a private 10.x.x.x address behind a proxy. With Windows 2000, the L2TP/IPSec client cannot traverse out of the private address space. With Windows Server 2003, NAT Traversal allows the privately addressed L2TP/IPSec client to route outside the private address zone, thus allowing the client to gain VPN connectivity. In early implementations of Windows Server 2003, many organizations migrated to this new OS specifically for the benefit of being able to set up a NAT Traversal RRAS system.
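The NAT discovery that lets an L2TP/IPSec client learn it is behind a NAT device is, at the IKE level, the NAT-D (NAT Discovery) exchange defined in RFC 3947 (IPsec NAT-T): each peer sends hashes of the addresses and ports it sees, and a receiver that cannot reproduce a hash from what it observes on the wire knows an address was rewritten, at which point both sides move to UDP-encapsulated ESP on port 4500. The following Python example is added here to illustrate that check; it is not code from the original text or from Windows, and it assumes SHA-1 as the negotiated Phase 1 hash, constructed IKE cookies, and documentation addresses (a client at private 10.0.0.5 rewritten by a NAT to 203.0.113.10, and an RRAS server at 198.51.100.20).

```python
import hashlib
import ipaddress
import struct
from typing import Dict, List, Tuple

Addr = Tuple[str, int]  # (IP address, UDP port)


def nat_d_hash(cky_i: bytes, cky_r: bytes, addr: Addr) -> bytes:
    """NAT-D payload body per RFC 3947: HASH(CKY-I | CKY-R | IP | Port).

    RFC 3947 uses whatever hash the peers negotiated in Phase 1; SHA-1 is
    assumed for this example. The IP is in network byte order and the port
    is a 2-byte big-endian value.
    """
    ip, port = addr
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.sha1(data).digest()


def build_nat_d_payloads(cky_i: bytes, cky_r: bytes, peer: Addr, own: Addr) -> List[bytes]:
    """A sender emits one NAT-D for the address it believes the peer has,
    followed by one NAT-D per local address it may be sending from (one here)."""
    return [nat_d_hash(cky_i, cky_r, peer), nat_d_hash(cky_i, cky_r, own)]


def detect_nat(cky_i: bytes, cky_r: bytes, payloads: List[bytes],
               observed_src: Addr, own: Addr) -> Dict[str, bool]:
    """Receiver-side check. `observed_src` is the source IP/port seen on the wire
    and `own` is the receiver's real address. A hash that cannot be reproduced
    means a NAT rewrote that address somewhere on the path."""
    # payloads[0] is the sender's view of *our* address; if it differs from
    # our real address, a NAT sits in front of us.
    local_behind_nat = payloads[0] != nat_d_hash(cky_i, cky_r, own)
    # payloads[1:] are the sender's own addresses; if none matches the source
    # we observed, a NAT rewrote the sender's address.
    peer_behind_nat = not any(
        p == nat_d_hash(cky_i, cky_r, observed_src) for p in payloads[1:]
    )
    return {
        "local_behind_nat": local_behind_nat,
        "peer_behind_nat": peer_behind_nat,
        # Either side behind a NAT: switch to UDP-encapsulated ESP on port 4500.
        "use_udp_4500": local_behind_nat or peer_behind_nat,
    }


def simulate_client_behind_nat() -> Dict[str, Dict[str, bool]]:
    """Constructed scenario: L2TP/IPSec client at private 10.0.0.5 behind a NAT
    that rewrites it to 203.0.113.10; RRAS server at public 198.51.100.20."""
    cky_i = bytes.fromhex("0011223344556677")  # constructed initiator cookie
    cky_r = bytes.fromhex("8899aabbccddeeff")  # constructed responder cookie
    client_private: Addr = ("10.0.0.5", 500)
    client_as_seen: Addr = ("203.0.113.10", 500)  # source after the NAT rewrite
    server: Addr = ("198.51.100.20", 500)

    # Client -> server: the client hashes the server's address and its own private one.
    to_server = build_nat_d_payloads(cky_i, cky_r, peer=server, own=client_private)
    server_view = detect_nat(cky_i, cky_r, to_server, observed_src=client_as_seen, own=server)

    # Server -> client: the server hashes the source it observed and its own address.
    to_client = build_nat_d_payloads(cky_i, cky_r, peer=client_as_seen, own=server)
    client_view = detect_nat(cky_i, cky_r, to_client, observed_src=server, own=client_private)

    return {"server": server_view, "client": client_view}


if __name__ == "__main__":
    for side, result in simulate_client_behind_nat().items():
        print(side, result)
```

Run stand-alone, the server side reports that its peer is behind a NAT (the client's own-address hash was computed over 10.0.0.5, but the packet arrived from 203.0.113.10), and the client side reports that it is itself behind a NAT (the server hashed 203.0.113.10, which the client cannot reproduce from its private address); both conclude that UDP port 4500 encapsulation is needed, which is exactly why a Windows 2000 L2TP/IPSec client without this exchange could not complete the tunnel from a private address. A firewall between the client and the RRAS server must therefore permit UDP 500 and UDP 4500 in addition to, or instead of, raw ESP.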