Configuring Remote Access Clients


In a remote access networking environment, the server component is only half of the configuration; the remote access clients must also be configured correctly to complete a secure mobile access environment. Remote access client systems vary widely, which makes choosing the right client configuration important.

Client systems vary by operating system (Windows 95/98, Windows NT 4.0, Windows 2000, Windows XP, Macintosh, or Unix), and the client may even be a machine the organization does not control, such as a system at an Internet café or a kiosk in an airport. The client configuration also varies with the type of information being transferred, whether just email, file transfers, or confidential database information.

This section covers the technologies available and the decisions that need to be made to choose the right configuration for remote access client systems.

VPN Client Configuration

If you have a small number of VPN clients, you can configure the connection manually on each client. For an environment with a hundred or more remote access VPN clients, it makes more sense to distribute the configuration automatically. The problems that make manual configuration impractical in a large environment include the following:

  • The organization has a variety of Windows desktop clients.

  • End users make configuration errors.

  • A VPN connection may need a double-dial configuration, where a user must dial the Internet first before creating a VPN connection with the organization's intranet.

The solution to these configuration issues is Connection Manager, which consists of the following components:

  • Connection Manager Client Dialer

  • Connection Manager Administration Kit

  • Connection Point Services

Connection Manager Client Dialer

The Connection Manager (CM) client dialer is software that is installed on each remote access client. It includes advanced features that make it a superset of basic dial-up networking. CM simplifies the client configuration for the users by enabling them to do the following:

  • Select from a list of phone numbers to use, based on physical location.

  • Use customized graphics, icons, messages, and help.

  • Automatically create a dial-up connection before the VPN connection is made.

  • Run custom actions during various parts of the connection process, such as pre-connect and post-connect actions.

A customized CM client dialer package (CM profile) is a self-extracting executable file created by the Connection Manager Administration Kit. The profile can be distributed to VPN users on CD-ROM, by email, from a Web site, or on a file share, and it automatically configures the appropriate dial-up and VPN connections. Because the profile is executable code that users run with their own privileges (including any pre-connect and post-connect custom actions it carries), distribute it over a channel users can trust and sign the package so that they can verify who built it before running it. The CM profile does not require a specific version of Windows and runs on Windows XP, Windows 2000, Windows NT 4.0, Windows Millennium Edition, and Windows 98.

Connection Manager Administration Kit

The Connection Manager Administration Kit (CMAK) lets administrators preconfigure the appearance and behavior of CM. A CMAK-built client dialer lets users connect to the network using only the connection features that have been defined for them. CMAK is also the tool with which administrators build profiles, customizing the Connection Manager installation package that is sent to remote access users.

Connection Point Services

Connection Point Services (CPS) automatically distributes and updates custom phone books. A phone book contains one or more Point of Presence (POP) entries, each holding the telephone number of a dial-up Internet access point. The phone book gives users a complete POP list, so remote users can connect to different Internet access points as they travel, and CPS updates the phone book on the client automatically when the POP list changes.

CPS has two components:

  • Phone Book Administrator: A tool used to create and maintain the phone book database and to publish new phone book information to the Phone Book Service.

  • Phone Book Service: A Microsoft Internet Information Services (IIS) extension that runs on a Windows Server 2003 server configured with IIS. When a CM client connects, it checks its phone book version against the Phone Book Service and downloads an update if one is available.

The Connection Manager Administration Kit (CMAK) and Connection Point Services (CPS) are not installed by default on a Windows Server 2003 system. To install CMAK and CPS, do the following:

1. Click Start, Control Panel, Add or Remove Programs.

2. Click Add/Remove Windows Components.

3. On the Windows Components Wizard screen, double-click Management and Monitoring Tools.

4. Select Connection Manager Administration Kit and Connection Point Services.

5. Click OK and then click Next to complete the installation of the components. Click Finish when done.

Single Sign-on

Single sign-on lets a remote access user create a remote access connection to the organization and log on to the organization's domain with one set of credentials. In a Windows Active Directory domain-based infrastructure, the same username and password, or the same smartcard, is used both to authenticate and authorize the remote access connection and to authenticate and log on to the Windows domain. You enable single sign-on by selecting the Logon by Using Dial-Up Networking option on the Windows XP or Windows 2000 logon screen and then choosing a dial-up or VPN connection to the organization. For VPN connections, the user must first connect to the Internet; after the Internet connection is made, the VPN connection and the domain logon can be established. Because the domain credentials are the ones presented to the VPN server, pair single sign-on with an authentication method that does not expose them on the wire: EAP-TLS with smartcards or certificates, or at least MS-CHAP v2. A weaker method such as PAP sends the domain password in the clear to whatever server answers the connection.

The Impact of NAT Traversal at Improving Remote Connectivity

The term Network Address Translation Traversal (NAT-T) is applied to two different mechanisms, and it helps to keep them apart. The first is the Universal Plug and Play (UPnP) Internet Gateway Device specification, which lets a network-aware application discover that it is behind a NAT device, learn the external IP address, and configure port mappings that forward packets from the external port of the NAT to the internal port the application uses. This happens automatically, so the user does not have to configure port mappings by hand; it relies on the discovery and control protocols defined by the UPnP Forum, whose working committee defines the control protocol and the services for Internet gateway devices. The second, which is what makes L2TP/IPSec usable from behind a NAT, is IPsec NAT-T (RFC 3947 and RFC 3948): during the IKE negotiation the two peers detect whether a NAT sits between them, and if so they encapsulate both IKE and ESP in UDP on port 4500, which a NAT device can translate like any other UDP flow. Neither mechanism is needed in an IPv6 world in which every client has a globally routable IP address.

The significance of NAT Traversal for remote access is that it lets a privately addressed L2TP/IPSec client reach an RRAS system. Windows 2000 introduced L2TP/IPSec, but it was rarely used for remote users, because individuals who connect to the Internet frequently do so through a provider that hands out private addresses behind NAT. When a user connects from a hotel, airport, wireless Internet café, or the like, the host provider usually does not issue a public IP address; instead it gives the user a private RFC 1918 address, such as a 10.x.x.x address, behind a NAT device. IPsec does not survive that translation on its own: ESP carries no port numbers for the NAT to map, and the checksum of the L2TP/UDP packet inside the ESP payload is computed over the original private address and cannot be corrected by a NAT that cannot see it. A Windows 2000 L2TP/IPSec client therefore cannot establish a tunnel from inside the private address space. (Microsoft later released an L2TP/IPSec NAT-T update for Windows XP and Windows 2000 clients that adds this capability.)

With Windows Server 2003, NAT Traversal lets the privately addressed L2TP/IPSec client negotiate through the NAT, so the client gains VPN connectivity. Early in the life of Windows Server 2003, many organizations migrated to the new OS specifically to set up an RRAS system that supports NAT Traversal. When you deploy it, remember that the exchange uses UDP port 500 for the initial IKE negotiation and UDP port 4500 for the encapsulated IKE and ESP traffic, so any firewall in front of the RRAS server must allow both inbound, and the NAT device on the client side must allow them outbound.
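The NAT detection step that Windows Server 2003's L2TP/IPSec NAT-T performs is specified in RFC 3947 and is small enough to show in full. The following Python is an added example written for this page, not code from the book or from Windows; the ISAKMP cookies, addresses, and ports are constructed values, the RRAS server is assumed to be the IKE responder, and the example assumes both peers have already advertised NAT-T support with a vendor ID payload (which is what triggers the NAT-D exchange). Each peer hashes its own view of the other side's address, and then of each of its own addresses, into NAT-D payloads; the recipient recomputes the hashes from the addresses it actually sees on the packet, and any mismatch reveals a NAT, because the NAT can rewrite the IP header but not the hashes carried inside IKE. The last helper shows the UDP port 4500 framing from RFC 3948 that both peers switch to once a NAT is detected.

```python
"""IPsec NAT-T NAT detection (RFC 3947 NAT-D payloads) and UDP/4500 framing (RFC 3948).

Added example for this page. The cookies, addresses and ports below are constructed.
"""
import hashlib
import ipaddress
import struct
from dataclasses import dataclass


def nat_d_hash(cky_i, cky_r, ip, port, algo="sha1"):
    """Contents of one NAT-D payload: HASH(CKY-I | CKY-R | IP | Port).

    cky_i / cky_r are the 8-byte ISAKMP initiator and responder cookies of the
    IKE SA, IP is the raw address in network byte order and Port is a 16-bit
    big-endian value. `algo` is the hash negotiated for phase 1 (SHA-1 or MD5).
    """
    if len(cky_i) != 8 or len(cky_r) != 8:
        raise ValueError("ISAKMP cookies are 8 bytes each")
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.new(algo, data).digest()


def build_nat_d_payloads(cky_i, cky_r, peer_ip, peer_port, local_ips, local_port, algo="sha1"):
    """What a peer sends (RFC 3947 section 4): first a hash of the *remote* address
    as this peer sees it, then one hash per local address it could be using."""
    payloads = [nat_d_hash(cky_i, cky_r, peer_ip, peer_port, algo)]
    payloads += [nat_d_hash(cky_i, cky_r, ip, local_port, algo) for ip in local_ips]
    return payloads


@dataclass(frozen=True)
class NatDetection:
    peer_behind_nat: bool  # none of the peer's own-address hashes match the packet's source
    self_behind_nat: bool  # the peer's hash of our address does not match our real address

    @property
    def use_udp_encapsulation(self):
        # A NAT on either side forces the switch to UDP/4500 framing for IKE and ESP.
        return self.peer_behind_nat or self.self_behind_nat


def detect_nat(cky_i, cky_r, received, local_ip, local_port, observed_peer_ip, observed_peer_port, algo="sha1"):
    """Recipient's check. `received` is the list of NAT-D hashes from the peer's packet in
    the order sent; the address arguments are what the recipient actually sees on the wire."""
    if len(received) < 2:
        raise ValueError("NAT-D requires at least two payloads (remote address, then local)")
    expected_self = nat_d_hash(cky_i, cky_r, local_ip, local_port, algo)
    expected_peer = nat_d_hash(cky_i, cky_r, observed_peer_ip, observed_peer_port, algo)
    return NatDetection(
        peer_behind_nat=expected_peer not in received[1:],
        self_behind_nat=received[0] != expected_self,
    )


def classify_udp4500(payload):
    """Tell IKE from ESP in a UDP/4500 datagram (RFC 3948 sections 2.2 and 2.3).

    IKE carries a 4-byte all-zero "non-ESP marker"; ESP starts with its SPI, which is
    never zero; a datagram holding the single byte 0xFF is a NAT keepalive.
    """
    if payload == b"\xff":
        return "nat-keepalive"
    if len(payload) < 4:
        return "malformed"
    return "ike" if payload[:4] == b"\x00\x00\x00\x00" else "esp"


# Constructed scenario: a client on a hotel LAN (10.1.2.3) behind a NAT that rewrites its
# source to 203.0.113.7, talking to an RRAS server at 198.51.100.10. Cookies are arbitrary.
CKY_I = bytes.fromhex("0011223344556677")
CKY_R = bytes.fromhex("8899aabbccddeeff")
CLIENT_PRIVATE_IP = "10.1.2.3"
CLIENT_PUBLIC_IP = "203.0.113.7"
SERVER_IP = "198.51.100.10"
IKE_PORT = 500


def server_view_of_hotel_client():
    """The initiator hashes its private view; the server checks against what arrived."""
    sent = build_nat_d_payloads(CKY_I, CKY_R, SERVER_IP, IKE_PORT, [CLIENT_PRIVATE_IP], IKE_PORT)
    # The NAT rewrote the IP source address but cannot touch the hashes inside IKE.
    return detect_nat(CKY_I, CKY_R, sent, SERVER_IP, IKE_PORT, CLIENT_PUBLIC_IP, IKE_PORT)


def server_view_of_public_client():
    """Same exchange with a client that really owns a public address: no NAT on either side."""
    sent = build_nat_d_payloads(CKY_I, CKY_R, SERVER_IP, IKE_PORT, [CLIENT_PUBLIC_IP], IKE_PORT)
    return detect_nat(CKY_I, CKY_R, sent, SERVER_IP, IKE_PORT, CLIENT_PUBLIC_IP, IKE_PORT)


if __name__ == "__main__":
    print("hotel client :", server_view_of_hotel_client())
    print("public client:", server_view_of_public_client())
```

Run the file directly to see both scenarios. A mismatch on the client's own-address hash is the hotel case from the text (client behind NAT, switch to UDP 4500); a mismatch on the hash of the server's address would instead mean the RRAS server itself sits behind a NAT.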




Microsoft Windows Server 2003 Unleashed (R2 Edition)
ISBN: 0672328984
Year: 2006
Pages: 499