Configuring Remote Access
Configuring remote access using dial-up or VPN could not be easier with SBS 2003. As usual the built-in wizards take care of most of the heavy work, and they even take care of configuring the workstations.
Configuring the Server
The following steps outline how to run the Remote Access Wizard:
1. Open the Server Management Console. On the left pane expand Standard Management and then select To Do List. Under Network Tasks, click on Configure Remote Access.
2. On the welcome screen click Next. To enable remote access using VPN or dial-up, select Enable Remote Access and check the VPN Access and the Dial-in Access boxes (as shown in Figure 7.6). Click Next.
Figure 7.6. Remote Access Method screen in the Remote Access Wizard.
3. If the Client Addressing screen appears, either select the DHCP server to hand out the IP addresses to the remote clients (normally the SBS box itself) or set aside a static block of addresses for that purpose.
4. On the VPN Server Name screen type in the FQDN or public IP address of the server and click Next. This is the address that remote clients will use to connect to the server, so a public DNS record should exist that points to the public IP of your server. You can create a new one (for example, vpn.smallbizco.net) or you can simply use the same FQDN for which the SSL certificate was issued.
5. If you selected dial-up access in the Remote Access Method screen, the next screen asks you which modem(s) you want to use for incoming dial-up calls. Select the appropriate modem (as shown in Figure 7.7) and click Next. Remember that this modem should be used exclusively for remote access. If you have only one modem and you plan to use it as a fax, go back and disable dial-up remote access.
Figure 7.7. Modem Selection screen in the Remote Access Wizard.
6. The next screen asks you for the phone number to access the modem(s) selected in step 5. The primary phone number is required; only use the alternate if you have more than one line. Enter the phone number(s) and click Next two times to finish the wizard.
The server is now configured to accept incoming VPN connections. If you have a router/firewall in front of SBS that is not configured automatically, you need to forward TCP port 1723 to the SBS box and allow IP protocol 47 (GRE, which some routers call PPTP passthrough) for it to work. Finally, if you haven't done so already, make sure that you enforce strong password policies in your network: a PPTP connection is protected only by the user's domain password, so a weak password is a weak VPN.
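Two of the prerequisites above cannot be confirmed from inside the office: that the public DNS record for the VPN server name resolves to your public IP, and that the router really forwards TCP 1723 to the SBS box. The following Python script is an added example (not code from the book, from Microsoft, or from the SBS wizards) that checks both from an outside connection by resolving the name, opening TCP 1723 and exchanging the first PPTP control messages (Start-Control-Connection-Request and -Reply, RFC 2637), which is exactly what a client does before any credentials are sent. It assumes the server name is given on the command line; the function names, the "preflight" client hostname and the `constructed_sccrp` sample reply are the example's own inventions. GRE (IP protocol 47) cannot be exercised over TCP, so the script reports that part as unverified rather than pretending to test it.

```python
"""Pre-flight check for an SBS 2003 PPTP VPN endpoint.

Added example, not code from the book or from Microsoft. Assumes it is run
from OUTSIDE the office network with the VPN server name as its only
argument, so it exercises the public DNS record, the router's TCP 1723
forward and the RRAS service on the SBS box. GRE (IP protocol 47) cannot be
exercised over TCP and is reported as unverified.
"""
import socket
import struct
import sys

PPTP_PORT = 1723
PPTP_MAGIC = 0x1A2B3C4D
MSG_CONTROL = 1          # PPTP message type: control message
CTRL_SCCRQ = 1           # Start-Control-Connection-Request
CTRL_SCCRP = 2           # Start-Control-Connection-Reply
SCCRQ_FMT = "!HHIHHHHIIHH64s64s"   # RFC 2637 section 2.1, 156 bytes
SCCRP_FMT = "!HHIHHHBBIIHH64s64s"  # RFC 2637 section 2.2, 156 bytes


def build_sccrq(hostname=b"preflight", vendor=b"check"):
    """Build the request a PPTP client sends first on the control connection."""
    return struct.pack(SCCRQ_FMT, 156, MSG_CONTROL, PPTP_MAGIC, CTRL_SCCRQ, 0,
                       0x0100,  # protocol version 1.0
                       0,       # reserved
                       3,       # framing capabilities: async + sync
                       3,       # bearer capabilities: analog + digital
                       1,       # maximum channels
                       0,       # firmware revision
                       hostname.ljust(64, b"\0"), vendor.ljust(64, b"\0"))


def parse_sccrp(data):
    """Validate a Start-Control-Connection-Reply and return its key fields."""
    if len(data) < 156:
        raise ValueError("reply too short: %d bytes" % len(data))
    (_length, msg_type, magic, ctrl_type, _r0, version, result, error,
     _framing, _bearer, _channels, _firmware, host, vendor) = struct.unpack(SCCRP_FMT, data[:156])
    if magic != PPTP_MAGIC or msg_type != MSG_CONTROL or ctrl_type != CTRL_SCCRP:
        raise ValueError("not a PPTP SCCRP (magic=%#x type=%d ctrl=%d)" % (magic, msg_type, ctrl_type))
    return {
        "ok": result == 1,                  # result code 1 = control connection established
        "error_code": error,
        "version": "%d.%d" % (version >> 8, version & 0xFF),
        "hostname": host.rstrip(b"\0").decode("ascii", "replace"),
        "vendor": vendor.rstrip(b"\0").decode("ascii", "replace"),
    }


def constructed_sccrp(hostname=b"sbs", vendor=b"Microsoft", result=1):
    """A CONSTRUCTED reply for the offline self-test; not captured from a real server."""
    return struct.pack(SCCRP_FMT, 156, MSG_CONTROL, PPTP_MAGIC, CTRL_SCCRP, 0, 0x0100,
                       result, 0, 3, 3, 1, 0,
                       hostname.ljust(64, b"\0"), vendor.ljust(64, b"\0"))


def recv_exact(sock, n):
    """Read exactly n bytes (or fewer on EOF); recv() may return partial data."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def check_endpoint(server_name, timeout=5.0):
    """Resolve the VPN name, open TCP 1723 and exchange SCCRQ/SCCRP. Returns a list of findings."""
    findings = []
    try:
        addr = socket.gethostbyname(server_name)
    except socket.gaierror as exc:
        return ["FAIL dns: %s does not resolve (%s); create the public A record first" % (server_name, exc)]
    findings.append("ok   dns: %s -> %s" % (server_name, addr))
    try:
        with socket.create_connection((addr, PPTP_PORT), timeout=timeout) as sock:
            sock.sendall(build_sccrq())
            reply = parse_sccrp(recv_exact(sock, 156))
    except (OSError, ValueError) as exc:
        findings.append("FAIL tcp/1723: %s; check the router's port forward and the RRAS service" % exc)
        return findings
    state = "ok  " if reply["ok"] else "FAIL"
    findings.append("%s pptp: server '%s' (%s, protocol %s) answered, accepted=%s"
                    % (state, reply["hostname"], reply["vendor"], reply["version"], reply["ok"]))
    findings.append("warn gre: IP protocol 47 cannot be tested over TCP; confirm the router passes GRE separately")
    return findings


if __name__ == "__main__":
    if len(sys.argv) == 2:
        print("\n".join(check_endpoint(sys.argv[1])))
    else:
        print("offline self-test:", parse_sccrp(constructed_sccrp()))
```

Run it as `python pptp_preflight.py vpn.smallbizco.net` from a machine outside the office; with no argument it parses the constructed reply so you can see the fields it extracts. A "FAIL tcp/1723" with a correct DNS line almost always means the router forward is missing, while a successful exchange followed by a client that connects and then hangs is the classic symptom of GRE being blocked.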
This chapter focuses exclusively on using Point-to-Point Tunneling Protocol (PPTP) VPNs to connect individual devices to the network. However, other kinds of VPNs might suit your situation better. For example:
Layer 2 Tunneling Protocol (L2TP) is commonly used as an alternative to PPTP. Although its functionality is similar, L2TP provides a higher level of security. It uses certificates issued to the client machines to mutually authenticate with the server, which lets you prevent people from connecting from unapproved machines. Implementing L2TP requires a fair amount of manual configuration on both the client and the server.
Gateway-to-gateway VPNs are commonly used when a permanent connection between two offices is desired. Normally, this type of VPN requires a hardware router that supports that capability.
Configuring the Clients
Configuring the clients to connect remotely using VPN or dial-up is the easiest part of this process. If you already ran the Remote Access Wizard and the server is properly configured, the client configuration is almost automatic.
For computers that will be part of the domain but for which the Connect Computer Wizard has not been run yet, select Install Connection Manager when you are setting up the new computer in the Server Management Console. After that, run the Connect Computer Wizard (http://sbs/ConnectComputer) and wait for the applications to install.
For computers that already have been joined using the Connect Computer Wizard you need to redeploy the Connection Manager. Follow these steps:
1. Open the Server Management Console. On the left pane, expand Standard Management and then select Client Computers. On the right side, click Assign Applications to Client Computers.
2. In the Assign Applications Wizard, select the computers to which you want to deploy the Connection Manager and click Next.
3. Unselect any application you don't want to redeploy and click Next. On the next screen, select Install Connection Manager and click Next two times to finish the wizard.
The next time you log on to the client, the Connection Manager will be installed.
Finally, for any other computer you can download and install the Connection Manager from RWW. Follow these steps:
1. On the client, open Internet Explorer and go to the RWW site (http://mail.smallbizco.net/remote). Unselect I'm Using a Public or Shared Computer and log in with your domain credentials.
2. On the welcome screen click on Download Connection Manager (as shown in Figure 7.8). Save the file to a location on your computer and run it. The program installs the Connection Manager on your machine.
Figure 7.8. Connection Manager in RWW.
After the Connection Manager has been installed, you should have an icon on your desktop named Connect to Small Business Server. You can also find it by opening the Connect To menu (or Network Connections folder).
To connect via dial-up or VPN, double-click the desktop icon and type your domain credentials. If you want to connect using VPN, just click Connect. If you want to connect using dial-up instead, select Properties (see Figure 7.9) and select Dial a Phone Number to Connect. Click OK and then click Connect.
Figure 7.9. Connect to Small Business Server Properties screen.