Windows 2000 includes a remote access service, allowing remote clients to connect to a remote access server and use resources as though they were directly attached to the network. RAS can also be used to configure virtual private networks (VPNs), thus extending your LAN over the Internet. Windows 2000 remote access provides two connectivity methods:
Enabling Routing and Remote Access

Routing and Remote Access Service (RRAS) is installed by default with Windows 2000. However, before you can begin using RRAS, it must first be enabled. To enable RRAS, follow these steps:
Table 4.1. Common Remote Access Configurations
After you click Finish to exit the wizard, a warning message appears if you chose to use a DHCP server to assign IP addresses to remote clients (see Figure 4.3). The message warns you that to have DHCP messages relayed from remote clients to a DHCP server on the internal network, the remote access server must be configured as a DHCP Relay Agent. (This issue is covered in more detail in the section "Configuring Remote Access for DHCP," later in this chapter.)

Figure 4.3. Routing and Remote Access warning message.
NT 4 RAS in a Windows 2000 Environment

Before configuring RAS, it is worth mentioning a few points in regard to the coexistence of a Windows NT 4.0 RAS server on a Windows 2000 network. The problem is that Windows NT RAS servers attempt to retrieve user account information from Active Directory using null credentials, which Active Directory does not allow. To keep the NT RAS servers working in an Active Directory environment, one of the following requirements must be met:
Configuring Inbound Connections

The two main communication protocols used by dial-up remote access clients are PPP and SLIP. The Point-to-Point Protocol (PPP) is the industry-standard communication protocol and is widely supported. PPP provides support for multiple network protocols, including TCP/IP, IPX/SPX, and NetBEUI. PPP supports a number of authentication protocols, discussed later in this chapter in the section entitled "Configuring a Virtual Private Network (VPN)." Serial Line Internet Protocol (SLIP) is a legacy communication protocol used primarily to connect to UNIX systems. One of the major disadvantages of SLIP is its lack of security (for example, it sends passwords in clear text). Windows 2000 remote access supports the use of SLIP for outbound connections only. SLIP also cannot use the DHCP functionality of a RAS server to assign dial-in clients an IP address.
You can configure PPP using the PPP tab in the Properties window of the remote access server (see Figure 4.4). You can enable the Multilink connections option to allow remote access clients to aggregate multiple phone lines into a single logical connection, which increases bandwidth (for example, combining the two B channels of an ISDN BRI connection). Although Multilink enables multiple connections to act as a single logical connection, it does not provide a way of dynamically adding and dropping links based on bandwidth requirements.

Figure 4.4. Configuring PPP.
Dynamic link management is provided by the Bandwidth Allocation Protocol (BAP). BAP enables Multilink connections to be added and dropped as bandwidth requirements change. For example, if the bandwidth utilization for a link goes beyond a configured level, the client can send a BAP request message asking for an additional link. The Bandwidth Allocation Control Protocol (BACP) works in conjunction with the Link Control Protocol (LCP) to elect a favored "peer," so that if multiple BAP requests are received simultaneously, the favored peer's request wins. From the Properties window shown in Figure 4.4, you can also enable or disable BAP, BACP, LCP, and software compression for PPP connections.
Configuring Ports

Configuring inbound connections allows a remote access server to accept incoming connections from remote access clients. Once RRAS has been enabled (see the steps discussed in the "Installing Routing and Remote Access" section near the start of the chapter to refresh your memory on how to enable the server), five PPTP and five L2TP ports are automatically created. Additional ports can be created if necessary. You can configure the ports by right-clicking the Ports icon under the RAS server and selecting Properties. Select the ports you want to configure and click the Configure button. Keep in mind that the configuration changes you make apply to all five ports of that type. The configurable options are the same for PPTP and L2TP ports (see Figure 4.5). From this Properties window, you can also increase the number of ports by changing the Maximum ports setting.

Figure 4.5. Configuring ports.
In the Configure Device dialog box shown in Figure 4.5, you can configure the ports for inbound use only, or inbound and outbound use if the server is used for demand-dial routing. This is also where you can configure additional ports by setting the maximum ports value.
Modem and serial ports are also created for any modems installed on the server and any serial or parallel connections. These ports can also be configured in the Ports Properties dialog box.

Configuring a Remote Access Policy

A remote access policy allows you to control which users are permitted remote access to the network and the characteristics of the connection. Windows 2000 introduces some major changes from Windows NT 4.0 in terms of remote access, one of which is the use of remote access policies. Prior to Windows 2000, remote access was controlled solely through the Properties dialog box of a user account. Windows 2000 uses both user account properties and remote access policies to control remote access. With remote access policies, administrators can permit or deny connection attempts based on a number of criteria (such as the time of day or group membership), giving them much more flexibility and granular control. Once a connection has been granted, administrators can further control the session by defining the maximum session time and encryption settings. A remote access policy consists of the following elements, which work together to provide secure access to remote access servers:
After remote access is enabled, a default remote access policy is automatically created. The default policy allows remote access at any time on any day of the week, denies remote access permission to all users, and has no remote access profile settings configured. You can create additional policies by right-clicking the Remote Access Policies icon within the Routing and Remote Access management console and selecting the New Remote Access Policy option. The wizard walks you through the policy configuration elements, all of which are discussed in the next section.

Remote Access Conditions

Conditions define the parameters that a connection attempt must match before remote access will be granted. These can include parameters such as the time of day and Windows group membership. Before the permissions of a remote access policy are evaluated, the connection attempt must match the conditions of that policy. If multiple policies are configured, the first policy whose conditions match the connection attempt is then further evaluated for permissions and profile settings; later policies are not considered. Table 4.2 summarizes some of the commonly used conditions that can be configured for a remote access policy.

Table 4.2. Conditions That Can Be Configured in a Remote Access Policy
To configure the conditions of a remote access policy, follow these steps:
Remote Access Permissions

If the connection attempt matches the conditions of a remote access policy, the permissions of that policy are then evaluated. The remote access permissions determine whether a specific user is granted or denied remote access. Windows 2000 uses a combination of the dial-in properties of a user account and the permissions in the remote access policy to determine whether the connection attempt is allowed. Remote access permissions can be explicitly allowed or denied through user account properties. When configuring remote access permissions using the Dial-in tab in the Properties dialog box for a user account, you have three options (see Figure 4.7):
Figure 4.7. Configuring remote access permissions through the user account properties.
If you explicitly allow remote access by selecting the Allow access option, the connection attempt can still be denied if the properties configured for the user account do not match the remote access policy or if the profile settings are not met. If you choose to have remote access permissions controlled through the policy, permission can be granted or denied through the policy's Properties window (see Figure 4.8). If you are using the default policy, remote access permission is denied by default. You have to change this setting to allow access.

Figure 4.8. Controlling access through the remote access policy.
From the Dial-in tab, several other settings can be configured, including caller ID, callback options, and static IP routes. Again, if you configure the settings for the user account, they must match the settings configured on the client or the connection attempt will be denied.
Configuring a Remote Access Profile

The final element of the remote access policy is the remote access profile. Once the remote access client has been granted permission, the profile determines the settings of the connection. Once again, the settings in the profile must match those of the connection attempt, or it will be denied. To configure the profile settings, click the Edit Profile button in the policy's Properties window. This opens the Edit Dial-in Profile dialog box, as shown in Figure 4.9. Several tabs are available, as summarized in Table 4.3.

Figure 4.9. Configuring a remote access profile.
Table 4.3. Remote Access Profile Settings
Remote Access Policy Evaluation

Given the many options and the complexity of remote access policy elements, it's important to have a good understanding of how policies are applied when a remote access client attempts a connection. Assuming you are running in native mode, the following points outline the connection process:
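The evaluation order this chapter describes (conditions, then the account's dial-in permission combined with the policy permission, then the profile settings, with only the first matching policy considered) can be modeled in code. The following is an added example, not code from the book or from Windows; the policy fields, protocol names, and the sample users and groups are constructed for illustration.

```python
# Added example (not from the book): a model of how Windows 2000 evaluates a
# connection attempt against remote access policies, in the order the chapter
# describes: conditions -> permission (account dial-in setting + policy) -> profile.
from dataclasses import dataclass, field
from datetime import datetime

# Dial-in tab settings on the user account (constant names are this example's own).
ALLOW, DENY, CONTROL_BY_POLICY = "allow", "deny", "control-by-policy"

@dataclass
class Attempt:
    user: str
    groups: set
    when: datetime
    auth: str              # authentication protocol negotiated, e.g. "MS-CHAP"
    encrypted: bool        # whether the client negotiated link encryption

@dataclass
class Policy:
    name: str
    groups: set = field(default_factory=set)        # condition: Windows group (empty = any)
    hours: tuple = (0, 24)                          # condition: permitted hours [start, end)
    permission: str = DENY                          # policy permission (default policy denies)
    auth_allowed: set = field(default_factory=set)  # profile: permitted auth protocols (empty = any)
    require_encryption: bool = False                # profile: encryption required

def matches_conditions(policy, attempt):
    start, end = policy.hours
    in_hours = start <= attempt.when.hour < end
    in_group = not policy.groups or bool(policy.groups & attempt.groups)
    return in_hours and in_group

def meets_profile(policy, attempt):
    if policy.auth_allowed and attempt.auth not in policy.auth_allowed:
        return False
    return attempt.encrypted or not policy.require_encryption

def evaluate(policies, account_dialin, attempt):
    """Return (decision, reason). Only the first policy whose conditions match is evaluated."""
    for policy in policies:
        if not matches_conditions(policy, attempt):
            continue
        if account_dialin == DENY:
            return ("deny", f"{policy.name}: account dial-in permission is Deny access")
        if account_dialin == CONTROL_BY_POLICY and policy.permission == DENY:
            return ("deny", f"{policy.name}: policy permission is Deny")
        if not meets_profile(policy, attempt):
            return ("deny", f"{policy.name}: profile settings not met")
        return ("allow", policy.name)
    return ("deny", "no policy conditions matched")

# Constructed sample: a business-hours policy for the Sales group ahead of the default policy.
SALES_VPN = Policy("Sales VPN", groups={"Sales"}, hours=(8, 18), permission=ALLOW,
                   auth_allowed={"MS-CHAP", "EAP"}, require_encryption=True)
DEFAULT = Policy("Default policy")   # any time, any day, permission Deny, no profile settings
POLICIES = [SALES_VPN, DEFAULT]

def sales_attempt(hour, auth="MS-CHAP", encrypted=True):
    return Attempt("alice", {"Sales"}, datetime(2000, 3, 1, hour), auth, encrypted)
```

Note that an account set to Allow access still falls through to the profile check, and that an attempt outside the Sales policy's hours is caught by the default policy, whose Deny permission rejects it unless the account itself says Allow.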
Configuring a Virtual Private Network (VPN)

A virtual private network (VPN) enables you to connect to a remote server across an internetwork such as the Internet. Once a remote access client has established a connection to the Internet, a connection is created with the VPN server using a tunneling protocol (PPTP or L2TP). The tunnel provides secure communication between the user and the private network. One of the biggest advantages of implementing a VPN is a reduction in cost: remote clients can dial in to a local ISP and then connect to the remote server instead of incurring possible long-distance charges. Two tunneling protocols can be used to connect to a VPN server: the Point-to-Point Tunneling Protocol (PPTP) and the Layer 2 Tunneling Protocol (L2TP). Both protocols are installed by default. PPTP is used over PPP connections on an IP-based network and supports the encryption and encapsulation of IP, IPX, and NetBEUI packets. L2TP can encapsulate IP traffic over a variety of networks, including Frame Relay, ATM, and X.25. Both PPTP and L2TP connections encrypt the data being transferred. PPTP has built-in encryption and uses MPPE with 40-bit to 128-bit keys. L2TP relies on IPSec for data encryption. IPSec uses the Data Encryption Standard (DES) to encrypt data, with supported key lengths between 56 bits (DES) and 168 bits (3DES). In terms of authentication, a user attempting to establish a VPN connection can be authenticated using EAP, MS-CHAP, CHAP, SPAP, or PAP. If you are using L2TP over IPSec, both computer-level and user-level authentication are provided. The mutual authentication of computers occurs through the exchange of computer certificates, which means that certificates must be installed on both the VPN client and the VPN server. The user-level authentication can be performed by EAP, CHAP, MS-CHAP, SPAP, or PAP. Table 4.4 summarizes the differences between the two tunneling protocols.

Table 4.4. Differences Between PPTP and L2TP
To enable a Windows 2000 server as a VPN server, use the same process outlined when enabling a remote access server, only select the option to configure a VPN server. Once a VPN server is enabled, five PPTP and five L2TP ports are automatically created. Additional ports can be created and configured using the process outlined in the section titled "Configuring Inbound Connections" earlier in this chapter.

Configuring Multilink Connections

Windows 2000 includes a feature known as Multilink that allows you to combine multiple phone lines connected to multiple modems into a single logical connection to increase bandwidth. Multilink functionality is enhanced through the Bandwidth Allocation Protocol (BAP) and the Bandwidth Allocation Control Protocol (BACP), which work together to provide bandwidth on demand. To enable Multilink for individual remote access policies, click the Edit Profile button in the Properties dialog box for the policy and select the Multilink tab (see Figure 4.10).

Figure 4.10. Configuring Multilink for a remote access policy.
The following three options are available for configuring Multilink settings:
Configuring Routing and Remote Access for DHCP

As you saw when enabling RRAS, you can configure the remote access server with a range of IP addresses to assign to remote access clients. (If you do, make sure the range does not overlap the range of IP addresses configured on the DHCP server, to avoid duplicate addresses.) You can also configure the RAS server to obtain IP addresses from the DHCP server to lease to clients. When you select to use a DHCP server, the remote access server obtains, by default, 10 IP addresses to lease to clients. If all 10 IP addresses are in use, the remote access server obtains 10 more from the DHCP server. (The default number is 10 but can be changed through the Registry.) The benefit of using DHCP with RAS is that IP address assignment remains centralized. For DHCP to be used with RAS, the DHCP Relay Agent must be configured on the RAS server. When you configure the DHCP Relay Agent, clients still receive IP addresses from the RAS server, but they can use DHCPInform messages to obtain optional parameters, such as the IP addresses of WINS and DNS servers, directly from the DHCP server. The relay agent component allows the RAS server to relay the DHCPInform messages between the remote access clients and the DHCP server. To configure DHCP to work with remote access, follow these steps: