Configuring and Troubleshooting Remote Access

Windows 2000 includes the Remote Access Service (RAS), which allows remote clients to connect to a remote access server and use network resources as though they were directly attached to the LAN. RAS can also be used to build virtual private networks (VPNs), extending your LAN across the Internet.

Windows 2000 remote access provides two connectivity methods:

  • Dial-up: Clients connect to a remote access server over a dial-up link, such as a modem on a phone line or an ISDN connection.

  • VPN (virtual private network): Clients connect, across an IP-based internetwork (most often the public Internet), to a remote access server configured as a VPN server.

Enabling Routing and Remote Access

Routing and Remote Access Service ( RRAS ) is installed by default with Windows 2000. However, before you can begin using RRAS, it must first be enabled. To enable RRAS, follow these steps:

  1. Click Start, point to Programs, Administrative Tools, and click Routing and Remote Access.

  2. Right-click the server and select Configure and Enable Routing and Remote Access. Click Next.

  3. The Routing and Remote Access Server Setup Wizard opens. From the list of common configurations, select one of the available options (see Figure 4.1). To configure a virtual private network, select the Virtual private network (VPN) server option. The remaining options are outlined in Table 4.1. Click Next.

    Figure 4.1. Enabling a remote access server.

    graphics/04fig01.jpg

  4. Verify that the protocols required by remote clients are installed on the server. If necessary, you can add additional protocols. Click Next.

  5. On the IP Address Assignment screen, select how remote access clients will receive an IP address (see Figure 4.2): either automatically from a DHCP server on the internal network, or from a range of IP addresses that you configure on the remote access server. If you choose the second option, the next wizard screen lets you enter the range of addresses available to remote clients. Click Next.

    Figure 4.2. Configuring IP address assignments for remote clients.

    graphics/04fig02.jpg

  6. Specify whether to use a RADIUS server. If you choose to use a RADIUS server, the resulting wizard screen allows you to specify the name of the primary and alternative RADIUS servers and the shared secret. Click Next.

  7. Click Finish.

Table 4.1. Common Remote Access Configurations

Internet connection server: Enables computers on the network to access the Internet through this server.

Remote access server: Enables remote computers to dial in to the server and access the local network.

Virtual private network (VPN) server: Enables remote computers to connect to this server across the Internet and access the local network.

Network router: Enables communication between the local network and remote networks.

Manually configure server: Starts the service with the default settings and leaves all configuration to you.

After you click Finish to exit the wizard, a warning message appears if you chose to use a DHCP server to assign IP addresses to remote clients (see Figure 4.3). The message warns you that, for DHCP messages from remote clients to be relayed to a DHCP server on the internal network, the remote access server must be configured as a DHCP Relay Agent. (This is covered in more detail in the section "Configuring Routing and Remote Access for DHCP," later in this chapter.)

Figure 4.3. Routing and Remote Access warning message.

graphics/04fig03.jpg

NT 4 RAS in a Windows 2000 Environment

Before configuring RAS, a few points about the co-existence of Windows NT 4.0 RAS servers on a Windows 2000 network are worth mentioning. The problem is that a Windows NT RAS server retrieves user account (dial-in) information by connecting with null credentials, which Active Directory does not allow by default. To keep NT RAS servers working in an Active Directory environment, one of the following requirements must be met:

  • Permissions within Active Directory must be relaxed so that the Everyone group has Read access to user and group objects, which is done by adding the Everyone group to the Pre-Windows 2000 Compatible Access group. Be aware that in Windows 2000 the Everyone group includes anonymous logons, so this also lets any host that can reach a domain controller enumerate account and group information over a null session; treat it as a stopgap until the NT RAS servers are upgraded, and prefer one of the BDC options below where possible.

  • The RAS service is running on a backup domain controller (BDC) in a mixed-mode Windows 2000 domain.

  • The NT RAS server is configured to retrieve dial-in account property information from a BDC (again, the domain must be running in mixed mode).

Configuring Inbound Connections

The two communication protocols used by dial-up remote access clients are PPP and SLIP. The Point-to-Point Protocol (PPP) is the industry standard for dial-up links. PPP carries multiple network protocols, including TCP/IP, IPX/SPX, and NetBEUI, and supports a number of authentication protocols, discussed later in this chapter in the section entitled "Configuring a Virtual Private Network (VPN)."

Serial Line Internet Protocol (SLIP) is a legacy protocol used primarily to connect to UNIX systems. Its major disadvantages are the lack of security (the login name and password are sent in clear text) and the lack of negotiation: SLIP carries IP only and cannot use the RAS server's DHCP or address-pool assignment, so a SLIP client's IP address must be configured by hand. Windows 2000 remote access supports SLIP for outbound (client) connections only.

Note: The two protocols used for accessing a VPN server are the Point-to-Point Tunneling Protocol (PPTP) and the Layer 2 Tunneling Protocol (L2TP), which are discussed later in this chapter. Both carry PPP frames inside the tunnel, so PPP authentication applies to VPN connections as well as to dial-up connections.


You can configure PPP using the PPP tab in the Properties dialog box of the remote access server (see Figure 4.4). Enabling the Multilink connections option allows remote access clients to aggregate multiple physical links, for example two phone lines on two modems, or both B channels of an ISDN BRI connection, into a single logical connection with the combined bandwidth. Multilink by itself, however, does not add or drop links dynamically as bandwidth requirements change.

Figure 4.4. Configuring PPP.

graphics/04fig04.jpg

That capability is provided by the Bandwidth Allocation Protocol (BAP), which adds and drops links in a Multilink bundle as bandwidth requirements change. For example, if utilization on the bundle exceeds a configured level, the client can send a BAP request asking for an additional link. The Bandwidth Allocation Control Protocol (BACP) is negotiated through the Link Control Protocol (LCP) to elect a favored peer, so that if both ends send BAP requests at the same time, one side's request takes precedence. From the PPP tab shown in Figure 4.4, you can also enable or disable dynamic bandwidth control using BAP or BACP, LCP extensions, and software compression for PPP connections.

Note: To apply Multilink at the remote access policy level, you must first enable it at the server level. If Multilink is not enabled on the PPP tab of the remote access server's Properties dialog box, you cannot apply Multilink in a remote access policy.


Configuring Ports

Configuring inbound connections allows a remote access server to accept incoming connections from remote access clients. Once RRAS has been enabled (see the steps in the "Enabling Routing and Remote Access" section at the start of this chapter), five PPTP and five L2TP ports are created automatically. Additional ports can be created if necessary. To configure the ports, right-click the Ports icon under the RAS server and select Properties, select the device (PPTP or L2TP) you want to configure, and click the Configure button. Keep in mind that the changes apply to every port of that device type; individual PPTP or L2TP ports cannot be configured separately. The configurable options are the same for PPTP and L2TP ports (see Figure 4.5). From this dialog box you can also increase the number of ports by changing the Maximum ports setting.

Figure 4.5. Configuring ports.

graphics/04fig05.jpg

In the Configure Device dialog box shown in Figure 4.5, you can configure the ports for inbound use only, or inbound and outbound use if the server is used for demand-dial routing. This is also where you can configure additional ports by setting the maximum ports value.

Note: Demand-dial routing enables on-demand connections over physical or virtual links. Compared with a dedicated link, a demand-dial connection reduces cost, and the link exists only while traffic needs it. For example, you can use demand-dial routing to let two offices in different geographical locations communicate without paying for a dedicated link; the connection is established only when necessary.


Modem and serial ports are also created for any modems installed on the server and any serial or parallel connections. These ports can also be configured in the Ports Properties dialog box.

Configuring a Remote Access Policy

A remote access policy allows you to control which users are permitted remote access to the network and the characteristics of the connection. Windows 2000 introduces some major changes from Windows NT 4.0 in terms of remote access, one of which is the use of remote access policies. Prior to Windows 2000, remote access was controlled through the Properties dialog box of a user account. Windows 2000 uses user account properties and remote access policies to control remote access.

With remote access policies, administrators can permit or deny connection attempts based on a number of criteria (such as the time of day or group membership), giving administrators much more flexibility and granular control. Once a connection has been granted, administrators can further control the session by defining the maximum session time and encryption settings.

A remote access policy consists of the following elements that work together to provide secure access to remote access servers:

  • Conditions

  • Permissions

  • Profile

After remote access is enabled, a default remote access policy is automatically created. The default policy allows remote access any time on any day of the week, denies remote access permission to all users, and has no remote access profile settings configured.

You can create additional policies by right-clicking the Remote Access Policies icon within the Routing and Remote Access management console and selecting the New Remote Access Policy option. The wizard walks you through policy configuration elements, all of which are discussed in the next section.

Remote Access Conditions

Conditions define the attributes that a connection attempt must match before the policy applies, such as the time of day of the attempt or the Windows group membership of the user. Before the permissions of a remote access policy are evaluated, the connection attempt must match every condition in that policy. If multiple policies are configured, the first policy in the ordered list whose conditions match the connection attempt is then further evaluated for permissions and profile settings. Table 4.2 summarizes some of the commonly used conditions that can be configured for a remote access policy.

Table 4.2. Conditions That Can Be Configured in a Remote Access Policy

Called Station ID: The number dialed by the remote access client.

Calling Station ID: The number from which the remote access client called (caller ID).

Day and Time Restrictions: The days of the week and times of day during which users are allowed remote access.

Windows Groups: The Windows groups the user must belong to.

To configure the conditions of a remote access policy, follow these steps:

  1. Open the Routing and Remote Access management console and click Remote Access Policies.

  2. Right-click the remote access policy and click Properties.

  3. From the Properties dialog box for the policy, click the Add button.

  4. In the Select Attribute dialog box, select the attributes you want to configure and click Add (see Figure 4.6).

    Figure 4.6. Configuring remote access conditions.

    graphics/04fig06.jpg

Remote Access Permissions

If the connection attempt matches the conditions of a remote access policy, the permissions of that policy are then evaluated. The remote access permissions determine whether a specific user is granted or denied remote access. Windows 2000 uses a combination of the dial-in properties of a user account and the permissions in the remote access policy to determine whether the connection attempt is allowed. Remote access permissions can be explicitly allowed or denied through user account properties. When configuring remote access permissions using the Dial-in tab in the Properties dialog box for a user account, you have three options (see Figure 4.7):

  • Allow access

  • Deny access

  • Control access through Remote Access Policy

Figure 4.7. Configuring remote access permissions through the user account properties.

graphics/04fig07.jpg

Alert: If the Control access through Remote Access Policy option is unavailable, the domain is running in mixed mode; switch it to native mode. In mixed mode this option is not offered. Once the domain is in native mode, it becomes the default setting for newly created accounts.


Even if you explicitly allow remote access by selecting the Allow access option, the connection attempt can still be rejected: if it matches the conditions of no remote access policy, if it violates the profile settings of the policy it matches, or if it does not meet other properties configured on the user account (such as a required caller ID).

If you choose to have remote access permissions controlled through the policy, permission can be granted or denied through the policy's Properties window (see Figure 4.8). If you are using the default policy, remote access permission is denied by default. You have to change this setting to allow access.

Figure 4.8. Controlling access through the remote access policy.

graphics/04fig08.jpg

From the Dial-in tab, several other settings can be configured, including caller ID verification, callback options, and static IP routes. Again, if you configure these settings on the user account, the connection attempt must match them (for example, the caller ID presented must be the number configured) or the connection attempt is rejected.

Alert: Using the callback feature, the RAS server can be configured to hang up and call the remote client back, either at a number preset by the administrator (Always Callback to) or at a number supplied by the caller (Set by Caller). Only the preset option adds security: someone who has obtained valid credentials still cannot get a session unless they are at the configured number. Set by Caller is a convenience that shifts telephone charges to the server and offers no security benefit.


Configuring a Remote Access Profile

The final element of the remote access policy is the remote access profile. Once the remote access client has been granted permission, the profile determines the settings of the connection. Once again the settings in the profile must match those of the connection attempt, or it will be denied.

To configure the profile settings, click the Edit Profile button in the policy's Properties window. This opens the Edit Dial-in Profile dialog box, as shown in Figure 4.9. Several tabs are available, as summarized in Table 4.3.

Figure 4.9. Configuring a remote access profile.

graphics/04fig09.jpg

Table 4.3. Remote Access Profile Settings

Dial-in Constraints: Disconnect-if-idle time, maximum session time, day and time restrictions, and dial-in media and number restrictions.

IP: How IP addresses are assigned to clients, and IP packet filters applied to inbound and outbound traffic on the connection.

Multilink: Enable and configure Multilink and the Bandwidth Allocation Protocol (BAP).

Authentication: The authentication methods permitted for connections that match this policy.

Encryption: The encryption levels permitted (or required) for connections that match this policy.

Advanced: Additional connection attributes (RADIUS attributes) returned to the remote access server.

Remote Access Policy Evaluation

Given the many options and the complexity of remote access policy elements, it's important to have a good understanding of how policies are applied when a remote access client attempts a connection. Assuming you are running in native mode, the following points outline the connection process:

  • When a user attempts to connect, the RAS server determines whether a policy exists. The first policy in the ordered list of remote access policies is checked. If no policy is configured (for example, the default policy has been deleted), the connection attempt is rejected. If a policy does exist, the evaluation process continues.

  • The conditions of the first policy in the list are evaluated. If the connection attempt matches all the conditions, the evaluation process continues. If all conditions do not match the connection attempt, the next policy in the list is evaluated. If no more policies exist, the connection attempt is rejected.

  • If the connection attempt matches the conditions of a policy, the remote access permission is evaluated. If the user account's Dial-in setting is Deny access, the attempt is rejected. If it is Allow access, the policy's own permission is ignored and the process continues. If it is Control access through Remote Access Policy, the policy's permission decides: Deny access rejects the attempt, Allow access lets the process continue. Only the first matching policy is evaluated; a rejection at this point does not cause the next policy in the list to be tried.

  • The settings of the remote access profile and the properties of the user account are evaluated against the connection attempt. If the connection attempt matches both the profile and account settings, the user is granted remote access. If not, the connection attempt is rejected.

Alert: Remote access policies are a popular topic on the exam. Be sure you are familiar with how remote access policies and their elements are evaluated. Also keep in mind that remote access policies are not stored in Active Directory but locally on each remote access server, so a policy created on one server does not exist on another.


Tip: When running in mixed mode, the permission setting on the user account's Dial-in tab overrides the permission in the policy. If the account is set to Allow access, the policy's permission is ignored and evaluation continues with the profile settings; if the account is set to Deny access, the connection attempt is rejected even if the policy permits access. By default, the Administrator and Guest accounts on a stand-alone remote access server or in a Windows 2000 native-mode domain are set to Control access through Remote Access Policy; in a Windows 2000 mixed-mode domain they are set to Deny access. New accounts created on a stand-alone remote access server or in a native-mode domain likewise default to Control access through Remote Access Policy, and new accounts created in a mixed-mode domain default to Deny access.
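
The evaluation rules listed above and the mixed-mode behaviour in this tip are easy to get wrong once several policies are ordered, so here they are encoded as a small Python model. This is an added example, not code from Windows 2000 or from this book. The policy names, the group name "VPN Users", the constructed sample attempts, the reduction of conditions to group membership, day-and-time, and caller ID, and the reduction of the profile to a permitted authentication set and a minimum MPPE key length are all assumptions made for illustration.

```python
"""Added example: a model of how a Windows 2000 RAS server evaluates an
ordered list of remote access policies (conditions, permission, profile)
together with the user account's Dial-in setting. Not Windows code."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# The three settings on the account's Dial-in tab.
ALLOW, DENY, VIA_POLICY = "allow", "deny", "policy"


@dataclass(frozen=True)
class Attempt:
    """Attributes of one connection attempt as the RAS server sees them."""
    user: str
    groups: frozenset            # Windows groups the user belongs to
    when: datetime               # time the attempt arrives
    auth: str = "MS-CHAP v2"     # PPP authentication method negotiated
    encryption_bits: int = 0     # MPPE strength negotiated, 0 = none
    calling_station: str = ""    # caller ID presented by the client


@dataclass
class Conditions:
    """Policy conditions; every configured condition must match."""
    groups: frozenset = frozenset()            # member of ANY listed group
    weekdays: frozenset = frozenset(range(7))  # 0 = Monday
    hours: tuple = (0, 24)                     # [start, end) in local hours
    calling_station: Optional[str] = None

    def match(self, a: Attempt) -> bool:
        if self.groups and not (self.groups & a.groups):
            return False
        if a.when.weekday() not in self.weekdays:
            return False
        if not self.hours[0] <= a.when.hour < self.hours[1]:
            return False
        if self.calling_station is not None and a.calling_station != self.calling_station:
            return False
        return True


@dataclass
class Profile:
    """Dial-in profile constraints checked after permission is granted."""
    auth_types: frozenset = frozenset({"EAP", "MS-CHAP v2", "MS-CHAP", "CHAP", "SPAP", "PAP"})
    min_encryption_bits: int = 0

    def match(self, a: Attempt) -> bool:
        return a.auth in self.auth_types and a.encryption_bits >= self.min_encryption_bits


@dataclass
class Policy:
    name: str
    conditions: Conditions = field(default_factory=Conditions)
    permission: str = DENY
    profile: Profile = field(default_factory=Profile)


def evaluate(attempt, account_permission, policies, native_mode=True):
    """Return (accepted, reason). Policies are tried in list order; the first
    one whose conditions all match decides, with no fall-through to later policies."""
    if account_permission == VIA_POLICY and not native_mode:
        raise ValueError("Control access through Remote Access Policy requires native mode")
    for policy in policies:
        if not policy.conditions.match(attempt):
            continue                                    # try the next policy
        if account_permission == DENY:
            return False, f"{policy.name}: account denies access"
        if account_permission == VIA_POLICY and policy.permission == DENY:
            return False, f"{policy.name}: policy denies access"
        # Allow access on the account overrides the policy's own permission,
        # but the profile is still enforced.
        if not policy.profile.match(attempt):
            return False, f"{policy.name}: profile constraints not met"
        return True, f"{policy.name}: accepted"
    return False, "no policy matched (or none configured)"


# Constructed sample configuration (assumed names): a restrictive VPN policy
# placed before the default "Allow access if dial-in permission is enabled".
VPN_POLICY = Policy(
    "VPN users",
    Conditions(groups=frozenset({"VPN Users"}), weekdays=frozenset(range(5)), hours=(7, 19)),
    ALLOW,
    Profile(auth_types=frozenset({"EAP", "MS-CHAP v2"}), min_encryption_bits=128),
)
DEFAULT_POLICY = Policy("Allow access if dial-in permission is enabled")  # permission DENY
POLICIES = [VPN_POLICY, DEFAULT_POLICY]

# Constructed sample attempts: a Tuesday at 10:00.
ALICE = Attempt("alice", frozenset({"VPN Users"}), datetime(2024, 6, 4, 10), "MS-CHAP v2", 128)
BOB = Attempt("bob", frozenset({"Domain Users"}), datetime(2024, 6, 4, 10), "MS-CHAP v2", 128)

if __name__ == "__main__":
    for who, perm in ((ALICE, VIA_POLICY), (BOB, VIA_POLICY), (BOB, ALLOW), (ALICE, DENY)):
        print(who.user, perm, evaluate(who, perm, POLICIES))
```

The point the model makes: the first policy whose conditions match decides the outcome. If that policy's profile rejects the attempt (here, a connection that only negotiated 40-bit MPPE), the server does not go on to try the default policy, and an Allow access setting on the account bypasses the policy's permission but not its conditions or its profile.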


Configuring a Virtual Private Network (VPN)

A virtual private network ( VPN ) enables you to connect to a remote server using an internetwork such as the Internet. Once a remote access client has established a connection to the Internet, a connection is created with the VPN server using a tunneling protocol (PPTP or L2TP). The tunnel provides secure communication between the user and the private network. One of the biggest advantages to implementing a VPN is a reduction in cost. Remote clients can dial in to a local ISP and then connect to the remote server instead of incurring possible long-distance charges.

There are two types of tunneling protocols that can be used to connect to a VPN server: the Point-to-Point Tunneling Protocol (PPTP) and the Layer 2 Tunneling Protocol (L2TP ). Both protocols are automatically installed by default. PPTP is used over PPP connections on an IP-based network and supports the encryption and encapsulation of IP, IPX, and NetBEUI packets. L2TP can encapsulate IP traffic over a variety of networks, including Frame Relay, ATM, and X.25.

Both PPTP and L2TP connections encrypt the data being transferred, but neither tunneling protocol does the encryption itself. PPTP relies on Microsoft Point-to-Point Encryption (MPPE) applied to the PPP payload, with 40-bit, 56-bit, or 128-bit keys derived from the MS-CHAP or EAP-TLS authentication exchange. L2TP relies on IPSec, which encrypts with the Data Encryption Standard using either a 56-bit key (DES) or a 168-bit key (3DES). From a security standpoint, 40-bit MPPE and single DES are weak by modern standards; require the Strongest level (128-bit MPPE or 3DES) on the Encryption tab of the policy profile and reject connections that negotiate less.

In terms of authentication, a user attempting to establish a VPN connection can be authenticated using EAP, MS-CHAP (version 1 or 2), CHAP, SPAP, or PAP. If you are using L2TP over IPSec, authentication happens at two levels: the computers authenticate each other through the exchange of computer certificates during IPSec negotiation, which means certificates must be installed on both the VPN client and the VPN server, and the user is then authenticated over PPP by one of the methods above. Restrict the permitted methods on the Authentication tab of the policy profile to the strongest your clients support (EAP-TLS or MS-CHAP v2): PAP and SPAP carry the password in clear or reversibly encoded form, and MS-CHAP v1 is known to be weak against offline password guessing once an exchange has been captured.
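
The difference between the listed methods is easiest to see on the wire. The following added Python example (not code from the book or from Windows) plays both sides of a CHAP exchange as specified in RFC 1994 (MD5), alongside what a PAP Authenticate-Request transmits, and then shows that a captured CHAP challenge/response pair can be tested against candidate passwords offline, with no further contact with the server. The account name and the constructed password list are illustrative only. MS-CHAP v1 and v2 compute their responses from the NT password hash rather than with this MD5 construction, but they are challenge/response protocols in the same mould, which is why the password strength still matters even when the password itself never crosses the link.

```python
"""Added example: the PPP CHAP exchange (RFC 1994, MD5) versus PAP, and the
offline guessing an eavesdropper can do with one captured pair. Not Windows code."""
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """The RAS server side: issues a fresh random challenge per attempt and
    verifies the response; the password itself never crosses the link."""

    def __init__(self, secrets: dict):
        self.secrets = secrets          # constructed sample: name -> password bytes
        self.pending = {}               # identifier -> outstanding challenge

    def challenge(self, identifier: int) -> bytes:
        value = os.urandom(16)
        self.pending[identifier] = value
        return value

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        challenge = self.pending.pop(identifier, None)   # single use: replays fail
        if challenge is None or name not in self.secrets:
            return False
        expected = chap_response(identifier, self.secrets[name], challenge)
        return hmac.compare_digest(expected, response)


def pap_authenticate_request(name: str, password: str) -> bytes:
    """The body of a PAP Authenticate-Request (RFC 1334): the password in clear."""
    return bytes([len(name)]) + name.encode() + bytes([len(password)]) + password.encode()


def offline_guess(identifier, challenge, response, candidates):
    """What an eavesdropper who captured one challenge/response pair can do:
    recompute the response for candidate passwords until one matches."""
    for candidate in candidates:
        if chap_response(identifier, candidate, challenge) == response:
            return candidate
    return None


def demo() -> dict:
    """Run one exchange end to end on constructed sample data."""
    server = ChapAuthenticator({"alice": b"winter2000"})
    ident = 7
    chal = server.challenge(ident)                    # Challenge packet to the client
    resp = chap_response(ident, b"winter2000", chal)  # Response packet from the client
    first = server.verify(ident, "alice", resp)       # Success
    replay = server.verify(ident, "alice", resp)      # same response again: Failure
    guessed = offline_guess(ident, chal, resp, [b"password", b"summer2000", b"winter2000"])
    return {
        "accepted": first,
        "replay_accepted": replay,
        "guessed": guessed,
        "pap_leaks": b"winter2000" in pap_authenticate_request("alice", "winter2000"),
    }


if __name__ == "__main__":
    print(demo())
```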

Table 4.4 summarizes the differences between the two tunneling protocols.

Table 4.4. Differences Between PPTP and L2TP

Transport: PPTP is used only over IP-based networks. L2TP supports any point-to-point connection, including IP, ATM, and Frame Relay.

Encryption: PPTP relies on PPP encryption (MPPE). L2TP encryption is handled by IPSec.

Encapsulated traffic: PPTP allows IP, IPX, and NetBEUI traffic to be encrypted. L2TP allows IP traffic to be encrypted.

Tunnel authentication: PPTP provides no tunnel authentication. L2TP over IPSec authenticates the tunnel endpoints.

NAT: PPTP works through NAT. L2TP over IPSec does not work through NAT.

To enable a Windows 2000 server as a VPN server, use the same process outlined when enabling a remote access server, only select the option to configure a VPN server. Once a VPN server is enabled, five PPTP and five L2TP ports are automatically created. Additional ports can be created and configured using the process outlined in the section titled "Configuring Inbound Connections" earlier in this chapter.

Configuring Multilink Connections

Windows 2000 includes a feature known as Multilink that allows you to combine multiple phone lines connected to multiple modems into a single logical connection to increase bandwidth.

Multilink is complemented by the Bandwidth Allocation Protocol (BAP) and the Bandwidth Allocation Control Protocol (BACP), which together provide bandwidth on demand by adding and dropping links in the bundle as utilization changes.

To enable Multilink for individual remote access policies, click the Edit Profile button in the Properties dialog box for the policy and select the Multilink tab (see Figure 4.10).

Figure 4.10. Configuring Multilink for a remote access policy.

graphics/04fig10.jpg

The following three options are available for configuring Multilink settings:

  • Default to Server Settings This setting establishes that the use of Multilink is determined by the settings configured at the remote access server level.

  • Disable Multilink (restrict client to single port) This option restricts remote access clients to a single phone line.

  • Allow Multilink This option enables Multilink for the profile and configures the maximum number of ports that can be used by a dial-in client. You can also specify the criteria that must be met for a line to be dropped, as well as enable BAP for dynamic Multilink requests.

Tip: Multilink settings configured in a remote access profile apply to that policy only. Before any profile can use Multilink, it must be enabled on the PPP tab of the Properties dialog box for the remote access server.


Configuring Routing and Remote Access for DHCP

As you saw when enabling RRAS, you can configure the remote access server with a range of IP addresses to assign to remote access clients. (If you do, make sure the range does not conflict with the range of IP addresses configured on the DHCP server to avoid duplicate addresses.) You can also configure the RAS server to obtain IP addresses from the DHCP server to lease to clients.

When you choose to use a DHCP server, the remote access server obtains 10 IP addresses at a time from the DHCP server and leases them to clients; when all 10 are in use, it requests 10 more. (The default block size of 10 can be changed in the Registry.) The benefit of using DHCP with RAS is that IP address assignment remains centralized.

For remote access clients to obtain DHCP options, the DHCP Relay Agent must be configured on the RAS server. Clients still receive their IP address from the RAS server (which took it from the DHCP server or its static pool), but they can use DHCPInform messages to obtain optional parameters, such as the IP addresses of WINS and DNS servers, directly from the DHCP server. The relay agent component is what lets the RAS server forward those DHCPInform messages, and the replies, between the remote access clients and the DHCP server.
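
To make the relay agent's role concrete, here is an added Python example (not from the book or from Windows) that builds the DHCPINFORM a remote access client sends, applies what the relay agent does to it (stamps its own address into giaddr and increments the hop count), and decodes the DNS (option 6) and WINS (option 44) server addresses from a constructed DHCPACK. The addresses, transaction ID, and MAC address are made up for the example; the packet layout follows RFC 2131.

```python
"""Added example: the DHCPINFORM / DHCPACK exchange that the DHCP Relay Agent
forwards for remote access clients, built and parsed by hand. Not Windows code."""
import struct
from ipaddress import IPv4Address

HEADER = "!BBBBIHH4s4s4s4s16s64s128s"   # fixed 236-byte BOOTP header (RFC 2131)
MAGIC = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
OPT_DNS, OPT_WINS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 6, 44, 53, 54, 255
DHCPACK, DHCPINFORM = 5, 8


def _options(opts):
    """Encode (code, data) pairs as TLV options and terminate the list."""
    out = bytearray()
    for code, data in opts:
        out += bytes([code, len(data)]) + data
    out.append(OPT_END)
    return bytes(out)


def build_inform(xid: int, client_ip: str, mac: bytes) -> bytes:
    """DHCPINFORM from a remote access client: ciaddr carries the address the
    RAS server already assigned; giaddr stays zero until a relay agent fills it."""
    header = struct.pack(HEADER, BOOTREQUEST, 1, 6, 0, xid, 0, 0,
                         IPv4Address(client_ip).packed, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                         mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return header + MAGIC + _options([(OPT_MSG_TYPE, bytes([DHCPINFORM]))])


def relay(packet: bytes, relay_ip: str) -> bytes:
    """What the DHCP Relay Agent on the RAS server does before forwarding:
    increment hops and set giaddr to its own address if it is still zero."""
    out = bytearray(packet)
    out[3] += 1                                         # hops
    if out[24:28] == b"\0" * 4:
        out[24:28] = IPv4Address(relay_ip).packed       # giaddr
    return bytes(out)


def build_ack(inform: bytes, server_ip: str, dns: list, wins: list) -> bytes:
    """Constructed DHCPACK: the server answers an INFORM with options only,
    keeping xid, ciaddr and giaddr so the relay can return it to the client."""
    fields = list(struct.unpack(HEADER, inform[:236]))
    fields[0] = BOOTREPLY
    pack = lambda addrs: b"".join(IPv4Address(a).packed for a in addrs)
    opts = [(OPT_MSG_TYPE, bytes([DHCPACK])), (OPT_SERVER_ID, IPv4Address(server_ip).packed),
            (OPT_DNS, pack(dns)), (OPT_WINS, pack(wins))]
    return struct.pack(HEADER, *fields) + MAGIC + _options(opts)


def parse(packet: bytes) -> dict:
    """Decode the header fields that matter here plus the option list."""
    f = struct.unpack(HEADER, packet[:236])
    if packet[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(packet) and packet[i] != OPT_END:
        if packet[i] == 0:                              # pad option
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        opts[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": f[0], "hops": f[3], "xid": f[4],
            "ciaddr": str(IPv4Address(f[7])), "giaddr": str(IPv4Address(f[10])),
            "options": opts}


def addresses(data: bytes) -> list:
    """Split a 4n-byte option value into dotted IPv4 addresses."""
    return [str(IPv4Address(data[k:k + 4])) for k in range(0, len(data), 4)]


def client_parameters(ack: bytes) -> dict:
    """What the remote access client takes from the relayed DHCPACK."""
    p = parse(ack)
    if p["op"] != BOOTREPLY or p["options"].get(OPT_MSG_TYPE) != bytes([DHCPACK]):
        raise ValueError("not a DHCPACK")
    return {"dns": addresses(p["options"].get(OPT_DNS, b"")),
            "wins": addresses(p["options"].get(OPT_WINS, b""))}


if __name__ == "__main__":
    # Constructed sample: client 10.0.5.20 behind RAS relay 10.0.1.1, DHCP server 10.0.1.5.
    inform = build_inform(0x2A3B4C5D, "10.0.5.20", b"\x00\x11\x22\x33\x44\x55")
    forwarded = relay(inform, "10.0.1.1")
    ack = build_ack(forwarded, "10.0.1.5", ["10.0.1.10", "10.0.1.11"], ["10.0.1.12"])
    print(parse(forwarded)["giaddr"], client_parameters(ack))
```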

To configure DHCP to work with remote access, follow these steps:

  1. Within the Routing and Remote Access management console, right-click General under the IP Routing icon and select New Routing Protocol.

  2. In the Select Routing Protocol window, select the DHCP Relay Agent and click OK.

  3. Right-click the DHCP Relay Agent icon listed under IP routing and select New Interface. Select the network connection over which DHCP messages will be routed and click OK.

  4. Right-click the DHCP Relay Agent and select Properties. Type the IP addresses of the DHCP server or servers to which the RAS server should forward the DHCPInform requests (see Figure 4.11).

    Figure 4.11. Configuring the RAS server with the IP address of the DHCP server.

    graphics/04fig11.jpg

  5. Right-click the interface and select Properties (see Figure 4.12). Here you can enable or disable the relaying of DHCP packets on that interface and set the hop-count threshold and the boot threshold.

    Figure 4.12. Configuring the DHCP Relay Agent.

    graphics/04fig12.jpg



Source: Windows 2000 Network Infrastructure Exam Cram 2 (Exam 70-216), ISBN 078972863X, 2005.