The remote access feature of Microsoft Windows 2000 Server enables remote or mobile workers who use dial-up communication links to access corporate networks as if they were directly connected. Windows 2000 Server remote access also provides virtual private networking services so that users can access corporate networks over the Internet.
After this lesson, you will be able to
Estimated lesson time: 25 minutes
Windows 2000 Server remote access, which is part of the integrated Routing and Remote Access service, connects remote or mobile workers to corporate networks. Remote users can work as if their computers were physically connected to the network. Users (or clients) run remote access software to initiate a connection to the remote access server. The remote access server, which is a computer running Windows 2000 Server with the Routing and Remote Access service enabled, authenticates users and services sessions until terminated. All services typically available to a user connected to a local area network (LAN), including file and print sharing, Web server access, and messaging, are enabled by means of the remote access connection.
Remote Access clients use standard tools to access network resources. For example, on a computer running Windows 2000, clients can use Microsoft Windows Explorer to map network drives and connect to printers. Connections are persistent, so users do not need to reconnect to network resources during their remote sessions. Because drive letters and universal naming convention (UNC) names are fully supported by remote access, most commercial and custom applications work without modification. A remote access server running Windows 2000 provides two different types of remote access connectivity:
Dial-up networking over an analog telephone or ISDN is a direct physical connection between the dial-up networking client and the dial-up networking server. You can encrypt data sent over the connection, but it is not required.
In contrast to dial-up networking, virtual private networking is a logical (rather than physical) connection between the VPN client and server. To ensure privacy, you must encrypt data sent over the connection.
The Windows Routing and Remote Access feature set provides Network Address Translation (NAT), multiprotocol routing, Layer Two Tunneling Protocol (L2TP), Internet Authentication Service (IAS), and Remote Access Policies (RAP). The lesson concludes with information about demand-dial filters, dial-out hours, dial-in user properties, remote access use of name servers and DHCP, Bandwidth Allocation Protocol (BAP), and monitoring remote access.
Windows 2000 has a new feature called router discovery, which is specified in Request for Comments (RFC) 1256. Router discovery provides an improved method of configuring and detecting default gateways. When using DHCP or manual default gateway configuration, there is no way to adjust to network changes. Using router discovery, clients dynamically discover routers and can switch to backup routers if a network failure or administrative change is needed. Router discovery is made up of two types of packets:
NOTE
Microsoft Windows 2000 supports router discovery both as a host and as a router.
NAT is a standard defined in RFC 1631. A NAT is a router that translates IP addresses of an intranet or home LAN to valid Internet addresses. A NAT allows Internet connectivity for a private network with private addresses through a single Internet IP address. Windows 2000 Server includes a full-featured NAT implementation called Connection Sharing and a configuration-free version called Shared Access.
Windows 2000 Server implements a limited form of multicast routing using a multicast proxy. This proxy can be used to extend multicast support beyond a true multicast router. The multicast proxy is best used to provide multicast for remote access users or a single LAN network connected to the Internet. On one or more interfaces Windows 2000 acts like a multicast router, communicating with local clients about their multicast needs. On an interface that has direct access to a true multicast router, Windows acts as a multicast client, forwarding multicast traffic on behalf of the local clients.
L2TP can be thought of as the next version of Point-to-Point Tunneling Protocol (PPTP). It works much like PPTP but is now a combined development effort with Cisco. L2TP combines Cisco's Layer 2 Forwarding (L2F) and PPTP technologies (created by Microsoft, Ascend, 3Com, U.S. Robotics, and ECI-Telematics). L2TP is currently an RFC draft, soon to be an industry standard. L2TP is an Open Systems Interconnection (OSI) layer 2 (Data-link layer) protocol used to create VPNs.
IAS is a Remote Authentication Dial-In User Service (RADIUS) server. RADIUS is a network protocol that enables remote authentication, authorization, and accounting of users who are connecting to a network access server (NAS). A network access server such as Windows Routing and Remote Access can be a RADIUS client or RADIUS server.
NOTE
Microsoft released a limited version of a RADIUS server in the Windows NT 4.0 Option Pack. A full RADIUS server, IAS, is now available in Windows 2000.
In Windows NT 3.5 and later versions, remote access was granted based on a simple Grant Dial-In Permission To User option in User Manager or the Remote Access Admin utility. Callback options were also granted on a per-user basis.
In Windows 2000, remote access connections are granted based on the dial-in properties of a user object and remote access policies (RAPs). A RAP is a set of conditions and connection parameters that gives network administrators more flexibility in granting remote access permissions and controlling usage. Some examples of conditions include time of day, group membership, and type of connection (VPN or dial-up). Some examples of connection parameters are authentication and encryption requirements, use of Multilink, and length of session. One benefit of this added control is the ability to require strong encryption on VPN connections while allowing no encryption on modem connections where it may not be needed.
RAPs are stored on the local computer and are shared between Windows 2000 Routing and Remote Access and Windows 2000 IAS. RAPs are configured from the Internet Authentication Service Manager or from the Routing and Remote Access Manager.
Now that you have an understanding of Routing and Remote Access, you will enable the service. Before you enable this service, the Routing and Remote Access Manager will look like the illustration in Figure 12.1.
Figure 12.1 The Routing and Remote Access Manager before installation
In this practice, you install a Routing and Remote Access server using the Routing and Remote Access Manager.
NOTE
Before you continue with the lesson, run the Ch12.exe demonstration file located in the Media folder on the Supplemental Course Materials CD-ROM that accompanies this book. The file provides an overview of installing a Routing and Remote Access server.
The Routing and Remote Access Manager will look like the illustration in Figure 12.2.
Figure 12.2 The Routing and Remote Access Manager after installation
The distinctions between remote access and remote control solutions are the following:
A system upgraded from Windows NT 4.0 Remote Access Service (RAS)/Routing and Remote Access service (RRAS) to Windows 2000 has one minor problem. Windows NT 4.0 uses the LocalSystem account. When any service logs on as LocalSystem, it logs on with NULL credentials, meaning that the service does not provide a user name or password.
Active Directory directory service, by default, does not accept querying of object attributes through NULL sessions. Therefore, in a mixed environment, planning is necessary to allow Windows NT 4.0 Remote Access Service/Routing and Remote Access Service servers to retrieve user dial-in properties from Active Directory directory service. Remote Access Service/Routing and Remote Access Service servers require this access to determine whether the user has been granted dial-in permissions and whether any other dial-in settings, such as callback telephone numbers, have been configured.
NOTE
Using NULL credentials prevents an account from being able to access network resources relying on Windows NT LAN Manager (NTLM) authentication (unless the remote computer specifically allows NULL sessions).
For a Windows NT 4.0 Remote Access Service/Routing and Remote Access Service server to retrieve user properties from Active Directory, you must meet one of the following conditions:
NOTE
Unless Active Directory security has been loosened or the Remote Access Service/Routing and Remote Access Service server is installed on a backup domain controller, dial-in connectivity success could be intermittent. Even if your domain runs in Mixed mode, it is impossible to configure the Remote Access Service/Routing and Remote Access Service server to contact a Windows NT 4.0 backup domain controller only for authentication. If a Windows 2000 domain controller authenticates the user, dial-in will fail.
The Permission Compatible With Pre-Windows 2000 Servers option places the Everyone group in the Pre-Windows 2000 Compatible Access Local group. You can strengthen permissions by deleting the Everyone group from this group's membership list after all remote access servers have been upgraded to Windows 2000. This Everyone group workaround should be used only after understanding its impact on Active Directory security. If it conflicts with your security requirements, it is recommended that you upgrade the Windows NT 4.0 Remote Access Service/Routing and Remote Access Service server to Windows 2000 and make it a member of a Windows 2000 mixed or native domain. This will help prevent inconsistent dial-in access while the domain is in Mixed mode.
If you would like to loosen security to allow Windows NT 4.0 Remote Access Service/Routing and Remote Access Service servers to function after running the Active Directory Installation wizard, you can add the Everyone group to the Pre-Windows 2000 Compatible Access group by typing the command net localgroup "Pre-Windows 2000 Compatible Access" Everyone /add.
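The lesson's workaround widens what NULL-session clients can read from Active Directory, so the follow-up step it recommends is to take the Everyone group back out of Pre-Windows 2000 Compatible Access once every NT 4.0 Remote Access Service/Routing and Remote Access Service server has been upgraded. The batch script below is an added example, not part of the book or of Windows 2000; it is a check-and-remediate script that a practitioner would run on a Windows 2000 domain controller. It assumes the group name exactly as the lesson gives it and relies only on the net localgroup and find commands; the script name prew2k-check.cmd and the /remove switch are this example's own conventions.

```batch
@echo off
rem Added example (not from the lesson): report whether Everyone is still a member
rem of the Pre-Windows 2000 Compatible Access group and, when asked, remove it.
rem Run on a Windows 2000 domain controller with an administrative account.
rem Usage: prew2k-check.cmd           (report only)
rem        prew2k-check.cmd /remove   (report, then remove Everyone from the group)

setlocal
set GROUPNAME=Pre-Windows 2000 Compatible Access

rem Search the group's member list for Everyone. find returns errorlevel 1 on no match.
net localgroup "%GROUPNAME%" | find /i "Everyone" >nul
if errorlevel 1 (
    echo Everyone is NOT a member of "%GROUPNAME%".
    echo NULL-session lookup of user dial-in properties is not permitted through this group.
    goto :eof
)

echo Everyone IS a member of "%GROUPNAME%".
echo NT 4.0 RAS/RRAS servers can read dial-in properties, but so can any NULL-session client.

if /i "%1"=="/remove" (
    rem Only do this after all NT 4.0 RAS/RRAS servers have been upgraded to Windows 2000,
    rem otherwise their dial-in authentication will start failing.
    net localgroup "%GROUPNAME%" Everyone /delete
    if errorlevel 1 (
        echo Failed to remove Everyone from "%GROUPNAME%"; check that you are an administrator.
    ) else (
        echo Removed Everyone from "%GROUPNAME%".
    )
) else (
    echo Run this script with /remove to take Everyone out of the group.
)
endlocal
```

Run it first without /remove to confirm the current state; the report-only mode is safe to use while NT 4.0 servers are still in service. Removing Everyone while a Windows NT 4.0 Remote Access Service/Routing and Remote Access Service server still depends on it reintroduces the intermittent dial-in failures the lesson describes, so schedule the /remove run only after the last upgrade.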
This lesson provided a basic overview of remote access features. These include router discovery, NAT, multicast routing, L2TP, IAS, and RAPs. Installing and configuring Routing and Remote Access was also introduced.