Overview of Remote Access Client Deployment


If you have users who travel frequently or need to access your network from home or other locations, Connection Manager provides a way for you to customize a self-installing service profile for your users. The Connection Manager client allows users to either connect to your network directly or to create a VPN connection from a remote location. Using this managed remote access solution reduces administration by providing a single connection client for all remote access users.

Before you deploy a remote access client solution, you must design and deploy your remote access and VPN servers and related infrastructure. You must also deploy an authentication service, such as Internet Authentication Service (IAS), to enable authentication, authorization, and accounting. Many of the decisions that you make when you deploy your Connection Manager service profiles are based on the decisions that you make when you design your servers.

Deploying Connection Manager Process

The process for deploying Connection Manager includes designing phone books if you are configuring dial-up access, and optionally deploying phone book servers to provide phone book updates; customizing the Connection Manager service profile through the CMAK wizard; testing your remote access solution; and distributing your Connection Manager profile to users.

Figure 9.1 shows the process for deploying Connection Manager.


Figure 9.1: Deploying Connection Manager

Remote Access Clients Background Information

In order for users to take advantage of an organization's remote access solution, each client must be configured to connect to the remote access dial-up or VPN servers. You can either use the native connection features in Windows to configure clients or use a managed client solution, such as Connection Manager and its components, to create and distribute a custom service profile.

Native Connection Capabilities and Limitations

It is possible for users to manually configure remote access connections using the native network connection capabilities in Windows. To connect to the remote access server using these native capabilities, the user configures the network settings on the client. These settings include:

  • Dial-up connections: The telephone number for your remote access server, user authentication method, encryption settings, and dialing scripts.

  • VPN connections: The host name or IP address for the VPN server, VPN type, user authentication method, and encryption settings.

The native connection capabilities are best suited to environments where few users connect to the network. These connections are relatively simple to set up when there are a small number of clients; however, there are major disadvantages to this method when you are administering a large network with many remote access users, including:

  • The procedure for manually configuring remote access clients varies between versions of Windows; therefore, you would need a separate set of procedures for each client operating system you support.

  • Each client must be manually configured; either an administrator must configure each client individually, or the users must configure their own settings using operating system-specific instructions. Either approach can lead to a large resource drain in the IT department.

  • If any telephone numbers change, either the administrator or the user must manually reconfigure the connection. For example, you might contract with a telecommunications supplier to provide multiple dial-up telephone numbers and worldwide access for users who travel. Similarly, you might choose to use VPN connections over Internet connections supplied by an Internet service provider (ISP), with multiple access numbers and worldwide Internet access. If any of these telephone numbers change, you need a way to notify the users.

Connection Manager provides a solution for these and other issues when you deploy a large number of remote access clients.

Connection Manager Solutions

The Connection Manager family of programs is a set of optional components used to create a managed remote access solution. Connection Manager enables a network administrator to preconfigure remote access clients, add custom behavior and a custom appearance, and provide an updateable phone book that enables users to find the most convenient dial-up access number. The Connection Manager family of products includes:

  • The Connection Manager client

    The Connection Manager client provides a simplified way of connecting to a remote network. Typically, the user only needs to enter a user name and password and select a phone number if applicable. The administrator configures all other settings before distributing the service profile.

  • The Connection Manager Administration Kit (CMAK)

    CMAK allows the administrator to create and configure the service profile and creates a small, self-installing package. CMAK also allows the administrator to customize Connection Manager features such as branding, custom actions, and custom Help files, as well as enhanced security features.

  • Connection Point Services (CPS)

    CPS allows you to create and maintain phone books. It consists of two parts:

    • Phone Book Administrator (PBA)

      PBA is a tool used to create and maintain phone book files, and to publish new or updated phone book files on the PBS server.

    • Phone Book Service (PBS)

      PBS distributes phone books to Connection Manager clients on request.

Connection Methods

Remote users connect to networks by using one of two methods: they either connect with direct dial, where they connect directly by using dial-up lines, or they use VPNs to connect over the Internet. When using a VPN to connect, remote users who do not have a pre-existing connection to the Internet must use a double-dial configuration, where they first dial an ISP number to access the Internet and then establish the VPN connection. Connection Manager can make this double-dial process look like a single connection attempt to the end user.

Direct Dial

Users who connect to your network by using direct dial call directly into your network, using the dial-up phone numbers that your organization provides to connect to remote access dial-up servers. You can easily manage a small number of users calling a small number of phone numbers. However, if a large number of users are dialing into your network, or if your network can be reached through many phone numbers, Connection Manager and CPS are useful for managing remote access.

VPN

Organizations that offer VPN access to their remote users approach this in one of two ways:

  • Assume that the users have their own connections to the Internet.

  • Provide users with an easy method to dial up the Internet and establish a subsequent VPN connection to the corporate network.

An organization can also contract with an ISP to supply a national or worldwide collection of phone numbers for Internet access. Connection Manager provides a method to expose these numbers from the ISP in a phone book and automatically establish the VPN connection after the ISP connection is complete. For more information about working with an ISP, see "Providing Connection Manager Phone Book Support" in this chapter. For more information about double-dial connections, see "Example: Deploying Remote Access Clients" in this chapter.

Authentication Methods

The user authentication method that you implement depends on the operating systems that your clients are running and the level of security that you require for your network. For example, you might require passwords, certificates, or smart cards for user authentication, depending on your organization's security needs. For more information about user authentication methods, see "Designing an Authentication Strategy" in Designing and Deploying Directory and Security Services of this kit. For more information about deploying smart cards, see "Deploying Smart Cards" in Designing and Deploying Directory and Security Services of this kit.

VPN Tunneling Protocols

For VPN connections, you can require Point-to-Point Tunneling Protocol (PPTP) or Layer Two Tunneling Protocol (L2TP) connections, or you can allow users to attempt L2TP connections and use PPTP if they cannot connect using L2TP. If you require L2TP/IPSec authentication, you can use preshared keys or certificates. For more information about choosing a VPN strategy, see "Deploying Dial-Up and VPN Remote Access Servers" in this book.

Network Access Quarantine Control

Network Access Quarantine Control, a new feature in the Windows Server 2003 family, delays normal remote access to a private network until the configuration of the remote access computer has been examined and validated by an administrator-provided script. Without Network Access Quarantine Control, only the credentials of the user are verified, and a user with the correct credentials can connect even if the computer's configuration does not comply with corporate network policy. For example, a remote access user with valid credentials can connect to a network with a computer that does not have the required antivirus software installed on it. Remote access clients can use either a manually configured connection or a Connection Manager profile. For more information about configuring Network Access Quarantine Control by using a Connection Manager profile, see "Incorporating Custom Actions" later in this chapter.

Important

Network Access Quarantine Control is designed to prevent computers with unsafe or undesirable configurations from connecting to a private network; it does not protect a private network from malicious users who have obtained a valid set of credentials.

For more information about Network Access Quarantine Control, see "Deploying Dial-up and VPN Remote Access Servers" and "Deploying IAS" in this book, and "IAS Network Access Quarantine Control" in Help and Support Center for Windows Server 2003.
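The following script is an added example of the kind of administrator-provided quarantine check described above; it is not code from the Deployment Kit. It is written to run as a Connection Manager post-connect custom action on the client, verify that an antivirus service is running and that the Windows Firewall is enabled, and only then call rqc.exe to tell the quarantine service (rqs.exe) on the remote access server that the client may leave quarantine. Assumptions: the script is named quarantine.cmd and is launched from CMAK as "%ServiceDir%\quarantine.cmd %DialRasEntry% %TunnelRasEntry% %Domain% %UserName%" (these are the CMAK custom-action macros Microsoft's quarantine documentation uses); the antivirus service name is a placeholder you replace with your own product's service name; TCP port 7250 is the default rqs.exe listener port as I recall it from Microsoft's documentation, and the rqc.exe argument order (connection name, tunnel connection name, port, domain, user name, script version) should be confirmed against the rqc.exe help on your server before deployment.

```batch
@echo off
rem quarantine.cmd - added example of a Network Access Quarantine Control client script
rem (not from the Deployment Kit). Runs as a Connection Manager post-connect custom action.
rem Expected invocation from the CMAK custom action (CMAK macros, assumed):
rem   %ServiceDir%\quarantine.cmd %DialRasEntry% %TunnelRasEntry% %Domain% %UserName%
setlocal

set DIAL_ENTRY=%1
set TUNNEL_ENTRY=%2
set USER_DOMAIN=%3
set USER_NAME=%4

rem Placeholder: replace with the service name of your antivirus product.
set AV_SERVICE=ExampleAntivirusSvc
rem Assumed default TCP port on which rqs.exe listens on the remote access server.
set RQS_PORT=7250
rem Script version string; rqs.exe is configured with the versions it accepts, so
rem an out-of-date script on a client is rejected even if its checks pass.
set SCRIPT_VERSION=Version1-0

rem Check 1: the antivirus service must be installed and running.
sc query "%AV_SERVICE%" | find "RUNNING" >nul
if errorlevel 1 (
    echo Antivirus service %AV_SERVICE% is not running.
    goto fail
)

rem Check 2: Windows Firewall must be enabled for the standard profile
rem (registry value present on Windows XP SP2 and later; value 0x1 means enabled).
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v EnableFirewall | find "0x1" >nul
if errorlevel 1 (
    echo Windows Firewall is not enabled.
    goto fail
)

rem All checks passed: notify the quarantine service so the server lifts the
rem quarantine filters for this connection. A nonzero exit code from rqc.exe
rem (for example, unreachable service or rejected script version) keeps the
rem client in quarantine.
rqc.exe %DIAL_ENTRY% %TUNNEL_ENTRY% %RQS_PORT% %USER_DOMAIN% %USER_NAME% %SCRIPT_VERSION%
if errorlevel 1 (
    echo Quarantine service did not accept the release request.
    goto fail
)
echo Client configuration validated; quarantine released.
endlocal
exit /b 0

:fail
echo This computer does not meet remote access policy; quarantine remains in effect.
endlocal
exit /b 1
```

Two design points matter for defenders here. First, the script only ever reports compliance; the decision to lift the quarantine filters is made by rqs.exe on the server, so a client that never runs the script (a manually configured connection, for instance) simply stays in quarantine until the configured timeout. Second, because the script runs on the remote computer with the user's privileges, it enforces configuration hygiene, not trust: as the Important note above states, it provides no protection against a user who already holds valid credentials.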




Microsoft Corporation Microsoft Windows Server 2003 Deployment Kit(c) Deploying Network Services 2003
Year: 2004
Pages: 146