Customizing Connection Manager


Use the CMAK wizard to create a custom service profile, which the wizard packages as an .exe file. You then distribute this .exe file to your users. When they double-click the file, it installs a service profile customized with the information you entered in the CMAK wizard. The Connection Manager client then allows users to dial in to your organization directly or to complete a VPN connection, based on the information provided in the CMAK wizard.

Figure 9.3 shows steps in the process for customizing your service profile.

Figure 9.3: Customizing Connection Manager

Tip

You can install the CMAK wizard from Management and Monitoring Tools details in the Windows Components Wizard. For more information about installing the CMAK wizard, see "The Connection Manager Administration Kit Wizard" in Help and Support Center for Windows Server 2003.

Before you run the CMAK wizard, make sure you know the following information, which is required to complete the wizard:

  • The service name and a file name that you will use for the new profile and related files.

  • A realm name, if your service requires it. A realm name is a prefix or suffix that Connection Manager automatically adds to the user name.

  • Any existing service profiles that you plan to merge into the new profile. For more information about merging service profiles, see "Merging Service Profiles" later in this chapter.

  • VPN Support information, including the VPN server address(es) and whether the client will use the same password for the dial-up and VPN connections in a double-dial situation. For an example of configuring VPN Support information, see "Example: Deploying Remote Access Clients" later in this chapter. For information about configuring a VPN-only profile, see "Implementing VPN support" in Help and Support Center for Windows Server 2003.

  • VPN Entries network and security information. For more information about networks and security, see "Configuring Network and Security Settings" later in this chapter.

  • Preshared key information, if needed for L2TP/IPSec VPN connections. If you are using a preshared key, encrypt it with a PIN that follows strong password rules. Strong passwords include a combination of uppercase and lowercase letters, numbers, and special characters so the password is protected from a dictionary attack or a database of popular passwords.

  • The location of the phone book file that was created by PBA to include in this service profile and any text that should appear in the More access numbers box in the Phone Book dialog box.

  • Phone book file name for downloading updates and the update URL to point to on the phone book server, if applicable.

  • Dial-up Networking Entries and security information. For more information about networks and security, see "Configuring Network and Security Settings" later in this chapter.

  • Routing table update information, if you are planning to implement split-tunneling where users can connect to both your internal network and the Internet simultaneously.

  • Automatic Proxy Configuration settings, if you want Connection Manager to automatically update proxy settings for this connection.

  • Custom Actions, which are any programs you want to start automatically before, during, or after users connect to your service. For more information about custom actions, see "Incorporating Custom Actions" later in this chapter.

  • Branding information, including custom graphics, icons, menu items for the notification area shortcut, custom Help, and support information, if applicable. For more information about including branding information in your service profile, see "Branding Your Connection Manager Client" later in this chapter.

  • Whether to include the latest version of Connection Manager with your service profile. This is a small file, so if you are not sure that all clients have the latest version of CM, include the latest version with your profile.

  • A custom license agreement, if applicable. For more information about including a custom license agreement in your service profile, see "Branding Your Connection Manager Client" later in this chapter.

  • Any additional files you want to include in this service profile.

  • Any information you require for advanced customization, if applicable. For more information about advanced customization, see "Providing Advanced Customization" later in this chapter.

For a worksheet to assist you in completing the CMAK wizard, see "Preparation for Running the CMAK Wizard" (DNSRAC_1.doc) on the Microsoft Windows Server 2003 Deployment Kit companion CD (or see "Preparation for Running the CMAK Wizard" on the Web at http://www.microsoft.com/reskit).

For more specifics about customizing Connection Manager using CMAK, see "Preparing to run the CMAK Wizard" and "Connection Manager Administration Kit" in Help and Support Center for Windows Server 2003.

Merging Service Profiles

Merging service profiles is especially useful for incorporating information from multiple phone books, including service types, POP names, and access numbers. You can also use it to consolidate different dial-up access numbers that are covered by more than one of your phone books. By merging existing service profiles into a single top-level service profile, you can present several dissimilar networks as a single, cohesive service.

You can merge multiple profiles so that the top-level profile, which is the service profile you distribute to users, behaves as if it has a single phone book, which contains all the POPs defined in each of the component profiles. For example, if you outsource your phone book through multiple ISPs, and each ISP provides you with a service profile containing its phone book(s), you can merge the profiles together within a top-level service profile that contains dial-up numbers for all the POPs from all the providers.

For an example of merging service profiles, see "Example: Deploying Remote Access Clients" later in this chapter.

Configuring Network and Security Settings

Configure network and security settings by editing the appropriate networking entry from the VPN Entries page and/or the Dial-Up Networking Entries page of the CMAK wizard. From the Edit VPN Entry and the Edit Dial-Up Networking Entry dialog boxes, you can customize general network properties, TCP/IP settings, and security settings.

Configuring General Network Properties

Use the general network properties to disable file and print sharing and enable clients to log on to a network. For a dial-up connection, you can also enter a dial-up networking script.

Configuring TCP/IP Settings

Use the TCP/IP settings to change the Domain Name System (DNS) and Windows Internet Name Service (WINS) client configuration by either allowing the server to assign these addresses or manually configuring the DNS and WINS addresses for this profile. You can also choose to make this connection the default gateway for the client and to use IP header compression.

Configuring Security Settings

Use the security settings to select the authentication method for VPN or dial-up users and the VPN strategy for VPN clients. You can choose to use basic or advanced security settings for all computers or use a combination. If you choose a combination of both basic and advanced security settings, Connection Manager uses the advanced security settings for clients running on the operating systems that support them and basic security settings for clients running on operating systems that do not support advanced security settings.

Incorporating Custom Actions

Connection Manager has the ability to run custom actions at various points when establishing a connection. By providing custom actions, you can enhance the connection experience for your users. Use the CMAK wizard to include custom actions in your service profile to automatically start programs when users connect to your service. A custom action can be any batch file, executable file, or dynamic-link library (DLL). These custom actions can use programs that users have installed, or you can distribute the programs with your service profile.

Using the CMAK wizard, you can specify custom actions for each of the following points during the connection process.

  • Pre-initialization actions. These actions occur immediately when the user starts the Connection Manager client.

  • Pre-connect actions. These actions occur before the connection attempt.

  • Pre-dial actions. These actions occur before every dialing attempt, including redials. (For dial-up connections only.)

  • Pre-tunnel actions. These actions occur before tunneling. (For VPN connections only.)

  • Post-connect actions. These actions occur immediately after the connection is established.

  • Disconnect actions. These actions occur immediately after the user or server disconnects.

  • On cancel actions. These actions occur whenever the user abandons a connection attempt.

  • On error actions. These actions occur whenever the connection attempt fails due to an error.

You might want to use pre-connect actions to start an application before you connect, such as an e-mail program, or use a post-connect action to upload logs of connection activity or to download the latest virus signatures. An on error action could also be used to point the user to custom Help files for self-help information, potentially reducing help desk calls.

Several common custom actions are built into CMAK, such as:

  • A post-connect action checks for phone book updates. This action is automatically included in your profile if you leave the Automatically download phone book updates check box selected on the Phone Book page of the CMAK wizard.

  • A post-connect action obtains and installs routing tables for the target network. This action is automatically included in your profile if you enable the Routing Table Update feature.

  • A post-connect action updates proxy settings of the client during the connection. This action is automatically included in your profile if you enable the Automatic Proxy Configuration feature.

The Microsoft Windows Server 2003 Resource Kit also contains custom actions you can use to customize your profile:

Profile update

This includes the files Getcm.exe, which runs as a post-connect action that checks for and downloads an updated service profile, and Instcm.exe, which runs as a disconnect action that checks to see if an updated service profile has been downloaded and installs it.

Certificate deployment

This DLL (Cmgetcer.dll) allows Connection Manager to automatically obtain a certificate for L2TP/IPSec connections.

Network Access Quarantine Control

This network policy requirements script runs as a post-connect action. The network policy requirements script performs validation checks on the remote access client computer to verify that it conforms to network policies. The script can be a custom executable file or simple batch file.

When the script has run successfully and the connecting computer has satisfied all of the network policy requirements (as verified by the script), the script executes a notifier component (an executable) with the appropriate parameters. You can also configure your script to download the latest version of the script from a quarantine resource. If the script does not run successfully, it directs the remote access user to a quarantine resource such as an internal Web page, which describes how to install the components that are required for network policy compliance.

The notifier component sends a message to the quarantine-compatible remote access server that indicates a successful execution of the script. You can use your own notifier component or you can use Rqc.exe, which is provided on the Windows Server 2003 Deployment Kit companion CD. With these components installed, the remote access client computer uses the Connection Manager profile to perform its own network policy requirements check and indicate its success to the remote access server as part of the connection setup.

Tip

Because Network Access Quarantine Control introduces a delay in obtaining normal remote access, applications that run immediately after the connection is complete might encounter problems. One way to minimize the delay is to separate your script into two scripts: one that runs as a pre-connect action and one that runs as a post-connect action.

For more information about Network Access Quarantine Control, see "IAS Network Access Quarantine Control" in Help and Support Center for Windows Server 2003, "Deploying Dial-up and VPN Remote Access Server" and "Deploying IAS" in this book. For a sample notifier component, see the Windows SDK. For more information about the Windows SDK, see the Software Development Kit (SDK) information in the MSDN Library link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.

In addition to these predefined custom actions, you can create your own custom actions to include in the service profile.

For security reasons, custom actions cannot be run when users log on to the network using dial-up networking unless certain registry keys have been set. For more information about custom actions, see "Incorporating custom actions" in Help and Support Center for Windows Server 2003.

Branding Your Connection Manager Client

Another important feature of CMAK is the ability to apply your own branding to the client by using your organization's graphics, icons, menu items for the notification area shortcut, Help, and license agreement. If you do not want to customize the appearance of the client, accept the defaults provided in CMAK.

Using Custom Graphics and Icons

You must specify whether to use the default bitmaps or your own graphics. Customize the user interface by including your company logo or another image that identifies your organization. You can replace the graphics in both the Logon dialog box and the Phone Book dialog box. The replacement graphic must be a bitmap (.bmp) file.

Provide custom icons for your service profile in the form of either one file containing icons in multiple sizes or one file for each icon in each size. Use the CMAK wizard to specify the icons.

Customizing Connection Manager Help and License Agreement

To offer your users customized Help and license agreement files, enter the appropriate file information in the CMAK wizard.

The default Help file is Cmmgr32.hlp. If you do not want to use the default Help, create your own .hlp file, and then use the CMAK wizard to replace the default Help with your .hlp file in the service profile. To include a license agreement, create a .txt file containing the agreement and enter the file name into the CMAK wizard when prompted. For more information about providing your users with custom Help, see "Providing custom Windows Help" in Help and Support Center for Windows Server 2003.

Providing Advanced Customization

The CMAK wizard guides you through most of the customization features that you need to build a service profile. However, you can provide additional customization by selecting the Advanced Customization check box in the Ready to Build the Service Profile page of the CMAK wizard.

You can also delete any section or key from the .cms or .cmp files by using the Advanced Customization page of the CMAK wizard.

  • To delete a section

    1. On the Advanced Customization page of the CMAK wizard, in the File name box, select the appropriate file.

    2. In the Section name box, select the section you want to delete.

    3. Clear the Key name and Value boxes.

    4. Click Apply.

    5. Click Yes to confirm that you want to delete the entire section.

  • To delete a key

    1. On the Advanced Customization page of the CMAK wizard, in the File name box, select the appropriate file.

    2. In the Section name box, select the appropriate section.

    3. In the Key name box, select the key you want to delete.

    4. Clear the Value box.

    5. Click Apply.

    6. Click Yes to confirm that you want to delete the key.

Caution

Use extreme care when deleting sections or keys from the .cms or .cmp files by using the Advanced Customization page of the CMAK wizard, particularly when you are editing an existing service profile.

For more information, including a comprehensive list of the service profile files and keys that you can customize through advanced customization, see "Advanced customization" in Help and Support Center for Windows Server 2003.

The following procedures show four ways to use advanced customization to increase security for user connections.

Tip

If the key names you want to customize do not appear in the drop-down list, type them in the Key name text box.

Removing the Save Password Option

Edit the HideRememberPassword key to remove the Save Password check box from the Connection Manager user interface.

  • To remove the Save Password check box from the Connection Manager user interface

    1. On the Advanced Customization page of the CMAK wizard, in the File name box, select FileName.cms.

    2. In the Section name box, select Connection Manager.

    3. In the Key name box, type or select HideRememberPassword.

    4. In the Value box, type 1.

    5. Click Apply.

    Important

    In order for any advanced customization setting to be recorded, you must click Apply after entering each setting.

Disabling ICS

Edit the DisableICS key to disable Internet Connection Sharing (ICS) in Windows XP for this connection.

  • To disable Internet Connection Sharing (ICS) from the Connection Manager user interface

    1. On the Advanced Customization page of the CMAK wizard, in the File name box, select FileName.cms.

    2. In the Section name box, select Connection Manager.

    3. In the Key name box, type or select DisableICS.

    4. In the Value box, type 1.

    5. Click Apply.

Enabling ICF

Edit the EnableICF key to turn on Internet Connection Firewall (ICF) in Windows XP for this connection.

  • To enable ICF from the Connection Manager user interface

    1. On the Advanced Customization page of the CMAK wizard, in the File name box, select FileName.cms.

    2. In the Section name box, select Connection Manager.

    3. In the Key name box, type or select EnableICF.

    4. In the Value box, type 1.

    5. Click Apply.

Hiding the Advanced Tab

Edit the HideAdvancedTab key to hide the Advanced tab from the Connection Manager user interface in Windows XP for this connection. The Advanced tab is where users control ICF and ICS for the connection. Enable this key only if you are also using the DisableICS and EnableICF keys.

  • To hide the Advanced tab from the Connection Manager user interface

    1. From the Advanced Customization page of the CMAK wizard, in the File name box, select FileName.cms.

    2. In the Section name box, select Connection Manager.

    3. In the Key name box, type or select HideAdvancedTab.

    4. In the Value box, type 1.

    5. Click Apply.
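
The four procedures above can be checked after the profile is built. The following audit script is an added example, not part of the original chapter or of CMAK: it reads the text of a .cms file and reports which of the four keys are missing from the Connection Manager section, including the HideAdvancedTab dependency on DisableICS and EnableICF. It assumes the .cms file is INI-style text; the function names and both sample profiles are constructed for illustration.

```python
"""Audit a Connection Manager .cms file for the four hardening keys."""

SECTION = "Connection Manager"
# Keys the chapter sets to 1 in the [Connection Manager] section.
BASE_KEYS = ("HideRememberPassword", "DisableICS", "EnableICF")
TAB_KEY = "HideAdvancedTab"

# Constructed samples (not taken from a real profile).
SAMPLE_WEAK = """\
; constructed sample: EnableICF sits in the wrong section, DisableICS is 0
[Connection Manager]
HideRememberPassword=1
hideadvancedtab=1
DisableICS=0

[Placeholder Section]
EnableICF=1
"""
SAMPLE_HARDENED = """\
[Connection Manager]
HideRememberPassword=1
DisableICS=1
EnableICF=1
HideAdvancedTab=1
"""


def parse_cms(text):
    """Parse INI-style text into {section: {key: value}}, names lowercased
    (assumption: section and key names are matched case-insensitively)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return sections


def audit_cms(text):
    """Return a list of findings; an empty list means all four keys are 1."""
    cm = parse_cms(text).get(SECTION.lower(), {})
    on = {k: cm.get(k.lower()) == "1" for k in BASE_KEYS + (TAB_KEY,)}
    findings = [f"{k} is not set to 1" for k in BASE_KEYS if not on[k]]
    ics_icf_set = on["DisableICS"] and on["EnableICF"]
    if on[TAB_KEY] and not ics_icf_set:
        findings.append(f"{TAB_KEY}=1 but DisableICS and EnableICF are not both 1")
    elif not on[TAB_KEY] and ics_icf_set:
        findings.append(f"{TAB_KEY} is not set to 1; users can reach the ICF/ICS controls")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(name, audit_cms(text) or "OK")
```
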




Microsoft Corporation Microsoft Windows Server 2003 Deployment Kit(c) Deploying Network Services 2003
Year: 2004
Pages: 146
