Implementing Your Connection Manager Solution


After you create your service profile(s), test your remote access solution in its entirety before distributing your service profile to the users.

Figure 9.4 shows the process for implementing your managed remote access client solution using Connection Manager.

Figure 9.4: Implementing Your Connection Manager Solution

Testing Your Remote Access Solution

When testing your solution in a lab, recreate the actual user experience as closely as possible. The client will probably be deployed on computers that are not under your organization's direct control, such as a user's home computer. For this reason, test your service profiles with a standard set of applications and on the same types of hardware to which you will deploy.

Important

Test both the server and client portions of your remote access design.

Use the following guidelines to test your deployment:

  • Load and run the client on each operating system you are supporting for remote access. If you are supporting both dial-up and VPN connections, test both of these types of connections on your test clients.

  • Test custom actions in detail, using a standard set of applications that users might have on their computers. Be sure your test is representative of the end-user experience.

  • Verify that your phone books are updating. If they are not, check the URL that points to the phone book server, check for firewall conflicts (the client retrieves phone book updates over HTTP, so that traffic must be permitted end to end), and ensure that IIS is correctly configured on the Phone Book Service (PBS) server.

  • Test your distribution method before announcing and rolling it out. For information about establishing a distribution method, see "Distributing Your Connection Manager Service Profiles" later in this chapter.

Distributing Certificates

If you configured the security settings of the VPN entries in the CMAK wizard to use L2TP/IPSec, you might need to distribute certificates to your users. The certification authority (CA) usually offers enrollment through a Web server, which you can place on the Internet or on your intranet.

Internet Enrollment

With Internet enrollment, users go to a public Web site to obtain their certificates. Internet enrollment is useful if you are using a CA that is provided by another company.

Intranet Enrollment

If certificates are optional but recommended, users can obtain their certificates after connecting to your intranet. Configure the service profile to attempt L2TP first: on every connection the client tries L2TP/IPSec and, if that fails (for example, because the client does not yet have a certificate), falls back to PPTP. A client can therefore connect the first time by using PPTP, enroll for a certificate, and use L2TP/IPSec on all subsequent connections. Note that the fallback is not limited to the first connection: anything that prevents the L2TP/IPSec negotiation from completing also drops the client to PPTP, so once your users have their certificates, change the profile to L2TP only.

You can configure the Connection Manager Certificate Deployment Tool, Cmgetcer.dll, as a custom action. This tool enables the client to obtain a certificate from the certification authority as part of the connection.

For more information about certification authorities and certificates, see "Designing a Public Key Infrastructure" in Designing and Deploying Directory and Security Services of this kit.

Educating Users About Security

When distributing your service profiles, you should also inform users of their responsibilities in protecting the organization's resources. Educate your users about potential threats and how to avoid them, including:

  • Enable a personal firewall (such as Internet Connection Firewall (ICF) in Windows XP).

  • Use strong passwords on their remote computers.

  • Never save passwords for any connection.

    To prevent users from saving their password for this connection, disable the Save Password check box on the Connection Manager client. For more information, see "Providing Advanced Customization" earlier in this chapter.

  • Lock their computers when they are not actively using them, either by password-protecting the screen saver or by locking the computer from the Ctrl+Alt+Delete dialog box.

  • Never share a VPN connection or run a VPN connection from an Internet Connection Sharing (ICS) host. A shared VPN connection gives every computer on the ICS network access to your organization's network and resources under the VPN connection's credentials, so any compromised computer on that home network becomes a foothold on yours.
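The two profile settings this section has described, the L2TP-first strategy with PPTP fallback used during intranet enrollment and the hidden Save Password check box, are worth checking mechanically before a profile leaves the lab. The following Python script is an added example and is not part of the Deployment Kit or of CMAK: it treats the .cms service profile as the INI-style text it is and lints two constructed sample profiles, one for the enrollment phase and one for after users have certificates. The key names and values it checks (Tunnel, VpnStrategy using the RAS phone-book encoding 1=PPTP only through 4=L2TP first, and HideRememberPassword) are assumptions made for illustration; confirm them against a profile generated by your own CMAK before relying on the script.

```python
"""Pre-distribution lint for a Connection Manager service profile (.cms).

Added example, not Deployment Kit or CMAK code. The .cms file is INI-style
text; the key names checked below (Tunnel, VpnStrategy, HideRememberPassword)
and the VpnStrategy encoding are assumptions for illustration, not a
documented CMAK schema. Verify them against your own generated profile.
"""
import configparser

# Assumed encoding of the VPN strategy, modelled on RAS phone-book values.
STRATEGY = {"1": "PPTP only", "2": "PPTP first", "3": "L2TP only", "4": "L2TP first"}

# Constructed sample: a first-rollout profile. Users still have to connect
# over PPTP once to enroll for a certificate, so L2TP-first is tolerated.
ROLLOUT_CMS = """
[Connection Manager]
ServiceName=Contoso Remote Access
Tunnel=1
TunnelAddress=vpn.contoso.example
VpnStrategy=4
HideRememberPassword=0
"""

# Constructed sample: the same profile after enrollment is complete.
HARDENED_CMS = """
[Connection Manager]
ServiceName=Contoso Remote Access
Tunnel=1
TunnelAddress=vpn.contoso.example
VpnStrategy=3
HideRememberPassword=1
"""


def parse_cms(text):
    """Parse .cms text; key case is preserved because CM keys are CamelCase."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def lint_profile(text, enrollment_complete):
    """Return a list of findings; an empty list means the profile passes.

    enrollment_complete=False tolerates the L2TP-first/PPTP-fallback strategy
    that intranet enrollment needs. Once users have certificates only
    L2TP-only is accepted: a standing fallback lets anyone who can make the
    L2TP/IPSec negotiation fail downgrade the client to PPTP.
    """
    cm = parse_cms(text)["Connection Manager"]
    findings = []

    if cm.get("Tunnel", "0") != "1":
        findings.append("Tunnel (VPN) is not enabled in the profile")

    strategy = cm.get("VpnStrategy", "")
    if strategy not in STRATEGY:
        findings.append(f"unknown VpnStrategy value {strategy!r}")
    elif strategy in ("1", "2"):
        findings.append(f"VpnStrategy is {STRATEGY[strategy]}: PPTP must not be preferred")
    elif strategy == "4" and enrollment_complete:
        findings.append("VpnStrategy is L2TP first: remove the PPTP fallback "
                        "once certificates are deployed")

    if cm.get("HideRememberPassword", "0") != "1":
        findings.append("Save Password check box is still shown; "
                        "set HideRememberPassword=1")
    return findings


if __name__ == "__main__":
    for label, text, done in (("rollout", ROLLOUT_CMS, False),
                              ("rollout, after enrollment", ROLLOUT_CMS, True),
                              ("hardened", HARDENED_CMS, True)):
        print(label, lint_profile(text, done) or "OK")
```

Run the check with enrollment_complete=False while users are still obtaining certificates and with enrollment_complete=True once they have them; the second run flags the PPTP fallback that the first run tolerates, which is the setting most likely to be forgotten after rollout.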

Distributing Your Connection Manager Service Profiles

There are several ways to distribute your service profile, each with costs and benefits. Choose one of the following methods, or provide more than one method to give your users a choice.

Distributing Service Profiles on CD or Floppy Disk

You can distribute CDs or floppy disks containing your self-installing Connection Manager package. Connection Manager and the service profile fit on a floppy disk. However, if you want to include other programs, such as anti-virus software, you might need more space than a floppy disk provides, so a CD is a better choice.

The benefit of distributing this way is that you can physically hand a copy to every user or send copies through the mail. However, this method can be costly and has little inherent security: anyone who obtains or copies the disk obtains the profile.

Distributing Service Profiles by E-mail

You can send a service profile to your users through e-mail. If you do, ensure that users can receive .exe files, because many e-mail systems block executable attachments. Because you are asking users to run an executable that arrives by e-mail, give them a way to confirm that it is genuine (for example, a digital signature on the package or a hash published on an internal site), so that they do not learn to run whatever arrives in their inbox.

Distributing Service Profiles by Download

You can set up a Web site where users can download the service profile. Desktop users can download to a floppy disk, and portable-computer users can download directly to their computers from a Web site inside your network.

It is also possible to make the service profile available for download from a Web site on the Internet. However, identify the security risks to your organization before posting your service profile on an Internet site: the profile discloses your access numbers and VPN server addresses to anyone who downloads it, and an attacker who can alter the download can point users at a server of the attacker's choosing.

Pre-installing Service Profiles

You can install the service profile on each client individually. The benefit of this method is that users are not required to install anything themselves, which can reduce user frustration and calls to your help desk. However, this method requires administrator or help desk time during the initial installation, which can place a significant demand on resources during the rollout phase of your deployment. This method is useful when there are a small number of client computers or when all of the client computers and devices are controlled by your organization.

Combining Distribution Methods

You can also use a combination of distribution methods. For example, a company could distribute the Connection Manager service profiles on CD to users who work from their own computers from remote locations, provide downloads for local employees who have portable computers, and pre-install the service profile on any new portable computers before distribution.




Microsoft Corporation Microsoft Windows Server 2003 Deployment Kit(c) Deploying Network Services 2003
Year: 2004
Pages: 146
