Example: Deploying Remote Access Clients


A large company, Contoso Ltd., is redesigning remote access infrastructure. Contoso decides to use the Connection Manager family of products to provide managed remote access to their company network through both dial-up connections and VPN connections. The new VPN server allows both PPTP and L2TP/IPSec VPN connections.

Contoso contracts with an ISP, A. Datum Corporation, to provide bulk dial-up Internet access. Under the arrangement, A. Datum will provide single sign-on for users using their Contoso credentials. This is accomplished by using a Remote Authentication Dial-In User Service (RADIUS) proxy to forward connection requests to a Contoso RADIUS server using a realm name agreed to by both A. Datum and Contoso. For more information about deploying a RADIUS proxy and RADIUS server, see "Deploying IAS" in this book.

Contoso has the following primary objectives for providing a remote access solution to its users:

  • Allow local users to connect to the corporate intranet with direct dial using a local phone number, which dials directly into Contoso's remote access servers.

  • Reduce costs by eliminating the need for toll free (1-800) dial-up access numbers for users traveling within the United States. The company has a contract with A. Datum to provide dial-up access numbers to the Internet, which will be used to carry VPN connections to the company.

  • Provide all users with automatic phone book updates when dial-up access numbers change.

  • Allow users to connect by making a VPN connection to the corporate intranet over their existing connections to the Internet, such as digital subscriber line (DSL) and cable modem connections.

The company would also like to improve the connection experience for their users in the following ways:

  • Provide a simplified method of setting up all types of connections on a variety of Windows operating systems.

  • Provide a unified phone book for all access numbers.

  • Provide a customized user interface for the connection client, including custom icons and graphics.

  • Provide a single sign-on experience for double-dial VPN users by using a realm name and a RADIUS proxy.

The Connection Manager family of products provides Contoso with solutions to meet all of these goals.

Contoso Prepares Phone Books

Before Contoso creates the Connection Manager service profile, they create the local phone book file (Contoso.pbk) and the region file (Contoso.pbr). These files contain the local phone numbers that allow users to dial directly into Contoso's corporate intranet.

The company also receives a phone book file (Adatum.pbk), a region file (Adatum.pbr), and an update URL (http://pbupdate.adatum.com) from A. Datum, the ISP. To incorporate the phone numbers from the ISP, Contoso creates a component service profile that it will merge into a top-level profile.

The company creates a phone book that includes all the direct-dial numbers for users to the company. Contoso performs the following steps to create the phone book:

  1. Installs CPS and PBA. For more information about installing and running PBA, see "Providing Connection Manager Phone Book Support" earlier in this chapter.

  2. Runs PBA.

  3. Creates a new phone book named Contoso.

  4. Uses the Region Editor to enter the regions for these numbers.

  5. Adds POP entries and enters the information for each phone number.

  6. Publishes the phone book.

To provide phone book updates, Contoso installs PBS on a computer running a member of the Windows Server 2003 family. The phone books from the ISP are already in the form of a phone book file (Adatum.pbk) and a region file (Adatum.pbr), so Contoso does not have to create any additional phone book files.

Contoso Creates Service Profiles

Contoso uses the "Preparation for Running the CMAK Wizard" worksheet to collect all the information necessary to run the CMAK wizard. This information is used to create a component profile, which includes the phone numbers and the update URL provided by the ISP, and the top-level profile, which is the service profile the company will distribute to its users.

Preparing to Create the Component Profile

A. Datum supplies Contoso with a phone book file (Adatum.pbk) and a region file (Adatum.pbr), as well as a phone book update URL. Contoso uses this information to create a component profile. Contoso also includes the realm name, @contoso.com, agreed to by both Contoso and A. Datum. The realm name identifies the Contoso user and allows A. Datum to forward the RADIUS messages to the RADIUS server for Contoso, as shown in Figure 9.5.

Figure 9.5: Double-Dial Using RADIUS Proxy

Figure 9.6 shows the worksheet that Contoso uses to create the component profile.

Figure 9.6: Preparation for Running the CMAK Wizard - Component Profile

Important

Figure 9.6 only shows the portions of the "Preparation for Running the CMAK Wizard" worksheet that Contoso customizes to create the component profile. To see the entire blank worksheet to help prepare to run the CMAK wizard, see "Preparation for Running the CMAK Wizard" (DNSRAC_1.doc) on the Windows Server 2003 Deployment Kit companion CD (or see "Preparation for Running the CMAK Wizard" on the Web at http://www.microsoft.com/reskit).

Preparing to Create the Top-Level Profile

Contoso then creates its top-level profile, merging the component profile into the top-level profile, which is the service profile that Contoso will distribute to its users. Additional information about files included in this profile, such as CMProxy.txt and CMRoute.txt, is discussed in the following section.

Figure 9.7 through Figure 9.13 show the worksheet that Contoso uses to create the top-level profile and complete the CMAK wizard.

Important

Figure 9.7 through Figure 9.13 only show the portions of the "Preparation for Running the CMAK Wizard" worksheet that Contoso customizes to create the top-level profile. To see the entire blank worksheet to help you prepare to run the CMAK wizard, see "Preparation for Running the CMAK Wizard" (DNSRAC_1.doc) on the Windows Server 2003 Deployment Kit companion CD (or see "Preparation for Running the CMAK Wizard" on the Web at http://www.microsoft.com/reskit).

Figure 9.7: Preparation for Running the CMAK Wizard - Top-Level Profile (page 1)

Figure 9.8: Preparation for Running the CMAK Wizard - Top-Level Profile (page 2)

Figure 9.9: Preparation for Running the CMAK Wizard - Top-Level Profile (page 3)

Figure 9.10: Preparation for Running the CMAK Wizard - Top-Level Profile (page 4)

Figure 9.11: Preparation for Running the CMAK Wizard - Top-Level Profile (page 5)

Figure 9.12: Preparation for Running the CMAK Wizard - Top-Level Profile (page 6)

Figure 9.13: Preparation for Running the CMAK Wizard - Top-Level Profile (page 7)

Based on the decisions to provide routing table updates, automatic proxy configuration, and custom graphics, Contoso creates several files before running the CMAK wizard:

  • A route update file, CMRoute.txt.

    This plain text file includes information required to add or delete routes in the following format:

         Command Destination mask Netmask Gateway metric Metric if Interface 

    Certain parameters can contain the value of default. In those cases, the appropriate information from the client computer is used.

    The file CMRoute.txt contains the following text to make all locations in the address range 192.168.0.0/16 reachable through the VPN connection:

         ADD 192.168.0.0 MASK 255.255.0.0 default METRIC default IF default 

    For more information about including routing table updates, see "Including Routing Table Updates" in Help and Support Center for Windows Server 2003.

  • A proxy setting file, CMProxy.txt.

    This plain text file includes information to ensure that the user has appropriate access to internal and external resources.

    The proxy setting file for Contoso, CMProxy.txt, includes the following information:

         [Automatic Proxy]
         AutoProxyEnable=1
         [Manual Proxy]
         ProxyEnable=1
         ProxyServer=Contosoproxy:80
         ProxyOverride=<local>

    For more information about using automatic proxy configuration, see "Using Automatic Proxy Configuration" in Help and Support Center for Windows Server 2003.

  • Bitmap (.bmp) files for each of the custom graphics.

    Contoso creates custom bitmap files for the logon bitmap (330 x 140 pixels) and the phone book bitmap (114 x 309 pixels).

  • Icon (.ico) files for each of the custom icons.

    Contoso creates custom icon files for the program icon (32 x 32 pixels) and the title bar icon (16 x 16 pixels). Contoso leaves the default notification area icon to show the connection status in the notification area.
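As an added example (not part of the Deployment Kit and not Contoso's own files), the following Python script lints the two text files described above before they are merged into the profile. It parses CMRoute.txt lines in the Command Destination MASK Netmask Gateway METRIC Metric IF Interface format, rejects non-contiguous netmasks and destinations with host bits set, flags any ADD route that falls outside an allowed intranet range (192.168.0.0/16 here, an assumed policy input; a 0.0.0.0/0 entry would send all client traffic through the tunnel), and reads CMProxy.txt as an INI file to confirm the keys the page lists. The sample file contents are constructed from the page's entries plus deliberately faulty lines, and the validity rules are the example's own, not the behaviour of CMAK's parser.

```python
"""Lint CMRoute.txt and CMProxy.txt contents before they go into a CMAK profile.

Added example, not Deployment Kit or Contoso code. Validity rules are assumptions.
"""
import configparser
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: line 1 is the page's own entry; lines 3-5 are faulty on purpose.
SAMPLE_CMROUTE = """\
ADD 192.168.0.0 MASK 255.255.0.0 default METRIC default IF default
ADD 192.168.10.0 MASK 255.255.255.0 192.168.0.1 METRIC 5 IF default
ADD 0.0.0.0 MASK 0.0.0.0 default METRIC default IF default
ADD 192.168.5.0 MASK 255.255.0.255 default METRIC default IF default
ADD 192.168.5.1 MASK 255.255.255.0 default
"""

# Constructed sample: the page's CMProxy.txt contents, one key per line.
SAMPLE_CMPROXY = """\
[Automatic Proxy]
AutoProxyEnable=1
[Manual Proxy]
ProxyEnable=1
ProxyServer=Contosoproxy:80
ProxyOverride=<local>
"""

# Assumed policy: ADD routes may only steer intranet ranges into the tunnel.
ALLOWED_DESTINATIONS = [ipaddress.ip_network("192.168.0.0/16")]


@dataclass
class RouteEntry:
    command: str
    network: ipaddress.IPv4Network
    gateway: str
    metric: str
    interface: str


def _netmask_to_prefixlen(mask: str) -> int:
    """Accept only contiguous dotted-quad netmasks (ones followed by zeros)."""
    mask_int = int(ipaddress.IPv4Address(mask))
    host_bits = (~mask_int) & 0xFFFFFFFF
    if host_bits & (host_bits + 1):          # trailing ones must be 2**k - 1
        raise ValueError(f"non-contiguous netmask {mask}")
    return 32 - host_bits.bit_length()


def parse_cmroute_line(line: str) -> RouteEntry:
    """Parse 'Command Destination MASK Netmask Gateway METRIC Metric IF Interface'."""
    tokens = line.split()
    if len(tokens) != 9:
        raise ValueError(f"expected 9 fields, got {len(tokens)}")
    command, dest, kw_mask, mask, gateway, kw_metric, metric, kw_if, iface = tokens
    if command.upper() not in ("ADD", "DELETE"):
        raise ValueError(f"unknown command {command}")
    if (kw_mask.upper(), kw_metric.upper(), kw_if.upper()) != ("MASK", "METRIC", "IF"):
        raise ValueError("keywords must be MASK, METRIC and IF in that order")
    # strict=True rejects a destination with host bits set (e.g. 192.168.5.1/24).
    network = ipaddress.IPv4Network(f"{dest}/{_netmask_to_prefixlen(mask)}", strict=True)
    if gateway.lower() != "default":
        ipaddress.IPv4Address(gateway)       # raises ValueError if not an IPv4 address
    if metric.lower() != "default" and int(metric) < 0:
        raise ValueError(f"negative metric {metric}")
    # Assumption: only the 'default' placeholder is recognised for the interface field.
    return RouteEntry(command.upper(), network, gateway, metric, iface)


def lint_cmroute(text: str, allowed=ALLOWED_DESTINATIONS) -> Tuple[List[RouteEntry], List[str]]:
    """Parse every non-blank line; return parsed entries and a list of findings."""
    entries, findings = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            entry = parse_cmroute_line(line)
        except ValueError as exc:
            findings.append(f"line {lineno}: {exc}")
            continue
        entries.append(entry)
        if entry.command == "ADD" and not any(entry.network.subnet_of(a) for a in allowed):
            findings.append(f"line {lineno}: ADD route {entry.network} is outside the allowed ranges")
    return entries, findings


def check_cmproxy(text: str) -> dict:
    """Read CMProxy.txt as INI and report the effective proxy settings plus findings."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str                     # keep key case exactly as written
    cp.read_string(text)
    findings = []
    for section, key in (("Automatic Proxy", "AutoProxyEnable"), ("Manual Proxy", "ProxyEnable")):
        if cp.get(section, key, fallback=None) not in ("0", "1"):
            findings.append(f"{section}/{key} must be 0 or 1")
    server = cp.get("Manual Proxy", "ProxyServer", fallback="")
    if cp.get("Manual Proxy", "ProxyEnable", fallback="0") == "1" and ":" not in server:
        findings.append("ProxyEnable=1 but ProxyServer is not host:port")
    override = cp.get("Manual Proxy", "ProxyOverride", fallback="")
    return {"proxy_server": server,
            "bypass_local": "<local>" in override.split(";"),
            "findings": findings}


if __name__ == "__main__":
    routes, route_findings = lint_cmroute(SAMPLE_CMROUTE)
    print(f"{len(routes)} routes parsed; findings:")
    for finding in route_findings:
        print(" ", finding)
    print(check_cmproxy(SAMPLE_CMPROXY))
```

Run the script against the real CMRoute.txt and CMProxy.txt by reading the files into the two functions; any finding is worth resolving before the profile is built, since the route file changes the client's routing table for every user who installs Contoso.exe.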

Contoso Uses CMAK to Create the Service Profiles

After completing these worksheets, the company completes the CMAK wizard using this information.

The company completes the following steps to run the CMAK wizard:

  1. Install CMAK from the Windows Component Wizard.

  2. Create the component profile based on the information gathered in the component profile worksheet (Figure 9.6).

  3. Create the top-level profile, merging the component profile to include the phone book provided by the ISP. The top-level profile is completed by using the information gathered in the top-level profile worksheet (Figure 9.7 to Figure 9.13).

Contoso Tests Its Remote Access Solution

After creating the top-level service profile, Contoso tests its entire remote access solution before rolling it out. To test both the client and server aspects of the remote access solution, Contoso installs the Connection Manager profile onto a computer running each operating system the company supports and runs each possible user scenario. The company tests for the following from the Connection Manager client of each operating system:

  • A VPN connection to the company's VPN remote access server.

  • A direct-dial connection to the company's dial-up remote access server. By reviewing the Connection Manager log file, Contoso also confirms that the phone books are updating from the update URL provided by the company.

  • A double-dial connection to several phone numbers provided by the ISP to ensure that the RADIUS proxy is forwarding the RADIUS messages to the Contoso RADIUS server. By reviewing the Connection Manager log file, Contoso also confirms that the phone books are updating from the update URL provided by A. Datum.

Distributing the Connection Manager Profile

After thoroughly testing the entire remote access solution, Contoso distributes the Connection Manager service profile Contoso.exe to users at the company. Contoso uses a combination of distribution methods: the service profile is made available for download from the company's corporate network, and the service profile is preinstalled onto all new portable computers before distributing them.

The service profile can be downloaded from inside the corporate network and either installed on portable computers or saved to floppy disk and installed later on the user's home computer.

After the user has Contoso.exe on their computer, the user installs and sets up Connection Manager by using the following procedure.

  • To install Contoso.exe

    1. Double-click Contoso.exe.

    2. Click Yes when prompted to install Remote access to Contoso.

    3. Click My use only to make the connection available to only the intended user and not all users of that computer. The user can also choose to add a shortcut to the connection on the desktop, and then click OK.

    4. After the installation is complete, the user selects a primary and backup phone number or chooses to connect over their existing Internet connection.

Tip

The user can create additional settings for home, travel, or other locations. Users create these customized settings by using the New button on the General tab of the Remote access to Contoso Properties dialog box and access them by using the Use settings for list on the Remote access to Contoso dialog box.

  • To select a phone number

    1. Click Properties in the Remote access to Contoso dialog box.

    2. On the General tab of the Remote access to Contoso Properties dialog box, click Dial a phone number to connect.

    3. Click Phone Book to specify a phone number and a backup number.

  • To use an existing connection to the Internet

    1. Click Properties in the Remote access to Contoso dialog box.

    2. On the General tab of the Remote access to Contoso Properties dialog box, click I am already connected to the Internet.

    3. Click OK to return to the Remote access to Contoso dialog box.

    4. Enter the user credentials and connect to the Contoso intranet.




Microsoft Corporation Microsoft Windows Server 2003 Deployment Kit(c) Deploying Network Services 2003
Year: 2004
Pages: 146
