Chapter 5: Planning, Implementing, and Maintaining an Internet Connectivity Strategy


Introduction

Internet connectivity is no longer a luxury for most businesses; it is a necessity. Employees use the Internet to exchange e-mail with clients, suppliers, and co-workers in other physical locations; to conduct research via the Web; and to remotely access the local area network (LAN) from home or when on the road. Creating an effective policy for implementing and managing the organization’s Internet connections is an important part of the Windows Server 2003 network administrator’s job.

This chapter is about how to develop the best strategy for connecting your company’s Windows Server 2003 network to the Internet. We’ll discuss connecting the LAN to the Internet using routed connections or translated connections (via Internet Connection Sharing or the Routing and Remote Access Service’s Network Address Translation component). You’ll learn how to use both Internet-based virtual private networks (VPNs) and router-to-router VPNs to provide connectivity to the company’s LAN from remote locations or to connect two branch offices. We’ll discuss the intricacies of demand-dial/on-demand connections and persistent connections, and explain the difference between one-way and two-way initiation. We’ll also show you how to use Remote Access Policies to control VPN connections, and we’ll discuss VPN protocols supported by Windows Server 2003 and how to make VPN connections using either the Point-to-Point Tunneling Protocol (PPTP) or the Layer 2 Tunneling Protocol (L2TP). You’ll learn about VPN security and the authentication and encryption protocols that make your virtual network private.

Next, we’ll take a look at the Internet Authentication Service (IAS) and how it can provide centralized user authentication and authorization, centralized auditing and accounting, and extensibility and scalability. You’ll learn about IAS integration with the Windows Server 2003 Routing and Remote Access Service (RRAS), and how to control authentication via Remote Access Policies. We’ll show you how to use the IAS Microsoft Management Console (MMC) snap-in and how to implement monitoring of IAS, and we’ll discuss the use of the IAS Software Development Kit (SDK). Then we’ll delve a little deeper into the IAS authentication methods and discuss Remote Authentication Dial-In User Service (RADIUS) access server support, wireless access points (WAPs), and authenticating switches.

In the next section, we’ll walk you through the process of using the Connection Manager Administration Kit (CMAK) to create service profiles, custom actions, and custom help files, as well as VPN support, to make it easier for nontechnical users to connect remotely without needing to do complex configuration. We’ll talk about security issues pertaining to Connection Manager, and show you how to prevent editing of service profile files, how to prevent users from saving their passwords, and how to distribute service profiles securely.




MCSE Planning and Maintaining a Windows Server 2003 Network Infrastructure. Exam 70-293 Study Guide and DVD Training System
ISBN: 1931836930
EAN: 2147483647
Year: 2003
Pages: 173
