Using Connection Manager

EXAM 70-293 OBJECTIVE 2, 2.3

Connection Manager is a Windows application that enables a client to initiate a dial-up or VPN connection to a server running RRAS. To set up a connection, you need to know whether you are using dial-up, VPN, or another connection type; the phone number or VPN server to connect to; and other information.

Fortunately, if you frequently have clients or employees that need to create a connection to the RRAS server, you can distribute a customized version of Connection Manager that already contains most of the required information to connect to the server. Microsoft distributes the Connection Manager Administration Kit (CMAK), which guides you through the process of customizing Connection Manager and creating a distribution package.

Using CMAK

CMAK works as a Wizard that presents a series of questions about the connection you are using, and then creates a custom service profile that can be used with Connection Manager to easily initiate the connection.

Installing and Running CMAK

CMAK is included with Windows Server 2003. To install CMAK, follow these steps:

1. Select Start | Control Panel | Add or Remove Programs.

2. Select the Add/Remove Windows Components option.

3. Select Management and Monitoring Tools from the list and click Details.

4. Check the box next to Connection Manager Administration Kit, as shown in Figure 5.15.

   
   Figure 5.15: Installing CMAK

5. Click OK, and then click Next to complete the installation. You will need the Windows Server 2003 CD-ROM.

After CMAK is installed, select Start | Programs | Administrative Tools | Connection Manager Administration Kit to launch the Wizard. Exercise 5.08 guides you through the process of using CMAK to create a simple service profile.

Exercise 5.08: Using the Connection Manager Administration Kit

The CMAK prompts you for several items of information. Follow these steps to use CMAK:

1. Select Start | Programs | Administrative Tools | Connection Manager Administration Kit.

2. An introductory window is displayed. Click Next to continue.

3. The next window asks whether you wish to create a new service profile or edit an existing one. Select the New profile option and click Next.

4. You are now prompted for a service name. Enter Test Connection in the Service name text box and test in the File name text box, as shown in Figure 5.16. Then click Next.

   
   Figure 5.16: Specify a Service Name and Filename

5. The next window asks whether you will be using a realm name. This allows you to add a standard prefix or suffix to usernames. Select Do not add a realm name to the user name and click Next to continue.

6. The Merge Profiles window is displayed. This allows you to merge phone numbers or other information from other profiles to the new profile. Click Next to continue.

7. The VPN Support window is displayed. This allows you to specify that a VPN connection will be created. Check the box next to Phone book from this profile and enter server1 in the VPN Server name or IP Address text box, as shown in Figure 5.17. Then click Next.

   
   Figure 5.17: Specify VPN Support

8. The VPN Entries window is displayed. Here, you can choose an existing VPN connection for the profile to support or create a new entry. Click Next to continue.

9. The Phone Book window is displayed. You can select a phone book file to provide access numbers to clients. Disable the Automatically download phone book updates option and click Next.

10. The Dial-up Networking Entries window is displayed. You can choose a current dial-up networking entry to use with the profile or create a new one. Click Next to continue.

11. The Routing Table Update window is displayed. Click Next to continue.

12. The Automatic Proxy Configuration window is displayed. Here, you can specify settings for a proxy server to be used with the connection. Click Next to continue.

13. The Custom Actions window is displayed. Custom actions are described later in this section. Click Next to continue.

14. The Logon Bitmap window is displayed. You can choose a default graphic or your own 330-by-140 pixel graphic to be displayed in the Connection Manager dialog box. Click Next to continue.

15. The Phone Book Bitmap window is displayed. You can choose a default graphic to be displayed in the phone book dialog box or specify a custom 114-by-309 pixel graphic. Click Next to continue.

16. The Icons window is displayed. You can choose custom icons for the connection or use the defaults. Click Next.

17. The Notification Area Shortcut Menu window is displayed. You can choose items to be included in a menu available from the icon in the notification area. This is useful to provide a default list of Internet applications, such as Web browsers or e-mail programs. Click Next to continue.

18. The Help File window is displayed. You can use a custom help file, as described later in this section. Click Next to continue.

19. The Support Information window is displayed. Enter a single line of text that will be displayed in the Connection Manager dialog box and click Next to continue.

20. You can choose whether to include the installation files for Connection Manager with your service profile. Select Install Connection Manager and click Next to continue.

21. In the next window, you can specify an optional text file to be displayed as a license agreement. Click Next to continue.

22. The Additional Files window is displayed. You can specify any files you wish to be included with the distribution. Click Next to continue.

23. The Ready to Build the Service Profile window is displayed, as shown in Figure 5.18. Click Next to begin building the service profile.

    
    Figure 5.18: Ready to Build the Service Profile

24. A final window is displayed after your profile is created. Click Finish to exit the Wizard.

Service Profiles

When you complete the CMAK Wizard, your connection profile is stored as a self-extracting executable file. Any additional files you specified are also included in the distribution directory. CMAK creates a directory for your profile, typically under C:\Program Files\CMAK\Profiles. If you are distributing your customized version of Connection Manager to customers or employees, copy the files in this directory to a floppy disk or CD-ROM, or share the folder and provide them with the network path.

Custom Actions

CMAK supports custom actions, to run programs automatically during the Connection Manager process. This allows you to incorporate any custom software you wish into the Connection Manager. CMAK supports a variety of different actions that execute at different times:

• Pre-init actions Execute when Connection Manager starts.

• Pre-connect actions, pre-dial actions, and pre-tunnel actions Execute before starting a connection, depending on the type of connection in use.

• Post-connect actions Execute after a successful connection.

• On cancel actions Processed when the user cancels the connection.

• On error actions Used when an error occurs while connecting.

Custom Help

You can specify a custom help file for use with Connection Manager from the Help File window in the CMAK Wizard. You can use the default Connection Manager help file as a basis for your custom version. When you install CMAK, the source files for this help file are stored in the C:\Program Files\CMAK\Support\CMHelp folder. You can use any standard help file development tool, such as Microsoft’s Help Workshop, to modify these files and compile the new help file.

VPN Support

CMAK supports VPN connections as well as dial-up connections. You can specify a VPN server, or a list of servers, and the protocols that will be enabled by default in Connection Manager. This makes it easy for clients with existing Internet connections to connect as VPN clients.

Connection Manager Security Issues

Although customizing Connection Manager with CMAK allows you to simplify the process of connecting to your network, it can also create several potential security issues. The following sections discuss some common security concerns when using CMAK and how you can address them.

Preventing Editing of Service Profile Files

You can edit service profiles using the CMAK Wizard, as explained earlier in this chapter. Only administrators can install this tool on other computers, and users must be members of the Power Users group to run an existing installation of CMAK. However, because the profiles created by CMAK are stored as simple text files, anyone who has access to the text file can modify any of its settings with a text editor.

To minimize the risk of users editing the text files, store them in a secure location. However, once you distribute the files to users, keep in mind that savvy users can edit the text files on their own computers. While this does not compromise your network security, realize that the constraints you created using CMAK might not always be followed.

Client Operating System, File System, and Configuration

CMAK can create Connection Manager profiles for a wide variety of Windows operating systems, which vary greatly in the levels of security they provide. Some features of Connection Manager, such as user certificates, are not supported by older versions of Windows. For maximum security, require users to have a more recent operating system.

Preventing Users from Saving Passwords

When a computer is accessible by multiple users, there is always the risk of an unauthorized user using a connection. To minimize this risk, you can prevent users from using the Remember Password option to store the password for the connection on their computers. To disable this feature, set a value of 1 for the HideRememberPassword option in the connection profile. You can do this by selecting Edit Advanced Options from the CMAK Wizard’s final screen or by editing the .cms file in a text editor.

Secure Distribution of Service Profiles

Your service profile might include private information, such as phone numbers, network server addresses and settings, and pre-shared keys. Depending on the level of detail this information includes, you might need to make sure that only authorized users can download or obtain a copy of your customized Connection Manager.