Exam 70-214: Objective 4.3, 4.4: Configuring Network Clients for Secure Remote Access

Now that we have gone through all the steps for setting up your remote access server, we need to take a look at the other side of the equation: setting up a client to connect to the server. In Exercise 9.07, we look at setting up a Windows 2000 client to use a PPTP VPN connection to connect to a Windows 2000 server configured for remote access VPN connections.

Exercise 9.07: Configuring Windows 2000 for Connecting to a PPTP Server

start example
  1. Right-click the My Network Places icon from the Desktop, and select Properties.

  2. From the Network and Dial-up Connections window, select Make New Connection. The Network Connection wizard (see Figure 9.57) opens.

    Figure 9.57: Creating a VPN Connection

  3. Select Connect to a private network through the Internet, and click Next to continue.

  4. On the Public Network screen, you have the option to have the VPN connection make the initial public network connection for you. Select Do not dial the initial connection, and click Next to continue.

  5. On the Destination Address screen (see Figure 9.58), enter the DNS name or IP address of the VPN server you need to connect to. Click Next to continue.

    Figure 9.58: Entering the VPN Server DNS Name or IP Address

  6. On the Connection Availability screen, select For all users, and click Next to continue.

  7. The Completing the Network Connection wizard opens. Enter a descriptive name for the connection and select Finish to complete the configuration. You should see your new VPN connection in the Network and Dial-up Connections window.

  8. To test your new connection, double-click the new entry. The Connect Virtual Private Connection screen (see Figure 9.59) opens. Enter the user account and password for an account that is authorized to connect via remote access, and click Connect to open the connection. Under no circumstances should you ever select Save Password for a connection of this type. Not only is the storage of the password weak, but if your system is ever compromised, you give the attacker an open invitation to attack your internal network.


    Figure 9.59: Creating a VPN Connection

  9. If your connection is successful, you will see the Connection Complete dialog box. If you do not successfully connect, see the "Troubleshooting Remote Access Problems" portion of this chapter to work out the reason the connection failed.

end example

Once you have a connected VPN connection, you can double-click the entry in the Network and Dial-up Connections window. Doing so will open the Connection Status window, which can give you a snapshot of what is happening with the connection.

We have looked at how to set up a Windows 2000 VPN connection, but how would you do it for other operating systems? Let's get the easy one out of the way: For Windows XP, Microsoft's latest desktop operating system at the time of writing, you would do it in essentially the same way, because XP's connection wizard walks through the same choices (connection type, destination address, availability, and name).

For Windows 98, ME, and Windows NT 4.0 operating systems, you can download the Microsoft L2TP/IPSec VPN Client from www.microsoft.com/windows2000/server/evaluation/news/bulletins/l2tpclient.asp.

To install the Microsoft L2TP/IPSec VPN Client, simply run the MSL2TP.EXE installer file on your computer. This installer provides a menu-driven install process for the Microsoft L2TP/IPSec VPN Client. It will also install the Microsoft IPSec VPN Configuration Utility and the Microsoft L2TP/IPSec VPN Client Help file. To access any of these applications, go to Start | Programs | Microsoft IPSec VPN and select the application you want to look at. You can remove the client using the Add or Remove Programs applet in the Control Panel.

Exam Warning 

The latest version of the Microsoft L2TP/IPSec VPN Client includes support for proposed extensions to the IPSec protocol to support the ability for IPSec to traverse a NAT network. Microsoft plans to support these extensions in Windows .NET Server. However, within the context of this exam, NAT traversal is not supported by the L2TP/IPSec client.

If you install the Microsoft L2TP/IPSec VPN Client under Windows 98 or Windows Millennium Edition, you will find a Microsoft L2TP/IPSec VPN Adapter added to the list of installed network adapters and the Microsoft L2TP/IPSec VPN Adapter 1 added to the list of available devices for a dial-up network connection.

If you install the Microsoft L2TP/IPSec VPN Client under Windows NT Workstation 4.0, you will find the RASL2TPM added to the list of devices for remote access and the RASL2TPM (VPNx) added to the list of available devices for a phonebook entry in Dial-Up Networking.

Exam 70-214: Objective 4.5: Using the Connection Manager Administration Kit

This handy utility, the Connection Manager Administration Kit (CMAK), is very badly documented and undersold as an additional tool on a Windows 2000 Server. You no longer have to buy the Internet Explorer Administration Kit in order to distribute fully configured remote access connections to users. These connections can be customized completely: your own company logos and icons, a help desk telephone number prominently displayed, automatic download of up-to-date phone book entries, key applications launched once the remote connection is established, and so on. Alternatively, users can keep the standard defaults, and you supply only the basic connection details the client's dialer program requires.

The Connection Manager Administration Kit wizard steps you through configuring a service profile: the set of files required to configure remote users' connection details, bundled into a self-installing executable file that you distribute to users who need remote access. This service profile will work on any 32-bit Windows platform and requires, in all, about 1MB of free hard disk space. Users must have the Connection Manager v1.2 software installed in order to use your configuration options; that software can be included in the service profile. If they already have it installed, the disk space required is greatly reduced (about 200KB).

The CMAK wizard steps you through the relevant stages of creating a customized connection utility (dialer) for your users. These steps can include adding a help desk telephone number, including your own customized bitmaps and icons, specifying programs to run automatically when connected, including a customized help file, and even adding the PPTP protocol for Windows 9x users. (This last capability must first be installed manually on NT4 machines.) The only stipulations are that users have a modem of at least 9600 baud and that TCP/IP is installed before the profile is installed.

The last page of the wizard tells you where the self-extracting cabinet file is located so you can distribute it to users, for example on CD or by allowing users to download it from your FTP site. When users run the file, they have a choice of creating a Desktop shortcut for their connection or selecting it from their Network and Dial-Up Connections (or equivalent). When you distribute this file to remote users and partners, there is far less chance of them failing to reach your remote access servers through a misconfigured connection, and it looks very professional because it is all preconfigured and can be branded with your own company image.

However, before using the CMAK, you must ensure that your RRAS and IAS work as designed by manually creating connections and testing your server setup. Once these connections are confirmed as working, you can use these details to define the connections for your users.

This section steps you through the following:

  • Manually defining connections

  • Using the CMAK

  • How users install and use Connection Manager

Manually Creating the Connections

We assume that you successfully installed and configured the interfaces that will be used for your connections; in other words, your modem(s) on the RAS server and Internet connection and the modem on your remote access client.

Windows 2000 makes the process of defining dial-up connections for the client side incredibly easy with the Make New Connection option under Network and Dial-Up Connections. This tool loads the Network Connection wizard, which prompts you for the type of connection required. Choose Dial-up to private network to specify RAS connections or Dial-up to the Internet to specify an ISP connection.

For the RAS connection, you simply need to supply the telephone number of your RAS server's modem. The ISP connection will probably load the Internet Connection wizard; make sure that you select the last option, I want to set up my Internet connection manually, or I want to connect through a local area network (LAN).

After you have created the connections, you can right-click them and select Properties to fine-tune their settings, for example the number of redial attempts and the timeout value, whether to include the Windows logon domain in the credentials, authentication requirements, which protocols should be used, and so on. Note that a VPN connection has Automatic selected under the Networking tab for Type of VPN server I am calling. This means that L2TP/IPSec will be tried first, and then PPTP. If you know users will not use L2TP/IPSec, you can change this setting to Point-to-Point Tunneling Protocol (PPTP) instead to ensure a faster connection; if your policy requires L2TP/IPSec, set that explicitly so the client cannot silently fall back to PPTP.

Once you are happy that all connections are working satisfactorily, you are ready to use the CMAK to distribute these settings to users. If you prefer not to use the CMAK, you can supply information for users on how to create their own connections manually.

Creating a Static Phone Book

The simplest phone book you could create would hold one connection, for example the telephone number of your RAS server or, if you're specifying a VPN connection, the telephone number of the ISP (the VPN server details will be added with the Connection Manager Administration Kit). When you have multiple RAS servers and multiple ISPs, you must decide whether to create one big phone book and let the user choose the appropriate connection or to deploy multiple phone books, each containing only the relevant connections.

The two files you need when specifying a static phone book are the .pbk file and a .pbr file. These files must be in the same directory, share the same base name, and follow the DOS-style naming limitation (no spaces, a maximum of eight characters in the base name).

The .pbr file is a region file that you create manually as a text file. Its format is simple: The first line contains the number of regions you want to define (for example, if you had only one region, such as London, this would be the number 1). The remaining entries, one per line, are the names of your regions. A three-region file looks like this:

3
London
Paris
New York

The format of the phone book is 11 fields, separated by commas and all filled. If a field has no value, it should contain the number 0. Although this file can be created manually by entering the information in a text file, we will discuss an easier way to create a phone book later in the section. The format of this file for each entry is the following:

Index,TAPICountryOrRegionID,StateOrProvinceID,POPName,AreaCode,PhoneNumber,MinBaud,MaxBaud,Reserved,ServiceType,DUNEntry

For example, a single entry for the UK (TAPI country code 44) that refers to our first region (StateOrProvinceID 1), where the point-of-presence name is Company (the text label for this phone number), the area code is 0208, the telephone number is 5441122, only modem access is allowed (ServiceType 41), and the Dial-Up Networking entry is named Company RAS Server, looks like this:

1,44,1,Company,0208,5441122,0,0,0,41,Company RAS Server

Save the file with the matching name and the .pbk extension, and you have created your first phone book.
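The region file and phone book described above are plain text with a fixed layout, which makes them easy to generate and to sanity-check before you hand them to the CMAK (which refuses a .pbk with no matching .pbr). The following is an added example for this section, not code from the book, the CMAK, or Microsoft. It builds the two files from the book's own sample data (the London/Paris/New York regions and the Company entry), writes them side by side under a shared base name, and validates the result: eleven fields per line, no empty field, a region index that actually exists in the .pbr, and an 8-character, space-free base name. Two details go beyond what the text states and are marked as assumptions in the code: that the Index field uniquely identifies an entry, and that "DOS-style" naming means letters, digits, and underscores only. The ServiceType value 41 is copied from the book's example rather than decoded.

```python
"""Static Connection Manager phone book (.pbr/.pbk) builder and checker.

Added example for this section; not code from the book, the CMAK, or Microsoft.
It encodes only what the text states (region count + names in the .pbr, eleven
comma-separated fields per .pbk line with 0 for unused fields, shared 8.3-style
base name). Anything beyond that is labelled as an assumption below.
"""
import os
import re
import tempfile

PBK_FIELDS = (
    "Index", "TAPICountryOrRegionID", "StateOrProvinceID", "POPName",
    "AreaCode", "PhoneNumber", "MinBaud", "MaxBaud", "Reserved",
    "ServiceType", "DUNEntry",
)
NUMERIC_FIELDS = ("Index", "TAPICountryOrRegionID", "StateOrProvinceID",
                  "MinBaud", "MaxBaud", "Reserved", "ServiceType")
# Assumption: "DOS-style" base name = letters/digits/underscore, 1-8 chars.
BASENAME_RE = re.compile(r"^[A-Za-z0-9_]{1,8}$")


def basename_ok(basename):
    """True if the shared base name fits the 8-character, no-space limit."""
    return bool(BASENAME_RE.match(basename))


def build_pbr(regions):
    """Region file text: region count on line 1, then one region per line."""
    return "\n".join([str(len(regions)), *regions]) + "\n"


def parse_pbr(text):
    """Return the region names, refusing a file whose count is wrong."""
    lines = text.splitlines()
    count, names = int(lines[0]), lines[1:]
    if count != len(names):
        raise ValueError(f".pbr declares {count} regions but lists {len(names)}")
    return names


def build_pbk(entries):
    """Phone book text: one 11-field line per POP, unused fields written as 0."""
    lines = []
    for n, e in enumerate(entries, start=1):
        row = [n, e["country"], e["region"], e["pop"], e["area_code"],
               e["number"], e.get("min_baud", 0), e.get("max_baud", 0),
               0, e["service_type"], e["dun_entry"]]
        lines.append(",".join(str(f) for f in row))
    return "\n".join(lines) + "\n"


def validate_pbk(text, regions):
    """Return a list of problems; an empty list means the .pbk is consistent."""
    problems, seen_index = [], set()
    for lineno, line in enumerate(text.splitlines(), start=1):
        fields = line.split(",")
        if len(fields) != len(PBK_FIELDS):
            problems.append(f"line {lineno}: {len(fields)} fields, expected 11")
            continue
        rec = dict(zip(PBK_FIELDS, fields))
        if "" in fields:
            problems.append(f"line {lineno}: empty field (use 0 when there is no value)")
        for name in NUMERIC_FIELDS:
            if not rec[name].isdigit():
                problems.append(f"line {lineno}: {name} must be numeric, got {rec[name]!r}")
        region = rec["StateOrProvinceID"]
        if region.isdigit() and not 1 <= int(region) <= len(regions):
            problems.append(f"line {lineno}: region {region} not defined in .pbr "
                            f"(valid 1..{len(regions)})")
        if rec["Index"] in seen_index:  # assumption: Index identifies the entry
            problems.append(f"line {lineno}: duplicate Index {rec['Index']}")
        seen_index.add(rec["Index"])
    return problems


def write_phone_book(directory, basename, regions, entries):
    """Write <basename>.pbr and <basename>.pbk side by side, then re-check them."""
    if not basename_ok(basename):
        raise ValueError(f"base name {basename!r} breaks the 8-char, no-space rule")
    pbr_path = os.path.join(directory, basename + ".pbr")
    pbk_path = os.path.join(directory, basename + ".pbk")
    with open(pbr_path, "w", newline="\r\n") as f:  # CRLF for the Windows tools
        f.write(build_pbr(regions))
    with open(pbk_path, "w", newline="\r\n") as f:
        f.write(build_pbk(entries))
    with open(pbr_path) as f:
        names = parse_pbr(f.read())
    with open(pbk_path) as f:
        problems = validate_pbk(f.read(), names)
    return {"pbr": pbr_path, "pbk": pbk_path, "problems": problems}


# Constructed sample data mirroring the book's example.
REGIONS = ["London", "Paris", "New York"]
ENTRIES = [{"country": 44, "region": 1, "pop": "Company", "area_code": "0208",
            "number": "5441122", "service_type": 41,
            "dun_entry": "Company RAS Server"}]


def demo():
    """Build the sample pair in a temporary directory and return the result."""
    return write_phone_book(tempfile.mkdtemp(), "Company", REGIONS, ENTRIES)


if __name__ == "__main__":
    result = demo()
    print(result["pbk"], "problems:", result["problems"] or "none")
```

Run the validator on a hand-edited phone book before step 13 of Exercise 9.09; a region number that points past the end of the .pbr, or an empty field that should have been 0, is far easier to find here than in the user's dialer after the profile has shipped.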

Creating a Dynamic Phone Book

This involves creating a phone book with Phone Book Administrator and then transferring it to an FTP site, so that users can download new or changed entries from your Web service when they dial into your company. Phone Book Administrator and the Phone Book Service are installed directly from the Windows 2000 Server CD under VALUEADD | MSFT | MGMT | PBA. Run pbainst.exe, which installs Phone Book Administrator (used to create the phone book entries) and the Phone Book Service, an IIS5 extension that works with the FTP service. You upload connection entries to the site by FTP, and users download phone book updates from your Web site, either automatically (using FTP and a correctly configured profile) or manually.

You need to have your FTP virtual directory ready and configured to accept your phone book. The PBSData virtual directory is created when the Phone Book Service is installed, but you'll need to enable write access to transfer the phone book and ensure that anonymous access is disabled. For security reasons, consider disabling the write permission between phone book transfers. Bear in mind that FTP sends the publishing account's username and password in cleartext, so use a dedicated, low-privilege account for publishing and restrict it to the PBSData directory; anyone who can write there can change the numbers your users dial.

Exercise 9.08 walks you through the process of creating your phone book.

Exercise 9.08: Creating a Dynamic Phone Book

start example
  1. In Phone Book Administrator, click File | New Phone Book and specify the name you want to use (e.g., Company).

  2. Make sure your new phone book entry is highlighted, and select Tools | Regions Editor.

  3. Click Add, and change New Region to the name of the region you want to use (for example, London), press Enter, and click OK.

  4. Click Edit | Add POP (POP stands for point of presence) and you'll see three tabs for Access Information, Settings, and Comments.

  5. In the Access Information tab, fill in the details as appropriate. You'll notice that the Region list box contains the region you previously entered.

  6. Now go into the Settings tab and specify the information you want to supply. The default POP settings are probably not appropriate for your needs, so you might want to remove the Sign on and Multicast options. The Dial-Up Networking entry is very important-this is the name users will see to identify their connection, so choose it with care.

  7. Click OK. You should now see some of your phone book entries in the bottom pane.

  8. Click Tools | Publish Phone Book.

  9. Within the Publish Phone Book dialog box, click the Options button and define your IIS server details together with credentials (username/password) to use the FTP site.

  10. Click OK. You should now see your server details appear on the bottom right of the Publish Phone Book dialog box.

  11. Set a directory (or use the default) and click Create.

  12. The Post button will now become available. Click Post and you'll be prompted to select your dial-up connection and connect.

end example

Running the CMAK

The CMAK can be found in Administrative Tools and, like most Windows 2000 tools, utilizes a wizard to guide you through the process of creating a service profile. Exercise 9.09 shows you how to create a basic service profile, which creates a self-extracting file you could distribute to users.

Exercise 9.09: Creating a Basic Service Profile

start example
  1. On the first page of the CMAK wizard, click Next.

  2. On the Service Profile Source dialog box, click Next to create a new service profile.

  3. The Service and File Names dialog box prompts for the name of a service profile (which will be displayed in the user's connection dialog box) and the name of the self-extracting distribution file. For simplicity, it's a good practice to use the same name for both. Type these names in and click OK.

  4. On the Merged Service Profiles dialog box, click Next.

  5. On the Support Information dialog box, type the text information you want displayed on the user's connection dialog box and click Next.

  6. On the Realm Name dialog box, you can enter a realm. These are used in conjunction with RADIUS, usually to differentiate groups of users or companies. You would typically use this in conjunction with an ISP service. Click Next to continue.

  7. On Dial-Up Networking Entries, click Add and manually type the name you supplied in the phone book. Click OK, and click Next to continue.

  8. On the VPN Support dialog box, you can leave the option unselected and click Next if you're specifying a dial-up RAS connection rather than a VPN connection.

  9. On Connect Actions, unselect all three check boxes and click Next to continue.

  10. On Auto-Applications, click Next.

  11. On the Logon Bitmap dialog box, click Next.

  12. On the Phone Book Bitmap dialog box, click Next.

  13. On the Phone Book dialog box, browse for the static phone book (.pbk) you created. By default, this file would have saved in your My Documents folder. Select the .pbk file so that it's displayed, then click Next. If at this point you don't have a corresponding region file in the same directory, you'll be warned and not allowed to continue.

  14. On the Icons dialog box, click Next.

  15. On the Status-Area-Icon Menu dialog box, click Next.

  16. On the Help File dialog box, click Next.

  17. On the Connection Manager Software dialog box, keep the default of selecting the Connection Manager software, and click Next.

  18. On the License Agreement dialog box, click Next.

  19. On the Additional Files dialog box, click Next.

  20. On the Ready to Build the Service Profile screen, click Next.

  21. You should now see the command prompt window showing the progress of your cabinet file. At the end you'll see the final page showing you that the Connection Manager Administration Kit Wizard has completed and the location and name of your self-extracting file.

end example

You have now successfully used the Connection Manager to create a custom installation file for installing and configuring a remote access session.

Allowing Users to Use the Connection Manager

When users run the self-extracting service profile, they'll be asked whether the connection should be available for all users (a computerwide setting) or for only that user. They'll also be asked whether to add a shortcut for it on the Desktop.

When the program has installed, users will see a dialog box that displays the name of the service profile on the caption bar and the support information supplied when the service profile was created. Before they can connect, they'll need to go into Properties, where they'll see various tabbed options, depending on the options you chose with the CMAK.

The first time Connection Manager is loaded, users will need to select their access number from the phone book; you can't preselect a number as a default. To make sure users do this, have them click the top Phone Book button and select the access number. You'll notice on this dialog box that users can choose alternative service types (if you allowed them) and alternative countries or regions and access numbers.

The Internet Logon tab allows users to specify their company logon and password, which no doubt will be different from their ISP logon. The Options tab sets the number of redial attempts (defaults to 3) and the idle disconnection time (10 minutes), which can be between never and 24 hours. Once you configure any options that need to be set, they will remain set the next time Connection Manager is loaded. The user can then simply click Connect.

MCSE/MCSA Implementing and Administering Security in a Windows 2000 Network: Study Guide and DVD Training System (Exam 70-214)
ISBN: 1931836841
Year: 2003
Pages: 162