
Connections Tasks

The following tasks apply generally to most types of connections you can create.

Enable or Disable a Connection

Network Connections Folder → right-click on connection → Enable/Disable

Be sure to notify users before disabling a connection they are using.

Monitor a Connection

You can monitor the status of your connections a couple of ways:

Network Connections Folder → right-click on an active connection → Status

Right-click on connection icon in system tray (if present) → Status

The General tab displays basic connection statistics. Some connections like VPN also have a Details tab that shows information like the IP address of the remote server, the authentication and encryption methods used, and so on.

You can also monitor the general status of all the connections on your machine by:

Network Connections Folder → View → Details

Share a Connection

See Advanced under Configure a Dial-up Connection later in this section.

Repair a Connection

If a connection stops working properly, you can try repairing it by:

Network Connections Folder → right-click on connection → Repair

Repair renews the DHCP lease, flushes the ARP, NetBIOS and DNS caches, and re-registers the machine's name in WINS and DNS, so it may fix simple issues like an expired DHCP lease or a missing DNS server IP address. After repairing a connection, check it like this:

Network Connections Folder → right-click on connection → Status → Support → Details

If it still doesn't work, open its properties and check its configuration settings.

Configure Remote Access Preferences

For outbound dial-up connections to remote access servers, you can configure your client location information, autodial, and callback settings as follows:

Network Connections Folder → Advanced → Remote Access Preferences → specify your information → OK twice

Enabling autodialing starts an outgoing connection on demand when it's required to access the Internet or a remote access server. Callback lets a remote access server call back a remote client attempting to connect, either to avoid having the client pay the charges or to verify the identity of the client by its phone number. You can also enable connection logging here for troubleshooting purposes.

Callback can be enabled on the client, but the server must also require (or at least allow) it before it is used. The default client setting displays a dialog box during the initial connection attempt asking the user for the phone number the server should use to call the client back. Alternatively, you can require that the server always call the client back at a fixed number, which confirms the identity of the client by its location. The callback settings configured on the remote access server override any callback settings you configure for the outbound dial-up connection on your client computer: the server can require callback, deny callback, or let the client set the callback procedure.

To reconfigure location information or add additional locations, use Phone and Modem Options in Control Panel.

Enable Operator-Assisted Dialing

This feature is toggled on or off using:

Network Connections Folder → Operator-Assisted Dialing

With this feature on, you can double-click on a connection, pick up the telephone, and manually dial the number or ask the operator to do it. Once the number has been dialed, click Dial, wait for the modem to take control of the line (the modem has gone silent at this point), and hang up.

Bridge Connections

You can easily bridge two or more LAN or high-speed Internet connections. Suppose your server has two NICs connected to different network segments. By bridging these connections, computers on each segment can communicate with each other. Note that a bridge forwards traffic between the segments at the data-link layer, so any separation the two segments previously had (for example, between a public and an internal segment) is removed. To bridge connections:

Network Connections Folder → hold down Ctrl and select connections → right-click → Bridge

Configure Binding Order for Connections

If you have several connections of one type (such as remote access), you can rearrange the order in which they are accessed by network services and which network services they can use. Do this as follows:

Network Connections Folder → Advanced → Advanced Settings → move connections or bindings up or down

Dial-up Connections

The following tasks are for outbound dial-up connections to private networks and the Internet.

Create a Dial-up Connection to the Internet

New Connection Wizard → Connect to the Internet → Connect using a dial-up modem → specify ISP name and phone number → specify who can use the connection (only you or anybody) → specify credentials → enable/disable Internet Connection Firewall (ICF)

If you allow the connection to be used by anybody, you can select the "Use this account name and password when anyone connects to the Internet using this connection" option to use the specified credentials for all users.

Create a Dial-up Connection to a Remote Access Server

New Connection Wizard → Connect to the network at my workplace → Dial-up connection → specify company name and phone number → specify who can use the connection (only you or anybody)

An administrator on the remote network must grant remote access permissions for your user account before you can dial up and connect.

Dial a Dial-up Connection

Once a connection has been created, you can dial it by:

Network Connections Folder → double-click on connection → Dial

Note that the administrator on a remote private network must first grant dial-in permission to a user before the user can connect to a remote access server. See Incoming Connections later in this section for more information.

Disconnect a Dial-up Connection

To disconnect an established connection, you can do one of two things:

Double-click on connection → Disconnect

Right-click on connection icon in system tray (if shown) → Disconnect

Configure a Dial-up Connection

When you use the New Connection Wizard to create an outbound dial-up connection, you specify only minimal configuration information for the connection. If you need to further configure the connection, open its properties sheet by:

Right-click on connection → Properties

The configuration options are the same whether you are configuring a dial-up connection to a private network or to the Internet. The following are some of the more important settings on the five tabs of this properties sheet. Note that some remote access terminology is used in this discussion; for an explanation of PPP, BAP, PAP, CHAP, and similar terms, see Routing and Remote Access later in this chapter. Now I'll describe what each tabbed page of options does.

General

Click the Alternates button on the General tab if you want to assign multiple phone numbers to a connection. You can then have the connection try each number in order until it succeeds in establishing a connection. You can also configure it so that successful numbers are moved to the top of the list for future connection attempts.

Select the checkbox to make the connection icon visible in the system tray, as this simplifies the process of monitoring and terminating the connection. The connection icon blinks when data is being transferred, and you can double-click on it to display the status of the connection or right-click on it to terminate the connection.

If you have more than one modem installed, you have additional options on this tab that let you do the following actions.

  • Specify which modem or modems will be used for this connection.

  • Specify the order in which they are used to establish a connection. (If the first modem fails, then the next one in the list is used.)

  • Specify whether they will all call the same numbers.

Options

The Options tab is where you specify redial attempts and whether the connection should automatically terminate after being idle for a period of time. You can also specify that the connection should automatically redial if it is dropped; this is useful for file transfers using FTP, since a transfer can then be resumed without starting over from the beginning.

If you have more than one modem installed and have enabled at least two of them for this connection on the General tab, you have the additional option of Multiple Devices on the Options tab. This new option can be specified as:

Dial all devices (the default selection)

Use this to configure a PPP Multilink dial-up connection. (The remote access server you are dialing must also support PPP Multilink.)

Dial only the first available device

Use this if you want to use multiple modems to provide fault tolerance for your connection.

Dial devices only as needed

Use this to configure a BAP connection for dynamic multilinking. (The remote access server you are dialing must also support BAP.) After you make this selection, click Configure to specify the conditions under which lines are added or dropped to your connection.

Multilink dial-up connections usually don't work if callback is configured on the remote access server. This is because only one callback number can be stored on the server to call the client back, with the result that only the first line in a multilink connection is used. The exception is 2B+D ISDN connections in which both ISDN B channels can have the same number for callback.

Security

The Typical option on the Security tab gives you a series of preconfigured settings for authentication protocols and data encryption schemes. In any case, the remote access client and server negotiate the strongest authentication and data encryption that they are both configured to support. The three settings here are (in order of increasing security):

Allow unsecured password (the default setting)

Allows any authentication protocol, including PAP, and doesn't require data encryption

Require secured password

Doesn't allow PAP and lets you require data encryption

Use smart card

Allows only smart-card authentication and lets you require data encryption

If you want more granular control over which authentication protocols and data encryption schemes the dial-up client supports, select Advanced (custom settings) → Settings. For more information on these various schemes and protocols, see Routing and Remote Access later in this chapter.

Since the default setting allows PAP, which sends your password across the link in clear text, you should change it to Require secured password (and check Require data encryption) whenever the server supports it, especially when connecting to the Internet.

Also on this tab are options for opening an interactive terminal window and running a script during the connection establishment process. These options are usually needed only for legacy SLIP connections.

Networking

On the Networking tab you can specify that the ISP's modem bank or company's remote access server you are dialing into is either PPP or SLIP (it's almost always PPP nowadays). If it is PPP, click Settings to configure advanced PPP features, such as software compression, if they are supported by the server you are calling.

Usually, a dial-up connection to the Internet obtains its client IP address dynamically from the server, and Internet Protocol (TCP/IP) is configured by default to obtain an address automatically. If you need to specify a static IP address for your machine for this connection, you can do so here. Table 4-4 shows which networking components are enabled for Internet versus remote access dial-up connections.

Table 4-4. Network components enabled for outbound dial-up connections

Networking component                            To a private network    To the Internet
Internet Protocol (TCP/IP)                      Yes                     Yes
Client for Microsoft Networks                   Yes                     No
File and Print Sharing for Microsoft Networks   No                      No

Advanced

Formerly labeled "Sharing" in W2K Server, the Advanced tab is used to set up Internet Connection Firewall and to configure Internet Connection Sharing:

Internet Connection Firewall (ICF)

Integrated into WS2003 connections is a stateful firewall that blocks unsolicited inbound traffic to your server while letting in replies to traffic your server initiated. (W2K Server had no equivalent built-in firewall; ICF first appeared in Windows XP.) To configure ICF:

Advanced tab → select Internet Connection Firewall → Settings

Services

This tab lets you choose which inbound ports to open on your connection so that Internet users can reach services on your network. For example, selecting Web Server (HTTP) opens TCP port 80 for inbound traffic. By default, no service is selected and all unsolicited inbound traffic is blocked. Open only the services you actually publish, since each one is a hole in the firewall.

Secure Logging

This tab lets you log the inbound packets your firewall drops, the successful connections it allows, or both, to a text file (pfirewall.log by default). If you use ICF, you should review this log regularly.

ICMP

This tab lets you control which kinds of inbound ICMP packets are allowed through your firewall. ICMP packets are often used to probe networks, and a flood of them may be used in a denial-of-service (DoS) attack to prevent legitimate users from accessing services on your network. By default, all inbound ICMP traffic is blocked.
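Reviewing the Secure Logging output by hand is tedious, so here is an added example (not from the book) of a small parser that summarizes an ICF log for the review the Secure Logging and ICMP tabs call for: which sources are being dropped, on which ports, how many ICMP echo requests were blocked, and which source touched enough distinct ports to look like a scan. It assumes the W3C-style layout ICF writes to pfirewall.log, where a '#Fields:' header names the space-separated columns and '-' marks a field that does not apply; the column names are read from that header rather than hard-coded. The log lines in SAMPLE_LOG are constructed for illustration using documentation addresses.

```python
"""Summarize an Internet Connection Firewall (ICF) log for review.

Added example, not from the book. Assumes the W3C-style layout of
pfirewall.log: '#' header lines, one of which is '#Fields:' naming the
space-separated columns, then one record per line with '-' meaning
'not applicable'. SAMPLE_LOG below is constructed for illustration.
"""
from collections import Counter, defaultdict

SAMPLE_LOG = """\
#Version: 1.0
#Software: Microsoft Internet Connection Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2003-05-12 14:32:01 DROP TCP 203.0.113.5 192.0.2.10 4512 135 48 S 3412345678 0 16384 - - -
2003-05-12 14:32:01 DROP TCP 203.0.113.5 192.0.2.10 4513 139 48 S 3412345679 0 16384 - - -
2003-05-12 14:32:02 DROP TCP 203.0.113.5 192.0.2.10 4514 445 48 S 3412345680 0 16384 - - -
2003-05-12 14:32:05 DROP ICMP 198.51.100.7 192.0.2.10 - - 60 - - - - 8 0 -
2003-05-12 14:32:06 DROP ICMP 198.51.100.7 192.0.2.10 - - 60 - - - - 8 0 -
2003-05-12 14:33:10 OPEN TCP 192.0.2.10 198.51.100.20 1042 80 - - - - - - - -
2003-05-12 14:33:11 DROP UDP 203.0.113.9 192.0.2.10 53412 1434 404 - - - - - - -
2003-05-12 14:34:00 CLOSE TCP 192.0.2.10 198.51.100.20 1042 80 - - - - - - - -
"""


def parse_icf_log(text):
    """Return one dict per record, keyed by the column names in the '#Fields:' line."""
    fields = None
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data before #Fields header; not an ICF log")
        tokens = line.split()
        if len(tokens) != len(fields):
            continue  # truncated or malformed record: skip rather than misalign columns
        records.append({k: (None if v == "-" else v) for k, v in zip(fields, tokens)})
    return records


def summarize_drops(records, scan_threshold=3):
    """Who is being dropped, on which ports, and who looks like a port scanner."""
    drops = [r for r in records if r["action"] == "DROP"]
    by_src = Counter(r["src-ip"] for r in drops)
    by_dst_port = Counter(
        f'{r["protocol"]}/{r["dst-port"]}' for r in drops if r["dst-port"] is not None)
    icmp_echo = sum(1 for r in drops if r["protocol"] == "ICMP" and r["icmptype"] == "8")
    ports_per_src = defaultdict(set)
    for r in drops:
        if r["dst-port"] is not None:
            ports_per_src[r["src-ip"]].add(r["dst-port"])
    # Heuristic: a source dropped on scan_threshold or more distinct ports is probing us.
    scanners = sorted(src for src, ports in ports_per_src.items() if len(ports) >= scan_threshold)
    return {
        "total": len(records),
        "dropped": len(drops),
        "by_src": by_src,
        "by_dst_port": by_dst_port,
        "icmp_echo_requests": icmp_echo,
        "scanners": scanners,
    }


if __name__ == "__main__":
    summary = summarize_drops(parse_icf_log(SAMPLE_LOG))
    print(f'{summary["dropped"]} of {summary["total"]} records were dropped')
    for src, n in summary["by_src"].most_common():
        print(f"  {src}: {n} dropped")
    print("blocked ICMP echo requests:", summary["icmp_echo_requests"])
    print("possible port scanners:", summary["scanners"])
```

Point the parser at the real log file instead of SAMPLE_LOG (read the file and pass its contents to parse_icf_log) and run it on a schedule; a source that shows up in "scanners" hitting 135, 139 and 445 is the classic Windows-targeted probe and is worth blocking upstream.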

Internet Connection Sharing (ICS)

ICS lets your computer act as a gateway (using network address translation) so that other computers on your network can reach the remote private network or the Internet through this server's connection. Using the second checkbox, you can also specify that the connection be dialed automatically when another computer on your network tries to use it, a feature sometimes called on-demand dialing.

ICS is a great feature for the small office/home office (SOHO) environment, but it can cause problems in the enterprise. When you enable ICS, WS2003 automatically reconfigures the TCP/IP settings of the internal (LAN) adapter to the fixed address 192.168.0.1 and starts a small DHCP allocator that hands out addresses from the reserved private network 192.168.0.0/24 to the other computers. (This is not Automatic Private IP Addressing (APIPA), which uses 169.254.0.0/16 and is what a client falls back to when no DHCP server answers.) As a result, you should not enable ICS on servers in networks that already run DNS or DHCP servers or that have static IP addresses assigned to machines from a different network ID; otherwise, other computers on your network will be unable to communicate with your server. If you want to use ICS for your SOHO, first configure the other computers on your LAN to obtain an IP address automatically, then install and configure ICS on the server. See TCP/IP later in this chapter for more information on APIPA.
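Because enabling ICS renumbers the server silently, it is worth checking for the conflicts described above before ticking the checkbox. The following is an added example, not from the book: a pre-flight check that takes the LAN's current network, any statically addressed hosts, and whether DHCP or DNS servers already exist, and lists the reasons ICS would break connectivity. The 192.168.0.0/24 network and the 192.168.0.1 gateway address are what ICS configures; the function name, its arguments and the sample scenario are the example's own.

```python
"""Pre-flight check before enabling Internet Connection Sharing (ICS).

Added example, not from the book. Encodes the conflicts the text warns
about so they can be checked from inventory data before a GUI change
that silently renumbers the server.
"""
import ipaddress

# What ICS configures on the internal adapter when it is enabled.
ICS_PRIVATE_NET = ipaddress.ip_network("192.168.0.0/24")
ICS_GATEWAY = ipaddress.ip_address("192.168.0.1")


def ics_precheck(lan_network, static_hosts=(), has_dhcp_server=False, has_dns_server=False):
    """List the reasons enabling ICS on this server would break the LAN.

    lan_network   -- the network the LAN currently uses, e.g. "10.1.0.0/16"
    static_hosts  -- addresses of machines configured with static IP addresses
    has_dhcp_server / has_dns_server -- whether those services already run on the LAN
    An empty list means none of the conflicts described in the text apply.
    """
    lan = ipaddress.ip_network(lan_network, strict=False)
    problems = []
    if has_dhcp_server:
        problems.append("a DHCP server already serves this LAN; ICS would start a second "
                        "allocator handing out 192.168.0.x addresses")
    if has_dns_server:
        problems.append("a DNS server already serves this LAN; ICS would insert its own DNS proxy")
    if not lan.overlaps(ICS_PRIVATE_NET):
        problems.append(f"the LAN uses {lan}, but ICS renumbers the server's adapter to "
                        f"{ICS_GATEWAY}/{ICS_PRIVATE_NET.prefixlen}")
    for host in static_hosts:
        addr = ipaddress.ip_address(host)
        if addr not in ICS_PRIVATE_NET:
            problems.append(f"static host {addr} would no longer share a subnet with the server")
        elif addr == ICS_GATEWAY:
            problems.append(f"static host {addr} collides with the address ICS assigns to the server")
    return problems


if __name__ == "__main__":
    # Constructed scenario: an enterprise LAN on 10.1.0.0/16 with a DHCP server and one static host.
    for problem in ics_precheck("10.1.0.0/16", static_hosts=["10.1.0.5"],
                                has_dhcp_server=True) or ["no conflicts found"]:
        print("-", problem)
```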

Direct Computer Connections

Direct computer connections are used mainly for file transfers between two computers over a null-modem (file-transfer) cable when no networking adapters are installed. However, you can share a direct computer connection, which gives you a way of connecting two networks together using a null-modem cable.

Create a Direct Computer Connection

To create a direct computer connection, you first need to configure either a COM port to use a serial RS-232C null-modem cable or a parallel port to use an ECP parallel file-transfer cable:

Control Panel → Phone and Modem Options → Modems → Add → select Don't detect my modem → select either cable option → select Port

Then decide which role your machine will assume:

Host machine

The computer that listens for and responds to direct computer connection attempts from a Guest machine:

New Connection Wizard → Set up an advanced connection → Connect directly to another computer → select Host → choose port (LPT or COM) → select users allowed to connect

Guest machine

The computer that attempts to initiate a direct computer connection with a Host machine:

New Connection Wizard → Set up an advanced connection → Connect directly to another computer → select Guest → choose port (LPT or COM) → specify who can use the connection (only you or anybody)

Note that when you create a Host connection, the RRAS service starts and the connection is displayed in the Network Connections folder as an Incoming Connection. However, when you create a Guest connection, it's displayed as a Direct Connection.

Establish a Direct Computer Connection

Make sure the null-modem cable is attached, then go to the Guest computer and do this:

Network Connections Folder → double-click on connection → Connect

Configure a Direct Computer Connection

Configuring Guest machines is similar to configuring dial-up connections, and the same five tabs are present on the properties sheet. There are a few differences, though:

  • The General tab lets you choose only which device (COM or LPT port) is used for the connection.

  • Advanced security settings are used instead of Typical ones used by dial-up connections, and these should generally not be changed.

  • All default networking services are enabled for this connection.

The properties sheet for Host machines has only three tabs:

General

Here, you can configure the Host to listen for Guests on multiple ports; for example, COM and LPT. You can even use multilink to combine multiple connections from a single Guest machine, though you'd have to create multiple Guest connections on the Guest machine to do this.

Users

Here, you specify which users are allowed to establish direct computer connections with the Host machine. The information displayed depends on whether your machine belongs to a workgroup or domain.

Networking

Like Guest machines, all default networking services are enabled for this connection.

Incoming Connections

We'll focus here on creating incoming connections on a standalone server in a workgroup scenario. In a domain environment, you're more likely to use the Routing and Remote Access Service (RRAS) to create a full-fledged remote access server for your remote clients.

Create an Incoming Connection

New Connection Wizard → Set up an advanced connection → Accept incoming connections → select devices to listen on → enable/disable VPN → select users allowed to connect → Properties → allow callback if desired → configure networking components for this connection

Note that the devices you can select depend on what's installed on your machine and may include COM and LPT ports (for direct cable connections), modems, ISDN adapters, and so on.

By enabling a VPN for your connection, you allow remote users to connect to your computer over the Internet, provided, of course, that your machine has a public IP address so packets can be routed to it from the Internet. This option is disabled by default for security reasons. If you enable it, Windows automatically configures ICF to admit the VPN traffic, but you should check the firewall configuration to make sure it's configured the way you want it.

The main networking component to configure for the connection is TCP/IP. By opening the properties of this component you can:

  • Have clients use their own IP addresses or assign them using DHCP (the default) or from a pool of addresses

  • Allow (the default) or deny clients access to other computers on your network

Allow/Deny Dial-in Permission to a User

When creating an incoming connection using the procedure described earlier, you specified the user accounts allowed to connect. By doing so, the remote access permissions for these accounts were set to Allow Access on the Dial-in tab of the properties sheet for each account. If you later want to allow additional users to use the incoming connection or decide to deny access to a user you previously granted it to, do the following:

Computer Management → System Tools → Local Users and Groups → Users → right-click on user account → Properties → Dial-in → allow or deny access

You can also change the callback option for the user here.

Configure an Incoming Connection

Right-click on connection → Properties

These are the settings discussed previously under Direct Computer Connections in reference to Host machines.

Internet (Broadband) Connections

In addition to dial-up Internet connections (discussed under Dial-up Connections earlier in this section), you can create two types of broadband Internet connections: always-on (LAN) or on-demand (PPPoE) connections.

Create an Always-on Broadband Internet Connection

First, make sure your DSL router is configured properly, is turned on, and your network cables are attached. Then do this:

New Connection Wizard → Connect to the Internet → Connect using a broadband connection that is always on

That was easy!

Create an On-Demand Broadband Internet Connection

New Connection Wizard → Connect to the Internet → Connect using a broadband connection that requires a username and password → specify ISP name → specify who can use the connection (only you or anybody) → specify credentials → enable/disable ICF

Configure an On-Demand Broadband Internet Connection

The configuration options here are identical to those for dial-up Internet connections, except all references to modems and phone numbers are removed.

Local Area Connections

Local area connections (typically, Ethernet connections) can't be created manually using the New Connection Wizard. Instead, they're created automatically during Setup or when Windows detects a new network adapter. By selecting them in the Network Connections folder, they can be configured, disabled, enabled, and monitored like other connections, but they can't be deleted unless you remove the network card associated with the connection.

Configure Local Area Connections

To configure networking components and protocols for local area connections, do this:

Control Panel → Network Connections → select a local area connection → Properties → General

For information about configuring TCP/IP settings for local area connections, see TCP/IP later in this chapter. To configure firewall settings on your connection, do this:

Control Panel → Network Connections → select a local area connection → Properties → Advanced → Protect my computer → Settings

For wireless LAN (WLAN) connections, you can also configure authentication by:

Control Panel → Network Connections → select a local area connection → Properties → Authentication

Virtual Private Network Connection

These are outbound connections that securely tunnel over the Internet to a remote VPN server, such as a WS2003 machine with RRAS configured.

Create a New VPN Connection

First, make sure you have an Internet connection configured on your machine, either dial-up, on-demand broadband, or always-on, as described previously. Also, make sure the VPN server on the remote network is ready and listening so you can test your connection after you create it. Now proceed as follows if you have a dedicated Internet connection:

New Connection Wizard → Connect to the network at my workplace → Virtual Private Network connection → specify company name → specify IP address or DNS name of remote VPN server → specify who can use the connection (only you or anybody)

If you have a dial-up or on-demand Internet connection, do this instead:

New Connection Wizard → Connect to the network at my workplace → Virtual Private Network connection → specify company name → select a dial-up connection → specify IP address or DNS name of remote VPN server → specify who can use the connection (only you or anybody)

Instead of selecting a dial-up connection to automatically dial when you try to establish your VPN connection, you can choose not to automatically dial a connection. In this case, you have to manually establish your Internet connection before you open your VPN connection.

Configure a VPN Connection

The settings for configuring a VPN connection are the same as those for a dial-up connection to a private network (discussed previously), except for the following differences:

General

Instead of modem settings, you specify the IP address of the remote VPN server on this tab. If you have multiple dial-up or on-demand Internet connections available, you can also specify which one to try first when establishing your VPN connection.

Security

While the default security setting for dial-up connections to private networks is Allow Unsecured Password, the default setting for VPN connections is Require Secured Password with Require Data Encryption also enabled. These settings are necessary because the VPN connection travels over the Internet, which, as everyone knows, is a dangerous place (just like the Wild West was in its heyday).

If you enable the option Automatically Use My Windows Name and Password, the credentials of the user currently logged on to your machine are sent to the remote VPN server for authentication.

Networking

File and Print Sharing is enabled for VPN connections (it wasn't for dial-up connections).

Monitor a VPN Connection

Network Connections Folder → right-click on an active VPN connection → Status

The General tab shows bytes sent and received since the connection was initiated, as well as other network traffic information. The Details tab shows useful information about the type of server, IP address of server and client, type of authentication protocol used, and so on. Here's an example of what you might see on the Details tab if you were connected to another WS2003 machine configured as a VPN server:

Server type: PPP
Transports: TCP/IP
Authentication: MS CHAP V2
Encryption: MPPE 56
Compression: MPPC
PPP multilink framing: On
Server IP address: 172.16.11.128
Client IP address: 172.16.11.130
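The Details tab is where you confirm that the security you chose on the Security tab (or the VPN defaults described above) was actually negotiated rather than silently downgraded. As an added example, not from the book, the following parses "Key: value" lines copied from the Details tab and checks them against a simple policy: authentication must be MS CHAP V2 or smart card, PAP and the other weak protocols are rejected, and MPPE must use at least 128-bit keys (the 56-bit key in the book's sample, like 40-bit, is an RC4 key length that should no longer be accepted). The policy constants, the protocol-name spellings other than "MS CHAP V2" as shown on this page, and the function names are the example's own assumptions.

```python
"""Check a dial-up or VPN connection's negotiated security against a policy.

Added example, not from the book. Input is the 'Key: value' text shown
on the Status → Details tab. Policy thresholds and the spellings of
protocol names other than 'MS CHAP V2' are assumptions of this example.
"""
import re

MIN_MPPE_BITS = 128                               # policy assumption: 40/56-bit MPPE is weak
STRONG_AUTH = {"MS CHAP V2", "EAP", "EAP-TLS"}    # "EAP"/"EAP-TLS" spellings are assumed
WEAK_AUTH = {"PAP", "SPAP", "CHAP", "MS CHAP", "MS CHAP V1"}

# Constructed from the Details-tab sample shown on this page.
BOOK_DETAILS = """\
Server type: PPP
Transports: TCP/IP
Authentication: MS CHAP V2
Encryption: MPPE 56
Compression: MPPC
PPP multilink framing: On
Server IP address: 172.16.11.128
Client IP address: 172.16.11.130
"""


def parse_details(text):
    """Turn 'Key: value' lines copied from the Details tab into a dict keyed by lowercase name."""
    details = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        details[key.strip().lower()] = value.strip()
    return details


def check_connection_security(details, min_mppe_bits=MIN_MPPE_BITS):
    """Return a list of policy findings; an empty list means the negotiated settings pass."""
    findings = []
    auth = details.get("authentication", "").upper()
    enc = details.get("encryption", "").upper()

    if not auth or auth in WEAK_AUTH:
        findings.append(f"authentication {auth or 'missing'}: weak or absent, "
                        "require MS CHAP V2 or a smart card")
    elif auth not in STRONG_AUTH:
        findings.append(f"authentication {auth}: not recognized by this policy, review manually")

    match = re.match(r"MPPE\s+(\d+)", enc)
    if match is None:
        findings.append(f"encryption {enc or 'missing'}: link is not MPPE-encrypted, "
                        "enable Require Data Encryption")
    elif int(match.group(1)) < min_mppe_bits:
        findings.append(f"encryption MPPE {match.group(1)}: below the policy minimum "
                        f"of {min_mppe_bits} bits")
    return findings


if __name__ == "__main__":
    for finding in check_connection_security(parse_details(BOOK_DETAILS)) or ["meets policy"]:
        print(finding)
```

Run against the book's sample, the only finding is the 56-bit MPPE key; a connection whose Details tab reports PAP would be flagged on authentication even if its encryption were fine, which matches the ordering of the Typical settings on the Security tab.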


Windows Server 2003 in a Nutshell
ISBN: 0596004044
Year: 2003
Pages: 415
Authors: Mitch Tulloch