Routing and Remote Access Tasks

The RRAS console is used to configure WS2003 as a remote access server, VPN server, or basic NAT/firewall server. Unless otherwise specified, the tasks in this section assume that you have already opened the Routing and Remote Access console by:

Start → Administrative Tools → Routing and Remote Access

To create and configure connections, use Network Connections in the Control Panel (see Connections earlier in this chapter for more information).

Configure and Enable Routing and Remote Access

In order to install and use the RRAS on a WS2003 computer so it can accept incoming connections from clients, you must first configure and enable the RRAS:

Right-click on server → Configure and Enable Routing and Remote Access

This starts the RRAS Setup Wizard, which prompts you to choose a role for your remote access server. You can select from five different roles:

  • Remote access (dial-up or VPN)

  • Network address translation (NAT)

  • Virtual Private Network (VPN) access and NAT

  • Secure connection between two private networks

  • Custom configuration

Once you've walked through the wizard and configured the RRAS, you can perform further configuration using steps outlined later in this topic. If you decide later that you want to change the role of your RRAS server, you can remove the existing configuration and then run the wizard again. To remove the existing configuration of a remote access server:

Right-click on server → Disable Routing and Remote Access

Alternatively, you can reconfigure the settings on your server to assume a new role if you have a deep enough understanding of these settings. It's generally easier to rerun the wizard, however.

Let's look at enabling and configuring the RRAS using the wizard for each of the five roles the RRAS supports.

Remote Access (Dial-up or VPN)

Select this option to configure your server as a basic remote access server that can accept incoming connections from dial-up clients using a modem and/or VPN clients over the Internet. To configure a dial-up remote access server, do this:

Dial-up → select LAN for remote clients to access (this option is available only on multihomed servers) → select method for assigning IP addresses to clients (either DHCP or from a specified range of addresses) → select server that authenticates remote clients (either the RRAS server itself or a RADIUS server)

To configure a VPN server, first make sure your server has at least two network interfaces and then do this:

VPN → select interface connected to Internet → enable security using static packet filters → select method for assigning IP addresses to clients (either DHCP or from a specified range of addresses) → select server that authenticates remote clients (either the RRAS server itself or a RADIUS server)

You can also select both options together to create a hybrid VPN/dial-up remote access server.

Network Address Translation (NAT)

Select this option to configure your server as an Internet connection server that connects your private network to the Internet using NAT. You must have a public IP address in order to choose this option. The next steps of the wizard depend on the number of existing network interfaces configured on your machine. If your server has only one interface (for example, the Local Area Connection), then you can use the wizard to create a demand-dial interface to connect to the Internet using either a dial-up modem or dedicated broadband device such as a DSL router. Follow these steps:

Enable security on the selected interface using Internet Connection Firewall (ICF) → Create a demand-dial interface using the Demand Dial Interface Wizard

The Demand Dial Interface Wizard lets you choose between creating a dial-up VPN or broadband PPPoE (PPP over Ethernet) interface. If you choose VPN, specify the tunneling protocol used (PPTP or L2TP), the IP address of the remote router, and the connection credentials for the remote router. If you choose PPPoE, you specify the connection credentials for your service provider.

If you already have two interfaces on your machine (Local Area Connection and dial-up or broadband Internet connection), then follow these steps:

Select the network connection with a public IP address and connected to the Internet → Enable security on the selected interface using ICF

At this point you can choose between the following two options:

Basic name and address service

The RRAS assigns IP addresses automatically using Automatic Private IP Addressing (APIPA) and forwards DNS queries to your service provider's DNS server.

Set up name and address service later

The RRAS uses Active Directory and DNS/DHCP servers on your network.

The first option is designed mainly for small office/home office (SOHO) use as it assigns IP addresses using APIPA instead of DHCP. Selecting this option does the following:

  • Configures your server's network adapter with the IP address 192.168.0.1 and subnet mask 255.255.255.0 with no default gateway.

  • Enables routing on your dial-up port so that computers on your LAN can connect to the Internet through your server. If your Internet connection is not a dedicated connection, such as a leased line, the wizard enables dial-on-demand for the outbound connection on the server.

  • Adds the NAT routing protocol and binds both the LAN and Internet interfaces on the server to the NAT protocol.

VPN Access and NAT

Select this option to configure your server as a VPN server using NAT. Make sure your server has at least two network interfaces and then do this:

Select interface connected to Internet → enable security using static packet filters → select method for assigning IP addresses to clients (either DHCP or from a specified range of addresses) → select server that authenticates remote clients (either the RRAS server itself or a RADIUS server)

The VPN server will accept incoming connections from VPN clients using the WAN miniports (virtual ports) on the server.

Secure Connection Between Two Private Networks

Select this option to configure your server to connect with another network using your server as a router. If your server already has two network interfaces (a LAN and a WAN interface), choose No and, after running the wizard, ensure your WAN interface has suitable IP address settings (and configure routing protocols if required). If demand-dial routing will be used instead (typically for branch office connections) and you need to set up a new demand-dial interface, choose Yes and then follow these steps:

Select method for assigning IP addresses to clients (either DHCP or from a specified range of addresses) → Demand Dial Interface Wizard starts → specify name for remote interface → select VPN or PPPoE

If you choose VPN, specify the tunneling protocol used (PPTP or L2TP), the IP address of the remote router, and the connection credentials for the remote router. If you choose PPPoE, you specify the connection credentials for your service provider.

Custom Configuration

Select this option to create a plain vanilla RRAS server with one or more of the following services:

  • VPN access

  • Dial-up access

  • Demand-dial connections

  • NAT and basic firewall

  • LAN routing

This starts the RRAS service on the server with all components installed. (See Routing and Remote Access Tools earlier in this chapter to see what the console tree looks like in this case.) You can then manually configure RRAS settings as desired.

Configure RRAS

The following are some of the more common tasks for configuring RRAS servers.

Enable Remote Access

Right-click on server → General → Remote access server

Selecting this option enables your server to accept connections from both dial-up and VPN clients.

Enable Routing

Right-click on server → General → Router

You can choose between LAN routing only or LAN and demand-dial routing. LAN routing requires either two network adapters or a network adapter and a dedicated WAN device such as a CSU/DSU. Demand-dial routing requires a network adapter and a dial-up WAN device such as a modem or ISDN terminal adapter.

Note that an RRAS server can be enabled for both remote access and routing roles.

Configure Security on an RRAS Server

Right-click on server → Properties → Security

You can configure security on a remote access server in a variety of ways. For example, your authentication provider, which determines how remote access clients are authenticated by your server, can be either:

Windows Authentication

Authentication is performed by Active Directory.

RADIUS Authentication

Authentication is performed by a RADIUS server. You can configure a WS2003 system as a RADIUS server by installing the optional Internet Authentication Service (IAS) component of WS2003.

Similarly, your accounting provider (which keeps track of remote access sessions and connection attempts) can be either:

Windows Accounting

Connections are logged in the Remote Access Logs folder.

RADIUS Accounting

Connections are logged by the RADIUS server.

Once you select your authentication and accounting providers, you can also configure which authentication protocols will be supported by your remote access server. Here's how to do this:

Right-click on server → Properties → Security → Authentication Methods

By default, for added security, only MS-CHAP, MS-CHAPv2, and EAP are enabled on an RRAS server. If your clients can use only weaker authentication protocols, you must enable them here.

Configure IP Routing

Remote access servers can grant remote clients access to resources on either the remote access server alone or on any server in the local network. In the second case, the remote access server functions as a network gateway, allowing remote clients to access other servers on the LAN through the remote access server. To enable your server as a network gateway for an IP-based remote access server:

Right-click on server → IP → Enable IP routing → Allow IP-based remote access and demand-dial connections

Configure an IP Address Pool for Clients

Right-click on server → IP → Static address pool → Add → specify Start and End IP addresses

You should select addresses whose range forms a standard subnet since there is no option here for specifying the subnet mask. If you specify an address in a subnet that is different from the address of the LAN adapter of the server, you must add static routes to the server's routing table to enable the server to forward packets between the LAN and WAN connections (or you could enable an IP routing protocol on the server instead).
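The Static address pool dialog takes only a Start and End address, so the subnet it implies is whatever block happens to cover that range. The helper below (an added example, not code from the book; the function name is hypothetical) works out that implied block and whether it lies inside the LAN adapter's subnet, which is the case where no static route is needed.

```python
import ipaddress

def check_static_pool(start, end, lan_ip, lan_mask):
    """Sanity-check a Start/End range as entered in the RRAS Static address
    pool dialog, which has no subnet-mask field. Helper name is hypothetical."""
    first, last = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if last < first:
        raise ValueError("End address must not precede Start address")
    # Smallest CIDR block that contains the whole range: this is the subnet
    # the pool implies, since the dialog lets you enter no mask of your own.
    implied = None
    for prefix in range(32, -1, -1):
        candidate = ipaddress.IPv4Network(f"{first}/{prefix}", strict=False)
        if last in candidate:
            implied = candidate
            break
    lan_net = ipaddress.IPv4Interface(f"{lan_ip}/{lan_mask}").network
    # A pool off the LAN adapter's subnet means the server cannot forward
    # between LAN and WAN until static routes (or a routing protocol) exist.
    fits_lan = implied.subnet_of(lan_net)
    return {
        "addresses": int(last) - int(first) + 1,
        "implied_subnet": str(implied),
        "exact_block": (implied.network_address == first
                        and implied.broadcast_address == last),
        "on_lan_subnet": fits_lan,
        "needs_static_route": not fits_lan,
    }

def main():
    # Constructed sample pools checked against a LAN adapter at 192.168.0.1/24.
    for pool in (("192.168.0.10", "192.168.0.50"), ("10.0.1.1", "10.0.1.254")):
        print(pool, check_static_pool(*pool, "192.168.0.1", "255.255.255.0"))

if __name__ == "__main__":
    main()
```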

If you are using IPX or AppleTalk instead of IP, the IP tab of the server's properties sheet will be replaced with an IPX or AppleTalk tab.

Configure Logging

To configure which remote access events will be logged in the System log:

Right-click on server → Properties → Event Logging → specify logging level

To configure settings for the IAS log file:

Expand server node → select Remote Access Logging → right-click on Local File → Properties → specify log file settings

Enable Multilink

Right-click on server → PPP → Multilink connections

If you are going to use Multilink (MP or BAP), you also need to specify the phone numbers for your device:

Expand server container → right-click on Ports → Properties → select device → Configure → Phone number for this device

Enable Remote Access for a Device

Expand server container → right-click on Ports → Properties → select device → Configure → Remote access connections (inbound only)

The difference between a port and a device is:

Port

A logical communications channel that supports a single point-to-point connection between two computers. A port can be considered a subdivision of a multiport device.

Device

Either hardware (modem, DSL router, and so on) or software (WAN Miniport) that can be used to create a physical or logical point-to-point connection between two computers.

A WAN Miniport is a software driver that acts as a kind of virtual modem bank for VPN connections. When you enable the RRAS, Windows automatically creates 128 WAN Miniport virtual ports with 64 of PPTP type and 64 of L2TP type. These virtual ports are used to accept incoming connections from VPN clients. You can increase the number of virtual ports up to 1,000 to support more simultaneous connections from VPN clients by:

Expand server container → right-click on Ports → Properties → select WAN Miniport (type) → Configure → specify Maximum ports → reboot

When a remote VPN client connects to your remote access server to establish a VPN connection with the server, it uses the highest-numbered virtual port available. The client first tries to connect to an L2TP port (which requires the client to have a digital certificate installed that the server can recognize) and, if this fails, it uses PPTP instead.

Configure a Remote Access Policy

You can either edit the existing default remote access policy or delete it and create a new one. To create a new remote access policy:

Right-click on Remote Access Policies container → New Remote Access Policy → Use the wizard to set up a typical policy for a common scenario → specify a name for the policy → select an access method (VPN, dial-up, wireless, or Ethernet) → select users or groups to grant access → choose authentication methods to use → choose encryption levels (VPN or dial-up only)

The exact options in the wizard vary with the access method you select. An alternative approach is to set up a custom policy:

Right-click on Remote Access Policies container → New Remote Access Policy → Custom policy → specify a name for policy → add new conditions or edit existing ones → choose whether to grant or deny remote access based on the policy → Edit Profile

When adding conditions to your policy, you can choose from numerous options. Some of the more common conditions you add might be:

Calling Station ID

Specifies the remote client's phone number for callback-verification purposes

Day and Time Restrictions

Indicates which days of the week and times of the day the policy will be applied

Windows-Groups

Specifies which WS2003 domain-based (global or universal) groups the user must belong to in order for the policy to be applied

When deciding whether to grant or deny remote access based on your policy, remember that you can create multiple remote access policies with some granting access and others denying it. Policies are evaluated one at a time in the order in which they are listed until a policy is found that matches (doesn't conflict with) the user account and client connection settings.
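Because evaluation stops at the first policy that matches, the order of the policy list decides the outcome whenever a grant policy and a deny policy both match the same connection. The model below is an added example (not code from the book; the class and function names are hypothetical) of the three conditions described above and of first-match evaluation, with constructed policies showing how moving a deny policy below a grant policy silently neutralizes it.

```python
from dataclasses import dataclass, field
from datetime import datetime

@dataclass
class Policy:
    """Hypothetical model of one WS2003 remote access policy: its conditions
    (all configured ones must hold) and whether a match grants or denies."""
    name: str
    grant: bool                                   # grant or deny remote access on match
    windows_groups: frozenset = frozenset()       # Windows-Groups: user in any listed group
    calling_station_ids: frozenset = frozenset()  # Calling-Station-ID: caller's phone number
    day_time: dict = field(default_factory=dict)  # Day-And-Time: weekday (0=Mon) -> (from_h, to_h)

    def matches(self, user_groups, calling_station_id, when):
        """True only when every condition that is configured is satisfied."""
        if self.windows_groups and not (self.windows_groups & user_groups):
            return False
        if self.calling_station_ids and calling_station_id not in self.calling_station_ids:
            return False
        if self.day_time:
            window = self.day_time.get(when.weekday())
            if window is None or not (window[0] <= when.hour < window[1]):
                return False
        return True

def evaluate(policies, user_groups, calling_station_id, when):
    """Walk the policies in list order (the Move Up / Move Down order in the
    console) and stop at the first match; its grant/deny setting decides the
    attempt. If no policy matches at all, the attempt is rejected."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    for policy in policies:
        if policy.matches(user_groups, calling_station_id, when):
            return policy.name, policy.grant
    return None, False

# Constructed time windows: weekday evenings plus all of Saturday and Sunday.
AFTER_HOURS = {**{d: (18, 24) for d in range(5)}, 5: (0, 24), 6: (0, 24)}

# Constructed sample policies; the group names are placeholders.
DENY_CONTRACTORS = Policy("Deny contractors after hours", grant=False,
                          windows_groups=frozenset({"CORP\\Contractors"}),
                          day_time=AFTER_HOURS)
ALLOW_VPN = Policy("Allow VPN users", grant=True,
                   windows_groups=frozenset({"CORP\\VPN Users"}))

def main():
    contractor = frozenset({"CORP\\Contractors", "CORP\\VPN Users"})
    evening = "2023-06-14T20:00"   # a Wednesday at 20:00
    print(evaluate([DENY_CONTRACTORS, ALLOW_VPN], contractor, None, evening))  # denied
    print(evaluate([ALLOW_VPN, DENY_CONTRACTORS], contractor, None, evening))  # granted

if __name__ == "__main__":
    main()
```

With the deny policy listed second, the contractor's evening connection is granted because the grant policy matches first and the deny policy is never reached.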

The last step, Edit Profile, is optional and allows you to configure settings on six tabs:

Dial-in Constraints

You can restrict the duration of user sessions if you have limited dial-in ports on your remote access server. It's also good to configure the connection to disconnect automatically if it is idle for more than about five minutes.

IP

You should generally leave the IP Address Assignment Policy set to "Server settings define policy." Configuring packet filters is an extra layer of complexity that should be done carefully; otherwise, connections may be accepted, but users will not be able to access the resources they need on the remote corporate network.

Multilink

Multilink settings can be left at "Default to server settings." If you are short of modems, you can disable Multilink using this profile setting.

Authentication

Try to specify only the most secure authentication protocols that your remote clients can negotiate. Select only Unauthenticated Access for direct computer connections using null-modem cables.

Encryption

The encryption schemes you select here can be negotiated by the server with the client. If your clients are WS2003 computers and use VPN connections, then deselect No Encryption and Basic Encryption, leaving only Advanced selected. This will enable MPPE 56 to be used for data encryption.

Advanced

These settings are typically used when RADIUS is implemented on your network and should not be modified for basic remote access.

Click Finish to create your new remote access policy. To further edit the policy, double-click on it. If you have multiple policies created, right-click on them and select Move Up or Move Down to change the order in which they are matched.

Grant Remote Access Permission to a User

Active Directory Users and Computers → select domain or OU → right-click on a user → Properties → Dial-in → Allow access

You can choose to control access through a remote access policy only if you have all domain controllers running WS2003, that is, if you are running in native mode. The same is true for assigning a static IP address to a remote access client.

Manage Remote Access Clients

Expand server node → select Remote Access Clients → right-click on a user

You have two options:

  • Select Disconnect to immediately disconnect the remote VPN client. No warning message appears on the client's machine.

  • Select Send Message to send a brief message to the client, for example, to warn the client that you are about to disconnect it. A dialog box will pop up on the client to display this message. You can also select Send To All to send a message to all connected clients, for example, when you are going to take the VPN server offline for maintenance.

Monitor Connected Clients

If you select the Remote Access Clients container for your server in the console tree, the details pane displays the names of connected clients in the form domain\username, the time since the user connected, and the number of ports in use by the user (which is 1 unless it is a multilink connection). Note that the information in the details pane doesn't refresh automatically by default, so you should do the following:

Right-click on root node → toggle Auto Refresh on → right-click again on root node → Refresh Rate → specify refresh interval in seconds

You can display further information about a connected client by:

Right-click on user → Status

This displays the username connected, bytes in and out and other network-traffic information, and the IP address given to the client. (If you have created a static IP pool on the server, then IP addresses are assigned to clients in round-robin order starting with the lowest available address, and a client that disconnects and then reconnects is assigned the next higher address above its previously assigned one.)

You can also select the Ports container for your server in the console tree and then right-click on an active port to view the status of the connection or disconnect the port.

Add a Server

You can manage additional RRAS servers by:

Right-click on Server Status → Add Server → select server

Monitor RRAS

Select the Server Status node in the console tree to view the state of each server and the number of ports in use in the contents pane. Make sure the Details view is selected from the menu.



Windows Server 2003 in a Nutshell
ISBN: 0596004044
Year: 2003
Pages: 415
Author: Mitch Tulloch
