لطفا منتظر باشید ...
Publisher| Routing and Remote AccessTasks |
server, VPN server, or basic NAT/firewall server. Unless otherwise
specified, the tasks in this section assume that you have already
opened the Routing and Remote Access console by:Start
Administrative Tools Routing and Remote Access
|
Configure and Enable Routing and Remote Access
In order to install and
use the RRAS on a WS2003 computer so it
can accept incoming connections from clients, you must first
configure and enable the RRAS:Right-click on server
Configure and Enable Routing and Remote Access This starts the RRAS Setup Wizard, which prompts you to choose a rolefor your remote access server. You can select from five different
roles:
- Remote access (dial-up or VPN)
- Network address translation (NAT)
- Virtual Private Network (VPN) access and NAT
- Secure connection between two private networks
- Custom configuration
Once you've walked through the wizard and configured
the RRAS, you can perform further configuration using steps outlined
later in this topic. If you decide later that you want to change the
role of your RRAS server, you can remove the existing configuration
and then run the wizard again. To remove the existing configuration
of a remote access server:Right-click on server
Disable Routing and Remote Access Alternatively, you can reconfigure the settings on your server toassume a new role if you have a deep enough understanding of these
settings. It's generally easier to rerun the wizard,
however.Let's look at enabling and configuring the RRAS
using the wizard for each of the five roles the RRAS supports.
Remote Access (Dial-up or VPN)
Select this option to configure
your server as a basic remote access server that can accept incoming
connections from dial-up clients using a modem and/or VPN clients
over the Internet. To configure a dial-up remote access server, do
this:Dial-up
select LAN for remote clients to access (this option is available only on multihomed servers) select method for assigning IP addresses to clients (either DHCP or from a specified range of addresses) select server that authenticates remote clients (either the RRAS server itself or a RADIUS server)To configure a VPN server, first make sure your server has at leasttwo network interfaces and then do this:VPN
select interface connected to Internet enable security using static packet filters select method for assigning IP addresses to clients (either DHCP or from a specified range of addresses) select server that authenticates remote clients (either the RRAS server itself or a RADIUS server)You can also select both options together to create a hybridVPN/dial-up remote access server.
Network Address Translation (NAT)
Select this option to
configure your
server as an Internet connection server that connects your private
network to the Internet using NAT. You must have a public IP address
in order to choose this option. The next steps of the wizard depend
on the number of existing network interfaces configured on your
machine. If your server has only one interface (for example, the
Local Area Connection), then you can use the wizard to create a
demand-dial interface to connect to the Internet using either a
dial-up modem or dedicated broadband device such as a DSL router.
Follow these steps:Enable security on the selected interface using Internet Connection Firewall (ICF)
Create a demand-dial interface using the Demand Dial Interface WizardThe Demand Dial Interface Wizard lets you choose between creating adial-up VPN or broadband PPPoE (PPP over Ethernet) interface. If you
choose VPN, specify the tunneling protocol used (PPTP or L2TP), the
IP address of the remote router, and the connection credentials for
the remote router. If you choose PPPoE, you specify the connection
credentials for your service provider.If you already have two interfaces on your machine (Local Area
Connection and dial-up or broadband Internet connection), then follow
these steps:Select the network connection with a public IP address and connected to the Internet
Enable security on the selected interface using ICFAt this point you can choose between the following two options:- Basic name and address service
The RRAS assigns IP addresses automatically using Automatic Private
IP Addressing (APIPA) and forwards DNS queries to your service
provider's DNS server.- Set up name and address service later
The RRAS uses Active Directory and DNS/DHCP servers on your network.
The first option is designed mainly for small office/home office
(SOHO) use as it assigns IP addresses using APIPA instead of DHCP.
Selecting this option does the following:
- Configures your server's network adapter with the IP
address 192.168.0.1 and subnet mask 255.255.255.0 with no default
gateway. - Enables routing on your dial-up port so that computers on your LAN
can connect to the Internet through your server. If your Internet
connection is not a dedicated connection, such as a leased line, the
wizard enables dial-on-demand for the outbound connection on the
server. - Adds the NAT routing protocol and binds both the LAN and Internet
interfaces on the server to the NAT protocol.
VPN Access and NAT
Select this option to configure your server as a VPN server using
NAT. Make sure your server has at least two network interfaces and
then do this:Select interface connected to Internet
enable security using static packet filters select method for assigning IP addresses to clients (either DHCP or from a specified range of addresses) select server that authenticates remote clients (either the RRAS server itself or a RADIUS server)The VPN server will accept incoming connections from VPN clientsusing the WAN miniports (virtual ports) on the server.
Secure Connection Between Two Private Networks
Select this option to configure your server to connect with another
network using your server as a router. If your server already has two
network interfaces (a LAN and a WAN interface), choose No and, after
running the wizard, ensure your WAN interface has suitable IP address
settings (and configure routing protocols if required). If
demand-dial routing will be used instead (typically for branch office
connections) and you need to set up a new demand-dial interface,
choose Yes and then follow these steps:Select method for assigning IP addresses to clients (either DHCP or from a specified range of addresses)
Demand Dial Interface Wizard starts specify name for remote interface select VPN or PPPoEIf you choose VPN, specify the tunneling protocol used (PPTP orL2TP), the IP address of the remote router, and the connection
credentials for the remote router. If you choose PPPoE, you specify
the connection credentials for your service provider.
Custom Configuration
Select this option to create a plain vanilla RRAS server with one or
more of the following services:
- VPN access
- Dial-up access
- Demand-dial connections
- NAT and basic firewall
- LAN routing
This starts the RRAS service on the server with all components
installed. (See Routing and Remote
AccessTools earlier in this chapter to see what the
console tree looks like in this case.) You can then
manually
configure RRAS settings as desired.
Configure RRAS
The following are some of the more common tasks for configuring RRAS
servers.
Enable Remote Access
Right-click on server
General Remote access serverSelecting this option enables your server to accept connections from both
dial-up and VPN clients.
Enable Routing
Right-click on server
General RouterYou can choose between LAN routing only or LAN and demand-dial
routing. LAN routing requires either two network adapters or a
network adapter and a dedicated WAN device such as a CSU/DSU.
Demand-dial routing requires a network adapter and a dial-up WAN
device such as a modem or ISDN terminal adapter.
|
Configure Security on an RRAS Server
Right-click on server
Properties SecurityYou can configure security on a remote
access server in a variety of ways. For example, your authentication
provider, which determines how remote access clients are
authenticated by your server, can be either:
- Windows Authentication
Authentication is performed by Active Directory.- RADIUS Authentication
Authentication is performed by a RADIUS server. You can configure a
WS2003 system as a RADIUS server by installing the optional Internet
Authentication Service (IAS) component of WS2003.
Similarly, your accounting provider (which keeps track of remote
access sessions and connection attempts) can be either:
- Windows Accounting
Connections are logged in the Remote Access Logs folder.- RADIUS Accounting
Connections are logged by the RADIUS server.
Once you select your authentication and accounting providers, you can
also configure which authentication protocols will be supported by
your remote access server. Here's how to do this:Right-click on server
Properties Security Authentication MethodsBy default, for added security, only MS-CHAP, MS-CHAPv2, and EAP areenabled on an RRAS server. If your clients can use only weaker
authentication protocols, you must enable them here.
Configure IP Routing
Remote access servers can grant
remote clients access to resources on
either the remote access server alone or on any server in the local
network. In the second case, the remote access server functions as a
network gateway, allowing remote clients to access other servers on
the LAN through the remote access server. To enable your server as a
network gateway for an IP-based remote access server:Right-click on server
IP Enable IP routing Allow IP-based remote access and demand-dial connectionsConfigure an IP Address Pool for Clients
Right-click on server
IP Static address pool Add specify Start and End IP addressesYou should select addresses whose range forms a standard subnet sincethere is no option here for specifying the subnet mask. If you
specify an address in a subnet that is different from the address of
the LAN adapter of the server, you must add static routes to the
server's routing table to enable the server to
forward packets between the LAN and WAN connections (or you could
enable an IP routing protocol on the server instead).
|
Configure Logging
To configure which remote
access
events will be logged in the System log:Right-click on server
Properties Event Logging specify logging levelTo configure settings for the IAS log file:Expand server node select Remote Access Logging right-click on Local File Properties specify log file settingsEnable Multilink
Right-click on server
PPP Multilink connectionsIf you are going to use Multilink (MP or BAP), you also need tospecify the phone numbers for your device:Expand server container
right-click on Ports Properties select device Configure Phone number for this deviceEnable Remote Access for a Device
Expand server
container
right-click on Ports Properties select device Configure Remote access connections (inbound only)The difference between a port and a device is:- Port
A logical communications channel that supports a single
point-to-point connection between two computers. A port can be
considered a subdivision of a multiport device.- Device
Either hardware (modem, DSL router, and so on) or software (WAN
Miniport) that can be used to create a physical or logical
point-to-point connection between two computers.
A WAN Miniport is a software driver that acts as a kind of virtual
modem bank for VPN connections. When you enable the RRAS, Windows
automatically creates 128 WAN Miniport virtual ports with 64 of PPTP
type and 64 of L2TP type. These virtual ports are used to accept
incoming connections from VPN clients. You can increase the number of
virtual ports up to 1,000 to support more simultaneous connections
from VPN clients by:Expand server container
right-click on Ports Properties select WAN Miniport (type) Configure specify Maximum ports rebootWhen a remote VPN client connects to your remote access server toestablish a VPN connection with the server, it uses the
highest-numbered virtual port available. The client first tries to
connect to an L2TP port (which requires the client to have a digital
certificate installed that the server can recognize) and, if this
fails, it uses PPTP instead.
Configure a Remote Access Policy
You can either edit the
existing
default remote access policy or delete it and create a new one. To
create a new remote access policy:Right-click on Remote Access Policies container
New Remote Access Policy Use the wizard to set up a typical policy for a common scenario specify a name for the policy select an access method (VPN, dial-up, wireless, or Ethernet) select users or groups to grant access choose authentication methods to use choose encryption levels (VPN or dial-up only)The exact options in the wizard vary with the access method youselect. An alternative approach is to set up a custom policy:Right-click on Remote Access Policies container
New Remote Access Policy Custom policy specify a name for policy add new conditions or edit existing ones choose whether to grant or deny remote access based on the policy Edit ProfileWhen adding conditions to your policy, you can choose from numerousoptions. Some of the more common conditions you add might be:
- Calling Station ID
Specifies the remote client's phone number for
callback-verification purposes- Day and Time Restrictions
Indicates which days of the week and times of the day the policy will
be applied- Windows-Groups
Specifies which WS2003 domain-based (global or universal) groups the
user must belong to in order for the policy to be applied
When deciding whether to grant or deny remote access based on your
policy, remember that you can create multiple remote access policies
with some granting access and others denying it. Policies are
evaluated one at a time in the order in which they are listed until a
policy is found that matches (doesn't conflict with)
the user account and client connection settings.The last step, Edit Profile, is optional and allows you to configure
settings on six tabs:
- Dial-in Constraints
You can restrict the duration of user sessions if you have limited
dial-in ports on your remote access server. It's
also good to configure the connection to disconnect automatically if
it is idle for more than about five minutes.- IP
You should generally leave the IP Address Assignment Policy set to
"Server settings define policy."
Configuring packet filters is an extra layer of complexity that
should be done carefully; otherwise, connections may be accepted, but
users will not be able to access the resources they need on the
remote corporate network.- Multilink
Multilink settings can be left at "Default to server
settings." If you are short of modems, you can
disable Multilink using this profile setting.- Authentication
Try to specify only the most secure authentication protocols that
your remote clients can negotiate. Select only Unauthenticated Access
for direct computer connections using null-modem cables.- Encryption
The encryption schemes you select here can be negotiated by the
server with the client. If your clients are WS2003 computers and use
VPN connections, then deselect No Encryption and Basic Encryption,
leaving only Advanced selected. This will enable MPPE 56 to be used
for data encryption.- Advanced
These settings are typically used when RADIUS is implemented on your
network and should not be modified for basic remote access.
Click Finish to create your new remote access policy. To further edit
the policy, double-click on it. If you have multiple policies
created, right-click on them and select Move Up or Move Down to
change the order in which they are matched.
Grant Remote Access Permission to a User
Active Directory Users and Computers
select domain or OU right-click on a user Properties Dial-in Allow accessYou can choose to control access through a remote access policy
only if you have all domain controllers running WS2003that is,
if you are running in native mode. The same is true for assigning a
static IP address to a remote access client.
Manage Remote Access Clients
Expand server node
select Remote Access Clients right-click on a userYou have two options:- Select Disconnect to
immediately disconnect the remote VPN
client. No warning message appears on the client's
machine. - Select Send Message to send a brief message to the clientfor
example, to warn the client that you are about to disconnect it. A
dialog box will pop up on the client to display this message. You can
also select Send To All to send a message to all connected
clientsfor example, when you are going to take the VPN server
offline for maintenance.
Monitor Connected Clients
If you select the Remote
Access Clients container for your server in the console tree, the
details pane displays the names of connected clients in the form
domain\username , the time since the user
connected, and the number of ports in use by the user (which is 1
unless it is a multilink connection). Note that the information in
the details pane doesn't refresh automatically by
default, so you should do the following:Right-click on root node
toggle Auto Refresh on right-click again on root node Refresh Rate specify refresh interval in secondsYou can display further information about a connected client by:Right-click on user StatusThis displays the username connected, bytes in and out and othernetwork-traffic information, and the IP address given to the client.
(If you have created a static IP pool on the server, then IP
addresses are assigned to clients in round-robin order starting with
the lowest available address, and a client that disconnects and then
reconnects is assigned the next higher address above its previously
assigned one.)
|
Add a Server
You can manage additional RRAS servers by:Right-click on Server Status
Add Server select serverMonitor RRAS
Select the Server Status node in the console tree to view the state
of each server and the number of ports in use in the contents pane.
Make sure the Details view is selected from the menu.
