WINDOWS 1002000 PROFESSIONAL RESOURCE KIT [Electronic resources] نسخه متنی

اینجــــا یک کتابخانه دیجیتالی است

با بیش از 100000 منبع الکترونیکی رایگان به زبان فارسی ، عربی و انگلیسی

جستجو بر اساس ... همه عنوان پدیدآور موضوع یادداشت تمام متن
اصطلاحنامه مجموعه ها مرورالفبایی لغت نامه دهخدا
جستجو در لغت نامه
بیشتر
کتابخانه شخصی پرسش از کتابدار ارسال منبع

WINDOWS 1002000 PROFESSIONAL RESOURCE KIT [Electronic resources] - نسخه متنی

Chris Aschauer

| نمايش فراداده ، افزودن یک نقد و بررسی
افزودن به کتابخانه شخصی
میخواهم بخوانم
درحال خواندن
خوانده شده
ارسال به دوستان

آدرس پست الکترونیک گیرنده :

آدرس پست الکترونیک فرستنده :

نام و نام خانوارگی فرستنده :

پیغام برای گیرنده ( حداکثر 250 حرف ) :

کد امنیتی را وارد نمایید

ارسال
جستجو در متن کتاب
بیشتر
تنظیمات قلم

فونت

اندازه قلم

+ - پیش فرض

حالت نمایش

روز نیمروز شب
جستجو در لغت نامه
بیشتر
لیست موضوعات

Sitemap

Cover

Acknowledgments

Introduction

Document Conventions

Resource Kit Compact Disc

Resource Kit Support Policy

Part I: Overview

Chapter 1 -- Introducing Windows 2000 Professional

Quick Guide to Using Windows 2000 Professional

Overview

Deployment and Installation

Configuration and Management

Networking

Interoperability

Performance Monitoring

Troubleshooting

Accessibility

Where to Find More Information in this Book

Additional Resources

Chapter 2 -- Using Windows 2000 Professional with Windows 2000 Server

Quick Guide to Using Windows 2000 Professional with Windows 2000 Server

Centralized Deployment

Centralized Administration

Advanced Security

Robust Networking Infrastructure

Interoperability with Other Networks

Additional Resources

Part II: Deployment and Installation

Chapter 3 -- Deploying Windows 2000 Professional

Quick Guide to Deploying Windows 2000 Professional

Mapping Your Needs to Windows 2000 Professional

Planning Your Deployment

Determining a Preferred Client Configuration

Assessing Your Current Network Infrastructure

Determining a Client Connectivity Strategy

Determining Implementation Methods

Testing Your Deployment Plan

Conducting a Pilot

Preparing for the Rollout

Chapter 4 -- Installing Windows 2000 Professional

Quick Guide

What's New

Planning Your Installation

Running Setup

Post-Installation Tasks

Additional Resources

Chapter 5 -- Customizing and Automating Installations

Quick Guide to Customizing and Automating Installations

Overview of Customizing and Automating Installations

Step 1: Plan

Step 2: Prepare

Step 3: Customize

Step 4: Deploy

Additional Resources

Chapter 6 -- Setup and Startup

Quick Guide to Setup and Startup

Phases of Setup

Windows 2000 Professional Startup Process

Plug and Play Device Detection

Installing a Multiple-Boot Operating System

Installing Service Packs

Removing Windows 2000 Professional from Your Computer

Troubleshooting Windows 2000 Professional Setup

Part III: System Configuration and Management

Chapter 7 -- Introduction to Configuration and Management

Quick Guide to Workstation Configuration and Management

What's New

Managing Windows 2000 Professional in a Windows 2000 Server Environment

Managing Windows 2000 Professional in a Non-Windows 2000 Environment

Managing Users and Groups

Group Policy

Management Tools

Managing Windows 2000 Professional in a Multilanguage Environment

Making Windows 2000 Professional More Accessible

Chapter 8 -- Customizing the Desktop

Quick Guide to Customizing the Desktop

Overview of Desktop Customization and Configuration

Defining Desktop Administration Standards

Implementing Custom Desktops in a Windows 2000 Server Network

Implementing Custom Desktop Configurations in Non-Windows 2000 Server Networks

Using Group Policy Settings for Desktop Control

Desktop Shortcuts and Icons

Active Desktop and Wallpaper Settings

Start and Programs Menus

Customizing the Taskbar and Toolbars

Limiting Access to Display Options

Screen Saver Group Policy Settings

Restoring the Original Configuration

Choosing a New User Interface

Troubleshooting

Additional Resources

Chapter 9 -- Managing Files, Folders, and Search Methods

Quick Guide to Files, Folders, and Search Methods

What's New

Windows 2000 Server Network Advantages

Working with Files and Folders

Customizing Folders

Using Offline Files and Folders

Searching for Files, Folders, and Network Resources

Troubleshooting

Additional Resources

Chapter 10 -- Mobile Computing

Mobile Computing Quick Guide

What's New

Setting Up a Portable Computer

Configuring Offline Files for Portable Computers

Configuring Power Management

Managing Hardware on Portable Computers

Security Considerations for Portable Computers

Folder Redirection and Configuring Roaming User Profiles

Hardware Issues Related to Portable Computers

Chapter 11 -- Multimedia

Quick Guide to Multimedia

What's New

Optimizing Workstations for Multimedia

Using Multimedia Effectively

Troubleshooting Multimedia

Additional Resources

Chapter 12 -- Telephony and Conferencing

Quick Guide to Telephony and Conferencing

Overview of Telephony and Conferencing

Configuring Telephony and Conferencing

Troubleshooting

Additional Resources

Chapter 13 -- Security

Quick Guide to Security

What's New

Planning for Security

User Authentication

Security Groups, User Rights, and Permissions

Security Policy

Security Templates

Remote Access

Internet Protocol Security

Encrypting File System

Public Key Technology

Protecting User Data on Portable Computers

Additional Resources

Chapter 14 -- Printing

Quick Guide to Printing

What's New

Finding Printers

Installing Printers

Configuring Printers

Creating and Sending Print Jobs

Monitoring and Managing Print Jobs

Printer Pooling

Printing Concepts

Troubleshooting Printing Problems

Additional Resources

Chapter 15 -- Scanners and Cameras

Quick Guide to Scanners and Cameras

What's New

Installing Scanners and Cameras

Configuring Scanners and Cameras

Scanner and Camera Concepts

Troubleshooting

Chapter 16 -- Fonts

Quick Guide to Fonts

What's New

Installing Fonts

Managing Installed Fonts

Character Set Types

Supported Code Pages

Troubleshooting Font Problems

Chapter 17 -- File Systems

Quick Guide to File Systems

Overview of Windows 2000 File Systems

File System Comparisons

FAT

NTFS

Compact Disc File System

Universal Disk Format

Using Long File Names

File System Tools

Chapter 18 -- Removable Storage and Backup

Quick Guide to Removable Storage

Overview of Removable Storage

Administering Removable Storage

Troubleshooting Removable Storage

Overview of Backups

Establishing a Backup Plan

Backing Up System State Data

Using the Backup Tool

Chapter 19 -- Device Management

Quick Guide to Device Management

What's New

Device Tree

Plug and Play

Device Installation

Configuring Device Settings

Troubleshooting Device Management

Additional Resources

Chapter 20 -- Power Management

Quick Guide to Power Management

Overview of Power Management

Power Management Features

Understanding the Advanced Configuration and Power Interface

Using the Power Management Interface

Troubleshooting Power Management

Additional Resources

Part IV: Network Configuration and Management

Chapter 21 -- Local and Remote Network Connections

Quick Guide to Local and Remote Network Connections

Overview of Local and Remote Network Connections

Creating, Configuring, and Monitoring Connections

Remote Network Security

Group Policies for Network and Dial-up Connections

Internet Connection Sharing

Internet Connection Sharing Scenario: Connecting Your Branch Office's Intranet to the Internet

Troubleshooting

Chapter 22 -- TCP/IP in Windows 2000 Professional

TCP/IP Configuration Quick Guide

Overview of Windows 2000 TCP/IP

Install TCP/IP

Configure IP Address Assignment

Configure TCP/IP Name Resolution

Configure Multihoming

Configure Local IP Routing Table

Configure Internet Connection Sharing

Configure IP Security and Filtering

Configure Quality of Service

Perform TCP/IP Troubleshooting

Additional Resources

Chapter 23 -- Windows 2000 Professional on Microsoft Networks

Quick Guide to Windows 2000 Professional on Microsoft Networks

Overview of Microsoft Networking

Configure Transport Protocols

Join Network Environment

Confirm Group Membership

Troubleshooting Microsoft Networking

Part V: Network Interoperability

Chapter 24 -- Interoperability with NetWare

Quick Guide to NetWare Interoperability

Overview of Windows 2000 Professional and NetWare Connectivity

Client Service and Gateway Service

Configuring Client Service for NetWare

Accessing NetWare Resources

NetWare Administration Through Windows 2000 Professional

Windows 2000 Professional and NetWare Security

NWLink

Troubleshooting Windows 2000 Professional and NetWare Connectivity

Chapter 25 -- Interoperability with UNIX

Quick Guide to UNIX Interoperability

Overview of Windows 2000 Professional and UNIX Connectivity

Planning and Installing Services for UNIX on Windows 2000 Professional

Configuring Services for UNIX on Windows 2000 Professional

Tools

Troubleshooting

Chapter 26 -- Interoperability with IBM Host Systems

Quick Guide to Interoperability with IBM Host Systems

Overview of Interoperability with IBM Host Systems

DLC Protocol

SNA Server Client and Components

Network Management Integration

Windows 2000 Professional and IBM Host Security

Troubleshooting

Part VI: Performance Monitoring

Chapter 27 -- Overview of Performance Monitoring

Quick Guide to Monitoring Performance

Performance Monitoring Concepts

Monitoring Tools

Starting Your Monitoring Routine

Analyzing Monitoring Results

Investigating Bottlenecks

Troubleshooting Problems with Performance Tools

Monitoring Remote Computers

Monitoring Legacy Applications

Integrating the System Monitor Control into Office and Other Applications

Chapter 28 -- Evaluating Memory and Cache Usage

Quick Guide to Monitoring Memory

Overview of Memory Monitoring

Determining the Amount of Installed Memory

Understanding Memory and the File System Cache

Establishing a Baseline for Memory

Investigating Memory Problems

Resolving Memory and Cache Bottlenecks

Additional Resources

Chapter 29 -- Analyzing Processor Activity

Quick Guide to Monitoring Processors

Overview of Processor Monitoring and Analysis

Establishing a Baseline for Processor Performance

Recognizing a Processor Bottleneck

Processes in a Bottleneck

Threads in a Bottleneck

Advanced Topic: Changing Thread Priority to Improve Performance

Eliminating a Processor Bottleneck

Additional Resources

Chapter 30 -- Examining and Tuning Disk Performance

Quick Guide to Monitoring Disks

Disk Monitoring Concepts

Configuring the Disk and File System for Performance

Working with Disk Counters

Establishing a Baseline for Disk Usage

Investigating Disk Performance Problems

Resolving Disk Bottlenecks

Evaluating Cache and Disk Usage by Applications

Part VII: Troubleshooting

Chapter 31 -- Troubleshooting Tools and Strategies

Quick Guide to Troubleshooting

General Troubleshooting Strategy

Startup and Recovery Tools

Maintenance and Update Tools

System File and Driver Tools

Applications Tools

Networking Tools

Troubleshooting Procedures

Chapter 32 -- Disk Concepts and Troubleshooting

Quick Guide to Disk Concepts

Basic and Dynamic Disks

Disk Sectors Critical to Startup

Troubleshooting Disk Problems

Additional Resources

Chapter 33 -- Windows 2000 Stop Messages

System Messages

Stop Messages

Troubleshooting Stop Messages

Hardware Malfunction Messages

Additional Resources

Appendix A -- Accessibility for People with Disabilities

Quick Guide to Accessibility for People with Disabilities

Overview of Accessibility in Windows 2000 Professional

Customizing Computers for Accessibility

Setting Accessibility Options by Type of Disability

Configuring Accessibility Features

Adding Third-Party Products and Services

Additional Resources

Appendix B -- Sample Answer Files for Windows 2000 Professional Setup

Answer File Format

Answer File Keys and Values

Sample Answer Files

Additional Resources

Appendix C -- Hardware Support

Overview of Hardware Support

Universal Serial Bus

IEEE 1394

Supporting Other Buses

New and Enhanced Hardware Support

Troubleshooting Hardware Support Components

Additional Resources

Glossary

3

5

8

A

B

C

D

E

F

G

H

I

J

K

L

M

N

O

P

Q

R

S

T

U

V

W
توضیحات
افزودن یادداشت جدید







Remote Access


Using the Routing and Remote Access service, you can connect to your network by phone. This section deals only with the remote access security features of Routing and Remote Access. Remote access by its nature is an invitation to intruders; so Windows 2000 provides multiple security features to permit authorized access while limiting opportunities for mischief.

How Remote Access Works


A client dials a remote access server on your network and is granted access to the network if:


    The request matches one of the remote access policies defined for the server.

    The user's account is enabled for remote access.

    Client/server authentication succeeds.


After the client has been identified and authorized, access to the network can be limited to specific servers, subnets, and protocol types, depending on the remote access profile of the client. Otherwise, all services typically available to a user connected to a local area network (including file and print sharing, Web server access, and messaging) are enabled by means of the remote access connection.

Authentication


Authentication establishes user identity and ensures that only the intended users will be granted remote access to your resources.

Secure User Authentication


Secure user authentication is obtained through the encrypted exchange of user credentials. This is possible with the PPP remote access protocol using either the Extensible Authentication Protocol (EAP), Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) version 1 and version 2, Challenge Handshake Authentication Protocol (CHAP), or Shiva Password Authentication Protocol (SPAP) authentication protocols. The remote access server can be configured to require a secure authentication method. If the remote access client cannot perform the required secure authentication, the connection is denied.

Mutual Authentication


Mutual authentication authenticates both ends of the connection through the encrypted exchange of user credentials. This is possible with the PPP remote access protocol using either the EAP-Transport Level Security (EAP-TLS) or MS-CHAP version 2 authentication protocols. During mutual authentication, the remote access client authenticates itself to the remote access server, and then the remote access server authenticates itself to the remote access client.

It is possible for a remote access server to not request authentication from the remote access client. However, in the case of a Windows 2000 remote access client configured for only MS-CHAP version 2 or only EAP-TLS, the remote access client will force the mutual authentication of the client and server. If the remote access server does not respond to the authentication request, the connection is terminated by the client.

For more information about authentication, see "User Authentication" earlier in this chapter.

Implementing Secure Remote Access


Windows 2000 provides a channel for secure remote access using virtual private networks (VPNs).

Enabling Remote Access


To enable remote access for a Windows 2000 Professional computer, make a virtual private network (VPN) connection. For more information about how to do so, see Windows 2000 Professional Help.

To enable remote access, users must have dial-in permissions in the domain they will remotely accessing.

For more information about remote access and installing and configuring the remote access server, see Windows 2000 Server Help. For more information about remote access authentication, see "Remote Access Server" in the Microsoft® Windows® 2000 Server Resource Kit Internetworking Guide.

Considerations About Remote Access


Remote access permissions are ineffective if there is no appropriate remote access policy in place for the remote access server.

Windows 2000 supports the following authentication options for remote access:


    Standard Point-to-Point Protocol (PPP) challenge and response authentication methods based on user name and passwords.

    Standard PPP authentication methods offer limited security.

    Custom Extensible Authentication Protocol (EAP) authentication methods.

    EAP modules can be developed or provided by third parties to extend the authentication capabilities of PPP. For example, you can use EAP to provide stronger authentication using token cards, smart cards, biometric hardware, or one-time password systems.

    EAP Transport Layer Security (EAP-TLS) authentication based on digital certificates and smart cards.

    EAP-TLS provides strong authentication. Users' credentials are stored on tamper-proof smart cards. You can issue each user one smart card to use for all logon needs.


It is recommended that your network security plan include strategies for remote access and authentication, including the following information:


    Logon authentication strategies to be used.

    Remote access strategies by using Routing and Remote Access and virtual private networks.

    Certificate Services needed to support user logon authentication by digital certificates.

    Process and strategies to enroll users for logon authentication certificates and remote access.

    Whether to use callback with remote access, to help eliminate impersonation attacks.


Remote Access Policies on Servers


Remote Access requires there be a server configured to accept remote access requests. Such Windows 2000-based servers are governed by security policies that determine their remote access behavior. These policies establish whether a server accepts requests for remote access and, if so, during what hours of what days, what protocols are used, and what types of authentication are required.

For more information about configuring Remote Access Policies on a server, see the Windows 2000 Deployment Planning Guide.

Elements of Secure Remote Access


Because remote access is designed to transparently connect a remote access client to a network and its potentially sensitive data, security of remote access connections is an important consideration. Windows 2000 remote access offers a wide range of security features including secure user authentication, mutual authentication, data encryption, callback, and caller ID.

Data Encryption


Data encryption converts data sent between the remote access client and the remote access server into a form that is unreadable to eavesdroppers. Remote access data encryption only provides data encryption on the communications link between the remote access client and the remote access server. If end-to-end encryption is needed, use IPSec to create an encrypted end-to-end connection after the remote access connection has been made.

NOTE


IPSec can also be used for encrypting a Layer Two Tunneling Protocol (L2TP) virtual private network connection. For more information, see "Virtual Private Networking" in the Windows 2000 Internetworking Guide.

Data encryption on a remote access connection is based on a secret encryption key known to the remote access server and remote access client. This shared secret key is generated during the user authentication process.

Data encryption is possible over dial-up remote access links when using the PPP remote access protocol and the EAP-TLS or MS-CHAP authentication protocols. The remote access server can be configured to require data encryption. If the remote access client cannot perform the required encryption, the connection attempt is rejected.

Windows 2000, Microsoft Windows NT 4.0, Windows 98, and Windows 95 remote access clients and remote access servers support the Microsoft Point-to-Point Encryption Protocol (MPPE). MPPE uses the Rivest-Shamir-Adleman (RSA) RC4 stream cipher and either 40-bit, 56-bit, or 128-bit secret keys. MPPE keys are generated from the MS-CHAP and EAP-TLS user authentication processes.

Callback


With callback, the remote access server calls the remote access client after the user credentials have been verified. Callback can be configured on the server to call the remote access client back at a number specified by the user of the remote access client during the time of the call. This allows a traveling user to dial-in and have the remote access server call them back at their current location, saving phone charges. Callback can also be configured to always call the remote access client back at a specific location, which is the secure form of callback.

Caller ID


Caller ID can be used to verify that the incoming call is coming from a specified phone number. Caller ID is configured as part of the dial-in properties of the user account. If the caller ID number of the incoming connection for that user does not match the configured caller ID, the connection is denied.

Caller ID requires that the caller's phone line, the phone system, the remote access server's phone line, and the Windows 2000 driver for the dial-up equipment all support caller ID. If a caller ID is configured for a user account and the caller ID is not being passed from the caller to the Routing and Remote Access service, then the connection is denied.

Caller ID is a feature designed to provide a higher degree of security for network that support telecommuters. The disadvantage of configuring caller ID is that the user can only dial-in from a single phone line.

Remote Access Account Lockout


The remote access account lockout feature is used to specify how many times a remote access authentication fails against a valid user account before the user is denied remote access. Remote access account lockout is especially important for remote access virtual private network (VPN) connections over the Internet. Malicious users on the Internet can attempt to access an organization intranet by sending credentials (valid user name, guessed password) during the VPN connection authentication process. During a dictionary attack, the malicious user sends hundreds or thousands of credentials by using a list of passwords based on common words or phrases. With remote access account lockout enabled, a dictionary attack is thwarted after a specified number of failed attempts.

The remote access account lockout feature does not distinguish between malicious users who attempt to access your intranet and authentic users who attempt remote access but have forgotten their current passwords. Users who have forgotten their current password typically try the passwords that they remember and, depending on the number of attempts and the MaxDenials setting, might have their accounts locked out.

If you enable the remote access account lockout feature, a malicious user can deliberately force an account to be locked out by attempting multiple authentications with the user account until the account is locked out, thereby preventing the authentic user from being able to log on.

Remote access account lockout variables include the following:


    The number of failed attempts before future attempts are denied.

    After each failed attempt, a failed attempts counter for the user account is incremented. If the user account's failed attempts counter reaches the configured maximum, future attempts to connect are denied.

    A successful authentication resets the failed attempts counter when its value is less than the configured maximum. In other words, the failed attempts counter does not accumulate beyond a successful authentication.

    How often the failed attempts counter is reset.

    You must periodically reset the failed attempts counter to prevent inadvertent lockouts due to normal mistakes by users when typing in their passwords.


The remote access account lockout feature is configured by changing settings in the Windows 2000 registry on the computer that provides the authentication. If the remote access server is configured for Windows authentication, modify the registry on the remote access server computer. If the remote access server is configured for Remote Authentication Dial-In User Service (RADIUS) authentication and Windows 2000 Internet Authentication Service (IAS) is being used, modify the registry on the IAS server computer.

To enable account lockout, you must set the MaxDenials entry in the registry (HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesRemoteAccessParametersAccountLockout) to 1 or greater. MaxDenials is the maximum number of failed attempts before the account is locked out. By default, MaxDenials is set to 0, which means that account lockout is disabled.

To modify the amount of time before the failed attempts counter is reset, you must set the ResetTime (mins) entry in the registry (HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesRemoteAccessParametersAccountLockout) to the required number of minutes. By default, ResetTime (mins) is set to 0xb40, or 2,880 minutes (48 hours).

To manually reset a user account that has been locked out before the failed attempts counter is automatically reset, delete the following registry subkey that corresponds to the user's account name:

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesRemoteAccessParametersAccountLockoutdomain name:user name

NOTE


The remote access account lockout feature is not related to the Account locked out setting on the Account tab on the properties of a user account and the administration of account lockout policies using Windows 2000 group policies.

For information about how to establish secure remote access connections or for more information about VPN connections, see Windows 2000 Professional Help.

Remote Access Tunneling Protocols


Windows 2000 uses the Point-to-Point Tunneling Protocol (PPTP), Layer Two Tunneling Protocol (L2TP), and Internet Protocol security (IPSec) to create VPNs. For more detailed information about VPNs and their protocols, see the Microsoft® Windows® 2000 Server Resource Kit Internetworking Guide.

PPTP

The Point-to-Point Tunneling Protocol (PPTP) encapsulates Point-to-Point Protocol (PPP) frames into IP datagrams for transmission over an IP-based internetwork, such as the Internet or a private intranet. PPTP is documented in RFC 2637.

The PPTP uses a TCP connection known as the PPTP control connection to create, maintain, and terminate the tunnel and a modified version of Generic Routing Encapsulation (GRE) to encapsulate PPP frames as tunneled data. The contents of the encapsulated PPP frames can be encrypted or compressed or both.

PPTP assumes the availability of an IP internetwork between a PPTP client (a VPN client using the PPTP tunneling protocol) and a PPTP server (a VPN server using the PPTP tunneling protocol). The PPTP client might already be attached to an IP internetwork that can reach the PPTP server, or the PPTP client might have to dial into a network access server (NAS) to establish IP connectivity as in the case of dial-up Internet users.

Authentication that occurs during the creation of a PPTP-based VPN connection uses the same authentication mechanisms as PPP connections, such as Extensible Authentication Protocol (EAP), Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP), CHAP, Shiva Password Authentication Protocol (SPAP), and Password Authentication Protocol (PAP). PPTP inherits encryption or compression, or both, of PPP payloads from PPP. For Windows 2000, either EAP-Transport Level Security (EAP-TLS) or MS-CHAP must be used in order for the PPP payloads to be encrypted using Microsoft Point-to-Point Encryption (MPPE).

MPPE provides only link encryption, not end-to-end encryption. End-to-end encryption is data encryption between the client application and the server hosting the resource or service being accessed by the client application. If end-to-end encryption is required, IPSec can be used to encrypt IP traffic from end-to-end after the PPTP tunnel is established.

L2TP

Layer Two Tunneling Protocol (L2TP) is a combination of PPTP and Layer 2 Forwarding (L2F), a technology proposed by Cisco Systems, Inc. Rather than having two incompatible tunneling protocols competing in the marketplace and causing customer confusion, the Internet Engineering Task Force (IETF) mandated that the two technologies be combined into a single tunneling protocol that represents the best features of PPTP and L2F. L2TP is documented in RFC 2661.

L2TP encapsulates PPP frames to be sent over IP, X.25, Frame Relay, or ATM networks. Currently, only L2TP over IP networks is defined. When sent over an IP internetwork, L2TP frames are encapsulated as User Datagram Protocol (UDP) messages. L2TP can be used as a tunneling protocol over the Internet or over private intranets.

L2TP assumes the availability of an IP internetwork between a L2TP client (a VPN client using the L2TP tunneling protocol and IPSec) and a L2TP server (a VPN server using the L2TP tunneling protocol and IPSec). The L2TP client might already be attached to an IP internetwork that can reach the L2TP server, or the L2TP client might have to dial into a NAS to establish IP connectivity as in the case of dial-up Internet users.

Authentication that occurs during the creation of L2TP tunnels must use the same authentication mechanisms as PPP connections such as EAP, MS-CHAP, CHAP, SPAP, and PAP.

For Internet-based L2TP servers, the L2TP server is an L2TP-enabled dial-up server with one interface on the external network, the Internet, and a second interface on the target private network.

/ 335