WINDOWS 2000 PROFESSIONAL RESOURCE KIT [Electronic resources]

Chris Aschauer


Overview of Local and Remote Network Connections

Network and Dial-up Connections combines functionality found in Windows 98 and Windows NT 4.0 Dial-up Networking, with features that were formerly configured in the Network Control Panel, such as network protocol and service configuration. Each connection in the Network and Dial-up Connections folder contains a set of features that creates a link between your computer and another computer or network. System-wide configuration settings that were formerly configured in the Network Control Panel, such as network protocol configuration, are now established per-connection and are accessed by right-clicking a connection in the folder, and then selecting Properties. All of the connection's settings are configured in its properties. As a result, there is no longer a need for the Network Control Panel.

What Is a Connection?

All of the connections that appear in the Network and Dial-up Connections folder contain a set of features that you can use to create a link between your computer, and another computer or network. These features are used to establish end-to-end connectivity, and, for those connections configured for remote access, to define authentication negotiation and data encryption rules. For example, a dial-up connection might be configured with the following settings:

    A standard modem, capable of 56 kilobits per second (Kbps), for dialing.

    A phone number to dial.

    Any encrypted authentication protocol. Your computer will negotiate with the server to decide whether to use Challenge-Handshake Authentication Protocol (CHAP), Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP), or Microsoft Challenge-Handshake Authentication Protocol version 2 (MS-CHAP v2).

    Data encryption required.

    TCP/IP protocol enabled, with the address obtained automatically.

When you double-click this connection, it dials the number by using the specified modem. The connection only allows the session to continue if the remote access server uses one of the specified encrypted authentication methods, and if the remote access server agrees to encrypt data. When connected, the remote access server assigns the connection a unique IP address. This ensures a unique and non-conflicting address for the connection, so that remote network resources, such as file shares, can be accessed. A dial-up connection's properties provide all of the parameters required to dial the connection, negotiate password and data handling rules, and provide remote network connectivity.
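As an added example (not code from the Resource Kit), the following Python models the two checks the dial-up connection above enforces: the negotiation that only continues when the server offers one of the configured encrypted authentication protocols and agrees to encrypt data, followed by a CHAP round-trip (RFC 1994) showing why the password itself never crosses the link. Protocol names, the preference order, and the shared secrets are assumptions made for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Encrypted authentication protocols named in the connection settings above,
# in the order this example prefers them (assumed order, not from the page).
ENCRYPTED_AUTH = ("MS-CHAP v2", "MS-CHAP", "CHAP")


@dataclass(frozen=True)
class ConnectionPolicy:
    allowed_auth: frozenset        # protocols the connection is configured to accept
    require_encryption: bool       # the "Data encryption required" setting


def negotiate(policy, server_auth, server_encrypts):
    """Return the authentication protocol to use, or None to drop the session.

    The session continues only if the server offers one of the configured
    encrypted methods AND (when required) agrees to encrypt data.
    """
    for proto in ENCRYPTED_AUTH:
        if proto in policy.allowed_auth and proto in server_auth:
            chosen = proto
            break
    else:
        return None            # server only offers e.g. PAP: refuse to continue
    if policy.require_encryption and not server_encrypts:
        return None            # server will not encrypt data: refuse to continue
    return chosen


def chap_response(ident, secret, challenge):
    """RFC 1994 CHAP response: MD5(Identifier || Secret || Challenge).

    Only the challenge and this digest travel over the link; the secret does not.
    """
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def chap_verify(ident, secret, challenge, response):
    """Server-side check of the client's response, using a constant-time compare."""
    expected = chap_response(ident, secret, challenge)
    return hmac.compare_digest(expected, response)


def dial_session(policy, server_auth, server_encrypts, client_secret, server_secret):
    """Drive negotiation, then one CHAP exchange. Returns (protocol, authenticated)."""
    proto = negotiate(policy, server_auth, server_encrypts)
    if proto is None:
        return None, False
    ident = 1
    challenge = os.urandom(16)                             # server -> client
    response = chap_response(ident, client_secret, challenge)  # client -> server
    return proto, chap_verify(ident, server_secret, challenge, response)


if __name__ == "__main__":
    policy = ConnectionPolicy(frozenset(ENCRYPTED_AUTH), require_encryption=True)
    print(dial_session(policy, {"PAP", "CHAP"}, True, b"s3cret", b"s3cret"))  # ('CHAP', True)
    print(dial_session(policy, {"PAP"}, True, b"s3cret", b"s3cret"))          # (None, False)
```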

You can modify a local area connection at any time, but you cannot create one. A local area connection is created for each network adapter detected by the Plug and Play service.

Connection Types

Five types of connections can be created in the Network and Dial-up Connections folder. A permanent local area connection is automatically created for each network adapter that Plug and Play detects. You can also create dynamic connections, including dial-up, VPN connections, direct connections, and incoming connections. Except for local area connections, these other types of connections are created by double-clicking Make New Connection in the Network and Dial-up Connections folder. If you upgraded from Windows NT 4.0 or Windows 98, each Dial-up Networking phonebook entry is automatically converted into the appropriate connection type in the Network and Dial-up Connections folder.

Local area connections are created automatically. The network adapter is detected, the connection is created and placed in the Network and Dial-up Connections folder, and so on. By default, clients, protocols, and services are installed with a local area connection.

NOTE

Certain conditions, such as a malfunctioning network adapter card, can keep your connection from appearing in the Network and Dial-up Connections folder.

Table 21.1 provides an example of each type of connection, and the possible communication methods you can use to establish connectivity.

Table 21.1 Connection Types

| Connection type | Communication method | Example |
|---|---|---|
| Dial-up connections | Modem, Integrated Services Digital Network (ISDN), X.25 | Connect to a corporate network or the Internet by using dial-up access. |
| Local area connections | Ethernet, Token Ring, cable modem, digital subscriber line (DSL), Fiber Distributed Data Interface (FDDI), IP over Asynchronous Transfer Mode (ATM), IrDA, wireless, wide area network (WAN) technologies (T1, Frame Relay) | Typical corporate user. |
| Virtual private network (VPN) connections | VPNs, over Point-to-Point Tunneling Protocol (PPTP) or Layer Two Tunneling Protocol (L2TP), to corporate networks or the Internet | Connect securely to a corporate network over an existing connection to the Internet. |
| Direct connections | Serial cabling, infrared link, DirectParallel cable | Synchronize information between a handheld Windows CE computer and a desktop computer. |
| Incoming connections | Dial-up, VPN, or direct connections | Allow other computers to dial into this computer. |

Deploying Managed Connections Using Connection Manager and the Connection Manager Administration Kit

Windows 2000 Server includes a set of tools that enables a network manager to deliver preconfigured connections to network users. These tools are the Connection Manager Administration Kit (CMAK) and Connection Point Services (CPS). A related feature, the Connection Manager dialer, is included in Windows 2000 Professional.

Connection Manager

Connection Manager is a client dialer with several advanced features over basic dial-up networking. A network manager can tailor the appearance and behavior of connections made with Connection Manager by using CMAK. By using CMAK, an administrator can develop client dialer and connection software that allows users to connect to the network by using only the connection features that the administrator defines for them. In addition, CMAK allows the administrator to create a phone book that is available to each user when the user runs Connection Manager. This phone book support allows the administrator to define local and remote connections to the network by using a network of dial-up access points, such as those available through Internet service providers worldwide. If the administrator requires secure connections over the Internet, users can also use Connection Manager to establish virtual private network (VPN) connections.

CMAK

Connection Manager is brandable, meaning that you can customize the installation package that you deliver to your customers, so that Connection Manager reflects the identity of your organization; you determine which functions and features you want to include and how Connection Manager appears to your customers. You can do this by using the Connection Manager Administration Kit (CMAK) wizard to build custom service profiles.

A service profile consists of all of the files required by Connection Manager to run the installation file, which then enables users to establish connections with your service. You can maximize or minimize the identification of your service or organization, depending on what you decide to include in a service profile. For example, you can include custom corporate logos or other graphics, custom icons, and your own online Help. You can also add autoapplications, specify actions to run before, during, and after a connection, and customize other features available in Connection Manager.

CPS

With Connection Point Services (CPS), you can automatically distribute and update custom phonebooks to your users. These phonebooks contain one or more Point of Presence (POP) entries, with each POP entry supplying a telephone number that provides dial-up access to an Internet access point. The phonebooks provide users with complete POP information, so they can connect to different Internet access points rather than being restricted to a single POP during travel.

Without the ability to update phonebooks (a task CPS handles automatically), users typically must contact technical support to be informed of changes in POP information, and to reconfigure their client dialer software.

Remote Security

To secure dial-up, VPN, and direct connections, various levels of password authentication and data encryption can be enforced. In addition, callback options can increase dial-up security. Advanced settings, such as Autodial and callback preferences, network identification, and binding order, are configured from the Advanced menu in the Network and Dial-up Connections folder. Optional networking components, such as SNMP Services, can also be installed from the Advanced menu.

Management

As an administrator, you can apply local Group Policy settings to your Network and Dial-up Connections users. These settings affect to what extent your users can or cannot manipulate their connections. Additionally, tools such as Connection Manager can be used to deploy customized versions of dial-up connections for your users.

Diagnostic tools such as Point-to-Point Protocol (PPP) logging, modem diagnostics, and the Netdiag tool can be used to troubleshoot connections. For more information about troubleshooting, see "Troubleshooting Tools" later in this chapter.

What's New

In addition to the improvements upon the features and functionality available in Windows NT 4.0 and Windows 98 Dial-up Networking, new networking component functionality in Network and Dial-up Connections automatically installs and configures networking components and devices, such as network adapters, modems, and protocols.

New features introduced with Network and Dial-up Connections enable the following tasks:

    Sharing a single Internet connection among the computers on your branch office network.

    Using the L2TP protocol in conjunction with IPSec to establish and use secure Windows 2000 virtual private network (VPN) connections.

    Enabling your computer to function as a dial-in server by creating an Incoming connection.

    Using dynamic multilink connections to dial multiple devices as you need them.

New Ways to Do Familiar Tasks

Network and Dial-up Connections unifies local and remote networking into a single folder. Whether you are configuring connectivity to a corporate local area network (LAN), a dial-up Internet service provider (ISP), or granting rights so that others can connect to your computer, these tasks are completed by creating or modifying individual connections. For example, your corporate LAN connection and your dial-up ISP connection are defined with different TCP/IP addresses. In previous versions of Windows operating systems, these functions required modifying settings in Dial-up Networking and the Network Control Panel. In Network and Dial-up Connections, the TCP/IP addresses are assigned to each connection.

Table 21.2 compares how and where specific tasks are accomplished between Windows NT 4.0, Windows 98, and Windows 2000.

Table 21.2 New Ways to Do Familiar Tasks

| Task | Windows 2000 Network and Dial-up Connections | Windows NT 4.0 | Windows 98 |
|---|---|---|---|
| Configure connectivity to a corporate local area network. | Local area connection | Network Control Panel | Network Control Panel |
| Allow others to connect to my computer by modem, VPN, or direct cabling. | Incoming connections | Feature not available | Install Dial-up Server in Dial-up Networking |
| Configure TCP/IP. | Connection properties, Networking tab | Network Control Panel, Protocols tab | Network Control Panel |
| Add a client, service, or protocol. | Connection properties, Networking tab | Network Control Panel | Network Control Panel |
| Add optional networking components, for example, Simple Network Management Protocol (SNMP) service or the TCP/IP Print Server. | Advanced menu, Optional Networking Components | Network Control Panel, Services tab | Feature not available |
| Monitor connections. | Right-click active connection, click Status. | Dial-up Monitor | Right-click active connection, click Status. |
| Enable sharing of my files. | Connection properties, Networking tab, enable File and Print Sharing for Microsoft Networks | Server Service in Network Control Panel | Network Control Panel, File and Print Sharing |
| Configure bindings. | Advanced menu in Network and Dial-up Connections | Network Control Panel, Bindings tab | Network Control Panel, TCP/IP properties |
| Change computer name or domain. | Advanced menu, Network Identification | Network Control Panel | Network Control Panel |
| Configure an adapter. | Connection properties, General tab | Network Control Panel | Network Control Panel |
| Configure bindings. | Advanced menu, Advanced Settings | Network Control Panel, Bindings tab | Network Control Panel |

New Networking Support

Windows 2000 has automated the configuration of many networking components and devices, with functionality unified into a single folder. Modems and COM ports are automatically detected and configured. In addition, TCP/IP includes enhancements that make it a better transport protocol for networking in high-bandwidth LAN and WAN environments.

Autoconfiguration of Networking Components and Devices

The Network and Dial-up Connections folder is installed by default, so the feature is immediately available for your users. In Windows NT 4.0, the Remote Access Service (RAS) must be installed before remote connectivity can be established. In Windows 98, the Dial-up Server must be installed separately to enable incoming connectivity. Where devices previously might have been manually installed and configured, the Plug and Play service now automatically detects and enumerates devices, such as modems and COM ports.

TIP

In Windows NT 4.0, some modems had to be set to legacy mode to work. For the same modem to automatically be detected by Windows 2000, set the modem to Plug and Play mode.

Table 21.3 demonstrates how networking support in Windows 2000 Professional has improved upon Windows NT 4.0 and Windows 98.

Table 21.3 Comparing Networking Support

| Windows 2000 Professional | Windows NT 4.0 | Windows 98 |
|---|---|---|
| Network and Dial-up Connections installed by default. | Must install Remote Access Service (RAS). | Dial-up Networking installed by default, but must install Dial-up Server to create incoming connectivity. |
| Modem detected and configured by Plug and Play. | Must install modem in Modems in Control Panel. | Modem detected and configured by Plug and Play. |
| COM port detected and enumerated by Plug and Play. | Must configure COM port. | COM port detected and enumerated by Plug and Play. |
| Protocol change does not require restart. | Restart when RAS is installed or protocol changes. | Protocol change requires restart. |
| VPN connections can be configured to automatically dial a connection to the ISP before establishing the VPN connection. | VPN connections may require activating two connections. | VPN connections may require activating two connections. |

Unified Networking Configuration

The functionality of the Network Control Panel and Dial-up Networking has been combined into the single Network and Dial-up Connections folder.

Because all services and communication methods are configured within each connection, you do not need to use external components to configure connection settings. For example, the settings for a dial-up connection include features to be used before, during, and after connecting. These include the modem used to dial, the type of password encryption to be used upon connecting, and the network protocols to use on the remote network after you connect. Connection status, which includes the duration and speed of a connection, is viewed from the connection itself; you do not need to use an external status tool. For more information about configuring a connection, see "Creating, Configuring, and Monitoring Connections" later in this chapter.

In addition, you do not have to restart your computer, as you did when you installed RAS in Windows NT 4.0 or added or changed a protocol.

TCP/IP Improvements

Windows 2000 Professional's TCP/IP is the default protocol installed by Setup. It includes several performance enhancements, new features, and services that make it a better transport protocol for networking in high-bandwidth LAN and WAN environments and make Windows 2000 Professional Internet-ready. Some of these features are self-adjusting, such as TCP window size, and others require configuration, such as Quality of Service (QoS).

Internet Connection Sharing

Using the Internet Connection Sharing (ICS) feature, all of the clients on your branch office network can use the same connection to access the Internet. For more information, see "Internet Connection Sharing" and "Internet Connection Sharing Scenario: Connecting Your Branch Office's Intranet to the Internet" later in this chapter.

L2TP

Windows NT 4.0 and Windows 98 enabled you to use the Point-to-Point Tunneling Protocol to access a private network through the Internet or other public network by using a VPN connection. Windows 2000 also enables you to use the Layer Two Tunneling Protocol (L2TP) for the same purpose. L2TP is an industry-standard Internet tunneling protocol with roughly the same functionality as PPTP. The Windows 2000 implementation of L2TP is designed to run natively over IP networks. The Microsoft implementation of L2TP does not support native tunneling over X.25, Frame Relay, or ATM networks.

Based on the Layer Two Forwarding (L2F) and PPTP specifications, L2TP can be used to set up tunnels through intervening networks. Like PPTP, L2TP encapsulates Point-to-Point Protocol (PPP) frames, which in turn encapsulate IP, AppleTalk, Internetwork Packet Exchange (IPX), or NetBIOS Extended User Interface (NetBEUI) protocols, thereby allowing users to remotely run applications that are dependent upon specific network protocols. Figure 21.1 shows an L2TP tunnel through an intervening network.

Figure 21.1 L2TP Tunneling

With L2TP, the computer running Windows 2000 Server that you are logging on to performs all security checks and validations. Data encryption is enabled using IPSec, a strong encryption mechanism, which makes it much safer to send information over non-secure networks. For more information about IPSec, see "IPSec" later in the chapter.

NOTE

VPNs use encryption depending on the type of server to which they are connecting. If the VPN connection is configured to connect to a PPTP server, then Microsoft Point-to-Point Encryption (MPPE) is used. If the VPN is configured to connect to an L2TP server, then IPSec encryption methods are used. If the VPN is configured for an Automatic server type, which is the default selection, L2TP and its associated IPSec encryption, are attempted first, then PPTP and its associated MPPE encryption are attempted.

For more information about VPNs, see Windows 2000 Help.

IPSec

Internet Protocol security (IPSec) provides machine-level authentication, as well as data encryption, for VPN connections that use L2TP. IPSec negotiates a secure channel of communication between your computer and its remote tunnel server before an L2TP connection is established, which secures both the user authentication phase—including user name and passwords—and the data phase. For more information about IPSec, see "Data Encryption" later in this chapter.

Dynamic Multiple Device Dialing

Network and Dial-up Connections can dynamically control the use of multilinked lines. The Network and Dial-up Connections feature uses PPP Multilink dialing over multiple ISDN, X.25, or modem lines and the use of Bandwidth Allocation Protocol (BAP). Multilink combines multiple physical links into a logical bundle and the resulting aggregate link increases your connection bandwidth. To dial multiple devices, both your connection and your remote access server must have Multilink enabled. BAP enables the dynamic use of multiple-device dialing by allocating lines only as they are required, thereby limiting communications costs to the bandwidth requirements. You can realize a significant efficiency advantage by doing this. The conditions under which extra lines are dialed, and underused lines are disconnected, are configured through the Options property page of a dial-up connection. For more information, see Windows 2000 Help.
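As an added example (not code from the Resource Kit), the following Python simulates the BAP-style behaviour described above: a bundle that dials an extra line only after aggregate activity stays above a threshold for a hold period and hangs up an underused line after a quiet period, so that line-minutes track demand. The line speed, thresholds, and hold times are assumptions chosen for the example, not values from the page.

```python
# Constructed simulation of dynamic multilink (BAP-style) line allocation.
LINE_KBPS = 56.0          # capacity of one modem line (assumed)


def plan_lines(demand_kbps, max_lines, dial_pct=75, dial_hold=2,
               hangup_pct=10, hangup_hold=2):
    """Return the number of bundled lines in use after each demand sample.

    demand_kbps: offered traffic per sample interval (constructed input).
    A line is added once activity (demand as a percentage of the bundle's
    capacity) has stayed at or above dial_pct for dial_hold consecutive
    samples; a line is dropped once activity has stayed below hangup_pct
    for hangup_hold samples. The hold periods give hysteresis so a single
    burst or lull does not flap the bundle. Thresholds are assumed values.
    """
    lines = 1                 # the bundle always starts with one line up
    high = low = 0            # consecutive samples above / below threshold
    history = []
    for demand in demand_kbps:
        capacity = lines * LINE_KBPS
        activity = min(100.0, 100.0 * demand / capacity)
        if activity >= dial_pct:
            high, low = high + 1, 0
        elif activity < hangup_pct:
            low, high = low + 1, 0
        else:
            high = low = 0
        if high >= dial_hold and lines < max_lines:
            lines += 1        # BAP: allocate another line only now that it is needed
            high = 0
        elif low >= hangup_hold and lines > 1:
            lines -= 1        # release an underused line to limit line charges
            low = 0
        history.append(lines)
    return history


def line_minutes(history):
    """Billable line-intervals used, for comparison with an always-on bundle."""
    return sum(history)


if __name__ == "__main__":
    demand = [50, 50, 50, 50, 5, 5, 5, 5]
    used = plan_lines(demand, max_lines=2)
    print(used)                                  # [1, 2, 2, 2, 2, 1, 1, 1]
    print(line_minutes(used), "vs", 2 * len(demand), "if both lines stayed up")
```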

Incoming Connections

By creating an incoming connection, a computer running Windows 2000 Professional can act as a remote access server. You can configure an incoming connection to accept the following connection types: dial-up (modem, ISDN, X.25), virtual private network (VPN) (PPTP, L2TP), or direct (serial, infrared). On a computer running Windows 2000 Professional, an incoming connection can accept up to three incoming calls, up to one of each of these types. This can be an effective, low-cost option in a small environment, such as a remote sales office to which the corporate network occasionally needs to dial in to upload sales data.