Routing and Remote Access: Tasks
The RRAS console is used to configure WS2003 as a remote access server, VPN server, or basic NAT/firewall server. Unless otherwise specified, the tasks in this section assume that you have already opened the Routing and Remote Access console by:
Start
In order to install and use the RRAS on a WS2003 computer so it can accept incoming connections from clients, you must first configure and enable the RRAS:
Right-click on server
This starts the RRAS Setup Wizard, which prompts you to choose a role for your remote access server. You can select from five different roles:
Once you've walked through the wizard and configured the RRAS, you can perform further configuration using steps outlined later in this topic. If you decide later that you want to change the role of your RRAS server, you can remove the existing configuration and then run the wizard again. To remove the existing configuration of a remote access server:
Right-click on server
Alternatively, you can reconfigure the settings on your server to assume a new role if you have a deep enough understanding of these settings. It's generally easier to rerun the wizard, however.
Let's look at enabling and configuring the RRAS using the wizard for each of the five roles the RRAS supports.
Select this option to configure your server as a basic remote access server that can accept incoming connections from dial-up clients using a modem and/or VPN clients over the Internet. To configure a dial-up remote access server, do this:
Dial-up
To configure a VPN server, first make sure your server has at least two network interfaces and then do this:
VPN
You can also select both options together to create a hybrid VPN/dial-up remote access server.
Select this option to configure your server as an Internet connection server that connects your private network to the Internet using NAT. You must have a public IP address in order to choose this option. The next steps of the wizard depend on the number of existing network interfaces configured on your machine. If your server has only one interface (for example, the Local Area Connection), then you can use the wizard to create a demand-dial interface to connect to the Internet using either a dial-up modem or dedicated broadband device such as a DSL router. Follow these steps:
Enable security on the selected interface using Internet Connection Firewall (ICF)
The Demand Dial Interface Wizard lets you choose between creating a dial-up VPN or broadband PPPoE (PPP over Ethernet) interface. If you choose VPN, specify the tunneling protocol used (PPTP or L2TP), the IP address of the remote router, and the connection credentials for the remote router. If you choose PPPoE, you specify the connection credentials for your service provider.
If you already have two interfaces on your machine (Local Area Connection and dial-up or broadband Internet connection), then follow these steps:
Select the network connection with a public IP address and connected to the Internet
At this point you can choose between the following two options:
Basic name and address service
The RRAS assigns IP addresses automatically using Automatic Private IP Addressing (APIPA) and forwards DNS queries to your service provider's DNS server.
Set up name and address service later
The RRAS uses Active Directory and DNS/DHCP servers on your network.
The first option is designed mainly for small office/home office (SOHO) use as it assigns IP addresses using APIPA instead of DHCP. Selecting this option does the following:
Configures your server's network adapter with the IP address 192.168.0.1 and subnet mask 255.255.255.0 with no default gateway.
Enables routing on your dial-up port so that computers on your LAN can connect to the Internet through your server. If your Internet connection is not a dedicated connection, such as a leased line, the wizard enables dial-on-demand for the outbound connection on the server.
Adds the NAT routing protocol and binds both the LAN and Internet interfaces on the server to the NAT protocol.
Select this option to configure your server as a VPN server using NAT. Make sure your server has at least two network interfaces and then do this:
Select interface connected to Internet
The VPN server will accept incoming connections from VPN clients using the WAN miniports (virtual ports) on the server.
Select this option to configure your server to connect with another network using your server as a router. If your server already has two network interfaces (a LAN and a WAN interface), choose No and, after running the wizard, ensure your WAN interface has suitable IP address settings (and configure routing protocols if required). If demand-dial routing will be used instead (typically for branch office connections) and you need to set up a new demand-dial interface, choose Yes and then follow these steps:
Select method for assigning IP addresses to clients (either DHCP or from a specified range of addresses)
If you choose VPN, specify the tunneling protocol used (PPTP or L2TP), the IP address of the remote router, and the connection credentials for the remote router. If you choose PPPoE, you specify the connection credentials for your service provider.
Select this option to create a plain vanilla RRAS server with one or more of the following services:
This starts the RRAS service on the server with all components installed. (See Routing and Remote Access: Tools earlier in this chapter to see what the console tree looks like in this case.) You can then manually configure RRAS settings as desired.
The following are some of the more common tasks for configuring RRAS servers.
Right-click on server
Selecting this option enables your server to accept connections from both dial-up and VPN clients.
Right-click on server
You can choose between LAN routing only or LAN and demand-dial routing. LAN routing requires either two network adapters or a network adapter and a dedicated WAN device such as a CSU/DSU. Demand-dial routing requires a network adapter and a dial-up WAN device such as a modem or ISDN terminal adapter.
Right-click on server
You can configure security on a remote access server in a variety of ways. For example, your authentication provider, which determines how remote access clients are authenticated by your server, can be either:
Windows Authentication
Authentication is performed by Active Directory.
RADIUS Authentication
Authentication is performed by a RADIUS server. You can configure a WS2003 system as a RADIUS server by installing the optional Internet Authentication Service (IAS) component of WS2003.
Similarly, your accounting provider (which keeps track of remote access sessions and connection attempts) can be either:
Windows Accounting
Connections are logged in the Remote Access Logs folder.
RADIUS Accounting
Connections are logged by the RADIUS server.
Once you select your authentication and accounting providers, you can also configure which authentication protocols will be supported by your remote access server. Here's how to do this:
Right-click on server
By default, for added security, only MS-CHAP, MS-CHAPv2, and EAP are enabled on an RRAS server. If your clients can use only weaker authentication protocols, you must enable them here.
Remote access servers can grant remote clients access to resources on either the remote access server alone or on any server in the local network. In the second case, the remote access server functions as a network gateway, allowing remote clients to access other servers on the LAN through the remote access server. To enable your server as a network gateway for an IP-based remote access server:
Right-click on server
Right-click on server
You should select addresses whose range forms a standard subnet since there is no option here for specifying the subnet mask. If you specify an address in a subnet that is different from the address of the LAN adapter of the server, you must add static routes to the server's routing table to enable the server to forward packets between the LAN and WAN connections (or you could enable an IP routing protocol on the server instead).
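The two checks just described (does the start/end range form a standard subnet, and does it sit inside the LAN adapter's subnet or need a static route) can be made before typing the range into the console. The script below is an added example written for this page, not code from the book or from Windows; the route it prints (destination, netmask, via the Internal interface) is this example's own way of describing the entry the text says you must add, and the addresses are constructed.

```python
import ipaddress

# Constructed example for planning a static address pool (not RRAS code).

def pool_as_subnet(first, last):
    """Return the one network that exactly covers first..last, or None when
    the range is not a standard subnet. The RRAS dialog takes only a start
    and end address, so this is the check the dialog itself does not make."""
    start, end = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if start > end:
        return None
    nets = list(ipaddress.summarize_address_range(start, end))
    return nets[0] if len(nets) == 1 else None

def check_static_pool(first, last, lan_ip, lan_prefix):
    """Validate a pool against the server's LAN adapter address.

    Returns a dict with ok, subnet, on_lan_subnet and, when the pool lies
    off the LAN subnet, the static route the server's routing table needs.
    Describing that route as destination/netmask via the Internal interface
    is an assumption of this example.
    """
    lan = ipaddress.ip_interface(f"{lan_ip}/{lan_prefix}")
    net = pool_as_subnet(first, last)
    if net is None:
        return {"ok": False, "reason": "range does not form a standard subnet"}
    if lan.ip in net:
        return {"ok": False, "reason": "pool contains the server's own LAN address"}
    on_lan = net.subnet_of(lan.network)
    result = {"ok": True, "subnet": str(net), "on_lan_subnet": on_lan}
    if not on_lan:
        # Off-subnet pool: the server must know how to reach it.
        result["static_route"] = {
            "destination": str(net.network_address),
            "netmask": str(net.netmask),
            "interface": "Internal",
        }
    return result

if __name__ == "__main__":
    # 100..115 is 16 addresses but not aligned, so it is three subnets, not one.
    print(check_static_pool("192.168.0.100", "192.168.0.115", "192.168.0.1", 24))
    # 96..127 is exactly 192.168.0.96/27, inside the LAN subnet: no route needed.
    print(check_static_pool("192.168.0.96", "192.168.0.127", "192.168.0.1", 24))
    # A whole separate /24: valid, but needs a static route on the server.
    print(check_static_pool("10.10.20.0", "10.10.20.255", "192.168.0.1", 24))
```

The first range is the classic mistake: it has 16 addresses but does not start on a 16-address boundary, so no single mask covers it and packets for it cannot be routed as one destination.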
To configure which remote access events will be logged in the System log:
Right-click on server
To configure settings for the IAS log file:
Expand server node
Right-click on server
If you are going to use Multilink (MP or BAP), you also need to specify the phone numbers for your device:
Expand server container
Expand server container
The difference between a port and a device is:
Port
A logical communications channel that supports a single point-to-point connection between two computers. A port can be considered a subdivision of a multiport device.
Device
Either hardware (modem, DSL router, and so on) or software (WAN Miniport) that can be used to create a physical or logical point-to-point connection between two computers.
A WAN Miniport is a software driver that acts as a kind of virtual modem bank for VPN connections. When you enable the RRAS, Windows automatically creates 128 WAN Miniport virtual ports with 64 of PPTP type and 64 of L2TP type. These virtual ports are used to accept incoming connections from VPN clients. You can increase the number of virtual ports up to 1,000 to support more simultaneous connections from VPN clients by:
Expand server container
When a remote VPN client connects to your remote access server to establish a VPN connection with the server, it uses the highest-numbered virtual port available. The client first tries to connect to an L2TP port (which requires the client to have a digital certificate installed that the server can recognize) and, if this fails, it uses PPTP instead.
You can either edit the existing default remote access policy or delete it and create a new one. To create a new remote access policy:
Right-click on Remote Access Policies container
The exact options in the wizard vary with the access method you select. An alternative approach is to set up a custom policy:
Right-click on Remote Access Policies container
When adding conditions to your policy, you can choose from numerous options. Some of the more common conditions you add might be:
Calling Station ID
Specifies the remote client's phone number for callback-verification purposes
Day and Time Restrictions
Indicates which days of the week and times of the day the policy will be applied
Windows-Groups
Specifies which WS2003 domain-based (global or universal) groups the user must belong to in order for the policy to be applied
When deciding whether to grant or deny remote access based on your policy, remember that you can create multiple remote access policies with some granting access and others denying it. Policies are evaluated one at a time in the order in which they are listed until a policy is found that matches (doesn't conflict with) the user account and client connection settings.
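The ordering rule above is easy to get wrong when several policies exist, so here is a small model of the evaluation, added for this page and not code from the book or from Windows. It models three of the conditions listed (Windows-Groups, Calling Station ID, Day and Time Restrictions), the grant/deny permission on each policy, and the user account's dial-in setting that the "Active Directory Users and Computers" step later in this section refers to; policy names, group names and the connection times are constructed.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed model of RRAS remote access policy evaluation (not RRAS code).

@dataclass(frozen=True)
class Connection:
    user: str
    groups: frozenset          # domain groups the user belongs to
    calling_station_id: str    # caller's phone number as reported by the device
    when: datetime             # time the connection attempt arrives

@dataclass(frozen=True)
class Policy:
    name: str
    grant: bool                                  # policy permission: grant or deny
    windows_groups: frozenset = frozenset()      # empty = condition not configured
    calling_station_ids: frozenset = frozenset()
    allowed_days: frozenset = frozenset()        # weekday() values, 0 = Monday
    allowed_hours: tuple = (0, 24)               # [start, end) hour of day

    def matches(self, conn):
        """Every configured condition must hold for the policy to match."""
        if self.windows_groups and not (self.windows_groups & conn.groups):
            return False
        if self.calling_station_ids and conn.calling_station_id not in self.calling_station_ids:
            return False
        if self.allowed_days and conn.when.weekday() not in self.allowed_days:
            return False
        start, end = self.allowed_hours
        return start <= conn.when.hour < end

def evaluate(policies, conn, account_permission="policy"):
    """Walk the policies in their listed order; the first match decides.

    account_permission models the user account's dial-in setting: "allow",
    "deny", or "policy" (Control access through Remote Access Policy). An
    explicit account setting overrides the matching policy's own permission.
    Returns (granted, name of the deciding policy or None).
    """
    for policy in policies:
        if not policy.matches(conn):
            continue
        if account_permission == "allow":
            return True, policy.name
        if account_permission == "deny":
            return False, policy.name
        return policy.grant, policy.name
    return False, None   # no policy matched: the attempt is rejected

WEEKDAYS = frozenset(range(5))

# Constructed sample: the deny policy is listed ahead of the allow policy.
SAMPLE_POLICIES = [
    Policy("Deny contractors", grant=False,
           windows_groups=frozenset({"Contractors"})),
    Policy("Allow staff in business hours", grant=True,
           windows_groups=frozenset({"Staff"}), allowed_days=WEEKDAYS,
           allowed_hours=(8, 18)),
]

def decide(user, groups, when, account_permission="policy"):
    conn = Connection(user, frozenset(groups), "5550100", when)
    return evaluate(SAMPLE_POLICIES, conn, account_permission)

def demo():
    tuesday = datetime(2024, 1, 2, 10, 0)    # a weekday, 10:00
    saturday = datetime(2024, 1, 6, 10, 0)
    return [
        decide("alice", {"Staff"}, tuesday),                 # (True, 'Allow staff in business hours')
        decide("bob", {"Staff", "Contractors"}, tuesday),    # (False, 'Deny contractors'): order wins
        decide("alice", {"Staff"}, saturday),                # (False, None): nothing matched
        decide("bob", {"Contractors"}, tuesday, "allow"),    # (True, 'Deny contractors'): account overrides
    ]

if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The second case is the one to watch when you use Move Up and Move Down: swap the two policies and bob, who is in both groups, is let in by the staff policy before the contractor deny is ever consulted.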
The last step, Edit Profile, is optional and allows you to configure settings on six tabs:
Dial-in Constraints
You can restrict the duration of user sessions if you have limited dial-in ports on your remote access server. It's also good to configure the connection to disconnect automatically if it is idle for more than about five minutes.
IP
You should generally leave the IP Address Assignment Policy set to "Server settings define policy." Configuring packet filters is an extra layer of complexity that should be done carefully; otherwise, connections may be accepted, but users will not be able to access the resources they need on the remote corporate network.
Multilink
Multilink settings can be left at "Default to server settings." If you are short of modems, you can disable Multilink using this profile setting.
Authentication
Try to specify only the most secure authentication protocols that your remote clients can negotiate. Select only Unauthenticated Access for direct computer connections using null-modem cables.
Encryption
The encryption schemes you select here can be negotiated by the server with the client. If your clients are WS2003 computers and use VPN connections, then deselect No Encryption and Basic Encryption, leaving only Advanced selected. This will enable MPPE 56 to be used for data encryption.
Advanced
These settings are typically used when RADIUS is implemented on your network and should not be modified for basic remote access.
Click Finish to create your new remote access policy. To further edit the policy, double-click on it. If you have multiple policies created, right-click on them and select Move Up or Move Down to change the order in which they are matched.
Active Directory Users and Computers
You can choose to control access through a remote access policy only if you have all domain controllers running WS2003, that is, if you are running in native mode. The same is true for assigning a static IP address to a remote access client.
Expand server node
You have two options:
Select Disconnect to immediately disconnect the remote VPN client. No warning message appears on the client's machine.
Select Send Message to send a brief message to the client, for example, to warn the client that you are about to disconnect it. A dialog box will pop up on the client to display this message. You can also select Send To All to send a message to all connected clients, for example, when you are going to take the VPN server offline for maintenance.
If you select the Remote Access Clients container for your server in the console tree, the details pane displays the names of connected clients in the form domain\username, the time since the user connected, and the number of ports in use by the user (which is 1 unless it is a multilink connection). Note that the information in the details pane doesn't refresh automatically by default, so you should do the following:
Right-click on root node
You can display further information about a connected client by:
Right-click on user
This displays the username connected, bytes in and out and other network-traffic information, and the IP address given to the client. (If you have created a static IP pool on the server, then IP addresses are assigned to clients in round-robin order starting with the lowest available address, and a client that disconnects and then reconnects is assigned the next higher address above its previously assigned one.)
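The round-robin behaviour of a static pool described in the parenthesis above is worth seeing step by step, because it explains why a reconnecting user shows up with a different address in the details pane. The allocator below is an added model written for this page, not RRAS code; the pool range and client names are constructed.

```python
import ipaddress

# Constructed model of the round-robin assignment described above (not RRAS code).

class StaticPool:
    def __init__(self, first, last):
        start, end = ipaddress.ip_address(first), ipaddress.ip_address(last)
        self.addresses = [str(ipaddress.ip_address(n))
                          for n in range(int(start), int(end) + 1)]
        self.in_use = {}   # address -> client name
        self.cursor = 0    # index of the next address to try

    def allocate(self, client):
        """Hand out the first free address at or after the cursor, wrapping
        round the pool; the cursor then moves past it, so a client that
        reconnects gets the next higher address rather than its old one."""
        size = len(self.addresses)
        for step in range(size):
            index = (self.cursor + step) % size
            addr = self.addresses[index]
            if addr not in self.in_use:
                self.in_use[addr] = client
                self.cursor = (index + 1) % size
                return addr
        return None   # every address is in use: the connection cannot be accepted

    def release(self, client):
        """Free the address held by client (a disconnect); returns it or None."""
        for addr, who in list(self.in_use.items()):
            if who == client:
                del self.in_use[addr]
                return addr
        return None

def demo():
    pool = StaticPool("192.168.0.100", "192.168.0.103")   # four addresses
    events = []
    events.append(pool.allocate("alice"))   # 192.168.0.100, lowest available
    events.append(pool.allocate("bob"))     # 192.168.0.101
    pool.release("alice")                   # alice disconnects; .100 is free again
    events.append(pool.allocate("alice"))   # 192.168.0.102, the next higher, not .100
    events.append(pool.allocate("carol"))   # 192.168.0.103
    events.append(pool.allocate("dave"))    # 192.168.0.100, wrapped round to the freed address
    events.append(pool.allocate("erin"))    # None: pool exhausted
    return events

if __name__ == "__main__":
    print(demo())
```

Sizing follows directly: a pool only needs to be as large as the number of simultaneous connections, since freed addresses are reused once the cursor wraps, but a pool that is too small turns the last client's attempt into a failed connection rather than a wait.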
You can manage additional RRAS servers by:
Right-click on Server Status
Select the Server Status node in the console tree to view the state of each server and the number of ports in use in the contents pane. Make sure the Details view is selected from the menu.