
Contents

- How to Use Remote Assistance
- How to Use SCP
- Using Connection Manager
- Securing Remote Access and VPN Service
- Routing and Remote Access Service
- Remote Server Management
- Remote Administration
- Remote Access Security
- Planning a Remote Access Strategy
- Implementing Remote Access Security
- Configuring Remote Access Servers
- Configuring Remote Access Clients

Start Here: How to Use Remote Assistance


What Is Remote Assistance
Remote Assistance is a program in Windows that allows a user to connect to another user's computer and communicate with that user, share files, and take control of the user's computer if given permission. Remote Assistance is most widely used by computer technicians because it allows them to access a customer's computer and fix problems without having to actually visit the customer in person. This is exceptionally good for computer repair stores that take customers abroad as it can potentially save the customer the hassle of shipping the computer to the technician or the technician having to travel to the customer. While Remote Assistance does not allow users to fix all problems remotely, users are able to fix virtually all software-related issues and show customers and friends how to perform certain tasks whether they are in the same city or halfway around the world.

Using Remote Assistance


Remote Assistance is straightforward software and is easy to use. Users start by downloading, installing, and running Windows Messenger or Windows Live Messenger. In Windows Live Messenger, Remote Assistance is found under the "Activities" tab at the top of the window during a conversation with another user. Remote Assistance opens in its own user interface and lets users keep IM and voice communications open while using the application. It offers several options that range from viewing the other user's screen to actually controlling it. While the controlling user can control the receiving user's mouse, files, settings, and programs within the Remote Assistance window, everything outside of the window belongs exclusively to the controlling user and cannot be controlled or seen by the receiving user. Users should be careful about who they allow to control their computer, as it can be difficult to forcefully end a Remote Assistance session; the only certain method is to unplug the receiving computer so that the Remote Assistance connection is broken immediately.

Virus Protection
A common use of Remote Assistance is virus protection. Virus protection through Remote Assistance works in the same way that normal virus protection works, but instead of applying it directly to the host computer, the controlling user downloads an antivirus program through the receiving user's browser and installs it on the receiving user's computer. The program can then be used and manipulated in any way that it could otherwise be used, but it is controlled remotely by the controlling user. Control can then be returned to the receiving user once he or she has been shown how to operate the software. Common antivirus programs include Spyware Terminator, Malwarebytes' Anti-Malware, and Spybot Search and Destroy. For those users who wish to enjoy the benefits of Remote Assistance without using this specific software, the following programs are available.

TeamViewer
TeamViewer is a free program that allows users to share pictures and other media files, control remote computers and servers, and host presentations and meetings by sharing access to a host computer. TeamViewer can bypass firewalls and ships as a small application that can be used by either user to share access to his or her computer or to control another user's computer. TeamViewer is available at http://www.teamviewer.com/index.aspx.

ShowMyPC
ShowMyPC is a free, open source, community-based VNC application that uses the SSH protocol to provide data encryption and reliability. ShowMyPC allows remote users to access a computer with a temporary password that is provided to the receiving user. This password is then given to the remote user in order to create a secure connection between the two computers and allow the remote user to access the recipient's computer. ShowMyPC is available at http://www.showmypc.com/.

How to Use SCP


What Is SCP
SCP, or Secure Copy, is a protocol made for sharing files in a secure manner. SCP is similar to FTP, but is designed more for security and authentication than for easy access. The SCP protocol runs on port 22 and uses both BSD RCP and SSH to protect the files that are being transferred. Some users argue that SCP is just a combination of the two aforementioned protocols and does not constitute a protocol in and of itself. While SCP is widely used, it is now being replaced by the SFTP protocol, which is basically FTP routed through the SSH protocol for encryption.

How Does SCP Work


SCP works in a similar way to FTP. In SCP, the client gathers the information the user has selected, forwards it through the SSH protocol, and then transfers the files to a server. Likewise, the client can download files by requesting them from the server; the server then gathers the requested files and transfers them to the client. While uploads are based on the SCP protocol, downloads are completely server-driven, which means the user could potentially download malicious files or unencrypted information. Because of this, users should be careful about what they transfer.

SCP vs. FTP
SCP has several advantages and disadvantages when compared to FTP. For example, SCP is a non-interactive command-line tool, while FTP is a highly interactive user interface. SCP encrypts files and verifies user authentication, while FTP has no security features whatsoever and freely transmits the user's username, password, and server address over an unsecured protocol. SCP is often used to transfer batch files in scripts, while FTP is mostly used by novice users who simply wish to upload and download files to and from their own server. While SCP and FTP each have their own benefits, a separate protocol known as FTPS provides the benefits of both: it is easy to use and also encrypts files while they are being transferred between the host computer and the server.

The SCP Program


While SCP generally refers to the protocol used by an SCP client, "SCP program" refers to the actual command-line tool that offers this service. The SCP program can be used on both the client side and the server side for transferring files in either direction. The SCP program is a simple tool and does not provide a graphical user interface. Because of this, the SCP program is recommended only for advanced users. Novice users can still take advantage of the SCP protocol in a much friendlier environment, however, by using the WinSCP software.
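The page makes three points about the SCP program that translate directly into script hygiene: it runs over SSH on port 22, downloads are driven entirely by the server, and it is a command-line tool used in batch scripts. The following Python example is added here and is not code from the page, from OpenSSH, or from any product named on the page. It refuses to build a copy command for a server whose host key is not already pinned in a known_hosts file, and it checks a downloaded file against a SHA-256 digest obtained through a separate channel. The host names, paths, known_hosts lines and key data are constructed placeholders; the scp options used (-P, StrictHostKeyChecking, UserKnownHostsFile, BatchMode) are standard OpenSSH options.

```python
"""Hardened SCP download: pinned server identity plus out-of-band integrity
check. Added example for this page, not code from the page or from OpenSSH;
host names, paths and the key data below are constructed placeholders."""
import hashlib

SSH_PORT = 22  # the page notes that SCP runs over SSH on port 22

# Constructed sample known_hosts content; the key material is a placeholder,
# not a real public key. The second entry is pinned for a non-default port.
SAMPLE_KNOWN_HOSTS = """\
# constructed sample
files.example.internal,198.51.100.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYDATA
[other.example.internal]:2222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYDATA
"""


def host_is_pinned(known_hosts_text, host, port=SSH_PORT):
    """True if a plain known_hosts line names host (or [host]:port for non-22 ports).

    Hashed lines (|1|...) and marker lines (@cert-authority, @revoked) are
    skipped: matching those needs ssh-keygen -F, not a text scan.
    """
    wanted = host if port == SSH_PORT else f"[{host}]:{port}"
    for line in known_hosts_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "|1|", "@")):
            continue
        if wanted in line.split()[0].split(","):
            return True
    return False


def build_scp_command(user, host, remote_path, local_path,
                      known_hosts_file="/etc/ssh/ssh_known_hosts", port=SSH_PORT):
    """Argument vector for a download that refuses unknown or changed host keys.

    StrictHostKeyChecking=yes makes scp fail instead of prompting when the
    server key is missing from or differs from known_hosts, and BatchMode=yes
    stops it from falling back to an interactive password prompt in scripts.
    """
    return [
        "scp",
        "-P", str(port),
        "-o", "StrictHostKeyChecking=yes",
        "-o", f"UserKnownHostsFile={known_hosts_file}",
        "-o", "BatchMode=yes",
        f"{user}@{host}:{remote_path}",
        str(local_path),
    ]


def plan_download(user, host, remote_path, local_path, known_hosts_text,
                  known_hosts_file="/etc/ssh/ssh_known_hosts", port=SSH_PORT):
    """Build the command only when the server is already pinned.

    Raises ValueError otherwise, so first contact with a server is an explicit
    decision (verify the fingerprint, then add the line) rather than an
    accident inside a batch job.
    """
    if not host_is_pinned(known_hosts_text, host, port):
        raise ValueError(f"{host}:{port} is not pinned in known_hosts; refusing")
    return build_scp_command(user, host, remote_path, local_path, known_hosts_file, port)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(local_path, expected_sha256):
    """True only if the file on disk matches a digest obtained out of band.

    A download is served entirely by the remote side, so the client cannot
    know it received the bytes it expected unless it compares them against a
    digest published through a separate trusted channel.
    """
    return sha256_of_file(local_path) == expected_sha256.strip().lower()


if __name__ == "__main__":
    import shlex
    cmd = plan_download("backup", "files.example.internal", "/srv/export/report.tgz",
                        "./report.tgz", SAMPLE_KNOWN_HOSTS)
    print(shlex.join(cmd))
```

Running the block only prints the scp command it would execute; it does not connect anywhere. In a real script the known_hosts text would be read from the same file passed as UserKnownHostsFile, and the expected digest would come from a signed manifest or a ticket, never from the same server that serves the file.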

WinSCP
WinSCP is a free, open source graphical user interface for the FTPS, FTP, and SCP protocols. As WinSCP was specifically designed for the Windows operating system, it integrates with Windows so that the user can simply drag and drop files into the user interface. Once the user does this, the files are uploaded to the server of the user's choice over a secure connection that provides encryption and data authentication. WinSCP is available in multiple languages and can be found at http://winscp.net/eng/docs/introduction.

Using Connection Manager


Connection Manager Overview
If you want to configure clients to connect to a RRAS server, you can use Connection Manager to do this. Using the network connection properties to configure clients to connect to a RRAS server works well in situations where you need to configure a small number of clients and the default security settings are being used. Connection Manager is a Windows application and client dialer included in Windows 2000, Windows XP Professional, and Windows Server 2003 that you can use to allow a client to establish virtual private network (VPN) connections and dial-up connections to a RRAS server. The advanced features of Connection Manager enable you to pass preconfigured connections to network users. These advanced features are provided by the Connection Manager Administration Kit (CMAK) and Connection Point Services (CPS). Both local connections and remote connections to the service provider through a network of access points are supported by Connection Manager. As mentioned, for secure connections over the Internet, VPN connections can be established using Connection Manager.

With the Connection Manager Administration Kit (CMAK), you can perform the following functions:

- Configure a large number of clients by creating an executable file which can be deployed to your users by means of a distribution package.
- Manage dial-up and VPN Connection Manager service profiles.
- Customize Connection Manager to suit the requirements of your organization.
- Configure system policies for connections.
- Configure restrictions for connections.
- Configure executable files that run automatically when a user attempts to establish a connection.
- Import existing connection settings so that they can be modified, and then distribute these modifications.

When users run the distribution package, or executable file, a dial-up connection or VPN connection using the required authentication methods and security settings is established. It is even possible to automatically distribute the executable file by using a Group Policy object. Any modifications to security settings can be made at a later stage by running the Connection Manager Administration Kit (CMAK) once more, and then simply distributing the executable file for users to run. The main advantages and features of Connection Manager are listed here:

- Users can run more than one Connection Manager service profile at the same time.
- Connection Manager can also be used when users share computers. A user does not need to provide user credentials for each connection.
- You can customize the following components within Connection Manager so that it reflects the identity of the organization:
  o Icons and graphics
  o Help
  o Phone book information
  o Messages
- The Connection Manager Administration Kit (CMAK) Wizard can be used to automatically create a service profile so that users can run Connection Manager to establish VPN and dial-up connections. The service profile takes the form of an executable file which can be distributed using either of the following methods:
  o Download to the client.
  o Distributed via compact disc.
- You can include custom functionality or programs that execute during the connection process. For instance, you can run a program when the user logs on and when the user logs off.
- You can configure monitored applications to automatically disconnect once the application is closed.
- Connection logging, terminal window support and enhanced ISDN support are a few additional features of Connection Manager.
- Access points can be used to save commonly used connection settings.
- Connection Manager includes help for Access Points and Dialing Rules.

Planning for Creating New Connection Manager Service Profiles


The Connection Manager Administration Kit (CMAK) Wizard consists of a number of steps or pages that need to be completed to create a new Connection Manager service profile. You therefore need to plan upfront which items are going to be specified when you run the CMAK Wizard. The online CMAK Guide specifies six phases for creating a new Connection Manager service profile. This process is detailed here:

- Planning phase: Typical issues that should be determined in the planning phase are:
  o Determine the connection which should be established.
  o Determine which customizations you want: graphics, phone book information, and so forth.
  o Determine which programs should be applied at the connection establishment process.
- Developing custom elements phase: This is when you should create all custom graphics, icons, and all other elements which you want to include for the new Connection Manager service profile.
- Running the CMAK Wizard phase: The Connection Manager Administration Kit (CMAK) Wizard is initiated and run to create the new Connection Manager service profile for the connection.
- Preparing for delivery phase: The new Connection Manager service profile can be distributed via CD-ROM, floppy disk, Web site, or a network share. It can also be downloaded to the client.
- Testing phase: It is important to test all new packages before users are allowed to download these packages.
- Providing support phase: It is recommended that you define a support strategy once the new Connection Manager service profile is distributed to users.

Addressing Connection Manager Security Concerns


Because the Connection Manager Administration Kit (CMAK) Wizard enables administrators to configure connection properties for creating connections to the network, a few security loopholes can be created accidentally as well. A few common Connection Manager security concerns are listed here:

- There is the risk of an unauthorized user establishing a connection and using it. This can occur when a computer can be accessed by multiple users.
- For users to run the existing installation of CMAK, they have to belong to the Power Users group.
- The service profiles created by the CMAK Wizard are text files. Because of this, a user that has access to the text files can simply use a text editor to change the files created by the CMAK Wizard.
- When a Connection Manager service profile includes confidential information, there is a threat that an unauthorized user can intercept this information and exploit it.

A few strategies that can be used to address Connection Manager security concerns are listed below:

- You can require that users use the more current Windows operating systems that support the user certificates feature of Connection Manager.
- Ensure that only those users who are authorized can download and obtain the Connection Manager service profile.
- For a computer that is used by more than one user, ensure that users cannot use the Remember Password feature to store the password for the connection. To disable the Remember Password feature, configure the HideRememberPassword option. The HideRememberPassword option can be accessed on the last page of the CMAK Wizard by clicking Edit Advanced Options.
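Two of the concerns above, editable text profiles and the Remember Password feature on shared computers, can be checked mechanically before and after a profile is distributed. The Python example below is added here and is not CMAK or Microsoft code. The page only states that profiles are text files and that HideRememberPassword disables the feature, so the [Connection Manager] section name, the other keys and every value in the sample profile are assumptions constructed for the example. The code reads an INI-style profile, reports when Remember Password is still offered, sets the option without disturbing the rest of the file, and compares a profile against the digest recorded when it was built so that edits made after distribution are noticed.

```python
"""Checks over a Connection Manager service profile stored as text. Added
example for this page; it is not CMAK code. The page states that profiles are
text files and that HideRememberPassword disables the Remember Password
feature. The [Connection Manager] section name, the other keys and every
value in the sample below are assumptions constructed for the example."""
import configparser
import hashlib

SECTION = "Connection Manager"  # assumed section name

# Constructed sample profile in the INI-style layout assumed here.
SAMPLE_PROFILE = """\
[Connection Manager]
ServiceName=Corp VPN
HideRememberPassword=0
Tunnel=1
TunnelAddress=vpn.example.internal
"""


def load_profile(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key spelling exactly as written in the file
    cp.read_string(text)
    return cp


def audit_profile(text, section=SECTION):
    """Return a list of findings; an empty list means the checks passed."""
    cp = load_profile(text)
    if not cp.has_section(section):
        return [f"missing [{section}] section"]
    findings = []
    if cp[section].get("HideRememberPassword", "0").strip() != "1":
        findings.append("Remember Password is still offered to users; set "
                        "HideRememberPassword=1 for profiles used on shared computers")
    return findings


def set_option(text, key, value, section=SECTION):
    """Rewrite key=value inside section, touching nothing else in the file.

    The file is edited line by line rather than round-tripped through
    configparser so that the layout of the other keys stays as the tool
    wrote it. The key is appended to the section if it is absent.
    """
    out, in_section, done = [], False, False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            if in_section and not done:       # leaving the target section
                out.append(f"{key}={value}")
                done = True
            in_section = s[1:-1].strip().lower() == section.lower()
        elif in_section and s.split("=", 1)[0].strip().lower() == key.lower():
            out.append(f"{key}={value}")       # replace the existing line
            done = True
            continue
        out.append(line)
    if in_section and not done:               # section was last in the file
        out.append(f"{key}={value}")
    return "\n".join(out) + "\n"


def profile_digest(text):
    """SHA-256 of the profile text, recorded when the package is built."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def verify_unchanged(text, recorded_digest):
    """Detects edits to the text file since the digest was recorded.

    Anyone who can open the file can change it, so the digest must be kept
    somewhere the user cannot write to (a share the operator controls, or a
    logged build record).
    """
    return profile_digest(text) == recorded_digest


if __name__ == "__main__":
    for finding in audit_profile(SAMPLE_PROFILE):
        print("finding:", finding)
    hardened = set_option(SAMPLE_PROFILE, "HideRememberPassword", "1")
    print("after hardening:", audit_profile(hardened) or "no findings")
    print("digest to record:", profile_digest(hardened))
```

The digest check is only useful if the recorded value lives outside the user's reach; comparing a file against a digest stored beside it proves nothing, since whoever edits the profile can edit the digest too.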

Using the Connection Manager Administration Kit (CMAK) Wizard


The Connection Manager Administration Kit (CMAK) is implemented through the CMAK Wizard. The CMAK Wizard is used to create an executable file which can be distributed to users so that they can establish virtual private network (VPN) connections and dial-up connections to a RRAS server. When a user runs the executable file, the security settings and other settings specified when the CMAK Wizard was run are used to establish the connection. The information that you need to supply when you run the CMAK Wizard is summarized here:

- Service Profile Source; indicate either of the following actions:
  o Create a new Connection Manager service profile.
  o Modify an existing Connection Manager service profile.
- Service And File Names; provide the following details:
  o A name for the service profile.
  o A file name for the profile folder and files.
- Realm Name; if required, provide a realm name. With Microsoft Internet Authentication Service Commercial Edition, realm names can be used for authentication.
- Merging Profile Information; you can merge the settings of one or more existing service profiles into the new Connection Manager service profile which you are creating, or into the service profile which you are editing.
- VPN Support; enables you to specify a VPN connection for the service profile which you are configuring. For client IP address assignment, the following methods exist:
  o Define a DNS server.
  o Define a WINS server.
  o Define that the server assigns IP addresses when the connection is established.
- Phone Book; set whether a phone book is to be created with the service profile being created or edited.
- Phone Book Updates; define the method which will be used to pass phone book updates to clients. You can specify a Connection Point Services server by means of a URL. The Windows Server 2003 Connection Point Services (CPS) feature can be used to create and update phone books.
- Dial-Up Networking Entries; define the dial-up networking entries for the phone numbers in the address book.
- Routing Table Update; to update the routing table. A file containing routing table information is then included.
- Automatic Proxy Information; enables you to specify options which will be used to configure proxy settings.
- Custom Actions; define actions to occur at the following events:
  o Prior to the connection being established.
  o Once the connection is established.
  o Before the connection is terminated.
- Logon Bitmap; set the bitmap that should appear in the Logon dialog box.
- Phone Book Bitmap; set the bitmap that should appear in the Phone Book dialog box.
- Icons; set the icons which should be displayed for Connection Manager on your clients.
- Notification Area Shortcut Menu; define the shortcut menu which is displayed when the status area icon is right-clicked by users.
- Help File; define the Help file for users by:
  o Creating a custom Help file.
  o Using the default Help file.
- Support Information; define the support information for the service profile being created or edited.
- Connection Manager Software; for users to use the service profile they must have Connection Manager installed. For users that do not have Connection Manager installed, you can specify that the Connection Manager software be added with the service profile you are creating or editing. Here, the user will perform the following actions:
  o Download the package.
  o Install Connection Manager.
  o Run the Connection Manager service profile.
- License Agreement; you can require users to accept a license agreement by including it in a text file.
- Additional Files; for adding any other files with the Connection Manager service profile being created or edited.

With the CMAK, custom actions are supported. Through custom actions, you can configure that certain programs should automatically run when the Connection Manager process occurs. The different actions which you can specify to run during the Connection Manager process are summarized here:

- Pre-init actions; run when Connection Manager initiates.
- Pre-connect actions; run prior to the connection being established.
- Pre-dial actions; run prior to the connection being established.
- Pre-tunnel actions; run prior to the connection being established.
- Post-connect actions; run after the connection is successfully established.
- On cancel actions; run when the user cancels a connection.
- On error actions; run when there is an error during the connection establishment process.

How to install the CMAK


1. Open Control Panel.
2. Double-click Add/Remove Programs, and then click Add/Remove Windows Components.
3. The Windows Components Wizard starts.
4. Click Management and Monitoring Tools, and then click Details.
5. In the Management and Monitoring Tools dialog box, select the checkbox for Connection Manager Administration Kit.
6. Click OK. Click Next. Click Finish.

To start the Connection Manager Administration Kit (CMAK) Wizard,

1. Click Start, Administrative Tools, and then click Connection Manager Administration Kit to initiate the CMAK Wizard.

How to create a new Connection Manager service profile


1. Click Start, Administrative Tools, and then click Connection Manager Administration Kit to initiate the CMAK Wizard.
2. The CMAK Wizard starts.
3. Click Next on the CMAK Wizard Welcome screen.
4. On the Service Profile Selection page, click the New profile option. Click Next.
5. On the Service And File Names page, enter a name for the service in the Service Name text box, and enter a file name in the File name text box. This name will be used for the connection and it will also be displayed in the various installation dialog boxes of Connection Manager. Click Next.
6. On the Realm Name page, leave the default setting of Do Not Add A Realm Name To The User Name enabled. Click Next.
7. On the Merging Profile Information page, you can merge information from other existing profiles to add to this profile. Click Next.
8. On the VPN Support page, you can set that a VPN connection be established. Click the Phone Book From This Profile checkbox. In the Enter the VPN Server Name or IP Address section of the page, select one of the following options:
   o Always Use the Same VPN Server
   o Allow The User To Choose A VPN Server Before Connecting
9. Click Next.
10. On the VPN Entries page, perform either of these actions:
   o Create a new VPN entry.
   o Specify an existing VPN connection for the profile.
11. Click Next.
12. On the Phone Book page, disable the Automatically Download Phone Book Updates checkbox, and then click Next.
13. On the Dial-Up Networking Entries page, perform either of these actions:
   o Create a new dial-up networking entry.
   o Specify an existing dial-up networking entry for the profile.
14. Click Next.
15. On the Routing Table Update page, click Next.
16. On the Automatic Proxy Configuration page, set any settings for a proxy server that should be used with the connection, and then click Next.
17. On the Custom Actions page, click Next.
18. On the Logon Bitmap page, specify your own graphic or accept the default graphic, and then click Next.
19. On the Phone Book Bitmap page, specify your own graphic or select a default graphic, and then click Next.
20. On the Icons page, select your icons for the connection or use the default settings. Click Next.
21. On the Notification Area Shortcut Menu page, specify the items which should be displayed on the shortcut menu, and then click Next.
22. On the Help File page, specify your custom Help file. Click Next.
23. On the Support Information page, provide your support details in the Support Information text box, and then click Next.
24. On the Connection Manager Software page, you can select the Install Connection Manager option if users do not have Connection Manager installed. Click Next.
25. On the License Agreement page, specify the text file that includes the license agreement, and then click Next.
26. On the Additional Files page, include all other files which should be added with the new service profile. Click Next.
27. On the Ready To Build The Service Profile page, click Next to start the creation of the new service profile.
28. The CMAK Wizard creates the new customized Connection Manager service profile.
29. Click Finish.

How to deploy CMAK packages


When you have completed all the necessary pages of the CMAK Wizard, the Connection Manager service profile is created and the connection package is compressed. The final screen of the CMAK Wizard displays the location of your newly created Connection Manager service profile. By default the service profile is stored in the C:\Program Files\CMAK\Profiles directory, which CMAK creates automatically for the service profile.

To distribute the new service profile package files, use either of these methods:

- Copy the files in the CMAK directory to a:
  o CD-ROM
  o Floppy disk
  o Web site
- Share the CMAK directory and provide users with the path information.

Securing Remote Access and VPN Service


Remote Access and VPN Server Security Issues
Remote access servers (RAS) provide access to the network for remote users. The different types of remote access connections are dial-in remote access, VPN remote access, and wireless remote access. Dial-in remote access uses modems, servers running the Routing and Remote Access (RRAS) service, and the Point-to-Point Protocol (PPP) to enable remote users to access the network. VPN remote access provides secure and advanced connections through a non-secure network; VPN access uses encryption to create the VPN tunnel between the remote access client and the corporate network. Wireless users connect to the network by connecting to a wireless access point (WAP). Wireless networks do not have the inbuilt physical security of wired networks and are more prone to attacks from intruders. To secure wireless networks and wireless connections, administrators can require all wireless communications to be authenticated and encrypted. There are a number of wireless security technologies that can be used to protect wireless networks.

Basic security measures for securing remote access servers are listed here:

- Physically secure your remote access servers.
- Apply and maintain a strong virus protection solution.
- Software patches should be kept up to date.
- The NTFS file system should be used to protect data on the system volume.
- All unnecessary services and applications not being used on your remote access servers should be uninstalled.
- Secure the well-known accounts: the Administrator account and the Guest account.
- To protect remote access servers from unauthorized access, enforce the use of strong passwords.
- You can use any of these methods to secure traffic between a remote access server and remote users:
  o Signing
  o Encryption
  o Tunneling
- IPSec filters can be used to protect confidential IP traffic.
- Consider using smart cards to further enhance your security access strategy.
- Monitor remote access server activity.

Additional security measures for securing remote access servers are listed below:

- You can create and configure remote access policies. Remote access policies can be used to restrict remote connections once they have been authorized.
- You can create and configure remote access profiles.
- You can configure remote access authentication methods.
- You can configure encryption levels to secure remote access communication.
- You can control access through the Dial-in properties of an individual user account that remote access clients use to connect to the network.
- You can use Remote Authentication Dial-In User Service (RADIUS) to provide authentication, authorization, and accounting for your remote access infrastructure.
- You can raise the domain functional level to provide additional security features for your remote access infrastructure.

Using Authentication and Encryption Methods to Secure Access to Remote Access and VPN Servers
There are a number of different authentication methods supported by Windows Server 2003 Routing and Remote Access Service (RRAS) which you can configure to authenticate remote users when they attempt to connect to remote access servers:

- Unencrypted Password (PAP); uses plain text passwords and no encryption. PAP is only provided as an authentication method for those clients that do not support any more secure authentication methods.
- Shiva Password Authentication Protocol (SPAP); a simple password authentication protocol which provides no real authentication. SPAP is an insecure authentication protocol.
- Encrypted Authentication (CHAP); a challenge-response authentication protocol used for PPP connections. This authentication method uses the passwords of users for authentication.
- Microsoft Encrypted Authentication (MS-CHAP); one encryption key is used for sent messages and received messages, thereby making this method a weaker authentication method than MS-CHAPv2.
- Microsoft Encrypted Authentication Version 2 (MS-CHAPv2); provides mutual authentication for network and dial-up authentication through the use of encrypted passwords. MS-CHAPv2 is one of the more secure authentication methods to use to control remote access connections to your remote access servers.
- Extensible Authentication Protocol (EAP); enables RRAS to use authentication protocols provided by Windows 2000 and Windows Server 2003 together with third-party authentication protocols such as smart cards. EAP offers mutual authentication, and provides for the negotiation of encryption methods.

To configure an authentication method,

1. Click Start, Administrative Tools, and then click Routing and Remote Access to open the Routing and Remote Access console.
2. In the console tree, select the remote access server, and then click the Action menu to select the Properties command.
3. Switch to the Security tab.
4. Click the Authentication Methods button.
5. The Authentication Methods dialog box opens.
6. Specify the authentication method you want to use.

To disable the weaker password-based authentication methods,

1. Click Start, Administrative Tools, and then click Routing and Remote Access to open the Routing and Remote Access console.
2. In the console tree, select the remote access server that you want to configure, and then click the Action menu to select the Properties command.
3. Switch to the Security tab.
4. Click the Authentication Methods button.
5. The Authentication Methods dialog box opens.
6. Clear the Microsoft Encrypted Authentication (MS-CHAP) checkbox.
7. Clear the Encrypted Authentication (CHAP) checkbox.
8. Clear the Shiva Password Authentication Protocol (SPAP) checkbox.
9. Clear the Unencrypted Password (PAP) checkbox.
10. Click OK.

To secure VPN remote access connections, consider configuring one of these levels of encryption:

- Basic encryption; this level should not be used because a weak 40-bit key is used for encryption.
- Strong encryption; a 56-bit key is used for encryption.
- Strongest encryption; a 128-bit key is used for encryption.
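To see why the clearing procedure above matters, the following Python model, added here and not code from the RRAS console or from Microsoft, works through which method a connection ends up with when the server proposes its enabled methods in order of strength and the client accepts the first one it supports. The method names and the 40/56/128-bit levels come from the page; the preference order, the sample server set and the sample client sets are assumptions made for the example.

```python
"""Which authentication method a remote access connection ends up using,
given what the server allows and what the client offers. Added example for
this page; not code from Microsoft or from the RRAS console. Method names
and the encryption levels are taken from the page; the preference order
and the sample server/client sets are assumptions."""

# Server preference, strongest first: the two mutual-authentication methods,
# then the password-based ones the page describes as weaker.
PREFERENCE = ["EAP", "MS-CHAPv2", "MS-CHAP", "CHAP", "SPAP", "PAP"]
WEAK = {"MS-CHAP", "CHAP", "SPAP", "PAP"}
ENCRYPTION_BITS = {"Basic": 40, "Strong": 56, "Strongest": 128}


def negotiate(server_enabled, client_supported):
    """Return the method that will be used, or None if there is no overlap.

    The server proposes its enabled methods in preference order and the first
    one the client also supports wins, so the weakest method left enabled on
    the server is exactly what a weak (or deliberately weak) client gets.
    """
    for method in PREFERENCE:
        if method in server_enabled and method in client_supported:
            return method
    return None


def weakest_accepted(server_enabled):
    """The least secure method any client could get the server to accept."""
    for method in reversed(PREFERENCE):
        if method in server_enabled:
            return method
    return None


def audit(server_enabled, encryption_level):
    """Findings for a server configuration; empty means it follows the page's guidance."""
    findings = []
    for method in PREFERENCE:
        if method in server_enabled and method in WEAK:
            findings.append(f"{method} is enabled: a client offering only {method} is accepted")
    bits = ENCRYPTION_BITS[encryption_level]
    if bits < 128:
        findings.append(f"{encryption_level} encryption uses a {bits}-bit key; use Strongest (128-bit)")
    return findings


def harden(server_enabled):
    """Mirror the console procedure: clear MS-CHAP, CHAP, SPAP and PAP."""
    return set(server_enabled) - WEAK


if __name__ == "__main__":
    before = {"EAP", "MS-CHAPv2", "MS-CHAP", "CHAP", "SPAP", "PAP"}  # constructed
    for finding in audit(before, "Strong"):
        print("finding:", finding)
    print("legacy client, before hardening:", negotiate(before, {"PAP"}))
    print("legacy client, after hardening:", negotiate(harden(before), {"PAP"}))
```

The point the model makes is that the server's strongest enabled method is irrelevant to what a given client is allowed to use; only the weakest enabled one bounds the outcome, which is why the procedure clears every password-based method rather than merely adding MS-CHAPv2.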


Using Remote Access Policies and Remote Access Profiles to Secure Remote Access
Remote access policies can be used to specify which users are allowed to establish connections to remote access servers. Remote access policies enable administrators to restrict user access based on the actual user, group membership, and time of day. You can also use remote access policies to control which authentication protocols and encryption methods clients use. After a connection is established to a remote access server, you can also configure restrictions for the connection through remote access policies. Remote access profiles contain a set of properties that are applied to remote access connections that match the conditions specified in the remote access policy. Through remote access profiles, you can specify what actions should occur once the connection is authorized by the remote access server.

To control connections to remote access servers through remote access policy,

1. Click Start, Administrative Tools, and then click Active Directory Users and Computers to open the Active Directory Users and Computers management console.
2. In the console tree, expand the domain that contains the user account that you want to enable remote access for.
3. Select the Users container.
4. In the right pane, locate the user account that you want to configure.
5. Right-click the specific user account and then select Properties from the shortcut menu.
6. Click the Dial-in tab.
7. In the Remote Access Permission area, click the Control Access Through Remote Access Policy option.
8. Click OK.

Routing and Remote Access Service


Routing and Remote Access Service Overview
The Routing and Remote Access service (RRAS) is a multi-protocol software router integrated in Windows 2000 and Windows Server 2003 that provides connectivity for remote users and remote offices to the corporate network. RRAS makes it possible for remote users to perform their tasks as though they were physically connected to the corporate network. A remote access connection enables services such as file and print sharing to be available to remote users. To access network resources, remote access clients can use standard Windows tools. The Routing and Remote Access service (RRAS) includes integrated support for the following dynamic routing protocols:

Routing Information Protocol (RIP) version 2 Open Shortest Path First (OSPF)

Routing and Remote Access service can be configured for:

13

LAN-to-LAN routing LAN-to-WAN routing Virtual private network (VPN) routing Network Address Translation (NAT) routing Routing features, including o IP multicasting o Packet filtering o Demand-dial routing o DHCP relay

A computer running Windows 2000 Server or Windows Server 2003 with Routing and Remote Access service enabled and configured is called a remote access server. A remote access server provides the following two types of remote access connectivity:

- Dial-up networking (DUN)
- Virtual private networking

The Routing and Remote Access features are summarized below:

- Router discovery, defined in RFC 1256, provides the means for configuring and discovering default gateways. Router discovery makes it possible for clients to:
  o Dynamically discover routers.
  o Use alternate or backup routers when necessary, for instance when a network failure occurs.

  Router discovery consists of the following types of packets:
  o Router solicitations: A router solicitation is sent by a host on the network when it needs to be configured with a default gateway. When a router solicitation is sent on the network, each router responds with a router advertisement. The host then selects a router as its default gateway. This is the router that has the highest preference. A host can send a router solicitation to the following addresses:
    - Local IP broadcast address
    - Limited broadcast address
    - Internet Protocol (IP) multicast address (all routers)
  o Router advertisements: Routers on the network send a router advertisement in response to a router solicitation packet, indicating that the router can be configured as the host's default gateway. To send a router advertisement, the router uses an ICMP message. A router advertisement can be sent to the following addresses:
    - Local IP broadcast address (all hosts)
    - Limited broadcast address
- Multicast routing through a multicast proxy provides multicast for remote access users, thereby extending multicast support further than the true multicast router.
- Network Address Translation (NAT), defined in RFC 1631, translates private addresses to Internet IP addresses that can be routed on the Internet.
- Remote Access Policies (RAPs): RAPs are used to grant remote access permissions. You can configure RAPs from:
  o Routing and Remote Access console
  o Internet Authentication Service Manager
- Layer Two Tunneling Protocol (L2TP) combines Layer 2 Forwarding (L2F) of Cisco with Point-to-Point Tunneling Protocol (PPTP) of Microsoft. L2TP is a data-link protocol that can be used to establish Virtual Private Networks (VPNs).
- Internet Authentication Service (IAS), a Remote Authentication Dial-In User Service (RADIUS) server, provides remote authentication, authorization and accounting for users that are connecting to the network through a network access server (NAS) such as Windows Routing and Remote Access.
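To make the router discovery exchange above concrete, here is an added example (not from the guide) that builds and parses the two RFC 1256 ICMP messages: a Router Solicitation (type 10) as a host would send it, and a Router Advertisement (type 9) carrying (address, preference) pairs, from which the host picks the highest-preference router as its default gateway. The router addresses and preference values are constructed sample data; the checksum and the "do not use as default" preference value follow the RFC.

```python
import socket
import struct

# ICMP message types from RFC 1256 and the addresses the guide lists for them.
ICMP_ROUTER_ADVERTISEMENT = 9
ICMP_ROUTER_SOLICITATION = 10
ALL_ROUTERS_MULTICAST = "224.0.0.2"   # "all routers" group a host may solicit
ALL_SYSTEMS_MULTICAST = "224.0.0.1"   # "all hosts" group a router may advertise to
LIMITED_BROADCAST = "255.255.255.255"
NOT_A_DEFAULT_ROUTER = -0x80000000    # RFC 1256: preference 0x80000000 means "never use"


def icmp_checksum(data):
    """Standard Internet checksum (one's complement of the one's complement sum)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_router_solicitation():
    """Type 10, code 0, checksum, 4 reserved bytes: what a host sends when it needs a gateway."""
    hdr = struct.pack("!BBHI", ICMP_ROUTER_SOLICITATION, 0, 0, 0)
    return struct.pack("!BBHI", ICMP_ROUTER_SOLICITATION, 0, icmp_checksum(hdr), 0)


def build_router_advertisement(routers, lifetime=1800):
    """routers: list of (dotted_ip, preference); each entry is a 2-word (address, preference) pair."""
    entries = b"".join(socket.inet_aton(ip) + struct.pack("!i", pref) for ip, pref in routers)
    hdr = struct.pack("!BBHBBH", ICMP_ROUTER_ADVERTISEMENT, 0, 0, len(routers), 2, lifetime)
    chk = icmp_checksum(hdr + entries)
    return struct.pack("!BBHBBH", ICMP_ROUTER_ADVERTISEMENT, 0, chk, len(routers), 2, lifetime) + entries


def parse_router_advertisement(packet):
    """Validate and decode an advertisement; returns [(ip, preference, lifetime), ...]."""
    if len(packet) < 8:
        raise ValueError("truncated ICMP header")
    typ, code, _, num_addrs, entry_size, lifetime = struct.unpack("!BBHBBH", packet[:8])
    if typ != ICMP_ROUTER_ADVERTISEMENT or code != 0:
        raise ValueError("not a router advertisement")
    if icmp_checksum(packet) != 0:   # a valid packet, checksummed including its own checksum, folds to 0
        raise ValueError("bad checksum")
    if entry_size != 2:
        raise ValueError("unexpected address entry size")
    if len(packet) < 8 + num_addrs * entry_size * 4:
        raise ValueError("advertisement shorter than its address count claims")
    routers = []
    for i in range(num_addrs):
        off = 8 + i * 8
        ip = socket.inet_ntoa(packet[off:off + 4])
        (pref,) = struct.unpack("!i", packet[off + 4:off + 8])
        routers.append((ip, pref, lifetime))
    return routers


def choose_default_gateway(routers):
    """Host behaviour the guide describes: pick the advertised router with the highest preference."""
    usable = [r for r in routers if r[1] != NOT_A_DEFAULT_ROUTER]
    if not usable:
        return None
    return max(usable, key=lambda r: r[1])[0]


if __name__ == "__main__":
    # Constructed sample: two candidate gateways and one router that asks not to be a default.
    adv = build_router_advertisement([("192.0.2.1", 10), ("192.0.2.2", 100), ("192.0.2.3", NOT_A_DEFAULT_ROUTER)])
    print(parse_router_advertisement(adv))
    print("default gateway:", choose_default_gateway(parse_router_advertisement(adv)))
```

Note what the checksum does and does not give you: it catches corruption, but the message carries no authentication, so a host that performs router discovery will believe whichever advertisement claims the highest preference. That is the reason router discovery is normally left disabled on hosts except on segments whose routers are trusted, and why an advertisement from an unexpected source address is worth alerting on.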

The Windows Server 2003 Routing and Remote Access service console, the graphical interface for managing RRAS, can be used to configure remote access server-end configuration options, including the following:

- Remote access connectivity, through
  o Dial-Up Networking (DUN)
  o Virtual private networking
- Network address translation (NAT)
- Virtual Private Network (VPN) access
- Secure connectivity between two private networks
- Routing protocol configuration
- DHCP Relay configuration
- Remote access policy (RAP) options
- Remote access logging
- Custom configuration options

Understanding Dial-Up Networking (DUN)


Dial-up networking (DUN) allows a remote access client to establish a dial-up connection to a port on a remote access server. The configuration of the DUN server determines what resources the remote user can access. Users that connect through a DUN server connect to the network much like a standard LAN user accessing resources. The dial-up networking (DUN) connection methods are summarized below:

- Plain old telephone service (POTS): In the initial days of dial-up networking, phone lines were used to establish the dial-up connection. With POTS, the amount of data that could be passed was initially limited because analog components caused signal loss. This has since improved, with the connections between phone offices becoming all-digital connection paths.
- Integrated Services Digital Network (ISDN): ISDN uses an all-digital signal path and includes features such as caller ID, call forwarding, and fast call setup times.
- Point-to-Point Protocol (PPP): The Point-to-Point Protocol (PPP) uses a three-way PPP negotiation process to enable devices to establish a TCP/IP connection over a serial connection. The device that initiates the establishment of the TCP/IP connection is called the client. The device that receives the request to establish the connection is referred to as the server. The following protocols operate above PPP to enable the PPP negotiation process:
  o Link Control Protocol (LCP): LCP deals with the establishment of the lower PPP connection. LCP is used for two devices to initially come to agreement on establishing a PPP link.
  o Challenge Handshake Authentication Protocol (CHAP): used to enable the client to authenticate the server.
  o Callback Control Protocol (CBCP): used to negotiate callback-specific operations, such as whether callback is permitted, and if and when it should occur.
  o Compression Control Protocol (CCP): used to negotiate and determine whether compression is required, and the type of compression that should be used.
  o IP Control Protocol (IPCP): used to negotiate the IP parameters that should be used for the PPP connection.
  o Internet Protocol (IP): IP makes it possible for IP datagrams to be exchanged over the connection.

Understanding Virtual Private Networking


Virtual Private Networks (VPNs) provide secure and advanced connections through a non-secure network by providing data privacy. Private data is kept secure in a public environment. VPNs fall into the following categories:

- Remote access
- Intranet access
- Extranet access

Remote access VPNs provide a common environment where many different sources such as intermediaries, clients and off-site employees can access information via web browsers or email. Many companies supply their own VPN connections via the Internet. Through their ISPs, remote users running VPN client software are assured private access in a publicly shared environment. By using analog, ISDN, DSL, cable technology, dial and mobile IP, VPNs are implemented over extensive shared infrastructures. Email, database and office applications use these secure remote VPN connections. Remote access VPNs offer a number of advantages, including:

- Third parties oversee the dial-up to the network.
- New users can be added with hardly any costs and with no extra expense to the infrastructure.
- WAN circuit and modem costs are eliminated. Remote access VPNs call local ISP numbers.
- VPNs can be established from anywhere via the Internet.
- Cable modems enable fast connectivity and are relatively cost efficient.
- Information is easily and speedily accessible to off-site users in public places via Internet availability and connectivity.

Tunneling is the concept used to describe a method of using an internetwork infrastructure to transfer a payload. IPSec tunnel mode enables IP payloads to be encrypted and encapsulated in an IP header so that they can be sent over the corporate IP internetwork or the Internet. IPSec protects, secures and authenticates data between IPSec peer devices by providing per-packet data authentication. IPSec peers can be pairs of hosts, or pairs of security gateways. Data flows between IPSec peers are confidential and protected. Tunnel mode is used when a host wants to connect or gain access to a network controlled by a gateway. The source and destination addresses are encrypted. The original IP datagram is left intact. The original IP header is copied and moved to the left and becomes a new IP header. The IPSec header is inserted between these two headers. The original IP datagram can be authenticated and encrypted. IPSec supports the following:

- Unicast IP datagrams
- High-Level Data-Link Control (HDLC)
- ATM
- Point-to-Point Protocol (PPP)
- Frame Relay serial encapsulation
- Generic Routing Encapsulation (GRE)
- IP-in-IP (IPinIP) Encapsulation
- Layer 3 tunneling protocols

The process that occurs to establish a VPN connection is outlined below:

1. The VPN client accesses the Internet, and then sends a VPN connection request to the VPN server to establish a secure connection.
2. Based on the VPN protocol used, the client authenticates itself to the VPN server. If authentication fails, the connection is terminated.
3. If the client is authenticated, the client and server start a negotiation process. During negotiation, the client and server agree on the encryption algorithm and parameters that should be used for the VPN connection.
4. The VPN session or connection is established.

The process that occurs to convert an IP datagram to a Point-to-Point Tunneling Protocol (PPTP) packet is outlined below:

1. Data is created by an application for a specific remote host.
2. At the client end, the data then becomes an IP datagram. This is done by adding a TCP header and IP header to the data. At this point the packet contains all the information needed to be transmitted by IP.
3. The client then establishes a connection through PPP to add the PPP header to the IP datagram. At this stage the packet becomes a PPP frame.
4. The next step in the process is for the VPN to encrypt the PPP frame. This ensures that the data is sent over the Internet in an undecipherable format.
5. A Generic Routing Encapsulation (GRE) header is added to the encrypted payload, to indicate that the packet is an encapsulated PPTP packet.
6. The PPTP stack adds an IP header to indicate the destination address of the VPN server.
7. The packet is then routed to the VPN server.

A better method than using PPTP tunneling is L2TP/IPSec tunneling:

1. A secure encrypted session is established between the client and server.
2. At this stage the client establishes an L2TP tunnel to the server.
3. The server then sends the client an authentication challenge.
4. The client responds to the server's challenge, and uses encryption when it sends its challenge response.
5. The server then verifies that the challenge response received from the client is valid. If the response is valid, the connection is accepted.
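Steps 3 to 5 above are a challenge/response authentication, the pattern the PPP section introduced as CHAP. The following is an added example, not code from the guide or from Windows, of that exchange in its RFC 1994 form: the authenticator sends a Challenge, the peer returns MD5(identifier || secret || challenge) as its Response, and the authenticator replies Success or Failure. The peer name, secret and challenge bytes are constructed sample values. Windows L2TP/IPSec connections normally negotiate MS-CHAP v2 or EAP instead, which differ in the hash used and add mutual authentication, but the message shape and the defensive properties shown here carry over.

```python
import hashlib
import hmac
import os
import struct

# RFC 1994 CHAP codes
CHAP_CHALLENGE, CHAP_RESPONSE, CHAP_SUCCESS, CHAP_FAILURE = 1, 2, 3, 4


def chap_value_packet(code, ident, value, name):
    """Challenge and Response share one layout: Code, Identifier, Length, Value-Size, Value, Name."""
    length = 5 + len(value) + len(name)
    return struct.pack("!BBHB", code, ident, length, len(value)) + value + name


def chap_result_packet(code, ident, message):
    """Success and Failure carry only a text message after the 4-byte header."""
    return struct.pack("!BBH", code, ident, 4 + len(message)) + message


def parse_chap_value_packet(pkt):
    if len(pkt) < 5:
        raise ValueError("short CHAP packet")
    code, ident, length, value_size = struct.unpack("!BBHB", pkt[:5])
    if length != len(pkt) or 5 + value_size > length:
        raise ValueError("inconsistent CHAP length fields")
    return code, ident, pkt[5:5 + value_size], pkt[5 + value_size:length]


def parse_chap_result_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("inconsistent CHAP length")
    return code, ident, pkt[4:]


def chap_response_value(ident, secret, challenge):
    """RFC 1994: MD5 over Identifier || shared secret || challenge value."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side. Each issued challenge is kept once, so a captured response cannot be replayed."""

    def __init__(self, secrets, name=b"rras-server"):
        self.secrets = secrets          # peer name -> shared secret (the server needs the cleartext secret)
        self.name = name
        self.outstanding = {}           # identifier -> challenge value

    def challenge(self, ident, value=None):
        value = os.urandom(16) if value is None else value   # unpredictable, never reused
        self.outstanding[ident] = value
        return chap_value_packet(CHAP_CHALLENGE, ident, value, self.name)

    def verify(self, response_pkt):
        code, ident, value, peer_name = parse_chap_value_packet(response_pkt)
        if code != CHAP_RESPONSE:
            raise ValueError("expected a CHAP Response")
        challenge = self.outstanding.pop(ident, None)     # one shot: a second use of it fails
        secret = self.secrets.get(peer_name)
        if challenge is None or secret is None:
            return chap_result_packet(CHAP_FAILURE, ident, b"unknown peer or stale challenge")
        expected = chap_response_value(ident, secret, challenge)
        if hmac.compare_digest(expected, value):          # constant-time comparison
            return chap_result_packet(CHAP_SUCCESS, ident, b"authenticated")
        return chap_result_packet(CHAP_FAILURE, ident, b"bad response")


def chap_peer_respond(challenge_pkt, peer_name, secret):
    """Client side: answer the challenge without ever sending the secret itself."""
    code, ident, challenge, _server_name = parse_chap_value_packet(challenge_pkt)
    if code != CHAP_CHALLENGE:
        raise ValueError("expected a CHAP Challenge")
    return chap_value_packet(CHAP_RESPONSE, ident, chap_response_value(ident, secret, challenge), peer_name)


def run_exchange(server, peer_name, secret, ident=1):
    """Full three-message exchange; returns True on Success."""
    challenge_pkt = server.challenge(ident)
    response_pkt = chap_peer_respond(challenge_pkt, peer_name, secret)
    code, _, _ = parse_chap_result_packet(server.verify(response_pkt))
    return code == CHAP_SUCCESS


if __name__ == "__main__":
    # Constructed sample credentials, not from the guide.
    server = ChapAuthenticator({b"alice": b"correct horse battery staple"})
    print("right secret:", run_exchange(server, b"alice", b"correct horse battery staple"))
    print("wrong secret:", run_exchange(server, b"alice", b"guess"))
```

Two properties are worth noticing. The secret never crosses the link, and a fresh random challenge per attempt means a recorded response is useless later; the authenticator above enforces that by discarding each challenge after one verification. The cost is that the authenticator must be able to compute the same hash, so it has to hold the secret in recoverable form, which is why plain CHAP requires passwords stored with reversible encryption and why MS-CHAP v2 or EAP with certificates is the preferred choice on the PPP tab's authentication settings.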

Installing the Routing and Remote Access Service


How to enable Routing and Remote Access using the Manage Your Server Wizard

1. Click Start, and then click Manage Your Server.
2. Select the Add or remove a role option.
3. The Configure Your Server Wizard starts.
4. On the Preliminary Steps page, click Next.
5. A message appears, informing you that the Configure Your Server Wizard is detecting network settings and server information.
6. When the Server Role page appears, select the Remote Access/VPN Server option and then click Next.
7. On the Summary of Selections page, click Next.
8. The Welcome to the Routing and Remote Access Server Setup Wizard page is displayed.
How to install the Routing and Remote Access Services

1. Click Start, Administrative Tools, and then select Routing And Remote Access to open the Routing And Remote Access management console.
2. In the console tree, select the remote access server that you want to configure. Select the Action menu, and then select Configure and Enable Routing and Remote Access. Alternatively, you can right-click the server that you want to configure, and then select Configure and Enable Routing and Remote Access from the shortcut menu.
3. The Routing and Remote Access Server Setup Wizard starts.
4. On the initial page of the Routing and Remote Access Server Setup Wizard, click Next.
5. On the Configuration page, select the Remote Access (Dial-Up Or VPN) option and then click Next.
6. On the Remote Access page, select either the VPN server checkbox, or the dial-up server checkbox, or both of these checkboxes. Click Next.
7. When the Macintosh Guest Authentication page is displayed, click the Allow Unauthenticated Access For All Remote Clients option only if you want the RRAS server to accept anonymous remote access. Click Next.
8. On the IP Address Assignment page, accept the default setting of Automatically, or select the From A Specified Range Of Addresses option. Click Next.
9. On the Managing Multiple Remote Access Servers page, select the No, Use Routing And Remote Access To Authenticate Connection Requests option, and then click Next.
10. On the Summary page, click Finish.
11. The RRAS service starts.
The Routing And Remote Access console is the graphical user interface used to manage and configure routing properties.

To access the Routing And Remote Access console,

1. Click Start, Administrative Tools, and then click Routing And Remote Access.

If Routing And Remote Access is only configured for LAN routing, then the following primary nodes are present in the console tree of the RRAS console:

- Network Interfaces node
- IP Routing node

If you want to add a dial-up connection, VPN connection or PPPoE connection to the Routing And Remote Access console, you have to manually add it to the Network Interfaces node. If you have already enabled the Routing And Remote Access Service, and you add a new network adapter, then you have to manually add the new network adapter to the IP Routing node.

How to manually add a dial-up connection, VPN connection or PPPoE connection

1. Click Start, Administrative Tools, and then select Routing And Remote Access to open the Routing And Remote Access console.
2. In the console tree, select the Network Interfaces node.
3. Right-click the Network Interfaces node and then select New Demand-Dial Interface from the shortcut menu.
4. The Demand Dial Interface Wizard starts.
5. Follow the prompts of the Demand Dial Interface Wizard to manually add the dial-up connection, VPN connection or PPPoE connection.
How to manually add a new network adapter

1. Click Start, Administrative Tools, and then select Routing And Remote Access to open the Routing And Remote Access console.
2. In the console tree, select the General node, right-click it, and then select New Interface from the shortcut menu.
3. Select the interface that you want to add. Click OK.

Configuring the Routing And Remote Access Service Properties


Routing And Remote Access Service properties are configured in the Routing And Remote Access console, using the RRAS server's Properties dialog box. The settings that you can configure through the properties sheet of the remote access server include:

- Configuring the server to allow remote connections
- Routing
- Demand-dial
- Point-to-Point Protocol (PPP) options
- Authentication settings
- Client address assignment
- Logging options

To access the Properties dialog box of the remote access server to configure RRAS properties,

1. Click Start, Administrative Tools, and then select Routing And Remote Access to open the Routing And Remote Access console.
2. In the console tree, select the remote access server that you want to configure, and then select Properties from the Action menu; or right-click the server in the console tree and then select Properties from the shortcut menu.
The remote access server's Properties dialog box contains the tabs listed below. The configuration settings that you can configure on each of these tabs for the remote access server are explained as well.

- General tab: The settings on the General tab enable you to configure the Routing And Remote Access Service as a:
  o LAN router
  o Demand-dial router
  o Remote access server
- Security tab: The security settings that you can configure on the Security tab are:
  o Authentication methods
  o Preshared keys for Internet Protocol Security (IPSec)
  o Connection request logging
- IP tab: The IP tab is used to configure routing properties to route IP packets over LAN connections, remote access connections, or demand-dial connections. The options available are the Enable IP Routing checkbox, and the Allow IP-Based Remote Access And Demand Dial Connections checkbox. The IP Address Assignment section of the IP tab is used to configure the manner in which IP addresses are assigned to remote access clients. The available options are the Dynamic Host Configuration Protocol (DHCP) option and the Static Address Pool option. If you select the Static Address Pool option, you have to specify the address range that the Routing And Remote Access service will use to assign addresses to remote access clients. The last setting on the IP tab is the Enable Broadcast Name Resolution checkbox, which is enabled by default.
- PPP tab: The options available on the PPP tab are used to configure PPP-specific options. Each option on the tab is enabled by default:
  o Multilink Connections; when enabled, multilink connections are allowed from remote access clients.
  o Dynamic Bandwidth Control Using BAP Or BACP; when enabled, multilink connections either add or drop PPP connections based on the available bandwidth.
  o Link Control Protocol (LCP) Extensions; when enabled, advanced PPP features are supported.
  o Software Compression; when enabled, the RRAS server can perform compression of the PPP data.
- Logging tab: On this tab, you can configure Routing And Remote Access logging options:
  o Log errors only
  o Log errors and warnings
  o Log all events
  o Do not log any events

You can also enable the option to log additional information for debugging purposes.

Configuring General IP Routing Properties


There are a few Routing And Remote Access service features that apply to IP routing as a whole. These IP routing features are configured using the Properties dialog box of the General node in the Routing And Remote Access console. The General node can be found within the IP Routing node in the console tree.

To open the Properties dialog box of the General node,

1. Click Start, Administrative Tools, and then select Routing And Remote Access to open the Routing And Remote Access console.
2. In the console tree, expand the IP Routing node.
3. Right-click the General node, and then select Properties from the shortcut menu.
4. The General Properties dialog box contains three tabs: Logging tab, Preference Levels tab, and Multicast Scopes tab.
  o Logging tab: The options available on the Logging tab pertain to IP routing events that are recorded in the Event log. The options available on the Logging tab are:
    - Log Errors Only
    - Log Errors And Warnings
    - Log The Maximum Amount Of Information
    - Disable Event Logging
  o Preference Levels tab: The options available on the Preference Levels tab are used to set the priority of routes that were obtained from a number of sources.
  o Multicast Scopes tab: The tab is used to configure multicasting.

How to control multilink for incoming connections


1. Click Start, Administrative Tools, and then select Routing And Remote Access to open the Routing And Remote Access console.
2. In the console tree, right-click the server that you want to work with, and then click Properties from the shortcut menu.
3. The server Properties dialog box opens.
4. Switch to the PPP tab.
5. Select the Multilink Connections checkbox to allow multilink connections from remote access clients.
6. If you do not want to allow multilink connections, simply clear the Multilink Connections checkbox.
7. If you select the Multilink Connections checkbox, it is recommended that you enable the Dynamic Bandwidth Control Using BAP Or BACP checkbox. This allows the server to add or drop PPP connections based on the rise and fall in available bandwidth.
8. Click OK.

How to configure incoming connections that use the IP protocol

1. Click Start, Administrative Tools, and then select Routing And Remote Access to open the Routing And Remote Access console.
2. In the console tree, right-click the server that you want to work with, and then click Properties from the shortcut menu.
3. The server Properties dialog box opens.
4. Click the IP tab.
5. Verify that the Enable IP Routing checkbox is selected.
6. Next, verify that the Allow IP-Based Remote Access And Demand Dial Connections checkbox is selected.
7. If the server Properties dialog box has an IPX tab, click the IPX tab. Clear the Allow IPX-Based Remote Access And Demand-Dial Connections checkbox.
8. If the server Properties dialog box has an AppleTalk tab, click the AppleTalk tab. Clear the Enable AppleTalk Remote Access checkbox.
9. If the server Properties dialog box has a NetBEUI tab, click the NetBEUI tab. Clear the Allow NetBEUI-Based Remote Access Clients To Access checkbox.
10. Click OK.

Remote Server Management


An Overview on Remote Server Management
In enterprises that need a secure environment, servers and desktops are usually managed remotely. Administration is rarely performed by logging on to the local console. Remote management or administration is not a new notion, and is used largely to manage servers and desktops. Windows Server 2003 includes a few technologies which can be used for the administration of remote client computers, and to remotely manage servers. These include:

- Microsoft Management Console snap-ins can be used to connect to a remote system and manage the remote system.
- Web Interface for Remote Administration can be used to manage a server through a Web browser on a remote computer.
- Remote Desktop For Administration: The Terminal Services service enables Remote Desktop For Administration and Remote Assistance. The Terminal Services service is automatically installed on Windows Server 2003, and can be set up to support Remote Desktop For Administration. Through Remote Desktop For Administration, Terminal Services can be used as a management tool. Two simultaneous remote connections are possible.
- Remote Assistance: The Remote Assistance feature enables a client or user to request assistance from another user, normally an administrator or technician who is referred to as an expert. The expert is able to connect to the user's computer and view and control the user's desktop, to provide assistance in solving the user's issue.

Using Microsoft Management Console snap-ins to Remotely Manage Computers


The main administrative tools in Windows Server 2003 are MMC consoles which contain one or multiple tools, known as snap-ins. Snap-ins are specialized administration tools used for performing certain tasks which are added to an MMC console. Some MMC snap-ins can be used to manage the local computer and remote computers. This means that you can create custom MMC consoles to manage local and remote servers. The MMC is made up of a console tree pane, a details pane, MMC menus and an MMC toolbar. An MMC console can also be configured so that nobody is able to change it. An MMC console which has no added snap-ins is basically a blank sheet or an empty MMC to which you can add administration tools or snap-ins. The console root would eventually include all the snap-ins which you add. Each snap-in that you add to an MMC adds its own unique MMC menu and MMC toolbar items. The types of snap-ins that exist are:

- Stand-Alone Snap-Ins: These are snap-ins which are provided by an application's developer for specific tasks. For instance, Administrative Tools for Windows Server 2003 are single snap-ins, or a collection of snap-ins used for a specific set of tasks.
- Extension Snap-Ins: These are snap-ins which operate together with one or more stand-alone snap-ins. An extension snap-in operates with a stand-alone snap-in, based on the functionality associated with that particular stand-alone snap-in.

The MMC consoles can be saved in two modes, namely Author mode or User mode. The mode in which the console is saved determines which nodes in the console tree can be accessed, which snap-ins can be added to the console, and which windows can be created.

- Author mode: This is the default mode in which a console is saved. It allows full access to the MMC, and the capability to change all aspects of the MMC, including the following:
  o View the console tree
  o Save the console
  o Add and remove snap-ins
  o Create windows, tasks, and taskpad views
  o Change options on the console
- User mode: You can choose to save the console in user mode if you want to distribute an MMC. The user modes which you can choose between are listed below:
  o User mode - Full Access: Users are able to access the console tree, navigate between snap-ins, and open windows. They have full access to the windowing commands. Users are however unable to add and remove snap-ins.
  o User mode - Limited Access, Multiple Windows: Users are able to view multiple windows in the console tree, but can only access those portions of the console that existed when it was saved.
  o User mode - Limited Access, Single Window: Users are able to view a single window in the console tree, but can only access those portions of the console that existed when it was saved.

A few common menu items added by the majority of snap-ins are listed below:

- File menu: Items on this menu allow you to perform the tasks listed below:
  o Create a new console
  o Add or remove snap-ins from the console
  o Open an existing console
  o Specify options for saving the console
  o Open recently used consoles
- Action menu: Items on this menu allow you to perform the tasks listed below:
  o Export option
  o Import option
  o Configuration option
  o Help features for the snap-in
- View menu: Includes options which allow you to customize certain attributes of the console.
- Favorites menu: Includes the options which allow you to add saved consoles, and organize them.
- Window menu: Includes options for navigating through and viewing the console, such as opening new windows and child windows.
- Help menu: The Help menu contains the MMC general help menu, and the help menu specific to the added snap-ins.

How to create a customized MMC console

1. Click Start, Run, and enter mmc in the dialog box. Click OK.
2. Select Add/Remove Snap-In from the File menu.
3. When the Add/Remove Snap-In dialog box opens, click Add.
4. This opens the Add Standalone Snap-in dialog box which displays the list of available snap-ins which you can add to the MMC.
5. Select the snap-in which you want to add, and then click Add.
6. On the Select Computer dialog box, select the computer which the snap-in will manage. You can choose to manage the Local Computer or Another Computer. Click Finish.
7. Click Close in the Add Standalone Snap-In dialog box.
8. Click OK in the Add/Remove Snap-In dialog box.
9. The snap-in which you selected on the Add Standalone Snap-in dialog box now appears in the console tree.
10. Click Save from the File menu to save the MMC.
11. Enter a name for the MMC in the File Name box.
12. Click Save.
13. The saved console can now be accessed via the Administrative Tools menu.

How to connect to and manage a remote computer

When you create a customized MMC console and add snap-ins to it, you can choose that the MMC console be used to manage a remote computer. For the majority of snap-ins, you can change the management focus of the particular snap-in. The account you use must, however, have sufficient privileges on the target remote computer. To do this,

1. In the console tree pane, right-click the snap-in, and select one of the following options from the shortcut menu:
  o Connect To Another Computer
  o Connect To Domain
  o Connect To Domain Controller

A console typically used to connect to and manage a remote computer is the Computer Management console. The Computer Management console is a preconfigured MMC console. The console is available on both client and server computers to perform administrative tasks, and can be accessed from the Administrative Tools menu. The Computer Management nodes and the snap-ins which are available under each node are:

- System Tools node, contains the following snap-ins:
  o Event Viewer, used to display and view event logs
  o Shared Folders, used to view shared folders and open files
  o Local Users and Groups, used to manage local users and groups
  o Performance Logs and Alerts, used to set up performance logs
  o Device Manager, used to manage hardware
- Storage node, contains the following snap-ins:
  o Removable Storage, used to manage devices which have removable media
  o Disk Defragmenter, used to defragment local disks
  o Disk Management, used to configure and manage disk volumes and partitions
- Services and Applications node, contains the following snap-ins:
  o Services, used to manage services
  o Indexing Service, used to configure the indexing service
  o WMI Control, used to configure WMI (Windows Management Instrumentation)
  o DHCP, used to configure the DHCP service
  o DNS, used to configure the DNS service
  o Routing and Remote Access, for managing remote access and routing

To manage a remote computer using the Computer Management console,

1. Click Start, right-click My Computer, and select Manage from the shortcut menu.
2. Right-click Computer Management in the console tree, and select Connect To Another Computer from the shortcut menu.
3. Enter the name or IP address of the computer in the Another computer box, or click the Browse button to browse for the remote computer on the network.
4. Click OK.
5. After the connection is established with the remote computer, you can perform the necessary administrative tasks on the particular computer.

Using Web Interface for Remote Administration for Remote Server Management
The Web Interface for Remote Administration tool of Windows Server 2003 can be used to manage servers from another location using a Web browser. The Web Interface for Remote Administration tool is not supported for domain controllers. It is installed on Windows Server 2003 Web Edition by default. Before you can use the Web Interface for Remote Administration tool, you first have to install Web Interface for Remote Administration on your servers, and configure them correctly. After this, it is merely a matter of pointing the Web browser to your server's IP address, and you can then manage it from any location. The requirements for accessing a server over the Internet are:

- Web Interface for Remote Administration must be installed on the servers.
- The server must have a valid external IP address. The external IP address is not needed if you are going to be accessing the server over the corporate network.
- Port 8098 on the server must be used for communication over the Internet connection.
- It is recommended to use Internet Explorer version 6.0 or later for remote administration.

How to install Web Interface for Remote Administration on your servers

1. Open Control Panel, and double-click Add Or Remove Programs.
2. Click Add/Remove Windows Components to open the Windows Components Wizard.
3. In the Windows Components Wizard, select Application Server and then click Details.
4. In the Application Server dialog box, select Internet Information Services (IIS) and then click Details.
5. In the Internet Information Services (IIS) dialog box, select World Wide Web Service and then click Details.
6. In the World Wide Web Service dialog box, click the Remote Administration (HTML) checkbox. Click OK.
7. Click OK in the Internet Information Services (IIS) dialog box.
8. Click OK in the Application Server dialog box.
9. Click Next in the Windows Components Wizard to start the installation.
10. When prompted, insert the Windows Server 2003 installation CD.
11. When the installation has completed, click Finish.

How to access and administer a server using the Web Interface for Remote Administration tool

1. Open Internet Explorer.
2. Browse to https://Servername:8098
3. After the connection is established, a Welcome page is displayed.
4. Using the Web interface, you can perform a few common administration tasks, including administering network settings and local user accounts.

Using Remote Desktop For Administration to Remotely Manage Computers

The Remote Desktop For Administration tool can be used to remotely manage servers running Windows 2000 or Windows Server 2003. It allows you to manage servers from any location, without actually affecting server performance, and with no additional licensing requirements. Two simultaneous remote administration sessions are supported. The Terminal Services service enables Remote Desktop For Administration. The Terminal Services service is installed on Windows Server 2003 by default. It is also preconfigured to support Remote Desktop For Administration.

Remote Desktop for Administration has to be enabled on each end of the connection before you can use it. Remote Desktop for Administration is enabled in the System Properties on the server. To enable Remote Desktop for Administration,

1. Click Start, Control Panel, and then double-click System.
2. When the System Properties dialog box opens, click the Remote tab.
3. Select the Allow users to connect remotely to this computer checkbox. Members of the local Administrators group are now able to connect.
4. If you want to specify additional users to connect remotely to the computer, click the Select Remote Users button.
5. In the Remote Desktop Users dialog box, enter the names of the users who should be able to connect to the computer.
6. Click OK.

The next step in enabling remote administration using Remote Desktop For Administration connections is to configure the Remote Desktop Connection for remote administration. Remote Desktop Connection must be configured on the workstations or servers which are going to be used to manage the other servers. To open Remote Desktop Connection,

1. Click Start, Programs, Accessories, Communications, and then click Remote Desktop Connection.
2. In the Remote Desktop Connection dialog box, click Options to reveal the tabs on which you can configure settings.
3. The tabs available on the Remote Desktop Connection dialog box are listed below:
o General tab, Display tab, Local Resources tab, Programs tab, and Experience tab

You can configure the settings listed below on the General tab:

You enter the name or the IP address of the server that you want to connect to, and manage, on the General tab. You can also specify the local or domain account credentials which you want used for authentication.

You can configure the settings listed below on the Display tab:

You can configure display settings that control the size of the Remote Desktop Connection window, and the color depth, on the Display tab. You can also set whether the connection bar should be displayed when in full screen mode.

You can configure the settings listed below on the Local Resources tab:

The options which can be selected in the Remote Computer Sound area of the tab are:
o Bring to this computer: Selecting this option redirects audio output from the server to the client.
o Do not play: Audio is disabled at each end of the connection.
o Leave at remote computer: Selecting this option results in audio output being played back at the server.

The options which can be selected in the Keyboard area of the Local Resources tab are:
o On the local computer: Choose this option to switch applications on the local computer.
o On the remote computer: Choose this option to switch applications on the remote computer.
o In full screen mode only: When selected, the remote system carries out keystroke combinations when the remote session has encompassed the whole display on the client workstation.

The options which can be selected in the Local Devices area of the Local Resources tab allow you to specify what local devices should be connected to when you are logged on to the remote computer. You can select between the following:
o Disk Drives
o Printers
o Serial Ports

You can configure the settings listed below on the Programs tab. These settings specify the programs that should execute when a Remote Desktop for Administration session starts. Enable the Start the following program on connection checkbox, and then enter the program's file name and path in the Program path and file name box. Enter the working directory for the program in the Start in the following folder box.

You can configure the settings listed below on the Experience tab. These settings are specific to improving the performance of the Remote Desktop for Administration connection. You can choose to allow the features listed below on the remote computer:
o Desktop background
o Show window contents while dragging
o Menu fading and sliding
o Themes
o Bitmap caching

The Remote Desktop Connection client is installed by default on Windows XP workstations and Windows Server 2003 servers. The Remote Desktop Connection client is supported for Windows 95, Windows 98, Windows Me, Windows NT, Windows 2000, Windows XP Professional and Windows Server 2003.

How to use Remote Desktop Connection to remotely manage a server

1. Click Start, All Programs, Accessories, Communications, and then click Remote Desktop Connection.
2. The Computer box displays the name of the computer that you last connected to.
3. Choose the computer which you want to connect to, using the Computer drop down box.
4. Click Connect.

How to optimize a connection to a remote server on a slow, congested network

1. Click Start, Programs, Accessories, Communications, and then click Remote Desktop Connection.
2. In the Remote Desktop Connection dialog box, click Options to reveal the tabs on which you can configure settings.
3. Click the Experience tab.
4. Select the Custom option from the Choose your connection speed to optimize performance box.
5. Clear the Themes checkbox.
6. Ensure that the Reconnect if connection is dropped checkbox is enabled.
7. Click OK.

How to add the Remote Desktops Snap-in to a MMC, and use it for remote administration

The Remote Desktops MMC snap-in can be used to manage Remote Desktop sessions with Terminal Servers and Windows Server 2003 servers. Once you have added the Remote Desktops snap-in to a MMC, you can use it to establish Terminal Services connections to Windows Server 2003 servers and Terminal Servers. To add the Remote Desktops snap-in to a MMC,

1. Click Start, Run, enter mmc in the dialog box, and click OK.
2. Click Add/Remove Snap-in from the File menu.
3. When the Add/Remove Snap-In dialog box opens, click Add.
4. When the Add Standalone Snap-in dialog box opens, select Remote Desktops and then click Add.
5. Click Close in the Add Standalone Snap-In dialog box.
6. Click OK in the Add/Remove Snap-In dialog box.
7. The Remote Desktops snap-in which you selected on the Add Standalone Snap-in dialog box now appears in the console tree.
8. Click Save from the File menu to save the MMC.
9. Enter a name for the MMC in the File Name box.
10. Click Save.
11. The saved console can now be accessed via the Administrative Tools Menu.

How to configure a connection in the Remote Desktops snap-in

1. After you have added the Remote Desktops snap-in to a MMC, right-click the Remote Desktops node in the console tree, and click Add New Connection from the shortcut menu.
2. Enter the IP address, fully qualified domain name (FQDN), or NetBIOS name of the server to which you want to connect in the Server Name Or IP Address text box.
3. In the Connection Name text box, enter a name for the connection.
4. Enable the Connect To Console checkbox if you want to connect to the console of the server.
5. Enter your name in the User Name text box, enter your password in the Password text box, and enter the domain name in the Domain text box.
6. Enable the Save Password checkbox to save the password that you have entered.
7. Click OK to save the connection.
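The Remote Desktop Connection choices described above (the General, Display, Local Resources, Programs and Experience tabs, and the slow-link optimization) are what the client saves into an .rdp file. The following is an added example and not code from the original page: it builds an .rdp file from those choices using the standard keys the Remote Desktop Connection client reads, parses one back, and audits it for the settings a reviewer wants to know about before a saved connection is handed to other administrators (drive, printer and serial port redirection, an embedded saved password, a console connection). The server and user names are constructed sample values.

```python
"""Build, parse and audit Remote Desktop Connection (.rdp) settings files.

Added example (not code from the original page). The keys are the standard
.rdp keys read by the Remote Desktop Connection client; the slow-link preset
mirrors the Experience tab choices above (Themes cleared, Reconnect if
connection is dropped enabled). Server and user names are constructed.
"""
from typing import Dict, List

# Remote Computer Sound (Local Resources tab): 0 = bring to this computer,
# 1 = leave at remote computer, 2 = do not play.
AUDIO_LOCAL, AUDIO_REMOTE, AUDIO_OFF = 0, 1, 2
# Keyboard (Local Resources tab): 0 = on the local computer,
# 1 = on the remote computer, 2 = in full screen mode only.
KEYS_LOCAL, KEYS_REMOTE, KEYS_FULLSCREEN = 0, 1, 2


def build_rdp(server: str, username: str = "", domain: str = "",
              slow_link: bool = False, console: bool = False,
              redirect_drives: bool = False, redirect_printers: bool = True,
              redirect_comports: bool = False, audio: int = AUDIO_OFF,
              keyboard: int = KEYS_FULLSCREEN, program: str = "",
              workdir: str = "") -> str:
    """Return the text of an .rdp file ("name:type:value" lines)."""
    on, off = "1", "0"
    settings = {
        # General tab: target server and the account used to authenticate
        "full address:s": server,
        "username:s": username,
        "domain:s": domain,
        # Display tab: full screen (2), 16-bit colour, show the connection bar
        "screen mode id:i": "2",
        "session bpp:i": "16",
        "displayconnectionbar:i": on,
        # Local Resources tab: sound, keyboard and device redirection
        "audiomode:i": str(audio),
        "keyboardhook:i": str(keyboard),
        "redirectdrives:i": on if redirect_drives else off,
        "redirectprinters:i": on if redirect_printers else off,
        "redirectcomports:i": on if redirect_comports else off,
        # Programs tab: program to start on connection and its working folder
        "alternate shell:s": program,
        "shell working directory:s": workdir,
        # Experience tab: a 1 in a "disable ..." key turns that feature off
        "disable wallpaper:i": on if slow_link else off,
        "disable full window drag:i": on if slow_link else off,
        "disable menu anims:i": on if slow_link else off,
        "disable themes:i": on if slow_link else off,
        "bitmapcachepersistenable:i": on,
        "autoreconnection enabled:i": on,
        # Connect to the server console session instead of a new session
        "connect to console:i": on if console else off,
    }
    return "".join(f"{key}:{value}\n" for key, value in settings.items())


def parse_rdp(text: str) -> Dict[str, str]:
    """Parse "name:type:value" lines into {name: value}; the type letter is dropped."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)
        if len(parts) != 3:
            continue  # blank or malformed line
        name, _type, value = parts
        settings[name] = value
    return settings


def audit_rdp(settings: Dict[str, str]) -> List[str]:
    """Return findings a reviewer would raise before distributing this file."""
    findings: List[str] = []
    if not settings.get("full address"):
        findings.append("no target server specified")
    # Redirected devices expose local resources to the remote server
    if settings.get("redirectdrives") == "1":
        findings.append("local disk drives are mapped into the remote session")
    if settings.get("redirectprinters") == "1":
        findings.append("local printers are redirected to the remote session")
    if settings.get("redirectcomports") == "1":
        findings.append("local serial ports are redirected to the remote session")
    # The client stores a saved password under a "password 51" key
    if any(name.startswith("password 51") for name in settings):
        findings.append("a saved password is embedded in the file")
    if settings.get("connect to console") == "1":
        findings.append("connection targets the server console session")
    return findings


if __name__ == "__main__":
    rdp = build_rdp("srv01.corp.example", "admin", "CORP", slow_link=True)
    print(rdp)
    for finding in audit_rdp(parse_rdp(rdp)):
        print("finding:", finding)
```

The defaults deliberately leave drive and serial port redirection off and audio disabled; printers are on by default because that is what the client ships with, and the audit reports it so the reviewer makes a conscious choice. The same audit can be run over .rdp files collected from administrators' workstations.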

Using Remote Assistance for Remote Management

The Remote Assistance feature is dependent on the Terminal Services service, and is automatically installed when Windows Server 2003 is installed. Remote Assistance enables a user (novice) at one computer to request assistance via Windows Messenger or e-mail from a user (expert) at another computer on the local network, or over the Internet. Once the expert receives a request for remote assistance, the expert can remotely connect to the computer of the novice. This means that when the remote assistance session is established, the novice and the expert can simultaneously control the computer. The Remote Assistance feature is extremely useful if you want to troubleshoot user problems, or connect to a remote computer to change configuration settings or install new software. You have to enable and configure Remote Assistance first, though. In order for a computer to receive remote assistance, the computer must be running Windows XP or Windows Server 2003. The computer must also be enabled to use Remote Assistance. To enable a computer to use Remote Assistance, use one of the processes listed below:

Control Panel: Use the steps listed below to enable a computer to use Remote Assistance

1. Open the System Properties dialog box in Control Panel.
2. Click the Remote tab.
3. Click the Allow Remote Assistance invitations to be sent from this computer checkbox.
4. Click the Advanced button.
5. When the Remote Assistance Settings dialog box opens, click the Allow this computer to be controlled remotely checkbox.
6. Click OK.

Group Policy: To enable Remote Assistance using Group Policy,

1. Open the GPO linked to the site or domain that contains the computer using the Group Policy Object Editor console.
2. Expand the Computer Configuration node, Administrative Templates node, System node, and click the Remote Assistance node.
3. Double-click the Solicited Remote Assistance policy.
4. When the Solicited Remote Assistance Properties dialog box opens, select Enabled.
5. Use the settings in the Permit remote control of this computer section of the dialog box to specify whether a client on a remote workstation computer is able to control the server.
6. Click OK.

A user can request remote assistance using one of the methods listed below:
o Windows Messenger
o E-mail
o Save the request to a file

The Windows Messenger tool is a chat application which you can download and install for free. To download the Windows Messenger tool,

1. Open the Help and Support Center.
2. Click the Download Windows Messenger link.
3. When a Web page appears, click Download Now.
4. On the Save As dialog box, click Open.
5. After the download is completed, click Yes in the Security Warning dialog box.
6. Click Yes to accept the license agreement, and start the installation of the Windows Messenger tool.
7. After the installation, the Windows Messenger window opens, giving you the option to sign in.
8. Click the Click here to sign in link.
9. This starts the .NET Passport Wizard.
10. Click Next on the initial screen of the wizard.
11. Click the No. I would like to open an MSN Hotmail e-mail account option, and click Next.
12. Click the I Agree button.
13. Click Continue to open the Associate your .NET Passport with your Windows user account? page.
14. Click Next. Click Finish.

To send a remote assistance request using the Windows Messenger tool, you have to first add contacts or users from whom you will be requesting remote assistance.

1. Click the Add a Contact link in the Windows Messenger window.
2. To search for a contact, click the Search for a contact option. Click Next.
3. Enter the criteria which should be used to search for the contact. Click Next.
4. When the search results are displayed, choose the contact you wish to add. Click Next.
5. Click Finish.

How to request remote assistance using e-mail

1. Open the Help and Support Center.
2. Click Remote Assistance located under the Support area.
3. Click the Invite someone to help you link.
4. Enter the name of the expert from whom you want to request remote assistance in the Type your assistant's first name: text box. Click Continue.
5. In the Set the invitation to expire section, specify the validity period for the invitation.
6. If you want the expert to provide a password to access the invitation, leave the Require the recipient to use a password checkbox enabled.
7. Enter the password in the Type password and Confirm password text boxes.
8. Click the Create Email Invitation button.

How to initiate Remote Assistance from your computer to a user's computer

1. Open the Help and Support Center.
2. Click Tools and click Help And Support Center Tools.
3. Click Offer Remote Assistance.
4. Enter the name or IP address of the computer that you want to offer remote assistance to.
5. Click Connect.
6. If prompted, select a user session.
7. Click Start Remote Assistance.
8. At this point, a message appears on the user's desktop, indicating that an administrator wants to initiate a Remote Assistance session.
9. Once the user accepts remote assistance, the Remote Assistance session is established.

Remote Administration

Remote Administration Overview

When it comes to administering servers and desktops in secure organizations or large organizations, administrators would typically be found performing remote administration. This basically means that administrators would be using the Microsoft Management Console snap-ins or support tools remotely, to administer servers. For instance, through the Microsoft Management Console snap-ins, you have the option of connecting to remote systems. In fact, most administrative tasks which you can perform locally, you can perform remotely. With the introduction of Windows Server 2003 came increased support for remote administration. This entailed support to use the Microsoft Management Console snap-ins, Remote Desktop For Administration, Remote Assistance, and Web Interface for Remote Administration to perform remote administration. The tools which are most likely used for system administration are the graphical user interface (GUI) based tools. These tools include the Connect To Another Computer option which allows you to specify which computer you want to connect to. The main GUI based tools used to administer systems remotely are listed here:
o Microsoft Management Console snap-ins
o Remote Administration (HTML) tool
o Remote Desktop For Administration
o Remote Assistance
o Administration Tools Pack

Remote Administration through Microsoft Management Console snap-ins

The Microsoft Management Console (MMC) is the administrative framework for most of the graphical user interface (GUI) based tools which can be used to manage computers both locally and remotely. The MMC makes it possible for administrators to specify which snap-ins should be added to a MMC console. Third-party administrative tools that supply snap-ins can also be added to MMC consoles. After you have added your snap-ins, you can define different administrative views in the console by adding windows for each snap-in. You can also configure a MMC console so that no other individuals can modify the console. This is done by saving the console in one of the available modes. The mode which you choose for saving the MMC console affects a number of important aspects of the MMC console:
o The snap-ins that you can add to the MMC console.
o The windows that you can create.
o The nodes that are displayed in the MMC console tree.

The modes you can select between when saving a MMC console are listed here:
o Full mode: provides full access to the MMC. All areas of the console can be changed. Full mode allows you to add and remove snap-ins as well.
o User mode (full access): provides full access to the windowing commands but excludes the capability of adding and removing snap-ins.
o User mode (limited access - multiple windows): provides access to those elements of the specific MMC which existed when saved. Only new windows can be created, and previous windows cannot be closed.
o User mode (limited access - single window): provides a view of only the console as it existed when saved. No new windows can be created.

To remotely administer a computer through a MMC console, you must have the necessary administrative rights to access and manage the specific remote computer.

How to create a customized MMC console

1. Click Start, click Run, enter mmc and then click OK.
2. A blank MMC console which has no snap-ins opens.
3. From the File menu, click Add/Remove Snap-In.
4. The Add/Remove Snap-In dialog box opens.
5. You can leave the default setting of Console Root in the Snap-Ins Added To box unchanged. Click Add.
6. Select the snap-in you want to add to the MMC by double-clicking it.
7. To close the Add/Remove Snap-In dialog box, click OK.
8. The snap-in you added is displayed at the Console Root.

How to create a customized remote MMC console

1. Click Start, click Run, enter mmc and then click OK.
2. Click the Add/Remove Snap-In command from the File menu.
3. Click Add in the Add/Remove Snap-In dialog box.
4. Select the snap-in that you want to add, and then click Add.
5. Select Another Computer in the This Snap-In Will Always Manage area.
6. Click Browse to select the computer for the snap-in when the Select Computer dialog box opens.
7. Click OK.

How to add the Remote Desktops snap-in to a MMC console

1. Open a blank console.
2. From the File menu, click Add/Remove Snap-in.
3. In the Add/Remove Snap-In dialog box, click the Add button.
4. Select Remote Desktops and then click Add.
5. Click Close and then click OK in the Add/Remove Snap-In dialog box.
6. If you want the Remote Desktops console to be available from the Administrative Tools menu, click the File menu and then select the Save command.
7. In the File Name box, provide a name for the MMC.
8. Click Save.

How to remotely administer a system using the Computer Management console

You can use the Computer Management console to perform management tasks on remote systems. Computer Management is available on both client and server computers. The Computer Management console contains the following primary nodes:
o The System Tools node contains the Event Viewer, Performance Logs And Alerts, and Device Manager snap-ins.
o The Storage node contains the Removable Storage and Disk Management snap-ins which are used to manage storage devices and local disks.
o The Services and Applications node contains the snap-ins used to perform server-end administration tasks.

To remotely administer a system using the Computer Management console

1. Click Start, right-click My Computer, and then select Manage from the shortcut menu.
2. Right-click Computer Management in the console tree, and select Connect To Another Computer from the shortcut menu.
3. Provide the IP address of the remote computer in the Another computer box.
4. Alternatively, click Browse to locate the remote computer on the network.
5. Click OK to connect to and administer the remote computer.

Remote Administration through the Remote Administration (HTML) tool

You can use the Remote Administration (HTML) tool if you want to manage your servers using a Web browser. If the Remote Administration (HTML) tool is installed, you can connect to an IIS 6.0 Web server through the Remote Administration Web site. A few requirements have to be met though before you can use the Remote Administration (HTML) tool to manage a server over the Internet:
o If you are not running the Windows Server 2003 Web Edition, you have to install the Remote Administration (HTML) tool on the server.
o The server must have a valid external IP address.
o Port 8098 should be used for communication.

How to install the Remote Administration (HTML) tool

1. Open Control Panel.
2. Double-click Add Or Remove Programs.
3. Click Add/Remove Windows Components.
4. The Windows Components Wizard initiates.
5. Select Application Server and then click the Details button.
6. Select Internet Information Services (IIS) and then click Details.
7. Select World Wide Web Service and then click Details.
8. Enable the Remote Administration (HTML) checkbox. Click OK.
9. Click Next in the Windows Components Wizard to install the Remote Administration (HTML) tool.
10. Click Finish.
11. To access and administer a server over the Internet, open Internet Explorer.
12. Browse to https://server name:8098
13. Once the connection to the server is created, you can use the Web interface to remotely administer the server.

Remote Administration through Remote Desktop For Administration

The Remote Desktop For Administration mode of Terminal Services enables you to remotely manage a Windows Server 2003 server. Remote Desktop for Administration is installed by default when you install the operating system, but it is not enabled by default. You have to enable Remote Desktop for Administration at each connection end prior to using it. The Remote Desktop Connection (RDC) utility is the client-end software used to access a server in the context of Remote Desktop For Administration. You can configure remote desktop connections to Windows servers and workstations. In Windows 2000 Server, you have to install and configure Terminal Services in remote access mode to set up remote desktop connections. Remote Desktop Connection is by default installed with Windows XP and Windows Server 2003. You can however install Remote Desktop Connection on previous Windows operating systems (OSs) such as Windows 2000, Windows NT, Windows ME, Windows 98, and Windows 95. The RDC utility is backward compatible, and can therefore interact with Terminal Services in Windows XP, Windows 2000 and Windows NT 4 Terminal Server Edition.

How to enable Remote Desktop for Administration

1. Open Control Panel.
2. Double-click System.
3. Click the Remote tab.
4. Select the Allow users to connect remotely to this computer checkbox.
5. To enable additional users to connect remotely to the computer, click the Select Remote Users button.
6. Provide the names of the users who are allowed to connect to the computer.
7. Click OK.

How to grant users rights to create remote connections to remotely administer servers

1. Open the Computer Management console.
2. In the console tree, expand the System Tools node, Local Users and Groups node, and then expand the Groups node.
3. Right-click Remote Desktop Users, and then select Add to Group from the shortcut menu.
4. Click the Add button.
5. Select the user who should be added to the Remote Desktop Users group.
6. Click OK.

How to remotely administer a server using Remote Desktop for Administration

1. Click Start, All Programs, Accessories, Communications, and then click Remote Desktop Connection.
2. The Computer box displays the name of the computer that was last connected to.
3. Select the computer which you want to connect to in the Computer drop down box.
4. Click Connect.

How to optimize remote connections

1. Click Start, All Programs, Accessories, Communications, and then click Remote Desktop Connection.
2. In the Remote Desktop Connection dialog box, click the Options button.
3. Click the Experience tab.
4. Select the Custom option from the Choose your connection speed to optimize performance box.
5. Clear the Themes checkbox.
6. Ensure that the Reconnect if connection is dropped checkbox is enabled.
7. Click OK.

Remote Administration through Remote Assistance

Remote Assistance makes use of the TCP/IP protocol to establish a connection between two computers so that a user at one computer can request assistance from a user located at another computer. Remote Assistance uses Terminal Services and the RDP protocol to enable administrators to monitor and control desktops of remote computers, send and receive files from a remote computer, and communicate with a user located at the remote computer. To establish connections to a remote computer, a local area network (LAN) connection or Internet connection can be used. Solicited remote access occurs when a user creates a Remote Assistance invitation and then sends the invitation to the remote assistant. With unsolicited remote access, remote assistance is offered without the person offering remote assistance receiving a Remote Assistance invitation. Windows Messenger or an e-mail client can be used to send a Remote Assistance invitation to request remote assistance. Remote Assistance is automatically installed when Windows Server 2003 is installed. For a computer to receive remote assistance, the computer must be running Windows XP or Windows Server 2003, with the Remote Assistance feature enabled. You can use Group Policy to configure settings for Remote Assistance. The Solicited Remote Assistance policy and Offer Remote Assistance policy can be used to configure Remote Assistance through Group Policy:
o Enable and disable Remote Assistance.
o Enable users to send Remote Assistance invitations.
o Enable a user to allow remote control to another individual.

How to send a Remote Assistance invitation (e-mail)

1. Click Start, and then open Help and Support Center.
2. Click Remote Assistance.
3. Click Invite someone to help you.
4. Enter the name of the expert in the Type your assistant's first name text box, and then click Continue.
5. On the following screen, specify the expiration time and date for the invitation.
6. Leave the Require the recipient to use a password option enabled.
7. Provide a password in the Type password and Confirm password text boxes.
8. Once the password is verified, the Create Email Invitation button is enabled.
9. Click the Create Email Invitation button to send the invitation.

How to send a Remote Assistance invitation (Windows Messenger)

1. Click Start, click Help and Support Center.
2. Click the Invite a friend to connect to your computer with Remote Assistance option.
3. Click the Invite someone to help you option.
4. In the Use Windows Messenger section on the following screen, click the Sign In button.
5. Provide a valid email address and password to log on to Windows Messenger.
6. Click OK.
7. The Windows Messenger dialog box opens.
8. Select Tools, Ask for Remote Assistance, and then select the email address of the individual from whom you want to request assistance.
9. A message to request remote assistance is transmitted to the individual.
10. When the individual accepts the remote assistance request, the user is informed through a message.
11. The Remote Assistance console is displayed on the computer of the expert.
12. A message indicating that an answer is pending is displayed.
13. The user can click Yes to enable the expert to view the desktop of the computer.

How to provide unsolicited remote assistance

1. Open the Help and Support Center.
2. Click Tools to view computer information, located under Pick a task.
3. Click Offer Remote Assistance.
4. The Offer Remote Assistance screen opens.
5. Provide the IP address of the computer that you want to provide Remote Assistance to.
6. Click Connect.
7. A message indicating that remote assistance has been offered is shown on the computer of the novice.

How to manage Remote Assistance invitations

1. Open Help and Support Center.
2. Click Remote Assistance.
3. Click View Invitation Status.
4. The information on each Remote Assistance invitation is displayed. The information shown includes the name of the person that the invitation was sent to, the date and time that the invitation expires, and the status of the invitation.
5. Choose the invitation and click the Details, Expire, Resend, or Delete button.

Remote Access Security

Remote Access Security Overview

To protect your corporate data from attacks from intruders and from being accessed by unauthorized users, you need to plan for and implement remote access security. You should authenticate remote access clients attempting to establish a remote connection with the remote access server. To secure connections to the corporate network, you can configure properties that either allow remote access or deny remote access. You can also specify authorization using the source number or destination phone number as the basis. There are a number of strategies that you can use to secure remote access connections:
o Control access through the Dial-in Properties of an individual user account. This is the account that remote access clients utilize to connect to the network.
o Create and configure remote access policies.
o Create and configure remote access profiles.
o Configure remote access authentication and encryption.
o You can use Remote Authentication Dial-In User Service (RADIUS) to provide authentication, authorization, and accounting for your remote access implementation.
o Configure advanced security features such as smart cards and callback security.
o Raise the domain functional level to provide additional security features for your remote access implementation.

Planning Remote Access Security

You should include planning of remote access security when planning your overall remote access solution. A few issues that need to be clarified are listed below:
o Not all users in an organization require remote access. You should therefore identify those users that need remote access and configure only these users to have remote access. Authentication can be used to restrict remote access to only those users that are specified for remote access. You can use remote access policies to define the requirements (conditions) that users must match to obtain remote access.
o In addition, not all users need to access the entire network. You should restrict access to the remote access server for those users that only need to access the remote access server to complete their tasks. Because all users do not need to have access to all resources, you can use permissions to allow different users different levels of remote access.
o Users can also be restricted to specific applications only. You do this by configuring packet filters to allow only traffic that uses specific protocols and port numbers.

For dial-in access, you would want to control which users are able to remotely access the network:
o You can allow or disallow remote access for individual users. You can configure individual user access through the Properties dialog box of a specific user, on the Dial-in tab. The Active Directory Users and Computers management console is the tool used to access the Properties dialog box of a specific user account.
o You can allow or disallow remote access by configuring remote access policies. This method allows you to specify remote access rights based on various criteria, such as user, group, and time of day. The settings specified on the Properties dialog box of a specific user, on the Dial-in tab, dictate whether a user is affected by remote access policies. The different settings on the Dial-in tab of the Properties dialog box of a particular user are:
  o Allow Access: the user is allowed to remotely access the network. The remote access policies are not included in the decision.
  o Deny Access: the user is denied permission to remotely access the network.
  o Control Access Through Remote Access Policy: the remote access policies dictate whether or not the user is allowed remote access.
o Remote access policies can also be used to further restrict remote connections after they have been authorized by the Routing and Remote Access Service (RRAS), based on the following:
  o Idle timeout time setting
  o Maximum session time setting
  o IP packet filters
  o Encryption strength
  o IP addresses for PPP connections and static routes
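The interaction between the account's Dial-in setting and the remote access policies described above is easiest to see as an evaluation order. The following is an added example, not code from the original page and not Microsoft's implementation: it models the RRAS decision as described here (Deny Access rejects outright; Allow Access bypasses the policy's permission; Control Access Through Remote Access Policy uses the first matching policy's permission) and then applies that policy's profile (encryption strength, maximum session time, idle timeout) to further restrict the authorized connection. As RRAS does, it rejects a connection that matches no policy at all. The users, groups and policies are constructed sample data, and treating an account with no explicit Dial-in setting as "Control Access Through Remote Access Policy" is an assumption of the model.

```python
"""Model of the remote access authorization order for a Windows Server 2003
remote access server (RRAS).

Added example: not code from the original page and not Microsoft's own
implementation. The account's Dial-in setting is combined with the first
remote access policy whose conditions match, and that policy's profile then
further restricts the connection. Users, groups and policies are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ALLOW, DENY, CONTROL_BY_POLICY = "allow", "deny", "policy"


@dataclass
class Connection:
    user: str
    groups: List[str]
    hour: int              # local hour (0-23) of the attempt
    encryption_bits: int   # negotiated link encryption: 0, 40, 56 or 128
    tunnel: str            # "dialup", "pptp" or "l2tp"


@dataclass
class Policy:
    name: str
    grant: bool                                      # Remote Access Permission
    groups: List[str] = field(default_factory=list)  # condition: member of any of
    hours: Optional[range] = None                    # condition: day-and-time
    tunnels: Optional[List[str]] = None              # condition: tunnel type
    min_encryption_bits: int = 0                     # profile: encryption strength
    max_session_minutes: Optional[int] = None        # profile: maximum session time
    idle_timeout_minutes: Optional[int] = None       # profile: idle timeout

    def matches(self, c: Connection) -> bool:
        """All configured conditions must hold for the policy to apply."""
        if self.groups and not set(self.groups) & set(c.groups):
            return False
        if self.hours is not None and c.hour not in self.hours:
            return False
        if self.tunnels is not None and c.tunnel not in self.tunnels:
            return False
        return True


@dataclass
class Decision:
    accepted: bool
    reason: str
    policy: Optional[str] = None
    max_session_minutes: Optional[int] = None
    idle_timeout_minutes: Optional[int] = None


def authorize(c: Connection, dialin: Dict[str, str],
              policies: List[Policy]) -> Decision:
    """Decide a connection attempt from the Dial-in setting and the policy list."""
    # Assumption: an account with no explicit Dial-in setting is treated as
    # Control Access Through Remote Access Policy.
    setting = dialin.get(c.user, CONTROL_BY_POLICY)
    if setting == DENY:
        return Decision(False, "Dial-in properties deny access")
    policy = next((p for p in policies if p.matches(c)), None)
    if policy is None:
        return Decision(False, "no remote access policy matches the connection")
    if setting == CONTROL_BY_POLICY and not policy.grant:
        return Decision(False, f"policy '{policy.name}' denies access", policy.name)
    # Allow Access skips the policy's permission, but the profile still applies
    if c.encryption_bits < policy.min_encryption_bits:
        return Decision(False, f"{c.encryption_bits}-bit encryption is below the "
                        f"{policy.min_encryption_bits}-bit profile minimum", policy.name)
    return Decision(True, "accepted", policy.name,
                    policy.max_session_minutes, policy.idle_timeout_minutes)


# Constructed sample configuration; policies are evaluated in this order.
SAMPLE_POLICIES = [
    Policy("Administrators - any time", grant=True, groups=["Domain Admins"],
           min_encryption_bits=128, idle_timeout_minutes=10),
    Policy("Sales - business hours", grant=True, groups=["Sales"],
           hours=range(8, 18), tunnels=["pptp", "l2tp"], min_encryption_bits=56,
           max_session_minutes=480, idle_timeout_minutes=20),
    Policy("Default - deny", grant=False),   # no conditions: matches everything
]
SAMPLE_DIALIN = {"alice": CONTROL_BY_POLICY, "bob": CONTROL_BY_POLICY,
                 "carol": DENY, "dave": ALLOW}


if __name__ == "__main__":
    attempts = [
        Connection("alice", ["Sales"], 10, 128, "pptp"),
        Connection("alice", ["Sales"], 22, 128, "pptp"),
        Connection("bob", ["Domain Admins"], 3, 40, "l2tp"),
        Connection("carol", ["Sales"], 10, 128, "pptp"),
        Connection("dave", [], 22, 0, "dialup"),
    ]
    for a in attempts:
        d = authorize(a, SAMPLE_DIALIN, SAMPLE_POLICIES)
        print(f"{a.user:6} {a.hour:2}h {a.tunnel:6} -> {d.accepted}: {d.reason}")
```

The sample run shows the cases that matter when reviewing a policy set: a Sales user is accepted during business hours and caught by the final deny policy at night, an administrator is refused because the negotiated 40-bit encryption falls below the 128-bit profile minimum, a Deny Access account never reaches the policies, and an Allow Access account is accepted even though the only policy it matches is the deny policy, because that policy's permission is not consulted for Allow Access accounts.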

When planning a VPN remote access strategy, the security specific requirements that you need to clarify are discussed next. The placement of the VPN servers could dictate that you implement additional security measures. If you place VPN server on the private internal network, the firewall has to allow traffic to the VPN server.

If you place the VPN server on the perimeter network, you need to do the following: o On the VPN server, configure inbound and outbound filters that allow VPN traffic to and from the Internet interface of the VPN server. o On the firewall, configure it to allow traffic from the VPN server.

You would also need to determine which VPN protocols to utilize. You can support the use of one or both of the VPN protocols:

- Point-to-Point Tunneling Protocol (PPTP)
- Layer Two Tunneling Protocol (L2TP)

The factors to consider when deciding which VPN protocol to use are:

- The requirements of the remote access clients: Windows 95, Windows 98, Windows ME, Windows NT 4.0, Windows 2000, Windows XP and Windows Server 2003 support PPTP. Only Windows 2000, Windows XP and Windows Server 2003 support L2TP.
- Public Key Infrastructure (PKI) requirements: A Public Key Infrastructure (PKI) is needed for the mutual authentication of the VPN server and the client. Certificates need to be installed on the VPN server and VPN clients. In addition to this, user authentication needs protocols such as Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) and Extensible Authentication Protocol-Transport Layer Security (EAP-TLS).
- IPSec requirement: L2TP can be used with IPSec to provide encryption. If you need authentication for the VPN server and the client, then you need to be able to support L2TP. Only L2TP over IPSec can provide data integrity.

The following section examines the differences between the VPN protocols, and when each protocol should be implemented. PPTP should be implemented when the following statements are true:

o You need to support legacy Windows clients.
o Client-to-gateway connectivity or network-to-network connectivity is a requirement.
o The VPN must pass through a firewall or perimeter server that performs NAT. The only VPN protocol that can pass through NAT is PPTP.

L2TP should be implemented when the following statements are true:

o All client computers have computer certificates installed.
o Client-to-gateway connectivity or network-to-network connectivity is a requirement.
o You want to use an IPSec tunnel.
o The server is not located behind a firewall or a perimeter server that performs NAT.

IPSec tunnel mode should be implemented when the following statements are true:

o Certificate-based authentication is being used.
o Certificates are issued by a trusted Certificate Authority.
o Network-to-network connectivity is a requirement.
o Machine authentication is required for the tunnel endpoints.

For VPN remote access, the different levels of encryption that you can configure are:

- No encryption: This option allows unencrypted VPN connections.
- Basic encryption: This option is not frequently used either, because a weak 40-bit key is used for encryption.
- Strong encryption: A 56-bit key is used for encryption.
- Strongest encryption: A 128-bit key is used for encryption.

When planning a wireless remote access strategy, the security-specific requirements that need to be considered are summarized below:

- Remote access policies that allow wireless users to connect to the network have to be configured.
- For Wireless Access Points (WAPs) to use IAS authentication, the following additional configurations are necessary:
  o Each WAP must be added as a RADIUS client in the IAS MMC snap-in.
  o On the WAP, you have to enable RADIUS authentication and define the primary and backup IAS servers.
- Because security is a high priority for wireless networks, WAPs and adapters that support the elements listed next should be used:
  o Firmware updates
  o WEP using 128-bit encryption
  o Disabling of SSID broadcasts
  o MAC filtering to restrict wireless access based on MAC addresses

Determine the following important factors:

o Whether the Wi-Fi Protected Access (WPA) protocol or the Wired Equivalent Privacy (WEP) protocol will be used.
o For the WEP protocol, whether 64-bit or 128-bit encryption will be used.
o Whether 802.1X authentication will be used.
o Whether wireless clients will use IPSec.
o Whether MAC address filtering will be used.
o Whether Group Policy will be used to configure wireless client security.

Securing Remote Access through the Dial-in Properties of a User Account


The different options that you can configure on the Dial-In tab of a specific user account in the Active Directory Users And Computers management console are:

- In the Remote Access Permission (Dial-in Or VPN) area, you can select one of the following options:
  o Allow Access: The Allow Access option allows remote access for the specific user account. The Allow Access option overrides any settings specified through remote access policies.
  o Deny Access: The Deny Access option prevents remote access for the specific user account.
  o Control Access Through Remote Access Policy: When you select the Control Access Through Remote Access Policy option, whether or not the user is allowed remote access is determined by the remote access policies applied to the connection.
- You can enable the Verify Caller ID checkbox to specify the phone number of the user that should be verified before the remote access connection can be established. A connection will only be established if the number that the user is calling from corresponds with the number configured here.
- The Callback Options area of the Dial-in tab is where you specify one of the following:
  o No callback.
  o Set by caller.
  o Always callback to a specific callback number.

Callback Security is a feature that you can use for dial-in connections. When it is enabled and a remote access client establishes a connection through Callback, the call is disconnected and the client is called back. You can enable either of the following methods of the Callback Security feature:

- You can allow the user to define the callback number.
- An administrator can specify the callback number.

A few guidelines for setting the Dial-in Properties of a user account are summarized below:

- If you want to prevent the user from remotely accessing the network, set the remote access permission for the specific user account to the Deny Access option.
- If you want to restrict your remote access clients to only certain network segments, configure static routes for the remote access client that specify those network segments that they can access.
- If you want to allow or deny remote access based on policies, select the Control Access Through Remote Access Policy option for the particular user account.
- If you want to assign a particular IP address for each remote access connection attempt made by a particular user, specify the IP address in the Assign A Static IP Address field.
- If you want dial-up connections to use a particular phone number, set the value of the Verify Caller ID field to the specific phone number.

Authentication Methods for Remote Access


There are a number of authentication methods supported by the Routing and Remote Access Service (RRAS). You configure the authentication protocols through the Routing and Remote Access console:

1. Click Start, Administrative Tools, and then click Routing and Remote Access to open the Routing and Remote Access console.
2. In the console tree, select the server, and then click the Action menu to select the Properties command.
3. Switch to the Security tab.
4. Click the Authentication Methods button.
5. The Authentication Methods dialog box opens.

The different authentication methods on the Authentication Methods dialog box are:

Extensible Authentication Protocol (EAP): EAP is used for network and dial-up authentication. It allows the Routing and Remote Access Service to use authentication protocols provided by Windows 2000 and Windows Server 2003 together with third-party authentication protocols and mechanisms such as smart cards. EAP offers mutual authentication, and provides for the negotiation of encryption methods. To secure the authentication process, the EAP authentication method utilizes Transport Layer Security (TLS). If you want to use the EAP authentication method, select the Extensible Authentication Protocol (EAP) checkbox, and then click the EAP Methods button to open the EAP Methods dialog box, which lists:

o Extensible Authentication Protocol-Message Digest 5 Challenge Handshake Authentication Protocol (EAP-MD5 CHAP)
o Extensible Authentication Protocol-Transport Layer Security (EAP-TLS)
o Protected EAP (PEAP)
o EAP-RADIUS

Microsoft Encrypted Authentication Version 2 (MS-CHAPv2): MS-CHAPv2 provides mutual authentication and is used for network and dial-up authentication. MS-CHAPv2 enables mutual authentication through the use of encrypted passwords. This is one of the more secure authentication methods to use to control remote access connections.

Microsoft Encrypted Authentication (MS-CHAP): MS-CHAP is the initial version of the Microsoft Challenge Handshake Authentication Protocol (CHAP). With MS-CHAP, one-way authentication is utilized, and only one encryption key is used for sent messages and received messages. This makes MS-CHAP a weaker authentication method than MS-CHAPv2, which provides mutual authentication.

Encrypted Authentication (CHAP): CHAP is a challenge-response authentication protocol used for PPP connections. This authentication method utilizes the users' passwords for authentication. To use this authentication method, you have to use Group Policy to enable the Store Passwords Using Reversible Encryption password policy, and then reset all users' passwords so that they can be interpreted by CHAP.

Shiva Password Authentication Protocol (SPAP): SPAP uses a non-complicated password authentication protocol that offers no real authentication. SPAP is considered an insecure authentication protocol.


Unencrypted Password (PAP): PAP uses plain text passwords and no encryption. PAP is only provided as
an authentication method for those clients that do not support any of the previously mentioned, more secure authentication methods.

Allow Remote Systems To Connect Without Authentication: This option allows remote access clients
to connect to the remote access servers with no authentication.

Of the authentication methods mentioned above, the following password-based authentication methods are considered weak authentication methods for securing remote access. It is recommended that you disable these authentication methods:

- Password Authentication Protocol (PAP)
- Shiva Password Authentication Protocol (SPAP)
- Challenge Handshake Authentication Protocol (CHAP)
- Microsoft Challenge Handshake Authentication Protocol Version 1 (MS-CHAPv1)

How to disable password-based authentication methods

1. Click Start, Administrative Tools, and then click Routing and Remote Access to open the Routing and Remote Access console.
2. In the console tree, select the server, and then click the Action menu to select the Properties command.
3. Switch to the Security tab.
4. Click the Authentication Methods button.
5. The Authentication Methods dialog box opens.
6. Disable the checkbox for Microsoft Encrypted Authentication (MS-CHAP).
7. Disable the checkbox for Encrypted Authentication (CHAP).
8. Disable the checkbox for Shiva Password Authentication Protocol (SPAP).
9. Disable the checkbox for Unencrypted Password (PAP).
10. Click OK.

A few guidelines and recommendations for selecting authentication methods for your remote access solution are listed below:

- SPAP should be used when Shiva Remote Access servers are being used as Network Access Servers (NASs). You cannot use SPAP if you require strong encryption methods for remote access connections. Both SPAP and PAP offer low levels of security.
- PAP should only be used when none of the other authentication methods are supported by your remote access clients.
- CHAP: CHAP provides a medium level of security for remote access connections. CHAP should be used when your remote access clients use a mix of Microsoft operating systems (OSs) and other OSs. Remember that CHAP requires passwords to be stored in reversibly encrypted format on domain controllers.
- MS-CHAP: MS-CHAP should be used when the following statements are true:
  o Your remote access clients use Microsoft operating systems (OSs).
  o You do not want to store passwords in reversibly encrypted format on domain controllers.
  o Data needs to be encrypted between the remote access client and the Network Access Server (NAS).

- MS-CHAPv2: MS-CHAPv2 provides a high level of protection for remote access connections, and should be used when the following statements are true:
  o Mutual authentication is required for the remote access client and the Network Access Server (NAS).
  o Data needs to be encrypted between the remote access client and the Network Access Server (NAS).
  o Windows 95 clients and Windows 98 clients are only being utilized for VPN authentication.
  o Windows NT 4.0 clients and Windows 2000 clients are utilized for dial-up authentication and VPN authentication.

- EAP-TLS: EAP-TLS also provides a high level of protection for remote access connections, and should be used when the following statements are true:
  o Mutual authentication is required for the remote access client and the Network Access Server (NAS).
  o Data needs to be encrypted between the remote access client and the Network Access Server (NAS).
  o Operating systems that support third-party authentication mechanisms, such as smart cards, are being used.

Using Remote Access Policies to Secure Remote Access


Remote access policies can be created to control whether or not the user is allowed to connect to the remote access server. Remote access policies contain conditions which you specify through the Routing and Remote Access management console. These conditions determine which users are allowed to connect to the remote access server. Remote access policies can be used to:

- Specify which authentication protocol clients must utilize.
- Specify which encryption methods clients must utilize.
- Restrict user access, based on the following:
  o User
  o Group membership
  o Time of day

The Grant or Deny setting of a specific policy determines whether the user is allowed or denied access. When a user attempts to establish a connection, the remote access policies are evaluated to determine whether the user is permitted to access the remote access server. The user is only allowed access once all the conditions in the remote access policy allow access. When more than one remote access policy is configured, you can define the order in which they are to be applied. You do this by specifying the order number or priority of each remote access policy. A few conditions that remote access policies can compel clients to meet are listed below:

- Authentication type: indicates which authentication protocols clients must utilize.
- Framed protocol: indicates the data-link layer protocol which clients have to utilize.
- Day and time restrictions: indicates on which day of the week and at what time of the day the user can connect.
- Tunnel type: for VPN clients, it defines the tunneling protocol that these clients must utilize.
- Windows groups: indicates which groups users have to be a member of if they want to connect to the remote access server.

The different attribute types that can be evaluated in a remote access policy are:

- Authentication Type: the authentication type, for instance PAP or CHAP.
- Called Station ID: the network access server's (NAS) phone number.
- Calling Station ID: the phone number used by the caller.
- Client-Friendly Name: the name of the RADIUS client requiring authentication.
- Client IP Address: the IP address of the RADIUS client.
- Client Vendor: the network access server's (NAS) vendor.
- Day and Time Restrictions: specifies when a connection can be established.
- Framed Protocol: IAS uses this to determine the frame type of the incoming packets.
- MS RAS Vendor: the RADIUS client machine's vendor.
- NAS Identifier: the network access server's (NAS) name.
- NAS IP Address: the IP address of the NAS.
- NAS Port Type: the media used by the client.
- Service Type: the type of service requested.
- Tunnel Type: the type of tunnel (PPTP, L2TP) that should be used.
- Windows Groups: the groups whose members are allowed access to the remote access server.

You can also use remote access policies to configure further restrictions once the connection attempt is authorized by RRAS. Connections can be restricted through remote access policies, based on the following elements:

- Idle timeout
- Maximum session time
- Encryption strength
- IP packet filters
- Advanced restrictions: IP addresses for PPP connections

How the Routing and Remote Access Service (RRAS) applies remote access policies when multiple policies are configured

You can define the order in which remote access policies should be applied to connections through the Routing and Remote Access management console. You simply have to select the remote access policy in the details pane, click the Action menu, and then click either the Move Up command or the Move Down command. The order in which the Routing and Remote Access Service (RRAS) applies remote access policies is illustrated below:

1. RRAS evaluates the connection attempt against the very first remote access policy. The connection is rejected if there are no configured remote access policies in the list.
2. If the connection does not meet each condition specified in the initial remote access policy, RRAS proceeds to check the connection against the second remote access policy specified in the list.
3. If the connection does not meet all of the conditions of any of the remote access policies, the attempted connection is rejected.
4. If the Ignore-User-Dialin-Properties attribute has a value of False, RRAS proceeds to check the remote access permission setting of the specific user account:
   1. If the Deny Access option is configured for the user account, the attempted connection is rejected.
   2. If the Allow Access option is configured, the user account and profile properties are applied to the connection. If the user account and profile properties match the connection attempt, the connection is allowed. If they do not match, RRAS rejects the attempted connection.
   3. If the Control Access Through Remote Access Policy option is configured, the remote access permission setting of the policy is checked. If Allow Access is specified, RRAS checks whether the user account and profile properties match the connection attempt. If so, the connection is allowed. If not, the connection is rejected.
5. If the Ignore-User-Dialin-Properties attribute has a value of True, RRAS proceeds to check what the remote access permission setting of the policy indicates:
   1. If Allow Access is specified, RRAS checks whether the user account and profile properties match the connection attempt. If so, the connection is allowed. If not, the connection is rejected.
   2. If Deny Access is specified, the attempted connection is rejected.

A few recommendations for implementing remote access policies are discussed next:

- Because all conditions in a remote access policy have to be matched for a remote access connection attempt to be allowed, it is wise not to configure a large number of conditions for each remote access policy.
- Ensure that the correct condition is applied to each remote access policy. You should not include a remote access policy condition that cannot be matched or met.
- Specify the correct order in which the Routing and Remote Access Service (RRAS) must process the remote access policies. Remote access policies that have more precise conditions should be applied to connections before remote access policies that include more general conditions are applied.
- Remember that if no remote access policies are defined in the list, then all remote access attempts will simply be denied. A remote access policy that allows remote access connections 24 hours a day is enabled by default.

Using Policy Profiles for Remote Access Connections


Remote access profiles are an important component of remote access policies. Remote access profiles determine what happens after the connection is authorized by RRAS. Each remote access profile contains a set of properties, which are applied to connections that match the conditions specified in the remote access policy. You can create a remote access profile for a remote access policy either when you create the actual remote access policy, or at some later date. You create a profile by accessing the Properties dialog box of the specific remote access policy, and then clicking the Edit Profile button. The profile Properties dialog box contains the following six tabs: Dial-In Constraints tab, IP tab, Multilink tab, Authentication tab, Encryption tab and Advanced tab. A remote access profile is made up of the following sets of properties, which can be configured through the profile's Properties dialog box:

- Dial-in constraints: Dial-in constraints are used to specify the following:
  o The number of minutes that the connection can stay idle before the server disconnects it.
  o The maximum time that a connection can remain connected.
  o The times when connections are allowed.
  o Which connections should be rejected, based on media type.

- Authentication properties: Authentication properties allow you to set the following:
  o Which authentication methods are allowed for connections.
  o Whether users are allowed to modify expired passwords through MS-CHAP and MS-CHAP v2.

- Encryption properties: Encryption properties allow you to set the following:
  o Which encryption strength should be used: Basic Encryption, Strong Encryption or Strongest Encryption.

- IP properties: The IP properties allow you to configure the following:
  o That the remote access client requests an IP address.
  o That the remote access server provides an IP address.
  o That static IP addresses be used.
  o That the remote access server determines how IP addresses are assigned.

- Multilink properties: Multilink properties allow you to configure the following:
  o Enable multilink.
  o Set the number of ports a multilink connection is allowed to utilize.

- Advanced properties: Advanced properties allow you to set the following:
  o The RADIUS attributes that are returned by the IAS server to the RADIUS client.

A few guidelines for implementing remote access profiles are summarized below:

- If you want to restrict remote access connections to a certain phone number only, then you have to configure dial-in constraints to restrict connections to this phone number.
- If you want to ensure that idle remote access connections are not occupying your available remote access ports, then you have to configure dial-in constraints to disconnect idle connections once a predefined time elapses.
- If you want clients to use a particular authentication protocol, configure a remote access profile to only accept connections that are using this specific authentication protocol. Remember that if you do this, then all connections which are not utilizing the specified authentication protocol will be rejected.
- If you want clients to only use a specific encryption strength, then configure a remote access profile to allow only this specific encryption strength.
- If you want to restrict remote access connections to only certain protocols, configure IP packet filters to only allow these protocols.
- If you want to restrict remote access connections to only specific computers, configure IP packet filters that restrict access to only these specific IP addresses.
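The policy evaluation order described above (policy list, Ignore-User-Dialin-Properties, the account's dial-in permission, then the profile's authentication and encryption constraints) as an added Python model; it is not part of the guide or of Windows, and the policy names, account values and function names are constructed for illustration. It assumes that when Ignore-User-Dialin-Properties is True only the profile is applied, since the attribute's purpose is to skip the Dial-in tab settings.

```python
# Added example (not Microsoft code): a model of how RRAS walks the remote access
# policy list, the user account's dial-in permission and the matching policy profile.
from dataclasses import dataclass, field
from datetime import datetime

# Remote Access Permission (Dial-in or VPN) values on the user's Dial-in tab
ALLOW = "Allow Access"
DENY = "Deny Access"
VIA_POLICY = "Control Access Through Remote Access Policy"

@dataclass
class Attempt:
    user: str
    groups: frozenset               # Windows group membership of the user
    auth_type: str                  # "MS-CHAPv2", "EAP-TLS", "PAP", ...
    tunnel_type: "str | None"       # "PPTP", "L2TP", or None for a dial-in call
    encryption_bits: int            # 0 none, 40 basic, 56 strong, 128 strongest
    when: datetime
    calling_station_id: str = ""    # number the caller dials from

@dataclass
class Policy:
    name: str
    conditions: dict                # attribute name -> acceptable values
    grant: bool                     # the policy's Grant / Deny setting
    profile: dict = field(default_factory=dict)
    ignore_user_dialin_properties: bool = False

def conditions_match(conditions: dict, a: Attempt) -> bool:
    # Every condition of a policy has to be met for that policy to apply
    for attr, required in conditions.items():
        if attr == "Windows-Groups" and not (a.groups & frozenset(required)):
            return False
        if attr == "Tunnel-Type" and a.tunnel_type not in required:
            return False
        if attr == "Day-And-Time-Restrictions":
            days, (start, end) = required
            if a.when.weekday() not in days or not start <= a.when.hour < end:
                return False
    return True

def profile_matches(profile: dict, a: Attempt) -> bool:
    # Authentication and Encryption tab settings of the policy profile
    allowed = profile.get("allowed_auth")
    if allowed and a.auth_type not in allowed:
        return False
    return a.encryption_bits >= profile.get("min_encryption_bits", 0)

def dialin_properties_match(account: dict, a: Attempt) -> bool:
    # Verify Caller ID: only a call from the configured number is accepted
    expected = account.get("verify_caller_id")
    return expected is None or expected == a.calling_station_id

def evaluate(policies: list, accounts: dict, a: Attempt) -> tuple:
    """Return (accepted, reason) in the evaluation order the guide describes."""
    for policy in policies:                 # list order is the priority order
        if not conditions_match(policy.conditions, a):
            continue                        # check the next policy in the list
        account = accounts.get(a.user, {})
        if not policy.ignore_user_dialin_properties:
            permission = account.get("permission", VIA_POLICY)
            if permission == DENY:
                return False, f"rejected: {a.user} has Deny Access"
            if permission == ALLOW:         # overrides the policy's own Grant/Deny
                ok = dialin_properties_match(account, a) and profile_matches(policy.profile, a)
                return ok, f"{'accepted' if ok else 'rejected'}: Allow Access, profile {policy.name}"
        if not policy.grant:                # VIA_POLICY, or the attribute is True
            return False, f"rejected: policy {policy.name} is set to Deny"
        ok = profile_matches(policy.profile, a)
        if not policy.ignore_user_dialin_properties:
            ok = ok and dialin_properties_match(account, a)
        return ok, f"{'accepted' if ok else 'rejected'}: policy {policy.name}"
    return False, "rejected: no policy matched (an empty list rejects every attempt)"

# Constructed sample: precise policies first, the general catch-all policy last
POLICIES = [
    Policy("VPN admins", {"Windows-Groups": ["Domain Admins"], "Tunnel-Type": ["L2TP"]},
           grant=True, profile={"allowed_auth": ["EAP-TLS", "MS-CHAPv2"], "min_encryption_bits": 128}),
    Policy("Weekday dial-in", {"Windows-Groups": ["Sales"], "Tunnel-Type": [None],
                               "Day-And-Time-Restrictions": ([0, 1, 2, 3, 4], (8, 18))},
           grant=True, profile={"allowed_auth": ["MS-CHAPv2"], "min_encryption_bits": 40}),
    Policy("Deny everything else", {}, grant=False),
]
ACCOUNTS = {"alice": {"permission": VIA_POLICY}, "carol": {"permission": VIA_POLICY},
            "bob": {"permission": ALLOW, "verify_caller_id": "5551234"},
            "eve": {"permission": DENY}}

def demo() -> dict:
    mon, sun = datetime(2024, 1, 1, 10), datetime(2024, 1, 7, 10)  # 10:00 Monday / Sunday
    admins, sales = frozenset({"Domain Admins"}), frozenset({"Sales"})
    cases = {
        "admin_l2tp": Attempt("alice", admins, "EAP-TLS", "L2TP", 128, mon),
        "admin_weak_crypto": Attempt("alice", admins, "MS-CHAPv2", "L2TP", 56, mon),
        "sales_weekday": Attempt("bob", sales, "MS-CHAPv2", None, 56, mon, "5551234"),
        "sales_wrong_number": Attempt("bob", sales, "MS-CHAPv2", None, 56, mon, "5559999"),
        "sales_sunday_allow_access": Attempt("bob", sales, "MS-CHAPv2", None, 56, sun, "5551234"),
        "sales_sunday_via_policy": Attempt("carol", sales, "MS-CHAPv2", None, 56, sun),
        "denied_user": Attempt("eve", admins, "EAP-TLS", "L2TP", 128, mon),
    }
    return {name: evaluate(POLICIES, ACCOUNTS, att) for name, att in cases.items()}
```

The sales_sunday_allow_access case shows why the guide stresses the order of policies and the account setting: Allow Access on the account lets bob through the catch-all Deny policy on a Sunday, while carol, who is controlled through policy, is rejected.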

Planning a Remote Access Strategy


Remote Access Overview
Dial-up networking allows a remote access client to establish a dial-up connection to a port on a remote access server. The configuration of the DUN server determines what resources the remote user can access. Users that connect through a DUN server connect to the network much like a standard LAN user accessing resources.

Virtual Private Networks (VPNs) provide secure and advanced connections through a non-secure network by providing data privacy. Private data is secure in a public environment. Remote access VPNs provide a common environment where many different sources such as intermediaries, clients and off-site employees can access information via web browsers or email. Many companies supply their own VPN connections through the Internet. Through their ISPs, remote users running VPN client software are assured private access in a publicly shared environment.

Tunneling is the concept used to describe a method of using an internetwork infrastructure to transfer a payload. IPSec tunnel mode enables IP payloads to be encrypted and encapsulated in an IP header so that they can be sent over the corporate IP internetwork or the Internet.

Routing is the process that transfers data over the internetwork from one local area network (LAN) to another. Routers are devices operating at the network layer of the OSI model that use IP routing tables to forward traffic which they receive from a host or from another router. The different types of TCP/IP traffic become important when discussing routing and the routing protocols:

- Unicast traffic consists of point-to-point connectivity between TCP/IP systems.
- Broadcast traffic consists of point-to-multipoint connectivity between TCP/IP systems.
- Multicast traffic consists of point-to-multipoint traffic to a group of selected members that belong to a multicast group.

There are a number of technologies that enable remote network connections, including:

Frame Relay: This is a WAN technology that uses other hardware components to establish remote site connections. A frame relay connection uses a standard leased line which connects the network site to the frame relay provider's nearest point of presence (POP). The frame relay provider then delivers the connection to the frame relay cloud. In order to use the frame relay provider for a LAN-to-LAN connection, you have to install a leased line at each site which connects the network to the nearest point of presence (POP) of the frame relay provider. The frame relay provider is then responsible for connecting the lines to the same frame relay cloud so that a connection can be established between the two networks. The benefits of using the frame relay WAN technology are:

o Frame relay provides flexibility.
o Each of your sites can be connected to a local point of presence (POP), which in turn leads to reduced cost of the leased lines.
o You can connect to multiple sites using a single frame relay connection.
o You pay for only the bandwidth that is used.
o Contracted bandwidth can be exceeded when heavy traffic conditions are present.

Leased lines: Dedicated leased lines are also typically used to connect remote networks. While dedicated leased lines are commonly used for WAN links to enable remote network connectivity, purchasing and maintaining leased lines is expensive. In addition to this, you have to pay for the allocated bandwidth all the time. This is due to leased lines being classed as persistent connections: the connections are permanent and remain open all the time.

Dial-on-demand connections: While the WAN connections provided by Integrated Services Digital Network (ISDN) and standard asynchronous modems are typically slower than dedicated leased lines, they can be disconnected at any time, and can also be used to enable connectivity to different locations. One of the main characteristics of dial-on-demand connections is that you pay for the actual bandwidth that you are using.

Virtual private networks (VPNs): Remote access VPNs provide a common environment where many different sources such as intermediaries, clients and off-site employees can access information via web browsers or email. Many companies supply their own VPN connections via the Internet. Through their ISPs, remote users running VPN client software are assured private access in a publicly shared environment. By using analog, ISDN, DSL, cable technology, dial and mobile IP, VPNs are implemented over extensive shared infrastructures. Remote access VPNs offer a number of advantages: WAN circuit and modem costs are eliminated, cable modems enable fast connectivity and are relatively cost efficient, new users can be added with hardly any cost, and information is easily and speedily accessible to off-site users through Internet connectivity.

The Routing and Remote Access Service (RRAS) provides multiprotocol routing services for Microsoft Windows 2000 Server and Windows Server 2003 computers. RRAS includes a wide variety of features that support unicast and multicast IP routing, IPX routing, AppleTalk routing, and remote access.

Determining Organizational and User Requirements


Determining the remote access requirements of the organization and users should be one of the initial stages when you plan your remote access strategy. Not all organizations and users have the same remote access requirements. From an organizational perspective, a few issues that need to be initially addressed are:

- Identify the subnets which will be remotely accessed.
- Determine the resources which need to be remotely accessed.
- Determine whether your existing servers can be modified and configured to enable remote access.
- Evaluate existing modems and connections.
- Evaluate existing traffic patterns.
- Determine what dial-in connection security and VPN connection security mechanisms need to be implemented.

From a user's perspective, a few issues that need to be initially addressed are:

- Determine what operating systems are being used by clients.
- Determine the computers which are being used by clients.
- Determine what the bandwidth needs of users are.
- Determine what connections can be supported.
- Determine whether clients' current Internet connections can be used for VPN connections.
- Determine how often users will need to connect to the network.

Determining the Types of Remote Access to Allow


When deciding on the specific type(s) of remote access that you are going to allow, you have to include the needs of the organization and the users which you have identified. The focal point here is whether the remote access type meets these needs and requirements. Another important factor that should be included when you determine the remote access type you are going to allow is the cost and administrative skills needed to both implement and maintain the remote access type. The different types of remote access are summarized below:

Dial-in remote access: Dial-in remote access uses modems and servers running the Routing and Remote Access Service (RRAS). To enable communication, dial-in access utilizes the Point-to-Point Protocol (PPP). The advantages of using dial-in remote access are:

o Modem access remains unaffected by Internet usage.
o You could use existing modems and phone lines.
o When high bandwidth is not a requirement, modem access is reliable and its speed is consistent.
o You do not need to provide encryption.
o Security features such as caller ID verification and callback security can be used.

VPN remote access: A VPN provides secure and advanced connections through a non-secure network. With VPN access, encryption is used to create the VPN tunnel between the remote client and the corporate network. The advantages of using VPN access are:

o An unlimited number of connections can be allowed from clients, over a single connection.
o You can easily modify existing Internet connections to enable VPN access.
o If clients can use a broadband Internet connection, more bandwidth is available than that provided by dial-in access.
o To secure VPN access, Windows Server 2003 provides strong levels of encryption.

Wireless remote access: Wireless networks are defined by the IEEE 802.11 specification. With wireless networks, wireless users connect to the network by connecting to a wireless access point (WAP). Wireless networks do not have the inbuilt physical security of wired networks, and are unfortunately more prone to attacks from intruders. To secure wireless networks and wireless connections, administrators can require all wireless communications to be authenticated and encrypted. There are a number of wireless security technologies that can be used to protect wireless networks. When planning wireless remote access, planning security for wireless networks should be a high-priority factor.

Understanding Network Access Client Types

Based on the different types of remote access, there are three network access client types:

Dial-up client: A dial-up client uses a physical connection to the remote access server to establish a connection to it. A dial-up client can access resources in much the same manner as if it were physically connected to the network. Dial-up clients can:
o Access network resources and services.
o Share files.
o Map network drives, and perform other operations, based on the access that is allowed.

You should utilize a dial-up client when the following conditions are present:
o The Internet cannot be used to access resources on the corporate network because of security issues.
o The throughput provided by a dial-up connection adequately meets the requirements of remote access clients; they are able to perform the various functions which they need to.
o The expense of phone lines and modems is affordable.

VPN client: A VPN client utilizes the Internet, tunneling and TCP/IP protocols to establish a connection to the network.

Wireless client: These clients connect to the network through radio frequencies such as infrared frequencies.

Dial-In Access Design Considerations


The common dial-up networking connection methods are:

Plain old telephone service (POTS): In the early days of dial-up networking, phone lines were used to establish the dial-up connection. The amount of data that could be passed was initially limited because analog components caused signal loss. This has since improved, with the connections between phone offices becoming all-digital connection paths.

Integrated Services Digital Network (ISDN): ISDN uses an all digital signal path and includes features
such as caller ID, call forwarding, and fast call setup times.

Point-to-Point Protocol (PPP): The Point-to-Point Protocol (PPP) uses a three-way PPP negotiation process to enable devices to establish a TCP/IP connection over a serial connection. There are a number of protocols that operate above PPP to enable the PPP negotiation process, such as Challenge Handshake Authentication Protocol (CHAP), Callback Control Protocol (CBCP), Compression Control Protocol (CCP), IP Control Protocol (IPCP) and Internet Protocol (IP).

A few factors to consider before implementing dial-in remote access are: You need to provide for the initial cost of setting up a dial-up networking infrastructure. This includes the cost of:
o Modems
o Phone lines
o Communication hardware
o Server hardware

The cost of dial-in remote access increases as more phone lines are added for remote access. The number of remote access users also affects the cost component of dial-up networking.

The main factors or issues that you need to clarify when planning a dial-up networking strategy are:

The method you will use to assign IP addresses to clients: The methods that you can select between for assigning IP addresses to clients are:
o Configure the RRAS server to assign IP addresses to clients, using a static address pool defined on the RRAS server: In this method, you have to configure the static address pool on the RRAS server. A few factors to consider on static address assignment are: Each address assigned has to be unique. You therefore have to ensure that the static address pool configured for the RRAS server does not overlap with the address range defined for your DHCP server. For multiple RRAS servers, the static address pool has to be unique for each RRAS server.
o Configure the RRAS server to request IP addresses for clients from a DHCP server: This method is more feasible than using a static address pool. Remote access clients can be assigned IP addresses from the range of IP addresses already configured for the DHCP server, thereby eliminating the possibility of conflicting IP address assignments.
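The two uniqueness rules for static address pools (no overlap with the DHCP scope, and no overlap between the pools of different RRAS servers) are easy to get wrong on paper when pools are entered as first/last address ranges. The following planning check is an added example, not part of the guide; the server names and address ranges are constructed sample values.

```python
"""Planning check for RRAS static address pools (added example, not from the guide).

Rule being checked: every address handed to a remote access client must be unique,
so an RRAS server's static pool may not overlap the DHCP scope, and when several
RRAS servers each use a static pool, those pools may not overlap one another.
"""
import ipaddress
from itertools import combinations

# Constructed sample data: one DHCP scope and the static pools of three RRAS servers.
# Pools are (first address, last address) ranges, the way the RRAS snap-in asks for
# them, not CIDR blocks.
DHCP_SCOPE = ("192.168.10.20", "192.168.10.199")
RRAS_POOLS = {
    "rras1": ("192.168.10.200", "192.168.10.239"),   # clear of DHCP, overlaps rras3
    "rras2": ("192.168.10.150", "192.168.10.180"),   # sits inside the DHCP scope
    "rras3": ("192.168.10.230", "192.168.10.250"),   # overlaps rras1
}


def to_range(first, last):
    """Turn a (first, last) pair into integer bounds, rejecting a reversed range."""
    lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
    if lo > hi:
        raise ValueError(f"range {first}-{last} has its end before its start")
    return lo, hi


def ranges_overlap(a, b):
    """True when the two integer ranges share at least one address."""
    return a[0] <= b[1] and b[0] <= a[1]


def overlapping_addresses(a, b):
    """Number of addresses two ranges share (0 when they are disjoint)."""
    if not ranges_overlap(a, b):
        return 0
    return min(a[1], b[1]) - max(a[0], b[0]) + 1


def find_pool_conflicts(dhcp_scope, rras_pools):
    """Return sorted (name_a, name_b, shared_count) tuples for every overlapping pair.

    The DHCP scope is compared with every RRAS pool, and every pair of RRAS pools is
    compared with each other, which is the uniqueness requirement for multiple RRAS
    servers.
    """
    bounds = {"dhcp": to_range(*dhcp_scope)}
    bounds.update({name: to_range(*pool) for name, pool in rras_pools.items()})
    conflicts = []
    for (name_a, range_a), (name_b, range_b) in combinations(sorted(bounds.items()), 2):
        shared = overlapping_addresses(range_a, range_b)
        if shared:
            conflicts.append((name_a, name_b, shared))
    return conflicts


def pool_size(pool):
    """Number of client addresses a static pool can hand out."""
    lo, hi = to_range(*pool)
    return hi - lo + 1


if __name__ == "__main__":
    for name_a, name_b, shared in find_pool_conflicts(DHCP_SCOPE, RRAS_POOLS):
        print(f"conflict: {name_a} and {name_b} share {shared} address(es)")
    for name, pool in RRAS_POOLS.items():
        print(f"{name}: {pool_size(pool)} addresses in static pool")
```

Run against the constructed data it reports that rras2 collides with the DHCP scope and that rras1 and rras3 collide with each other, which is exactly what the two rules forbid.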

The type of incoming ports and the number of incoming ports you will need: The factors that fall within this dial-up networking planning component are:
o Whether multilink connections need to be supported.
o The number of remote access users who would simultaneously need to access the network.
o The available number of IP addresses.
o The bandwidth available on the connection of the RRAS server to the LAN.

The security you will implement for your dial-in access strategy: There are two methods that you can use to control which users are able to remotely access the network:
o You can allow/disallow remote access for individual users. You configure individual user access through the Properties dialog box of a specific user, on the Dial-in tab. The Active Directory Users and Computers management console is the tool used to access the Properties dialog box of a specific user.
o You can allow/disallow remote access by configuring remote access policies. This method allows you to specify remote access rights based on various criteria, such as user, group, and time of day. The setting specified on the Dial-in tab of a user's Properties dialog box dictates whether the user is affected by a remote access policy. The different settings on the Dial-in tab are:
  o Allow Access: the user is allowed to remotely access the network. The remote access policies are not included in the decision.
  o Deny Access: the user is denied remote access to the network.
  o Control access through Remote Access Policy: the remote access policies dictate whether or not the user is allowed remote access.

Remote access policies can also be used to restrict remote connections after they have been authorized, based on the following:
o Idle timeout setting
o Maximum session time setting
o IP packet filters
o Encryption strength
o IP addresses for PPP connections and static routes.
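The interaction between the user's Dial-in setting, the ordered list of remote access policies, and the profile restrictions described above is easiest to see as a decision procedure. The model below is an added example, not part of the guide; it simplifies Windows Server 2003 behaviour to what the text states (Allow/Deny on the account bypass the policies, otherwise the first policy whose conditions all match decides, and a connection matching no policy is rejected), and every user, group and policy name in it is a constructed sample value.

```python
"""Simplified model of Windows Server 2003 remote access authorization (added example)."""
from dataclasses import dataclass, field
from datetime import time

# The three values of the Dial-in tab's Remote Access Permission setting.
ALLOW = "Allow Access"
DENY = "Deny Access"
POLICY = "Control access through Remote Access Policy"

# Encryption levels in increasing strength, as listed in the guide.
ENCRYPTION_LEVELS = ["No encryption", "Basic", "Strong", "Strongest"]


@dataclass
class Connection:
    user: str
    groups: set
    tunnel_type: str          # e.g. "PPTP", "L2TP" or "Dial-up"
    client_encryption: str    # strongest level the client offers
    at: time                  # local time of the attempt


@dataclass
class Policy:
    name: str
    grant: bool                                      # Grant or Deny remote access permission
    groups: set = field(default_factory=set)         # condition: empty means any group
    tunnel_types: set = field(default_factory=set)   # condition: empty means any type
    hours: tuple = None                              # condition: (start, end), None = any time
    min_encryption: str = "Basic"                    # profile: weakest level accepted
    idle_timeout_min: int = 0                        # profile: 0 means no limit
    session_timeout_min: int = 0                     # profile: 0 means no limit

    def matches(self, conn):
        """Every configured condition must hold for the policy to apply."""
        if self.groups and not (self.groups & conn.groups):
            return False
        if self.tunnel_types and conn.tunnel_type not in self.tunnel_types:
            return False
        if self.hours and not (self.hours[0] <= conn.at < self.hours[1]):
            return False
        return True


def authorize(dialin_setting, policies, conn):
    """Return (granted, reason, profile) for one connection attempt."""
    if dialin_setting == ALLOW:
        return True, "account set to Allow Access; policies not consulted", {}
    if dialin_setting == DENY:
        return False, "account set to Deny Access", {}
    # Policies are evaluated in order; the first one whose conditions match decides.
    for policy in policies:
        if not policy.matches(conn):
            continue
        if not policy.grant:
            return False, f"denied by policy '{policy.name}'", {}
        # Profile restriction: the client must meet the profile's encryption floor.
        if ENCRYPTION_LEVELS.index(conn.client_encryption) < ENCRYPTION_LEVELS.index(policy.min_encryption):
            return False, f"policy '{policy.name}' requires at least {policy.min_encryption} encryption", {}
        profile = {"idle_timeout_min": policy.idle_timeout_min,
                   "session_timeout_min": policy.session_timeout_min,
                   "encryption": policy.min_encryption}
        return True, f"granted by policy '{policy.name}'", profile
    return False, "no remote access policy matched; connection rejected", {}


def attempt(user, groups, tunnel_type, client_encryption, hour, minute=0):
    """Convenience constructor for a connection attempt at a given local time."""
    return Connection(user, set(groups), tunnel_type, client_encryption, time(hour, minute))


# Constructed sample policies, in evaluation order: a deny rule first, then a grant rule.
POLICIES = [
    Policy("Block PPTP for contractors", grant=False,
           groups={"Contractors"}, tunnel_types={"PPTP"}),
    Policy("Business-hours VPN for staff", grant=True,
           groups={"Domain Users"}, tunnel_types={"PPTP", "L2TP"},
           hours=(time(7, 0), time(19, 0)), min_encryption="Strong",
           idle_timeout_min=20, session_timeout_min=480),
]

if __name__ == "__main__":
    for conn in (attempt("alice", ["Domain Users"], "L2TP", "Strongest", 9),
                 attempt("bob", ["Contractors", "Domain Users"], "PPTP", "Strongest", 9),
                 attempt("carol", ["Domain Users"], "L2TP", "Strongest", 22),
                 attempt("dave", ["Domain Users"], "L2TP", "Basic", 9)):
        print(conn.user, authorize(POLICY, POLICIES, conn))
```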

VPN Access Design Considerations


Before looking at the design considerations for implementing a VPN remote access strategy, let's first look at the components that are needed for VPN connections to occur:
o A transit network is a public network such as the Internet. Data moves over the public network to connect to the remote network.
o A VPN client creates a connection to the gateway configured as the VPN server. The Routing and Remote Access service (RRAS) is used.
o The VPN server performs the following operations:
  o Responds to calls from VPN clients.
  o Establishes whether requests are permitted.
  o Authenticates requests to connect to the VPN server.
  o Forwards traffic between the VPN client and the corporate network.
  o Assigns IP addresses to clients, either through static address assignment or through the DHCP protocol.
o A VPN tunnel is a connection that encrypts and encapsulates data.

The tunneling protocols used to encapsulate data and manage VPN tunnels are:
o Point-to-Point Tunneling Protocol (PPTP)
o Layer Two Tunneling Protocol (L2TP)

The term used to describe data which is being sent over a tunnel is tunneled data.

The main factors or issues that you need to clarify when planning a VPN remote access strategy are summarized below:

The placement of the VPN servers: The choices for VPN server placement are:
o Place the VPN server on the private internal network: For this placement strategy, the firewall has to allow traffic to the VPN server.
o Place the VPN server on the perimeter network: For this placement, you have to perform the following configurations: On the VPN server, configure inbound and outbound filters that allow VPN traffic to and from the Internet interface of the VPN server. On the firewall, configure it to allow traffic from the VPN server.

The hardware requirements of the VPN server are:
o It is recommended to connect the interfaces on the private network to a high-capacity switch. Set devices to 100 Mbps full duplex.
o For a multiprocessor computer, bind a processor to each network adapter card. It is always better to double the processor speed rather than doubling the number of processors.
o 512 MB of RAM is sufficient for 1,000 simultaneous connections. An additional 128 MB of RAM (above the standard RAM capacity for the server) is required for each 1,000 simultaneous calls. A further 128 MB of RAM should be added for remote access and services.

The VPN protocols that you will be using: You can support the use of one or both of the VPN tunneling protocols: Point-to-Point Tunneling Protocol (PPTP) or Layer Two Tunneling Protocol (L2TP). The factors to consider when deciding on which VPN protocol to use are:
o The requirements of clients: Windows 95, Windows 98, Windows ME, Windows NT 4.0, Windows 2000, Windows XP and Windows Server 2003 support PPTP. Only Windows 2000, Windows XP and Windows Server 2003 support L2TP.
o Public Key Infrastructure (PKI) requirements: A PKI is needed for the mutual authentication of the VPN server and the client. Certificates need to be installed on the VPN server and VPN clients. In addition to this, user authentication needs protocols such as Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) and Extensible Authentication Protocol-Transport Layer Security (EAP-TLS).
o Whether IPSec is needed as well: L2TP can be used with IPSec to provide encryption. If you need authentication for the VPN server and the client, then you need to be able to support L2TP. Only L2TP over IPSec can provide data integrity.

Wireless Remote Access Design Considerations


The main requirements for enabling wireless remote access are:
o You need to configure remote access policies that allow wireless users to connect to the network.
o If you are going to configure your WAPs for RADIUS authentication, you should deploy a second IAS server and configure it as a backup to the primary server. This enables wireless clients to continue establishing connections when the primary IAS server is unavailable.
o When planning for using multiple WAPs, bear the following in mind:
  o All WAPs and clients should support the same protocols.
  o All your WAPs can use the same server for authentication if you are using IAS authentication.
  o Each WAP must be included in the list of clients on the IAS server.
  o Each WAP must be configured for RADIUS authentication.

If you want your WAPs to use IAS authentication, you have to perform the following additional configurations:
o Each WAP must be added as a RADIUS client in the IAS MMC snap-in.
o On the WAP, you have to enable RADIUS authentication and define the primary and backup IAS servers.

Because security is a high priority for wireless networks, you should use WAPs and adapters that support the following:
o Firmware updates
o WEP using 128-bit encryption
o Disabling of SSID broadcasts
o MAC filtering to restrict wireless access based on MAC addresses.

When planning for wireless security, remember to decide on the following important elements:
o Whether the Wi-Fi Protected Access (WPA) protocol or the Wired Equivalent Privacy (WEP) protocol will be used.
o For the WEP protocol, whether 64-bit or 128-bit encryption will be used.
o Whether 802.1X authentication will be used.
o Whether wireless clients will use IPSec.
o Whether MAC address filtering will be used.
o Whether Group Policy will be used to configure wireless client security.

Determining Authentication Methods for Remote Access


When planning your remote access strategy, you need to determine the authentication method that will be used to authenticate clients connecting to the remote access server. Once authentication occurs, authorization would determine the level of access that the user has to access network resources. The different authentication protocols are listed below:

Kerberos Version 5: This is a standard Internet protocol that can be used to authenticate users and systems.

NT LAN Manager (NTLM): This protocol is mainly used to authenticate computers in Windows NT domains.

Secure Sockets Layer/Transport Layer Security (SSL/TLS): SSL/TLS is used for authentication when Web servers are accessed.

.NET Passport Authentication: Used to authenticate Internet, intranet and extranet users for IIS 6.

Challenge Handshake Authentication Protocol (CHAP): This is a challenge-response authentication protocol used for PPP connections.

Microsoft Challenge Handshake Authentication Protocol Version 2 (MS-CHAP v2): Provides mutual authentication and is used for network and dial-up authentication.

Password Authentication Protocol (PAP): A network and dial-up authentication method that uses plain text passwords and no encryption.

Shiva Password Authentication Protocol (SPAP): This method uses a non-complicated password authentication protocol.

Extensible Authentication Protocol (EAP): Used for network and dial-up authentication, and for authentication for PPP connections.

Extensible Authentication Protocol-Transport Level Security (EAP-TLS): Uses mutual authentication together with smart card certificates.

Protected Extensible Authentication Protocol (PEAP): Used to increase the security of wireless network encryption.

MD-5 Challenge: Enables EAP authorization through a name and password combination.

Determining Domain Functional Levels

The domain functional level specified for the domain determines whether additional security features are supported, and therefore also affects which remote access security features can be used. The Windows Server 2003 domain functional level is the highest level that can be specified for a domain. All Active Directory domain features are available at the Windows Server 2003 domain functional level, including the following:
o Local and Global groups
o Security group nesting
o Group conversion between Security Groups and Distribution Groups
o SID History
o Update logon timestamp
o User password support on the InetOrgPerson object

How to check which domain functional level is set for the domain
1. Open the Active Directory Domains And Trusts console.
2. Right-click the particular domain whose functional level you want to verify, and select Raise Domain Functional Level from the shortcut menu.
3. The Raise Domain Functional Level dialog box opens.
4. You can view the existing domain functional level for the domain in Current domain functional level.

How to raise the domain functional level for a domain
1. Open the Active Directory Domains And Trusts console.
2. Right-click the particular domain whose functional level you want to raise, and select Raise Domain Functional Level from the shortcut menu.
3. The Raise Domain Functional Level dialog box opens.
4. Use the Select An Available Domain Functional Level list to choose the domain functional level for the domain.
5. Click Raise.
6. Click OK.

Determining the Level of Encryption for VPN Access


For VPN access, you need to decide on the level of encryption that will be used. The options are:

No encryption: This option is generally not recommended because it allows unencrypted VPN connections.
Basic encryption: This option is also not frequently used because the weaker 40-bit key is used for encryption.
Strong encryption: A 56-bit key is used for encryption. With IPSec, DES is used for encryption.
Strongest encryption: A 128-bit key is used for encryption.

How to enable remote access for a specific user

1. Click Start, Administrative Tools, and then click Active Directory Users and Computers to open the Active Directory Users and Computers management console.
2. In the console tree, expand the domain that contains the user account that you want to enable remote access for.
3. Select the Users container.
4. In the right pane, locate the user account that you want to configure.
5. Right-click the specific user account and then select Properties from the shortcut menu.
6. The Properties dialog box of the user opens.
7. Click the Dial-in tab.
8. In the Remote Access Permission area, click the Allow Access option.
9. Click OK.

How to enable remote access based on remote access policy

1. Click Start, Administrative Tools, and then click Active Directory Users and Computers to open the Active Directory Users and Computers management console.
2. In the console tree, expand the domain that contains the user account that you want to enable remote access for.
3. Select the Users container.
4. In the right pane, locate the user account that you want to configure.
5. Right-click the specific user account and then select Properties from the shortcut menu.
6. The Properties dialog box of the user opens.
7. Click the Dial-in tab.
8. In the Remote Access Permission area, click the Control Access Through Remote Access Policy option.
9. Click OK.

How to install computer certificates to support L2TP over IPSec for VPN connections

1. Click Start, Run, and enter mmc in the Run dialog box. Click OK.
2. From the File menu, select Add/Remove Snap-In.
3. When the Add/Remove Snap-In dialog box opens, click Add.
4. When the Add Standalone Snap-In dialog box opens, select Certificates from the available list and click Add.
5. Click Close to close the Add Standalone Snap-In dialog box.
6. Click OK in the Add/Remove Snap-In dialog box.
7. In the Certificates console, in the console tree, expand Certificates.
8. Select Personal.
9. Click the Action menu, select All Tasks, and then Request New Certificate.
10. The Certificate Request Wizard launches.
11. Click Next on the initial page of the wizard.
12. For the type of certificate to request, click Computer and click Next.
13. Specify a name and description for the computer certificate, and then click Next.
14. Click Finish.

How to create a remote access policy for wireless access

1. Click Start, Administrative Tools, and then click Routing and Remote Access to open the Routing and Remote Access console.
2. Click the Action menu, and then select New Remote Access Policy.
3. The New Remote Access Policy Wizard launches.
4. Click Next on the initial screen of the New Remote Access Policy Wizard.
5. On the Policy Configuration Method page, select the Use the wizard to set up a typical policy option.
6. In the Policy Name field, provide a name for the policy. Click Next.
7. On the Access Method page, select the Wireless option. Click Next.
8. On the User or Group Access page, select the Group option, and then click the Add button.
9. Specify the group, and then click OK and Next.
10. Select the Smart card or other certificate option and then click Next.
11. Click Finish.

How to disable password based authentication


Because password based authentication is considered a weak authentication method for securing remote access, you should disable the usage of the following password based authentication methods/protocols:
o Password Authentication Protocol (PAP)
o Shiva Password Authentication Protocol (SPAP)
o Challenge Handshake Authentication Protocol (CHAP)
o Microsoft Challenge Handshake Authentication Protocol Version 1 (MS-CHAP v1)

To do this:
1. Click Start, Administrative Tools, and then click Routing and Remote Access to open the Routing and Remote Access console.
2. In the console tree, select the server, and then click the Action menu to select the Properties command.
3. Switch to the Security tab.
4. Click the Authentication Methods button.
5. The Authentication Methods dialog box opens.
6. Clear the checkbox for Microsoft Encrypted Authentication (MS-CHAP).
7. Clear the checkbox for Encrypted Authentication (CHAP).
8. Clear the checkbox for Shiva Password Authentication Protocol (SPAP).
9. Clear the checkbox for Unencrypted Password (PAP).
10. Click OK.

Implementing Remote Access Security


How to configure which authentication protocols the remote access server should support

1. Click Start, Administrative Tools, and then select Routing And Remote Access to open the Routing And Remote Access console.
2. In the console tree, right-click the server that you want to configure and then select Properties from the shortcut menu to access the server Properties dialog box.
3. Click the Security tab.
4. In the Authentication Provider drop-down list box, select Windows Authentication.
5. Click Authentication Methods.
6. The Authentication Methods dialog box opens.
7. Disable password based authentication by clearing the checkboxes for the following authentication methods:
  o Microsoft Encrypted Authentication (MS-CHAP)
  o Encrypted Authentication (CHAP)
  o Shiva Password Authentication Protocol (SPAP)
  o Unencrypted Password (PAP)
8. Enable the following authentication protocols:
  o Extensible Authentication Protocol (EAP)
  o Microsoft Encrypted Authentication Version 2 (MS-CHAPv2)
9. Ensure that the Allow Remote Systems To Connect Without Authentication checkbox is not selected.
10. Click OK in the Authentication Methods dialog box.
11. Click OK in the server Properties dialog box.

How to allow remote access for a specific user

1. Click Start, Administrative Tools, and then click Active Directory Users and Computers to open the Active Directory Users and Computers management console.
2. In the console tree, expand the domain that contains the user account that you want to enable remote access for.
3. Select the Users container.
4. In the right pane, locate the user account that you want to configure.
5. Right-click the specific user account and then select Properties from the shortcut menu.
6. The Properties dialog box of the user opens.
7. Click the Dial-in tab.
8. In the Remote Access Permission area, click the Allow Access option.
9. Click OK.

How to allow remote access based on remote access policy

1. Click Start, Administrative Tools, and then click Active Directory Users and Computers to open the Active Directory Users and Computers management console.
2. In the console tree, expand the domain that contains the user account that you want to enable remote access for.
3. Select the Users container.
4. In the right pane, locate the user account that you want to configure.
5. Right-click the specific user account and then select Properties from the shortcut menu.
6. The Properties dialog box of the user opens.
7. Click the Dial-in tab.
8. In the Remote Access Permission area, click the Control Access Through Remote Access Policy option.
9. Click OK.

67

How to create a remote access policy for a remote access server


1. Click Start, Administrative Tools, and then select Active Directory Users and Computers to open the Active Directory Users and Computers management console.
2. In the console tree, select the Users container, right-click the user account which you want to configure and then select Properties from the shortcut menu.
3. Click the Dial-in tab. Verify that the Remote Access Permission (Dial-in or VPN) option is specified as Control Access Through Remote Access Policy.
4. To configure the remote access policy for the remote access server, click Start, Administrative Tools, and then select Routing And Remote Access to open the Routing And Remote Access console.
5. In the console tree, expand the server's node and then right-click Remote Access Policies and select New Remote Access Policy from the shortcut menu.
6. Select the desired policy configuration settings through the various pages of the New Remote Access Policy Wizard.

How to create a remote access policy to authorize access by user


1. Click Start, Administrative Tools, and then select Routing And Remote Access to open the Routing And Remote Access console.
2. In the console tree, expand the server's node and then right-click Remote Access Policies and select New Remote Access Policy from the shortcut menu.
3. The New Remote Access Policy Wizard starts.
4. Click Next on the New Remote Access Policy Wizard Welcome page.
5. On the Policy Configuration Method page, click the Use the wizard to set up a typical policy option.
6. Enter a name in the Policy name box, and then click Next.
7. On the Access Method page, select one of the following options and then click Next: Dial-up, VPN, Wireless or Ethernet.
8. On the User or Group Access page, click the User option and then click Next.
9. On the Authentication Methods page, specify the authentication methods which the policy will accept and then click Next.
10. On the Policy Encryption Level page, specify the encryption types and then click Next.
11. Click Finish to create the new remote access policy.

How to create a remote access policy to authorize access by group


1. Click Start, Administrative Tools, and then select Routing And Remote Access to open the Routing And Remote Access console.
2. In the console tree, right-click Remote Access Policies and then select New Remote Access Policy from the shortcut menu.
3. The New Remote Access Policy Wizard starts.
4. Click Next on the New Remote Access Policy Wizard Welcome page.
5. When the Policy Configuration Method page appears, select the Use the wizard to set up a typical policy option.
6. Enter a name in the Policy name box, and then click Next.
7. On the Access Method page, select one of the following options and then click Next: Dial-up, VPN, Wireless or Ethernet.
8. On the User or Group Access page, select the Group option and then click Add to specify the group name.
9. Using the Enter the object names to select box, specify the group and then click OK.
10. Click Next on the User or Group Access page.
11. On the Authentication Methods page, specify the authentication methods which the policy will accept and then click Next.
12. On the Policy Encryption Level page, specify the encryption types and then click Next.
13. Click Finish to create the new remote access policy.

How to create a remote access policy that allows domain users remote access only through VPN connections
1. Click Start, Administrative Tools, and then click Routing and Remote Access to open the Routing and Remote Access console.
2. In the console tree, click Remote Access Policies, click the Action menu, and then select the New Remote Access Policy command.
3. The New Remote Access Policy Wizard starts.
4. Click Next on the initial page of the New Remote Access Policy Wizard.
5. On the Policy Configuration Method page, select the Use The Wizard To Set Up A Typical Policy For A Common Scenario option.
6. In the Policy Name field, enter a meaningful name that describes the purpose of the remote access policy. Click Next.
7. On the Access Method page, select VPN, Use For All VPN Connections. Click Next.
8. When the User Or Group Access page opens, select the Group option and then click the Add button.
9. The Select Groups dialog box opens.
10. In the Enter The Object Names To Select field, enter Domain Users, and click the Check Names button.
11. Click OK.
12. On the Authentication Methods page, select the Microsoft Encrypted Authentication Version 2 (MS-CHAPv2) option. Click Next.
13. On the Policy Encryption Level page, select the encryption strength and click Next.
14. Click Finish on the Completing The New Remote Access Policy Wizard page.

How to create a remote access policy that restricts remote access based on connection type
1. Click Start, Administrative Tools, and then select Routing And Remote Access to open the Routing And Remote Access console.
2. In the console tree, expand the server's node and then right-click Remote Access Policies and select New Remote Access Policy from the shortcut menu.
3. The New Remote Access Policy Wizard starts.
4. Click Next on the New Remote Access Policy Wizard Welcome page.
5. On the Policy Configuration Method page, click the Set up a custom policy option.
6. Enter a name in the Policy name box, and then click Next.
7. On the Policy Conditions page, click the Add button to add a condition.
8. When the Select Attribute dialog box opens, specify the desired attribute and then click the Add button.
9. Click Next on the Policy Conditions page.
10. On the Permissions page, click the Deny remote access permission option and then click Next.
11. When the Profile page appears, use the Edit button if you want to change the profile. Click Next.
12. Click Finish to create the new remote access policy.

How to create a remote access policy for VPN access


1. Click Start, Administrative Tools, and then click Routing and Remote Access to open the Routing and Remote Access console.
2. In the console tree, expand the server node to display the Remote Access Policies node.
3. Right-click Remote Access Policies, and then select New Remote Access Policy from the shortcut menu.
4. When the New Remote Access Policy Wizard starts, click Next on the initial page of the Wizard.
5. Enter a name for the new remote access policy. Click Next.
6. On the Policy Conditions page, click Add.
7. To restrict VPN users to either PPTP or L2TP, add the appropriate tunnel-type condition. Click Next.
8. Ensure that the Grant Remote Access Permission option is selected on the Permissions page.
9. To set profiles, click the Edit Profile button on the Profile page.
10. Click Finish.

How to create a remote access policy for wireless access


1. Click Start, Administrative Tools, and then click Routing and Remote Access to open the Routing and Remote Access console.
2. Click the Action menu, and then select New Remote Access Policy.
3. The New Remote Access Policy Wizard launches.
4. Click Next on the initial screen of the New Remote Access Policy Wizard.
5. On the Policy Configuration Method page, select the Use the wizard to set up a typical policy option.
6. In the Policy Name field, provide a name for the policy. Click Next.
7. On the Access Method page, select the Wireless option. Click Next.
8. On the User or Group Access page, select the Group option, and then click the Add button.
9. Specify the group, and then click OK and Next.
10. Select the Smart card or other certificate option and then click Next.
11. Click Finish.

How to enable Multilink


1. Click Start, Administrative Tools, and then select Routing And Remote Access to open the Routing And Remote Access console.
2. In the console tree, expand the server node to display the Remote Access Policies node.
3. Select Remote Access Policies.
4. In the details pane, double-click the remote access policy that should be configured.
5. Click Edit Profile.
6. Use the Multilink tab to configure properties for the Multilink policy.
7. Click OK.

How to configure idle and session time restrictions for an existing profile
1. Click Start, Administrative Tools, and then click Routing and Remote Access to open the Routing and Remote Access console.
2. In the console tree, expand the server node to display the Remote Access Policies node.
3. Select Remote Access Policies.
4. In the details pane, select the remote access policy that you want to modify the idle and session times for.
5. Click the Action menu and then select Properties from the shortcut menu.
6. When the properties dialog box of the remote access policy opens, click Edit Profile.
7. Select the Minutes server can remain idle before it is disconnected checkbox. Specify the number of minutes for this setting.
8. Select the Minutes the client can be connected checkbox, and then specify the number of minutes for this setting.
9. Click OK.
10. Click OK in the properties dialog box of the remote access policy.

How to configure an encryption level


1. Click Start, Administrative Tools, and then select Routing And Remote Access to open the Routing And Remote Access console.
2. In the console tree, expand the server's node and then select Remote Access Policies.
3. All remote access policies defined for the remote access server are listed in the details pane of the Routing And Remote Access console.
4. Select the remote access policy that you want to configure an encryption level for, click the Action menu and then select Properties.
5. When the Properties dialog box of the policy opens, click the Edit Profile button.
6. Click the Encryption tab.
7. Ensure that the No Encryption checkbox is cleared.
8. Enable the following: Basic checkbox, Strong checkbox, and Strongest checkbox.
9. Click OK.

How to raise the domain functional level for a domain to enable additional security features
1. Open the Active Directory Domains And Trusts console.
2. Right-click the particular domain whose functional level you want to raise, and select Raise Domain Functional Level from the shortcut menu.
3. The Raise Domain Functional Level dialog box opens.
4. Use the Select An Available Domain Functional Level list to choose the domain functional level for the domain.
5. Click Raise.
6. Click OK.

Configuring Remote Access Servers

Installing and Configuring RRAS as a VPN Server
How to install the Routing and Remote Access Services (RRAS)
1. Click Start, and then click Manage Your Server.
2. Select the Add or remove a role option.
3. The Configure Your Server Wizard starts.
4. On the Preliminary Steps page, click Next.
5. A message appears, informing you that the Configure Your Server Wizard is detecting network settings and server information.
6. When the Server Role page appears, select the Remote Access/VPN Server option and then click Next.
7. On the Summary of Selections page, click Next.
8. The Welcome to the Routing and Remote Access Server Setup Wizard page is displayed.

How to configure RRAS as a VPN Server
1. Click Start, Administrative Tools, and then click Routing And Remote Access to open the Routing And Remote Access management console.
2. In the console tree, select the server that you want to configure.
3. Right-click the server, and then click Configure And Enable Routing And Remote Access from the shortcut menu.
4. The Routing and Remote Access Server Setup Wizard starts.
5. Click Next on the Routing and Remote Access Server Setup Wizard Welcome page.
6. On the Common Configuration page, select the Remote Access (Dial-Up Or VPN) option. Click Next.
7. On the Remote Access page, select the VPN server checkbox and the Dial-up server checkbox (optional) and then click Next.
8. On the Macintosh Guest Authentication page, select the Allow Unauthenticated Access For All Remote Clients option if you have Macintosh File and Print services installed and you want the remote access server to allow anonymous remote access.
9. On the IP Address Assignment page, select the Automatically option if you want to use a DHCP server for IP address assignment for remote clients; or select the From A Specified Range Of Addresses option if you want to specify your own address range.
10. If you chose the From A Specified Range Of Addresses option, proceed to specify the address range for remote clients. Click Next.
11. On the Managing Multiple Remote Access Servers page, select the No, Use Routing And Remote Access To Authenticate Connection Requests option. Click Next.
12. Click Finish when the Completing the Routing and Remote Access Server Setup Wizard page appears.
13. You will be notified that the DHCP Relay Agent has to be configured with the IP address of the DHCP server so that DHCP messages from your remote clients can be relayed.
14. Click OK to acknowledge this notification.

How to configure VPN ports for the remote access server

You can increase the number of clients that are allowed to connect concurrently to the VPN server, and you can enable and disable the use of PPTP or L2TP. You add more L2TP ports or PPTP ports in the Routing And Remote Access management console, through the Ports Properties dialog box for the remote access server.

To configure additional PPTP ports or L2TP ports:
1. Click Start, Administrative Tools, and then click Routing And Remote Access to open the Routing And Remote Access management console.
2. In the console tree, expand the node for the server that you want to configure.
3. Right-click Ports and then select Properties from the shortcut menu to open the Ports Properties dialog box.
4. Select WAN Miniport (PPTP) or select WAN Miniport (L2TP).
5. Click the Configure button.
6. The Configure Device dialog box opens.
7. In the Maximum Ports box, specify the number of connections that the port type which you have selected can support. The default configuration setting when RRAS is installed is 5 PPTP ports and 5 L2TP ports.
8. If you want to specify the IP address of the public interface to which VPN clients connect, use the Phone Number For This Device box on the Configure Device dialog box.
9. If you want to disable connections for the port type, select the Use the Remote Access Connections (Inbound Only) checkbox on the Configure Device dialog box.
10. If you do not want to allow the specific VPN type to be used for demand-dial connections, deselect the Demand-Dial Routing Connections (Inbound And Outbound) checkbox.
11. Click OK to close the Configure Device dialog box.
12. Click OK to close the Ports Properties dialog box.

How to configure the VPN client computer

1. On the client computer, open Control Panel.
2. Right-click Network Connections and then select Open from the shortcut menu.
3. Click New Connection Wizard to start the New Connection Wizard.
4. Click Next on the Welcome to the New Connection Wizard page.
5. On the Network Connection Type page, select Connect to the network at my workplace, and then click Next.
6. Click Virtual Private Network Connection, and click Next.
7. Enter a name for the connection and click Next.
8. Specify the external IP address of the VPN server, or the FQDN of the VPN server, and then click Next.
9. Select Anyone's use if you want the connection to be available to everyone who uses the computer, and then click Next.
10. When the Completing the New Connection Wizard page appears, click Finish.
11. The logon dialog box is displayed after you click the Finish button to complete the New Connection Wizard.

How to grant dial-in permission for user accounts

1. Click Start, Administrative Tools, and then click Computer Management to open the Computer Management console.
2. Double-click Local Users and Groups.
3. Double-click Users.
4. Double-click the specific user account that you want to grant access for to open the Properties dialog box of the user.
5. Click the Dial-in tab.
6. Click Allow access, and then click OK.
7. On the client computer, access the Network Connections folder, and then double-click the VPN connection that you want to configure.
8. Specify the user account credentials, and then click Connect.

How to manually install the DHCP Relay Agent

The DHCP Relay Agent is automatically installed when you install the Windows Server 2003 Routing And Remote Access Service (RRAS). You can, however, also install the DHCP Relay Agent manually:
1. Click Start, Administrative Tools, and then select Routing And Remote Access to open the Routing And Remote Access console.
2. In the console tree, expand the Server node of the server that you want to install the DHCP Relay Agent for.
3. Expand the IP Routing node.
4. Right-click the General node, and then select New Routing Protocol from the shortcut menu.
5. The New Routing Protocol dialog box opens.
6. Select DHCP Relay Agent.
7. Click OK.
8. The DHCP Relay Agent node appears beneath the IP Routing node in the console tree of the Routing And Remote Access management console.

How to add the DHCP server that DHCP requests should be forwarded to
1. Click Start, All Programs, Administrative Tools and then click Routing and Remote Access to open the Routing And Remote Access management console.
2. Expand the IP Routing node in the console tree.
3. Right-click the DHCP Relay Agent node, and then select Properties from the shortcut menu to access the DHCP Relay Agent Properties dialog box.
4. On the General tab, enter the IP address of the DHCP server that DHCP requests should be forwarded to in the Server Address text box, and click Add.
5. Repeat the above process for each DHCP server that you want DHCP requests forwarded to.
6. Click OK.

How to configure the DHCP Relay Agent on a network interface

1. Click Start, All Programs, Administrative Tools and then click Routing and Remote Access to open the Routing And Remote Access console.
2. Expand the IP Routing node in the console tree.
3. Right-click the DHCP Relay Agent node and then select New Interface from the shortcut menu.
4. The New Interface For DHCP Relay Agent dialog box opens, showing the interfaces that the DHCP Relay Agent can be attached to.
5. Select the interface that is on the same subnet as the DHCP clients.
6. Click OK.
7. In the DHCP Relay Properties dialog box, ensure that the Relay DHCP Packets checkbox is selected on the General tab.
8. You can change the Hop-Count Threshold and Boot Threshold values.
9. Click OK.
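What the relay agent does with a client request once those two thresholds are set, as an added Python model written for this page (it is not Windows code): it parses a constructed BOOTP/DHCP DISCOVER, applies the Hop-Count Threshold and the Boot Threshold, and builds the relayed copy with the hop count incremented and giaddr stamped with the relay interface's address so the DHCP server answers through the relay. The relay interface address 10.1.0.1, the client MAC and the transaction ID are constructed sample values.

```python
"""Model of the RRAS DHCP Relay Agent decision for one client request.

Added illustration for this page, not Windows code.  The two thresholds
match the DHCP Relay Agent Properties dialog: Hop-Count Threshold (RRAS
default 4) and Boot Threshold in seconds (RRAS default 0).
"""
import struct
from ipaddress import IPv4Address

# Fixed BOOTP header (RFC 951): op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr.  chaddr, sname, file and options follow.
BOOTP_HDR = "!BBBBIHH4s4s4s4s"
HDR_LEN = struct.calcsize(BOOTP_HDR)     # 28 bytes
BOOTREQUEST = 1
DHCP_MAGIC = b"\x63\x82\x53\x63"
ZERO_ADDR = b"\0\0\0\0"


def build_discover(xid, secs, hops=0, mac=b"\x00\x11\x22\x33\x44\x55"):
    """Construct a minimal DHCPDISCOVER as a client on the local subnet sends it (sample values)."""
    hdr = struct.pack(BOOTP_HDR, BOOTREQUEST, 1, 6, hops, xid, secs, 0x8000,
                      ZERO_ADDR, ZERO_ADDR, ZERO_ADDR, ZERO_ADDR)
    options = b"\x35\x01\x01\xff"        # option 53 (DHCP message type) = 1 DISCOVER, then end
    return hdr + mac.ljust(16, b"\0") + b"\0" * 64 + b"\0" * 128 + DHCP_MAGIC + options


def relay(packet, relay_if_addr, hop_threshold=4, boot_threshold=0):
    """Return (relayed_packet, reason); relayed_packet is None when the agent drops the request.

    hop_threshold: how many relays a request may already have crossed.
    boot_threshold: how long the client must have been trying (its secs field)
    before this relay forwards, which gives a DHCP server on the client's own
    subnet the first chance to answer.
    """
    fields = list(struct.unpack(BOOTP_HDR, packet[:HDR_LEN]))
    op, hops, secs, giaddr = fields[0], fields[3], fields[5], fields[10]
    if op != BOOTREQUEST:
        return None, "not a BOOTREQUEST; server replies go back to giaddr instead"
    if hops >= hop_threshold:
        return None, f"dropped: hops {hops} reached threshold {hop_threshold}"
    if secs < boot_threshold:
        return None, f"dropped: secs {secs} below boot threshold {boot_threshold}"
    fields[3] = hops + 1
    if giaddr == ZERO_ADDR:               # only the first relay stamps its own interface address
        fields[10] = IPv4Address(relay_if_addr).packed
    return struct.pack(BOOTP_HDR, *fields) + packet[HDR_LEN:], "relayed"


def summarize(packet):
    """Pull the fields the relay touched out of a BOOTP header for inspection."""
    f = struct.unpack(BOOTP_HDR, packet[:HDR_LEN])
    return {"hops": f[3], "secs": f[5], "giaddr": str(IPv4Address(f[10]))}


if __name__ == "__main__":
    pkt = build_discover(xid=0x3903F326, secs=0)
    out, why = relay(pkt, "10.1.0.1")
    print(why, summarize(out))
    print(relay(pkt, "10.1.0.1", boot_threshold=4)[1])
```

Raising the Boot Threshold on a subnet that has its own DHCP server is what keeps the relay from racing that server; the Hop-Count Threshold bounds how far a request travels through chained relays.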

How to configure a VPN Gateway/Router

A VPN gateway or VPN router is simply a router that connects to another VPN gateway, or to multiple VPN gateways. VPN routers are usually created to provide an extension to the LAN. To configure a VPN router to enable connectivity between LANs:
1. Click Start, Administrative Tools, and then click Routing And Remote Access to open the Routing And Remote Access management console.
2. In the console tree, select the server that you want to configure.
3. Right-click the server, and then click Configure And Enable Routing And Remote Access from the shortcut menu.
4. The Routing and Remote Access Server Setup Wizard starts.
5. Click Next on the Routing and Remote Access Server Setup Wizard Welcome page.
6. On the Common Configuration page, select the Remote Access (Dial-Up Or VPN) option. Click Next.
7. On the Remote Access page, select the VPN server checkbox and then click Next.
8. On the VPN Connection page, select the network interface for connecting the server to the Internet.
9. Leave the default setting that enables security on the selected interface unchanged, and then click Next.
10. On the Address Assignment page, select the From A Specified Range Of Addresses option and click Next.
11. On the Address Range Assignment page, click New and then proceed to specify an address range for the remote VPN gateway. Click Next.
12. On the Managing Multiple Remote Access Servers page, select the No, Use Routing And Remote Access To Authenticate Connection Requests option. Click Next.
13. Click Finish when the Completing the Routing and Remote Access Server Setup Wizard page appears.
14. You will be notified that the DHCP Relay Agent has to be configured with the IP address of the DHCP server so that DHCP relay messages can be allowed from your remote clients.
15. Click OK to acknowledge this notification.
16. To configure the demand-dial interface, in the console tree of the Routing and Remote Access console, select Network Interfaces.
17. From the Action menu, click New Demand-dial Interface.
18. The Demand-dial Interface Wizard starts.
19. Click Next on the Demand-dial Interface Wizard Welcome page.
20. Enter a name for the demand-dial VPN interface and then click Next.
21. On the Connection Type page, choose the Connect using virtual private networking (VPN) option and click Next.
22. On the VPN Type page, select the VPN protocol which you want to use and then click Next. You can leave the Automatic selection default option unchanged.
23. On the Destination Address page, provide the IP address that corresponds to the public interface of the remote gateway and then click Next.
24. On the Protocols And Security page, select the Route IP packets on this interface checkbox, and click Next.
25. On the Static Routes For Remote Networks page, click the Add button and then enter the LAN subnet address for the remote LAN in the Static Route dialog box.
26. Click OK and then click Next.
27. Specify the username, password and domain for authentication purposes and click Next.
28. Click Finish on the Completing the Demand-dial Interface Wizard page.
29. You now have to configure the interface for a persistent connection.
30. In the console tree of the Routing and Remote Access console, select the demand-dial interface that you want to configure, and then select the Action menu. Click the Options command on the Action menu.
31. Click Persistent Connection and click OK.
32. In the console tree of the Routing and Remote Access console, expand the IP Routing node.
33. Select Static Routes to verify that the static route to the remote LAN subnet is configured. The static route should be displayed in the Details pane.
34. To configure packet filtering properties, select the demand-dial interface and select Properties from the shortcut menu.
35. On the General tab, select Inbound Filters and then select New.
36. Specify the appropriate LAN subnet information. Click OK.
37. Select the Drop all packets except those that meet the criteria below option and then click OK.
38. Select the demand-dial interface and select Properties from the shortcut menu.
39. On the General tab, select Outbound Filters and then select New.
40. Specify the appropriate LAN subnet information. Click OK.
41. Select the Drop all packets except those that meet the criteria below option and then click OK.
42. Click OK again.
43. In the console tree of the Routing and Remote Access console, select the demand-dial circuit from Network Interfaces, and then select the Connect command from the Action menu.
44. Examine the information in the Status column and Connection State column to verify the status and state of the tunnel.
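The inbound and outbound filters from steps 34 to 42 behave like the following Python model, added for this page and not taken from RRAS. With Drop all packets except those that meet the criteria below the interface is default-deny in each direction, so only traffic between the two LAN subnets crosses the tunnel. The local LAN 10.1.0.0/16, the remote LAN 10.2.0.0/16 and the sample packets are constructed; the protocol and destination-port fields are assumptions standing in for the fields of the RRAS Add IP Filter dialog.

```python
"""Model of the per-direction IP packet filters on an RRAS demand-dial interface.

Added illustration for this page, not RRAS code.  Each filter names a source
network, a destination network and (optionally) a protocol and destination
port; the list action decides whether a match means forward or drop.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

DROP_ALL_EXCEPT = "drop_all_except"    # "Drop all packets except those that meet the criteria below"
ALLOW_ALL_EXCEPT = "allow_all_except"  # "Receive/Transmit all packets except those that meet the criteria below"


@dataclass(frozen=True)
class Filter:
    src: str                        # CIDR; "0.0.0.0/0" means any source
    dst: str                        # CIDR; "0.0.0.0/0" means any destination
    protocol: str = "Any"           # "Any", "TCP", "UDP" or "ICMP" (assumed field names)
    dst_port: Optional[int] = None  # TCP/UDP destination port, None means any


def filter_matches(f, pkt):
    """True when every populated field of the filter matches the packet."""
    return (ip_address(pkt["src"]) in ip_network(f.src)
            and ip_address(pkt["dst"]) in ip_network(f.dst)
            and f.protocol in ("Any", pkt["proto"])
            and (f.dst_port is None or f.dst_port == pkt.get("dport")))


def decide(filters, action, pkt):
    """Return 'forward' or 'drop' for one packet against one direction's filter list."""
    hit = any(filter_matches(f, pkt) for f in filters)
    if action == DROP_ALL_EXCEPT:
        return "forward" if hit else "drop"
    return "drop" if hit else "forward"


# Constructed site-to-site example: local LAN 10.1.0.0/16, remote LAN 10.2.0.0/16.
LOCAL_LAN, REMOTE_LAN = "10.1.0.0/16", "10.2.0.0/16"
INBOUND = [Filter(src=REMOTE_LAN, dst=LOCAL_LAN)]    # only remote-LAN traffic may arrive over the tunnel
OUTBOUND = [Filter(src=LOCAL_LAN, dst=REMOTE_LAN)]   # only local-to-remote traffic may leave through it


def run_samples():
    """Run constructed packets through the two default-deny lists; returns {name: decision}."""
    samples = {
        "in_from_remote_lan": ("in", {"src": "10.2.5.7", "dst": "10.1.0.10", "proto": "TCP", "dport": 445}),
        "in_from_elsewhere": ("in", {"src": "203.0.113.9", "dst": "10.1.0.10", "proto": "TCP", "dport": 445}),
        "out_to_remote_lan": ("out", {"src": "10.1.0.10", "dst": "10.2.0.20", "proto": "ICMP"}),
        "out_to_internet": ("out", {"src": "10.1.0.10", "dst": "198.51.100.1", "proto": "UDP", "dport": 53}),
    }
    results = {}
    for name, (direction, pkt) in samples.items():
        filters = INBOUND if direction == "in" else OUTBOUND
        results[name] = decide(filters, DROP_ALL_EXCEPT, pkt)
    return results


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:20} {verdict}")
```

The outbound list matters as much as the inbound one: without it, a host on the local LAN could push Internet-bound traffic into the tunnel, and the remote gateway would either route it or drop it for you.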

How to specify server log file properties for the remote access server
1. Click Start, Administrative Tools, and then select Routing And Remote Access to open the Routing And Remote Access console.
2. In the console tree, right-click the server that you want to configure and then select Properties from the shortcut menu.
3. Click the Logging tab.
4. The logging options which you can set are:
   o Log errors only
   o Log errors and warnings
   o Log all events
   o Do not log any events
5. Click OK.

Configuring RRAS LAN Routing and Packet Filters

How to configure RRAS LAN Routing
1. Click Start, Administrative Tools, and then click Routing And Remote Access to open the Routing And Remote Access management console.
2. In the console tree, select the server that you want to configure.
3. From the Action menu, select Configure And Enable Routing And Remote Access.
4. The Routing And Remote Access Server Setup Wizard starts.
5. Click Next on the initial page of the Routing And Remote Access Server Setup Wizard.
6. On the Configuration page, select the Custom Configuration option and then click Next.
7. On the Custom Configuration page, select the LAN Routing checkbox and then click Next.
8. On the Completing The Routing And Remote Access Server Setup Wizard page, click Finish.
9. Click Yes in the message box that appears, asking whether the Routing and Remote Access service should be started.
10. To configure the routing protocol, in the console tree of the Routing And Remote Access console, expand the IP Routing node.
11. Select the General subnode.
12. From the Action menu, click the New Routing Protocol command.
13. The New Routing Protocol dialog box opens.
14. Select RIP Version 2 For Internet Protocol from the Routing Protocols list. Click OK.
15. A RIP node is added beneath the IP Routing node in the console tree of the Routing And Remote Access console.
16. Select the RIP node in the console tree of the Routing And Remote Access console.
17. From the Action menu, click the New Interface command.
18. The New Interface For RIP Version 2 For Internet Protocol dialog box opens.
19. Using the Interfaces list, select the interface which connects the computer to the LAN and then click OK.
20. The RIP Properties dialog box for the interface which you have selected is displayed next.
21. On the General tab, specify whether the RIP version 1 or RIP version 2 packet format must be used for outgoing messages.
22. Specify whether broadcasts or multicasts should be used. Specify whether incoming messages using the RIP version 1 format, the RIP version 2 format, or both of these formats should be processed.
23. Click the Advanced tab.
24. Set the value in the Periodic Announcement Interval (Seconds) setting to 300 seconds. This is the frequency at which the router transmits RIP messages.
25. Set the value in the Time Before Routes Expire (Seconds) setting to 1800 seconds.
26. Set the value in the Time Before Route Is Removed (Seconds) setting to 1200 seconds.
27. Click OK.

How to configure RRAS packet filters

1. Click Start, Administrative Tools, and then click Routing And Remote Access to open the Routing And Remote Access management console.
2. Right-click the server in the console tree, and then select Configure And Enable Routing And Remote Access from the shortcut menu.
3. The Routing and Remote Access Server Setup Wizard starts.
4. Click Next on the initial page of the Routing and Remote Access Server Setup Wizard.
5. Select the Custom Configuration option. Click Next.
6. Click LAN routing and then click Next.
7. Click Finish.
8. Click Yes to enable LAN routing.
9. Proceed to enable RIP Version 2 for Internet Protocol.
10. Once RIP Version 2 is enabled, right-click RIP in the console tree, and then select New Interface from the shortcut menu.
11. Select the interface.
12. The default settings for RIP if you are running Windows Server 2003 are:
   o Outgoing packet protocol: RIP version 2 broadcast
   o Incoming packet protocol: RIP version 1 and 2
13. The following configuration is recommended if you are using RIP version 2 and Ethernet as the transport medium:
   o Outgoing packet protocol: RIP version 2 multicast
   o Incoming packet protocol: RIP version 2 only
14. Click OK.
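To see why RIP version 2 only is the safer Incoming packet protocol setting for the interface configured in the two procedures above, here is an added Python checker written for this page (not RRAS code). It parses RIP messages in the RFC 1058 / RFC 2453 layout, rejects version 1 messages on a v2-only interface, and flags v2 announcements that carry no authentication entry or an out-of-range metric. The route entries, the password and the addresses are constructed samples; the check_incoming options are assumptions that stand in for the interface's incoming-protocol and authentication settings.

```python
"""Checker for incoming RIP messages on a "RIP version 2 only" interface.

Added illustration for this page, not RRAS code.  Messages follow the RIP
wire format: a 4-byte header (command, version, zero) and 20-byte entries;
in RIP v2 the first entry may be an authentication entry (AFI 0xFFFF).
"""
import struct
from ipaddress import IPv4Address

RIP_RESPONSE = 2
AFI_INET = 2
AFI_AUTH = 0xFFFF
AUTH_SIMPLE_PASSWORD = 2        # RFC 2453 authentication type 2
INFINITY = 16                   # RIP metric meaning "unreachable"


def build_rip(version, routes, password=None):
    """Construct a RIP Response (sample data). routes = [(prefix, mask, metric)]."""
    msg = struct.pack("!BBH", RIP_RESPONSE, version, 0)
    if password is not None and version == 2:
        msg += struct.pack("!HH16s", AFI_AUTH, AUTH_SIMPLE_PASSWORD,
                           password.encode().ljust(16, b"\0"))
    for prefix, mask, metric in routes:
        mask_bytes = IPv4Address(mask).packed if version == 2 else b"\0" * 4   # v1 carries no mask
        msg += struct.pack("!HH4s4s4sI", AFI_INET, 0, IPv4Address(prefix).packed,
                           mask_bytes, b"\0" * 4, metric)
    return msg


def parse_rip(data):
    """Decode the header, an optional leading authentication entry, and the route entries."""
    command, version, _zero = struct.unpack("!BBH", data[:4])
    auth, entries = None, []
    for off in range(4, len(data), 20):
        afi, tag = struct.unpack("!HH", data[off:off + 4])
        if afi == AFI_AUTH and off == 4:
            auth = {"type": tag, "data": data[off + 4:off + 20]}
            continue
        ip, mask, _nexthop, metric = struct.unpack("!4s4s4sI", data[off + 4:off + 20])
        entries.append({"prefix": str(IPv4Address(ip)), "mask": str(IPv4Address(mask)),
                        "metric": metric})
    return {"command": command, "version": version, "auth": auth, "entries": entries}


def check_incoming(data, accept_versions=(2,), require_auth=True):
    """Return (accepted, reason, parsed) for one received RIP message.

    accept_versions models the Incoming packet protocol setting ("RIP version 2 only"
    is (2,), "RIP version 1 and 2" is (1, 2)); require_auth models an interface that
    has authentication activated, so unauthenticated v2 announcements are refused.
    """
    msg = parse_rip(data)
    if msg["version"] not in accept_versions:
        return False, f"RIP version {msg['version']} not accepted on this interface", msg
    if msg["version"] == 2 and require_auth and msg["auth"] is None:
        return False, "unauthenticated RIP v2 announcement", msg
    for e in msg["entries"]:
        if not 1 <= e["metric"] <= INFINITY:
            return False, f"invalid metric {e['metric']} for {e['prefix']}", msg
    return True, "accepted", msg


if __name__ == "__main__":
    routes = [("10.2.0.0", "255.255.0.0", 1), ("10.3.0.0", "255.255.255.0", 3)]
    for label, pkt in [("v1", build_rip(1, routes)),
                       ("v2 no auth", build_rip(2, routes)),
                       ("v2 auth", build_rip(2, routes, password="s3cret"))]:
        ok, why, _ = check_incoming(pkt)
        print(f"{label:12} {'ACCEPT' if ok else 'REJECT'}  {why}")
```

The RIP v1 format cannot carry an authentication entry at all, which is the concrete reason an interface that still processes version 1 accepts routes from anyone on the segment; the checker makes that difference visible on the wire.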

Configuring a Remote Access Dial-Up Server

How to configure a RRAS Dial-Up server
1. Click Start, Administrative Tools, and then click Routing And Remote Access to open the Routing And Remote Access management console.
2. In the console tree, select the server that you want to configure.
3. From the Action menu, select Configure And Enable Routing And Remote Access.
4. The Routing And Remote Access Server Setup Wizard starts.
5. Click Next on the initial page of the Routing And Remote Access Server Setup Wizard.
6. On the Configuration page, select the Custom Configuration option and then click Next.
7. On the Custom Configuration page, select the Dial-Up Access checkbox and then click Next.
8. On the Completing The Routing And Remote Access Server Setup Wizard page, click Finish.
9. Click Yes in the message box that appears, asking whether the Routing and Remote Access service should be started.
10. To configure modem ports, in the console tree of the Routing And Remote Access console, expand the node for the server that you want to configure.
11. Right-click Ports and then select Properties from the shortcut menu to open the Ports Properties dialog box.
12. Select the specific device and then click the Configure button.
13. To enable remote access, select the Use the Remote Access Connections (Inbound Only) checkbox and click OK.

How to configure properties for the RRAS Dial-Up server

1. Click Start, Administrative Tools, and then select Routing And Remote Access to open the Routing And Remote Access console.
2. In the console tree, select the server that you want to configure, and then select Properties from the Action menu.
3. Verify that the Remote access server checkbox is enabled on the General tab.
4. Click the Security tab.
5. In the Authentication Provider list, select the Windows Authentication option.
6. Choose the authentication protocol for your clients.
7. In the Accounting Provider list, select the Windows Accounting option.
8. Click the IP tab.
9. Select the Enable IP Routing checkbox.
10. Select the Allow IP-Based Remote Access And Demand Dial Connections checkbox.
11. The IP Address Assignment section of the IP tab is used to configure the manner in which IP addresses are assigned to remote access clients.
12. If you are using a DHCP server, then you can select the Dynamic Host Configuration Protocol (DHCP) option.
13. In the Adapter list, choose the adapter for providing DNS, DHCP and WINS services for dial-in clients.
14. Click OK.

How to configure a Dial-Up Gateway

You configure a Dial-Up Gateway by completing the following process:
   o Configure the user account, with the correct dial-in permissions, that the remote access server would use to connect to the remote LAN.
   o Configure a demand dial interface to the remote network.
   o Configure a static route to point non-LAN traffic to the dial-up connection.

1. Click Start, Administrative Tools, and then select Active Directory Users and Computers to open the Active Directory Users and Computers management console.
2. In the console tree, right-click the Users container and then select New and then User from the shortcut menu.
3. In the New Object - User dialog box, enter the correct account name information and then click Next.
4. Enter the password information for the new user account in the Password and Confirm Password textboxes.
5. Ensure that the User must change password at next logon checkbox is not selected and then click Next to complete the creation of the new user account.
6. In the console tree, select the Users container, right-click the user account which you created and then select Properties from the shortcut menu.
7. When the Properties dialog box for the user account appears, click the Dial-in tab.
8. Click the Allow access option.
9. Click OK.
10. To configure the demand dial interface, click Start, Administrative Tools, and then select Routing And Remote Access to open the Routing And Remote Access console.
11. In the console tree, right-click the server that you want to configure, and then select Configure And Enable Routing And Remote Access.
12. The Routing And Remote Access Server Setup Wizard starts.
13. Click Next on the initial page of the Routing And Remote Access Server Setup Wizard.
14. On the Configuration page, select the Custom Configuration option and then click Next.
15. On the Custom Configuration page, select the Demand-dial connections (used for branch office routing) checkbox and then click Next.
16. On the Completing The Routing And Remote Access Server Setup Wizard page, click Finish.
17. Click Yes in the message box that appears, asking whether the Routing and Remote Access service should be started.
18. In the console tree of the Routing And Remote Access management console, right-click Network Interfaces and then select New Demand-dial Interface from the shortcut menu.
19. The Demand-dial Interface Wizard starts.
20. Click Next on the Demand-dial Interface Wizard Welcome page.
21. Enter a name for the new demand-dial interface and then click Next.
22. On the Connection Type page, choose the Connect using a modem, ISDN adapter, or other physical device option and click Next.
23. On the Protocols And Security page, select the Route IP packets on this interface checkbox, and click Next.
24. On the Static Routes For Remote Networks page, click the Add button to configure the static route.
25. Click OK in the Static Route dialog box. Click Next.
26. Specify the username, password and domain for authentication purposes on the Dial Out Credentials page. Click Next.
27. Click Finish on the Completing the Demand-dial Interface Wizard page.
28. This process has to be completed for the remote LAN as well.

Configuring the Remote Access Server to use Multilink with Bandwidth Allocation Protocol (BAP)
How to enable BAP
1. Click Start, Administrative Tools, and then select Routing And Remote Access to open the Routing And Remote Access console.
2. In the console tree, right-click the server that you want to configure and then click Properties from the shortcut menu.
3. Click the PPP tab on the Server Properties dialog box.
4. Click the Dynamic bandwidth control using BAP and BACP checkbox to activate it.

How to enable Multilink

1. Click Start, Administrative Tools, and then select Routing And Remote Access to open the Routing And Remote Access console.
2. In the console tree, expand the server node to display the Remote Access Policies node.
3. Select Remote Access Policies.
4. In the details pane, double-click the remote access policy that should be configured.
5. Click Edit Profile.
6. Use the Multilink tab to configure properties for the Multilink policy.
7. Click OK.

How to enable multiple device dialing on the client system

1. Open Control Panel.
2. Click Network and Dial-up Connections.
3. Right-click the connection for multilink and then select Properties from the shortcut menu.
4. Select Options and then Multiple devices.
5. If you want to dynamically dial and hang up devices, click Dial devices only as needed and then click Configure.
6. If you want to use all devices, click Dial all devices.
7. If you want to use only the first available device, click Dial only first available device.
8. Click OK.

Configuring Remote Access Policies for Remote Access Servers

You can configure remote access policies to control the access rights of remote users. Remote access policies allow you to authenticate remote connections and enforce any specific connection restrictions. The following connection settings can be administered by configuring standard remote access policy settings:
   o Authentication methods. The different authentication methods that can be configured are:
      o EAP
      o CHAP
      o MS-CHAP
      o MS-CHAP version 2
      o PAP
      o PEAP
      o Unauthenticated access
   o Remote access permissions
   o Group membership
   o Time of day
   o Type of connection

The following connection settings can be administered by configuring advanced remote access policy settings:
   o Access server identity
   o Access client phone number or MAC address
   o Specify to use user account dial-in properties
   o Specify that unauthenticated access be allowed

After a remote access policy authorizes a connection, you can also configure that certain constraints be enforced. Constraints are based on the following:
   o Encryption strength
   o IP packet filters
   o Idle timeout
   o Maximum session time

How to configure a remote access policy for a remote access server

1. Click Start, Administrative Tools, and then select Active Directory Users and Computers to open the Active Directory Users and Computers management console.
2. In the console tree, select the Users container, right-click the user account which you want to configure and then select Properties from the shortcut menu.
3. The Properties dialog box for the user account appears.
4. Click the Dial-in tab.
5. Ensure that the Remote Access Permission (Dial-in or VPN) option is specified as Control Access Through Remote Access Policy.
6. To configure the remote access policy for the remote access server, click Start, Administrative Tools, and then select Routing And Remote Access to open the Routing And Remote Access console.
7. In the console tree, expand the server's node and then right-click Remote Access Policies and select New Remote Access Policy from the shortcut menu.
8. Select the desired policy configuration settings through the various pages of the New Remote Access Policy Wizard.
9. The different policy conditions that you can specify are listed below:
   o Authentication Type: the authentication type, for instance PAP or CHAP.
   o Called Station ID: the network access server's (NAS) phone number.
   o Calling Station ID: the phone number used by the caller.
   o Client-Friendly Name: the name of the RADIUS client requiring authentication.
   o Client IP Address: the IP address of the RADIUS client.
   o Client Vendor: the network access server's (NAS) vendor.
   o Day and Time Restrictions: when a connection can be established.
   o Framed Protocol: IAS uses this to determine the frame type of the incoming packets.
   o MS RAS Vendor: the RADIUS client machine's vendor.
   o NAS Identifier: the network access server's (NAS) name.
   o NAS IP Address: the IP address of the NAS.
   o NAS Port Type: the media used by the client.
   o Service Type: the type of service requested.
   o Tunnel Type: the type of tunnel (PPTP, L2TP).
   o Windows Groups: the groups to which the user establishing a connection belongs.

How to configure a remote access policy to authorize access by user

1. Click Start, Administrative Tools, and then select Routing And Remote Access to open the Routing And Remote Access console.
2. In the console tree, expand the server's node and then right-click Remote Access Policies and select New Remote Access Policy from the shortcut menu.
3. The New Remote Access Policy Wizard starts.
4. Click Next on the New Remote Access Policy Wizard Welcome page.
5. On the Policy Configuration Method page, click the Use the wizard to set up a typical policy option.
6. Enter a name in the Policy name box, and then click Next.
7. On the Access Method page, select between the following options and then click Next:
   o Dial-up
   o VPN
   o Wireless
   o Ethernet
8. On the User or Group Access page, click the User option and then click Next.
9. On the Authentication Methods page, specify the authentication methods which the policy will accept and then click Next.
10. On the Policy Encryption Level page, specify the encryption types and then click Next.
11. Click Finish to create the new remote access policy.

How to configure a remote access policy to authorize access by group

1. Click Start, Administrative Tools, and then select Routing And Remote Access to open the Routing And Remote Access console.
2. In the console tree, right-click Remote Access Policies and then select New Remote Access Policy from the shortcut menu.
3. The New Remote Access Policy Wizard starts.
4. Click Next on the New Remote Access Policy Wizard Welcome page.
5. When the Policy Configuration Method page appears, select the Use the wizard to set up a typical policy option.
6. Enter a name in the Policy name box, and then click Next.
7. On the Access Method page, select between the following options and then click Next:
   o Dial-up
   o VPN
   o Wireless
   o Ethernet
8. On the User or Group Access page, select the Group option and then click Add to specify the group name.
9. Using the Enter the object names to select box, specify the group and then click OK.
10. Click Next on the User or Group Access page.
11. On the Authentication Methods page, specify the authentication methods which the policy will accept and then click Next.
12. On the Policy Encryption Level page, specify the encryption types and then click Next.
13. Click Finish to create the new remote access policy.

How to restrict remote access by connection type

1. Click Start, Administrative Tools, and then select Routing And Remote Access to open the Routing And Remote Access console.
2. In the console tree, expand the server's node and then right-click Remote Access Policies and select New Remote Access Policy from the shortcut menu.
3. The New Remote Access Policy Wizard starts.
4. Click Next on the New Remote Access Policy Wizard Welcome page.
5. On the Policy Configuration Method page, click the Set up a custom policy option.
6. Enter a name in the Policy name box, and then click Next.
7. On the Policy Conditions page, click the Add button to add a condition.
8. When the Select Attribute dialog box opens, specify the desired attribute and then click the Add button.
9. Click Next on the Policy Conditions page.
10. On the Permissions page, click the Deny remote access permission option and then click Next.
11. When the Profile page appears, use the Edit button if you want to change the profile. Click Next.
12. Click Finish to create the new remote access policy.
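The pieces configured in the procedures above (an encryption level and idle/session limits in a profile, conditions such as Windows Groups, NAS Port Type, Tunnel Type and Day and Time Restrictions, and a custom Deny policy keyed on the connection type) are applied by the server in the order the policies appear in the console. The following Python model, added for this page and not RRAS code, evaluates one connection attempt against an ordered policy list in that way: the first policy whose conditions all match decides, the account's Dial-in setting can override the policy's permission, and the matched profile is then enforced. The policy names, group names, user names and the Mon-Fri 07:00-19:00 window are constructed.

```python
"""Model of Windows Server 2003 remote access policy evaluation for one attempt.

Added illustration for this page, not RRAS code.  Policy and attribute
names follow the console; sample users, groups and policies are constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass(frozen=True)
class Profile:
    auth_types: frozenset                      # Authentication tab of the profile
    encryption: frozenset                      # Encryption tab: No Encryption / Basic / Strong / Strongest
    idle_timeout_min: Optional[int] = None     # Minutes server can remain idle before it is disconnected
    session_timeout_min: Optional[int] = None  # Minutes the client can be connected


@dataclass
class Policy:
    name: str
    conditions: dict     # attribute -> acceptable values; every condition must hold
    grant: bool          # Grant / Deny remote access permission
    profile: Profile


@dataclass
class Attempt:
    user: str
    dialin: str          # account Dial-in tab: "Allow", "Deny" or "Policy" (control through policy)
    attributes: dict     # e.g. {"Tunnel-Type": "L2TP", "Windows-Groups": frozenset({"VPN Users"})}
    auth_type: str
    encryption: str
    when: datetime


def conditions_match(policy, attempt):
    """A policy applies only when all of its conditions hold for the attempt."""
    for attr, allowed in policy.conditions.items():
        if attr == "Day-And-Time-Restrictions":
            days, start_hour, end_hour = allowed
            t = attempt.when
            if t.weekday() not in days or not start_hour <= t.hour < end_hour:
                return False
        elif attr == "Windows-Groups":   # member of at least one listed group
            if not allowed & attempt.attributes.get("Windows-Groups", frozenset()):
                return False
        elif attempt.attributes.get(attr) not in allowed:
            return False
    return True


def evaluate(policies, attempt):
    """Return (accepted, reason, constraints) for one connection attempt."""
    policy = next((p for p in policies if conditions_match(p, attempt)), None)
    if policy is None:
        return False, "no remote access policy matches", {}
    if attempt.dialin == "Deny":
        return False, f"{policy.name}: account dial-in permission is Deny", {}
    if attempt.dialin == "Policy" and not policy.grant:
        return False, f"{policy.name}: policy denies remote access", {}
    prof = policy.profile
    if attempt.auth_type not in prof.auth_types:
        return False, f"{policy.name}: {attempt.auth_type} not allowed by profile", {}
    if attempt.encryption not in prof.encryption:
        return False, f"{policy.name}: encryption level {attempt.encryption} not allowed", {}
    return True, f"{policy.name}: accepted", {"idle_timeout_min": prof.idle_timeout_min,
                                              "session_timeout_min": prof.session_timeout_min}


# Constructed policies in console order: a custom Deny policy keyed on the
# connection type first, then a typical group-based VPN policy with a hardened profile.
STRONG = Profile(frozenset({"MS-CHAP v2", "EAP"}), frozenset({"Strongest"}), 10, 480)
POLICIES = [
    Policy("Deny PPTP", {"Tunnel-Type": {"PPTP"}}, grant=False, profile=STRONG),
    Policy("VPN Users, business hours",
           {"Windows-Groups": frozenset({"VPN Users"}), "NAS-Port-Type": {"Virtual (VPN)"},
            "Day-And-Time-Restrictions": ({0, 1, 2, 3, 4}, 7, 19)},   # Mon-Fri 07:00-19:00
           grant=True, profile=STRONG),
]


def run_scenarios():
    """Evaluate constructed attempts; returns {name: (accepted, reason, constraints)}."""
    tue, sat = datetime(2024, 3, 5, 10, 0), datetime(2024, 3, 9, 10, 0)
    vpn = {"NAS-Port-Type": "Virtual (VPN)", "Windows-Groups": frozenset({"VPN Users"})}
    l2tp = {**vpn, "Tunnel-Type": "L2TP"}
    attempts = {
        "pptp": Attempt("alice", "Policy", {**vpn, "Tunnel-Type": "PPTP"}, "MS-CHAP v2", "Strongest", tue),
        "l2tp": Attempt("alice", "Policy", l2tp, "MS-CHAP v2", "Strongest", tue),
        "weak_crypto": Attempt("alice", "Policy", l2tp, "MS-CHAP v2", "Basic", tue),
        "pap": Attempt("alice", "Policy", l2tp, "PAP", "Strongest", tue),
        "not_member": Attempt("bob", "Policy", {**l2tp, "Windows-Groups": frozenset()}, "MS-CHAP v2", "Strongest", tue),
        "weekend": Attempt("alice", "Policy", l2tp, "MS-CHAP v2", "Strongest", sat),
        "acct_deny": Attempt("alice", "Deny", l2tp, "MS-CHAP v2", "Strongest", tue),
    }
    return {name: evaluate(POLICIES, a) for name, a in attempts.items()}


if __name__ == "__main__":
    for name, (ok, reason, constraints) in run_scenarios().items():
        print(f"{name:12} {'ACCEPT' if ok else 'REJECT'}  {reason}  {constraints or ''}")
```

Two things the model makes visible that the wizard pages do not: an attempt that matches no policy at all is rejected, so a Deny policy is only needed to carve an exception out of a broader Grant policy, and an account whose Dial-in tab is set to Allow bypasses the policy's permission but still gets the matched profile's encryption and timeout limits.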

Configuring Remote Access Clients

