Module 11: Configuring Remote Access

Contents

Overview                                                       1
Overview of Remote Access in Windows 2000                      3
Configuring the Remote Access Server                          11
Configuring Authentication Protocols                          20
Configuring Encryption Protocols                              25
Configuring Routing and Remote Access for DHCP Integration    27
Lab A: Configuring RAS                                        31
Examining Remote Access Policies                              38
Examining Remote Access Policy Evaluation                     40
Creating a Remote Access Policy                               45
Lab B: Configuring Remote Access Policy                       49
Configuring the Remote Access Client                          54
Best Practices                                                58
Lab C: Connecting to RAS                                      60
Review                                                        66
Information in this document, including URL and other Internet Web site references, is subject to
change without notice. Unless otherwise noted, the example companies, organizations, products,
domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious,
and no association with any real company, organization, product, domain name, e-mail address,
logo, person, places or events is intended or should be inferred. Complying with all applicable
copyright laws is the responsibility of the user. Without limiting the rights under copyright, no
part of this document may be reproduced, stored in or introduced into a retrieval system, or
transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or
otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.

 2001-2002 Microsoft Corporation. All rights reserved.

Microsoft, MS-DOS, Windows, Windows NT, Active Desktop, Active Directory, FrontPage,
MSDN, NetMeeting, PowerPoint, Visual Basic, Win32, and Windows Media are either registered
trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their
respective owners.

Special thanks to Kimborly A. Ditto-Ehlert of Net Wave Training, Matthew Duncan of the Dana
Corporation, and Thomas Lee of PS Partnership for technical review of the course content.
                                                     Module 11: Configuring Remote Access          iii



Instructor Notes
Presentation: 90 Minutes
Lab: 45 Minutes

                This module provides students with the knowledge and skills necessary to
                configure a remote access server and clients in a Microsoft® Windows® 2000
                network.

                After completing this module, students will be able to:
                   Describe the remote access process and protocols.
                   Configure inbound connections on a remote access server.
                   Configure authentication protocols for remote access sessions.
                   Configure encryption protocols for remote access sessions.
                   Configure the Routing and Remote Access service for Dynamic Host
                   Configuration Protocol (DHCP) integration.
                   Explain remote access policy and profile concepts.
                   Describe the process of remote access policy evaluation.
                   Create a remote access policy and configure a remote access profile.
                   Configure outbound connections on a remote access client.
                   Apply best practices to managing remote access.


Materials and Preparation
                This section provides the materials and preparation tasks that you need to teach
                this module.

                Required Materials
                To teach this module, you need the Microsoft PowerPoint® file 2126B_11.ppt.

                Preparation Tasks
                To prepare for this module:
                   Read all of the materials for this module.
                   Complete the lab.
                   Read the following white papers under Additional Reading on the Web
                   page on the Student Materials compact disc:
                   • Microsoft Privacy Protected Network Access: Virtual Private
                     Networking and Intranet Security
                   • Windows 2000–Based Virtual Private Networking: Supporting VPN
                     Interoperability
                   • Virtual Private Networking: An Overview
                   • Microsoft Windows 2000 TCP/IP Implementation Details
                   Read the “Remote Access Server” and “Virtual Private Networking” topics
                   in the Microsoft Windows 2000 Server Resource Kit.
                   Read the “Remote Access” and “Virtual Private Networks” topics in
                   Microsoft Windows 2000 Server Help.

Module Strategy
                       Use the following strategy to present this module:
                           Overview of Remote Access in Windows 2000
                           Describe the remote access process. Compare dial-up and virtual private
                           network (VPN) connections. Explain the remote access and local area
                           network (LAN) protocols that Windows 2000 supports. Compare Point-to-
                           Point Tunneling Protocol (PPTP) with Layer Two Tunneling Protocol
                           (L2TP) as VPN protocols. Finally, introduce the topics of Multilink and the
                           Bandwidth Allocation Protocol (BAP).
                           Configuring the Remote Access Server
                           Explain and demonstrate the procedures for configuring dial-up and VPN
                           inbound connections. Explain and demonstrate the procedures for
                           configuring modem and cable ports. Explain how to configure Multilink and
                           BAP. Discuss the types of settings that can be configured for a user account
                           for dial-in connections.
                           Configuring Authentication Protocols
                           Explain the purpose of authentication protocols. Describe each of the
                           standard authentication protocols that Windows 2000 supports. Explain how
                           extensible authentication protocols are used.
                           Configuring Encryption Protocols
                           Explain how to configure Microsoft Point-to-Point Encryption (MPPE) and
                           Internet Protocol security (IPsec).
                            Configuring Routing and Remote Access for DHCP Integration
                           List the options for assigning Internet Protocol (IP) addresses to remote
                           access clients. Explain how to use DHCP for IP addressing for remote
                           access clients.
                           Examining Remote Access Policies
                           Explain the purpose of remote access policies. Solicit examples of when
                           remote access policies could benefit a company. Describe the components
                           of a remote access policy.
                           Examining Remote Access Policy Evaluation
                           Students must understand the evaluation process to effectively manage
                           remote access policies in a network. Describe the evaluation process that
                           occurs when a user attempts to access a network remotely. Next, discuss the
                           default remote access policy, and then explain the impact of multiple remote
                           access policies.
                           Creating a Remote Access Policy
                           Explain how to configure dial-in settings, policy conditions, and policy
                           settings, while emphasizing that all settings must match. Demonstrate each
                           of the procedures.

Configuring the Remote Access Client
Discuss the hardware options for remote access clients. Explain and
demonstrate the procedures for configuring dial-up and VPN outbound
connections on the client.
Best Practices
In this topic, you will present best practices for managing remote access.
Emphasize the reason for each best practice.

Overview

Topic Objective: To provide an overview of the module topics and objectives.

Lead-in: In this module, you will learn about the Routing and Remote Access
service in Windows 2000.

Slide: module topics
   Overview of Remote Access in Windows 2000
   Configuring the Remote Access Server
   Configuring Authentication Protocols
   Configuring Encryption Protocols
   Configuring Routing and Remote Access for DHCP Integration
   Examining Remote Access Policies
   Examining Remote Access Policy Evaluation
   Creating a Remote Access Policy
   Configuring the Remote Access Client
   Best Practices

                                 Remote access allows users to connect to your network from a remote location.
                                 The primary tasks for enabling remote access are:
                                    Configuring the Routing and Remote Access service.
                                    Configuring users’ access rights to the remote access server.
                                    Creating appropriate remote access connections on remote access clients.

                                 After you install and configure the Routing and Remote Access service, you
                                 can enhance remote access to your Microsoft® Windows® 2000 network in
                                 several ways. For example, you can configure authentication protocols to
                                 increase the security of your remote access connections, and you can use
                                 Dynamic Host Configuration Protocol (DHCP) to provide Internet Protocol (IP)
                                 addresses to dial-up clients.
                                 In Windows 2000, you can also define and create remote access policies to
                                 control the level of remote access that a user or group of users has to the
                                 network, including the encryption levels they will use. Remote access policies
                                 are a set of conditions and connection settings that give network administrators
                                 more flexibility in granting remote access permissions and usage.

                                 Note The information in this module that applies to remote access policies
                                 assumes an environment in which the Active Directory® directory service is
                                 enabled and running in native mode, where all domain controllers are running
                                 Windows 2000.

                       After completing this module, you will be able to:
                           Describe the remote access process and protocols.
                           Configure inbound connections on a remote access server.
                           Configure authentication protocols for remote access sessions.
                           Configure the Routing and Remote Access service for DHCP integration.
                           Explain remote access policy and profile concepts.
                           Describe the process of remote access policy evaluation.
                           Create a remote access policy and configure a remote access profile.
                           Configure outbound connections on a remote access client.

Overview of Remote Access in Windows 2000

Topic Objective: To list the process and protocols of remote access.

Lead-in: Remote access allows users to connect to your network from a remote
location.

Slide: topics
   How Does a Remote Access Connection Work?
   Remote Access Protocols and LAN Protocols
   Virtual Private Network Protocols
   Multilink Protocols

                              The Microsoft Windows 2000 Server Routing and Remote Access service
                              provides:
                                 Dial-up and virtual private network (VPN) remote access services.
                                 Multiprotocol local area network (LAN)-to-LAN, LAN-to-wide area
                                 network (WAN), VPN, and network address translation (NAT) routing
                                 services.
                                 Multilink protocols, allowing the bundling of two or more communication
                                 paths into a single path to increase bandwidth.


                              Note For more information about using Routing and Remote Access as a
                              router, see Appendix A, “Using Routing and Remote Access service as a
                              Router,” in Course 2126B, Managing a Windows 2000 Network Environment.

                              Windows 2000 allows remote clients to connect to remote access servers
                              through a variety of hardware, including analog modems, Integrated Services
                              Digital Network (ISDN) adapters, and digital subscriber line (DSL) modems.
                              The remote access server runs the Routing and Remote Access service, a
                              Windows 2000 component, which supports various data transport and VPN
                              protocols to enable remote connections.

How Does a Remote Access Connection Work?

Topic Objective: To illustrate the process that occurs when establishing a
remote access connection.

Lead-in: Remote or mobile workers can connect to the corporate network by using
remote access.

Slide: the remote access client reaches the remote access server across the
Internet by using remote access protocols; the server then passes traffic onto
the local area network by using LAN protocols.

                                 Windows 2000 Server remote access, which is part of the Routing and Remote
                                 Access service, enables remote or mobile workers to connect to corporate
                                 networks.

                                 The Remote Access Process
                                 Users run remote access software and initiate a connection to the remote access
                                 server. This connection uses a remote access protocol, such as the Point-to-
                                 Point Protocol (PPP).
                                 The remote access server, which is a computer running Windows 2000 Server
                                 and the Routing and Remote Access service, authenticates users and remote
                                 access sessions. The remote access server acts as a gateway by forwarding data
                                 between the client and the LAN.
                                 Using this connection, the client sends data to and receives data from the
                                 remote access server. The data is encoded by a protocol, such as Transmission
                                 Control Protocol/Internet Protocol (TCP/IP), and is then encapsulated in a
                                 remote access protocol.
                                 All services that are typically available to a LAN-connected user (including file
                                 and print sharing, Web server access, and messaging) are enabled for a remote
                                 user through the remote access connection.

Types of Remote Access Connectivity
Windows 2000 provides two types of remote access connectivity.

Dial-up Connections
To connect to the network with dial-up remote access, a remote access client
uses a communications network, such as the Public Switched Telephone
Network (PSTN), to create a physical connection to a port on a remote access
server on the private network. This connection is typically made by using a
modem or ISDN adapter to dial in to the remote access server.
Dial-up remote access enables an organization to connect users to their network
when they are working remotely. However, if your organization has many users
who travel to many locations, long-distance telephone charges and telephone
line maintenance can be expensive. Your organization may choose a VPN
solution as an alternative to increasing the size of a dial-up remote access
network.

Virtual Private Network Connections
A VPN provides secure remote access through the Internet, rather than through
direct dial-up connections. A VPN client uses TCP/IP over a public network to
create an encrypted, virtual, point-to-point connection with a VPN gateway on
the private network. Typically, the user connects to the Internet through an
Internet service provider (ISP) and then creates a VPN connection to the VPN
gateway. By using the Internet in this way, companies can reduce their long-
distance telephone expenses and rely on an existing infrastructure.
Companies that want to reduce the cost of remote access and increase their
network flexibility can take advantage of VPN remote access. Traveling
employees can dial in to the local ISP and then make a VPN connection back to
the corporate network. This eliminates the long-distance charges or toll calls
that are associated with a dial-up connection.

Remote Access Protocols and LAN Protocols

Topic Objective: To introduce the protocols that are used for remote access.

Lead-in: Windows 2000 uses both remote access protocols and LAN protocols to
support remote access.

Slide:

Remote Access Protocols      LAN Protocols
PPP                          TCP/IP
Microsoft RAS                NWLink
ARAP (server only)           NetBEUI
                             AppleTalk

                             The Routing and Remote Access service in Windows 2000 uses both remote
                             access protocols and LAN protocols to enable clients to connect to remote
                             access servers. Remote access protocols control transmission of data over WAN
                             links, whereas LAN protocols control transmission of data in the local area
                             network.
                             Windows 2000 uses a remote access protocol to establish a connection between
                             the remote access devices. Windows 2000 then uses LAN protocols to establish
                             communication between the two computers. When a remote access client
                             communicates with a server, the Routing and Remote Access service
                             encapsulates the data in a LAN protocol packet for transport in the LAN. This
                             packet is then encapsulated in a remote access protocol packet for transport to
                             the server.
                             When you install and configure the Routing and Remote Access service, any
                             protocols that are already installed on the computer are automatically enabled
                             for remote access on inbound and outbound connections. If you are
                             administering a remote access server, for each LAN protocol you must also
                             specify whether you want to provide access to the entire network or only to the
                             remote access server. By default, access to the entire network is configured. If
                             you provide access to the entire network by using TCP/IP, you must also
                             configure how the server provides IP addresses.

Remote Access Protocols
Windows 2000 supports several remote access protocols, providing clients with
the ability to connect to a variety of remote access servers.

Point-to-Point Protocol
PPP enables remote access clients and servers to operate together, independent
of the client and server operating systems. For example, clients running
Windows 2000 can connect to remote networks through any server that uses
PPP. Similarly, computers running other remote access software can also use
PPP to connect to a computer running the Routing and Remote Access service.
This is the most commonly used remote access protocol.

Microsoft RAS
The Microsoft Remote Access Service (RAS) protocol is a proprietary protocol
that supports the network basic input/output system (NetBIOS). Microsoft RAS
supports clients that use Microsoft Windows NT® version 3.1, Microsoft
MS-DOS®, LAN Manager, or Windows for Workgroups, because those clients
must use the NetBIOS Enhanced User Interface (NetBEUI) protocol to gain
access to the remote access server.
When the client is connected to the RAS server, Microsoft RAS acts as a
gateway that provides access to network resources. However, these clients do
not support PPP and therefore cannot gain access to applications that run
directly over TCP/IP. For example, Web servers on the network are unavailable
to these clients.

AppleTalk Remote Access Protocol
Apple clients can connect to a remote access server running Windows 2000 by
using the AppleTalk Remote Access Protocol (ARAP) protocol.

LAN Protocols
The Routing and Remote Access service supports the following LAN protocols:
   TCP/IP
   NWLink
   NetBEUI
   AppleTalk

You can use the support for these protocols to integrate the Routing and
Remote Access service into existing Microsoft-based, UNIX, or Novell
NetWare networks by using remote access protocols. For example, a remote
access client can connect to a remote access server by using NetBEUI, and can
use that server as a gateway to communicate with a UNIX server running
TCP/IP or a NetWare server running Internetwork Packet Exchange/Sequenced
Packet Exchange (IPX/SPX).

Virtual Private Network Protocols

Topic Objective: To list the differences between PPTP and L2TP.

Lead-in: VPN connections are encrypted and secure.

Slide: Client --- PPTP or L2TP across the Internet --- Server

PPTP                                L2TP
Internetwork must be IP based       Internetwork can be IP, frame relay, X.25, or ATM based
No header compression               Header compression
No tunnel authentication            Tunnel authentication
Built-in PPP encryption             Uses IPSec encryption
Wide compatibility                  Windows 2000 and XP are the only Microsoft operating
                                    systems supported

A VPN connection over the Internet is encrypted and secure. The remote access
server enforces the authentication and encryption protocols, so the protection
a connection actually receives is the protection that the server's remote
access policy requires. Sensitive data is hidden from Internet users, but it is
made securely accessible to appropriate users through a VPN.

Key Points
VPNs work by putting normal data packets inside encrypted PPP packets.
Most VPN connections start with a connection to an ISP, although only network
connectivity to the VPN server is required.

VPN Operation
VPN protocols encapsulate data packets inside PPP data packets. The remote
access server performs all security checks and validations, and enables data
encryption, making it safer to send data over non-secure networks, such as the
Internet. Typically, users connect to the VPN by first connecting to an ISP and
then connecting to the VPN ports through that Internet connection.
VPNs use either the Point-to-Point Tunneling Protocol (PPTP) or the Layer
Two Tunneling Protocol (L2TP) to establish connections. Windows 2000
automatically enables these protocols when you create VPN ports during the
administration of the Routing and Remote Access service.

PPTP and L2TP
Both PPTP and L2TP use PPP to provide an initial envelope for the data and then
append additional headers for transport through a network. The most important
differences between PPTP and L2TP include:
   Connectivity. L2TP performs over a wide range of WAN connection media,
   such as IP or frame relay, requiring only that the tunnel media provide
   packet-oriented, point-to-point connectivity. PPTP requires an IP-based
   internetwork.
   Header Compression. L2TP supports header compression, but PPTP does
   not. When header compression is enabled, L2TP operates with 4-byte
   headers, whereas PPTP operates with 6-byte headers.
   Authentication. L2TP supports tunnel authentication, but PPTP does not.
   Internet Protocol security (IPSec) provides computer-level authentication, in
   addition to data encryption, for VPN connections that use L2TP. IPSec
   negotiates between your computer and the remote access server before the
   L2TP connection is established, so both the PPP authentication exchange
   (including passwords) and the data are protected.
   Encryption. PPTP uses the built-in PPP encryption, Microsoft Point-to-Point
   Encryption (MPPE). L2TP provides a secure tunnel by cooperating with
   other encryption technologies; in the Microsoft implementation, this is
   IPSec.

   Note IPSec currently cannot pass through any device that performs Network
   Address Translation (NAT), such as many proxy server and firewall products:
   IPSec exposes no transport-layer port numbers for the NAT device to
   translate, and rewritten addresses break the integrity checks that cover
   them. If you have NAT at your firewall, you will have to use PPTP as your
   VPN mechanism.
   A future Service Pack for Microsoft Windows XP will enable L2TP to pass
   through a NAT by using UDP encapsulation, provided you are connecting
   to the remote access service on Microsoft .NET Server.

   Compatibility. For Microsoft operating systems, only computers running
   Windows 2000 and Windows XP can use L2TP. Most Windows operating
   system clients can use PPTP.


Note There is currently a beta available for an L2TP/IPSec client for Microsoft
Windows NT 4.0, Microsoft Windows 95, and Microsoft Windows 98. For full
details and to enroll in the beta program, see the Microsoft Web site at
http://www.microsoft.com/windows2000technologies/communications/vpn.



Multilink Protocols
Topic Objective
To introduce the concepts of Multilink and the bandwidth allocation protocol.
Lead-in
Multilink allows users to combine communication paths and BAP allows
multilink servers to dynamically reallocate hardware resources where more
bandwidth is needed.
[Slide: "Multilink" shows links A and B bundled to a Remote Access Server;
"Multilink with BAP" shows links A, B, and C to a Remote Access Server, with
the connection switching on demand.]
Multilinking combines multiple physical links into a logical bundle to increase
bandwidth. Multilink protocols allow users to combine analog modem paths,
ISDN paths, and even mixed analog and digital communications links on client
and server computers.
Multilinking enables your computer to use two or more communications ports
as if they were a single port of greater bandwidth. This means that if you use
two modems to connect to the Internet, you can connect at double the speed of a
single modem. To dial multiple devices, your connection and your remote
access server must both have Multilink enabled.

PPP Multilink Protocol
The PPP Multilink protocol combines the bandwidth of two or more
communication lines to create a single virtual data connection, providing
scalable bandwidth based on the volume of data. Routing and Remote Access
can use Multilink over multiple modems, ISDN, or X.25 adapter cards. Both the
client and the remote access server must have Multilink enabled.

Bandwidth Allocation Protocol
The Bandwidth Allocation Protocol (BAP) enhances Multilink by dynamically
adding or dropping links on demand. BAP is especially valuable to operations
that have carrier charges based on bandwidth utilization. BAP is a PPP control
protocol that works with PPP to provide bandwidth on demand.

Note For more information about Multilink, see RFC 1990, and for more
information about BAP, see RFC 2125 under Additional Reading on the Web
page on the Student Materials compact disc.



Configuring the Remote Access Server
Topic Objective
To list topics relevant to configuring the remote access server in Windows 2000.
Lead-in
To enable and configure the remote access server, you must be logged on as a
member of the Administrators group.
[Slide: topics in this section]
   Configuring Inbound Connections
   Configuring Modem and Cable Ports
   Configuring Virtual Private Network Ports
   Configuring Multilink Connections
   Configuring Inbound Access for Users
Key Point
To create an inbound connection, you first enable a port for the appropriate
type of connection (VPN, modem, or cable).

To enable and configure the remote access server, you must be logged on as a
member of the Administrators group.
Before you install the Routing and Remote Access service, all hardware must
be installed and working. Depending on your network and your requirements,
you will need the following hardware:
   Network adapter with a certified Network Driver Interface Specification
   (NDIS) driver.
   One or more compatible modems and an available COM port.
   Multiport adapter for acceptable performance with multiple remote
   connections.
   X.25 adapter card (if you are using an X.25 network).
   ISDN adapter (if you are using an ISDN line).

Note To verify the compatibility of all hardware on a computer running
Windows 2000 Server, see the Microsoft Windows Hardware Compatibility
List at www.microsoft.com.

When you install Windows 2000 Server, the remote access component is
automatically installed. However, the Routing and Remote Access service is
installed in a disabled state. You enable the Routing and Remote Access service
by configuring the server to accept inbound connections.
After you configure the remote access server to accept inbound connections,
you can configure additional VPN, modem, and cable ports, and the dial-in
settings that control access to the remote access server.



Configuring Inbound Connections
Topic Objective
To illustrate the procedure for configuring the Routing and Remote Access
service.
Lead-in
Most computers that create inbound connections are members of a domain.
Administrators must configure inbound connections on computers that belong
to a domain by using the Routing and Remote Access service.
[Slide: the Routing and Remote Access console with the shortcut menu of
SERVERX (local) open, showing Configure and Enable Routing and Remote
Access, Disable Routing and Remote Access, All Tasks, View, Delete, Refresh,
Export List..., Properties, and Help.]
Delivery Tips
Demonstrate configuration of the Routing and Remote Access service, showing
that the console is installed, but the service is not started initially.
Emphasize that students must not perform the actions along with you during the
demonstration. They will perform this task in the lab.

If the server is a member of a domain in the Windows 2000 Active Directory®
directory service and you are not a domain administrator, instruct your domain
administrator to add the computer account of this server to the RAS and IAS
Servers security group in the domain of which this server is a member.
Membership of this group allows non-domain controller computers to access
the remote access properties of user accounts.
To configure remote access on the server:
1. Install and configure TCP/IP. If your remote access server will provide
   access to clients that require NWLink, NetBEUI, or AppleTalk, install and
   configure those protocols.
2. On the Administrative Tools menu, open Routing and Remote Access.
3. In the console tree, right-click the server name, and then click Configure
   and Enable Routing and Remote Access.
4. In the Routing and Remote Access Server Setup Wizard, click Next.
5. On the Common Configuration page, select Remote access server, and
   then click Next.
6. On the Remote Client Protocols page, verify that you have all of the
   transport protocols that are required to connect to the client computers with
   remote access, and then click Next.
7. On the Network Selection page, select the network connection to which the
   remote access clients will be assigned, and then click Next.
8. On the IP Address Assignment page, select Automatically or From a
   specified range of addresses to assign IP addresses to the dial-in clients.


9. On the Managing Multiple Remote Access Servers page, select to
   configure RADIUS (Remote Authentication Dial-In User Service) or not to
   configure RADIUS now, and then click Next.
10. Click OK to close the DHCP message box.
11. Click Finish to complete the wizard.

For Your Information
In-depth information about RADIUS is beyond the scope of this course. As
system administrators, students must know if a RADIUS server is available on
their network; however, they would not typically install, configure, or manage
RADIUS.

Note RADIUS provides centralized authentication, authorization, and
accounting services for distributed dial-up networking. For more information
about RADIUS, see “Using RADIUS” in Microsoft Windows 2000 Server Help.



Configuring Modem and Cable Ports
Topic Objective
To illustrate the dialog boxes for configuring modem and cable ports.
Lead-in
Hardware ports are configured from the same location as virtual ports.
[Slide: the Configure Device dialog box for a Windows modem. Callouts mark
the ports, grouped by type; the function of the port (Remote access connections
(inbound only) or Demand-dial routing connections (inbound/outbound)); the
phone number of this device (if applicable); and Maximum ports, the number of
virtual ports for a device that supports multiple ports.]
When you start the Routing and Remote Access service for the first time,
Windows 2000 automatically detects any modems that are installed and creates
modem ports for them. Windows 2000 also creates ports for each parallel or
serial cable connection that it detects. When you add a multiport device, you
configure these ports manually under Ports in the console tree of Routing and
Remote Access. You can also use this procedure to manage which ports are
enabled for remote access.
To configure modem or cable ports on the server:
1. In the console tree of Routing and Remote Access, right-click Ports, and
   then click Properties.
2. In the Ports Properties dialog box, click a device, and then click
   Configure.
   Modem, parallel, and serial ports are listed individually, but are grouped
   together and can be configured either individually or together. To configure
   several ports simultaneously, press CTRL while you click multiple ports,
   and then click Configure.
3. In the Configure Ports dialog box, select the Remote access (inbound)
   check box to enable inbound connections.
4. If you are configuring a modem port, type a telephone number.
5. In the Configure Ports and Ports Properties dialog boxes, click OK.



Configuring Virtual Private Network Ports
Topic Objective
To illustrate the location of different remote access ports in the Routing and
Remote Access service.
Lead-in
You configure VPN ports by using the Routing and Remote Access service.
[Slide: the Ports node under SERVERX (local) in the Routing and Remote Access
console (beside Server Status, Dial-In Clients (0), IP Routing, and Remote
Access Policies), listing the following ports.]

Name                          Device     Comment   Status     Callout
WAN Miniport (PPTP)(VPN3-4)   VPN                  Inactive   PPTP ports
WAN Miniport (PPTP)(VPN3-3)   VPN                  Inactive
WAN Miniport (PPTP)(VPN3-2)   VPN                  Inactive
WAN Miniport (PPTP)(VPN3-1)   VPN                  Inactive
WAN Miniport (PPTP)(VPN3-0)   VPN                  Inactive
WAN Miniport (L2TP)(VPN2-4)   VPN                  Inactive   L2TP ports
WAN Miniport (L2TP)(VPN2-3)   VPN                  Inactive
WAN Miniport (L2TP)(VPN2-2)   VPN                  Inactive
WAN Miniport (L2TP)(VPN2-1)   VPN                  Inactive
WAN Miniport (L2TP)(VPN2-0)   VPN                  Inactive
Direct Parallel (LPT1)        PARALLEL             Inactive   Cable and modem ports
Modem (COM 3)                 MODEM                Inactive
Key Points
Windows 2000 automatically creates five PPTP and five L2TP ports.
The number of virtual ports is not limited by physical hardware as it is with
modems.

When you start the Routing and Remote Access service for the first time,
Windows 2000 automatically creates five PPTP and five L2TP ports. The
number of virtual ports that are available to any remote access server is not
limited to availability of hardware. You can increase or decrease the number of
available VPN ports to a number that is appropriate for the bandwidth that is
available to the remote access server.

Note If you select the Virtual private network (VPN) option in the Routing
and Remote Access Setup Wizard, Windows 2000 automatically creates 128
PPTP and 128 L2TP ports.

To configure VPN ports on the server:
1. In the console tree of Routing and Remote Access, right-click Ports, and
   then click Properties.
2. In the Ports Properties dialog box, select a device, and then click
   Configure. For VPN ports, devices appear as WAN Miniport (PPTP) and
   WAN Miniport (L2TP).
3. In the Configure Ports dialog box, select the Remote access (inbound)
   check box to enable inbound VPN connections.
4. In Maximum Ports, type the number of ports, and then click OK.
5. In the Configure Device and Ports Properties dialog boxes, click OK.



Configuring Multilink Connections
Topic Objective
To introduce the topics in configuring a Multilink connection with BAP.
Lead-in
For Multilink to work, you must configure it at the client and the remote
access server.
[Slide: topics in this section]
   Configuring Multilink and BAP on the Remote Access Server
   Configuring Multilink on the Remote Access Client
For Multilink to work, you must configure it at the client and the remote access
server.

Configuring Multilink and BAP on the Remote Access Server
You enable the PPP Multilink and BAP protocols on a server-by-server basis by
using the PPP tab in the Properties dialog box for each remote access server.
Select the Multilink connections and Dynamic bandwidth control
(BAP/BACP) check boxes to enable PPP Multilink and BAP, respectively.
This is the only configuration necessary for the server to accept Multilink
connections.


Configuring Multilink on the Remote Access Client
To configure an outbound connection with multiple devices:
1. Right-click the connection on which you want to enable the dialing of
   multiple devices, and then click Properties.
2. On the General tab, select the check boxes for all the devices that you want
   the connection to use.
3. On the Options tab, under Multiple devices, do one of the following:
   a. If you want to dial only the first available device, click Dial only the
      first available device, and then click Configure.
   b. If you want to use all of your devices, click Dial all devices, and then
      click Configure.
   c. If you want to dynamically dial and hang up devices as needed, click
      Dial devices only as needed, and then click Configure.
       i. In the Automatic Dialing and Hanging Up dialog box, click the
          Activity at least percentage and the Duration at least time that you
          want to set. Another line is dialed when the connection activity
          reaches this level for the amount of time you specify.
        ii. In the Automatic hangup dialog box, click the Activity no more
            than percentage and the Duration at least time that you want to set. A
            device is disconnected when connection activity decreases to this
            level for at least the amount of time that you specify. Click OK
            twice.
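As an added example (not part of the course materials and not Windows 2000's own code), the following Python model applies the two "Dial devices only as needed" rules from steps 3c(i) and 3c(ii) to a constructed series of per-second activity samples, showing when a second device would be dialed and later hung up. The threshold values, the one-sample-per-second assumption and the sample series are all constructed for illustration; the BAP/BACP message exchange of RFC 2125 itself is not modelled.

```python
"""Dial-on-demand decision rule for a Multilink bundle (added example).

Illustrative model of the 'Dial devices only as needed' thresholds, not the
Windows 2000 implementation and not the BAP/BACP negotiation of RFC 2125.
Assumes one utilization sample per second and applies two rules:
  activity at least dial_activity_pct for dial_duration_s   -> dial another device
  activity no more than hangup_activity_pct for hangup_duration_s -> hang one up
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class DialOnDemandPolicy:
    dial_activity_pct: int    # "Activity at least" (percent) before another line is dialed
    dial_duration_s: int      # "Duration at least" (seconds) that level must persist
    hangup_activity_pct: int  # "Activity no more than" (percent) before a line is dropped
    hangup_duration_s: int    # "Duration at least" (seconds) that low level must persist
    max_devices: int          # devices selected on the General tab of the connection


@dataclass
class BundleState:
    active_links: int = 1                 # the first device is always dialed
    high_run_s: int = 0                   # consecutive seconds at/above the dial threshold
    low_run_s: int = 0                    # consecutive seconds at/below the hang-up threshold
    events: List[str] = field(default_factory=list)


def step(policy: DialOnDemandPolicy, state: BundleState, t: int, activity_pct: int) -> int:
    """Consume one per-second utilization sample; return the link count afterwards."""
    state.high_run_s = state.high_run_s + 1 if activity_pct >= policy.dial_activity_pct else 0
    state.low_run_s = state.low_run_s + 1 if activity_pct <= policy.hangup_activity_pct else 0

    if state.high_run_s >= policy.dial_duration_s and state.active_links < policy.max_devices:
        state.active_links += 1
        state.high_run_s = 0              # restart the timer for any further link
        state.events.append(f"t={t}s: dialed device {state.active_links}")
    elif state.low_run_s >= policy.hangup_duration_s and state.active_links > 1:
        state.active_links -= 1
        state.low_run_s = 0
        state.events.append(f"t={t}s: hung up device {state.active_links + 1}")
    return state.active_links


def simulate(policy: DialOnDemandPolicy, samples: List[int]) -> Tuple[List[int], List[str]]:
    """Run the rule over utilization samples; return (links after each second, events)."""
    state = BundleState()
    history = [step(policy, state, t, pct) for t, pct in enumerate(samples)]
    return history, state.events


# Constructed sample: a burst of heavy use, then idle time, on a two-modem connection.
SAMPLE_POLICY = DialOnDemandPolicy(dial_activity_pct=75, dial_duration_s=3,
                                   hangup_activity_pct=10, hangup_duration_s=4,
                                   max_devices=2)
SAMPLE_ACTIVITY = [80, 85, 90, 30, 5, 5, 5, 5, 50]

if __name__ == "__main__":
    links, events = simulate(SAMPLE_POLICY, SAMPLE_ACTIVITY)
    print(links)      # [1, 1, 2, 2, 2, 2, 2, 1, 1]
    for event in events:
        print(event)
```

Note that the activity figure is a percentage of the bundle's current capacity, so in a real connection adding a link lowers the measured percentage for the same traffic; the sample series is given as-is to keep the rule itself visible.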



Configuring Inbound Access for Users
Topic Objective
To illustrate the locations of user dial-in settings.
Lead-in
You must also configure the settings for users’ dial-in properties to make remote
access work correctly.
[Slide: the Dial-in tab of the User1 Properties dialog box, with callouts for:
Permissions (Remote Access Permission (Dial-in or VPN): Allow access, Deny
access, Control access through Remote Access Policy); Caller ID (Verify
Caller-ID); Callback (Callback Options: No Callback, Set by Caller (Routing
and Remote Access Service only), Always Callback to); and IP routing (Assign
Static IP Address; Apply Static Routes, with Static Routes... to define routes to
enable for this dial-in connection).]
Delivery Tip
To illustrate the location of the dial-in settings, open the Properties dialog box
for a user.

You configure dial-in settings to set the conditions for remote access
connections. On a stand-alone server, you configure the dial-in settings on the
Dial-in tab in the Properties dialog box for a user account in Local Users and
Groups. For an Active Directory–based server, you configure the dial-in
settings on the Dial-in tab in the Properties dialog box for a user account in
Active Directory Users and Computers.
These settings must be used with caution if used in conjunction with remote
access policies. All of the settings on the Dial-in tab must agree with the
settings in the policy’s profile and the conditions of the connection attempt.

Setting Remote Access Permissions
The Remote Access Permission settings offer the options to Allow access,
Deny access, or Control access through Remote Access Policy. If access is
explicitly allowed, remote access policy conditions, user account properties, or
profile properties can still deny the connection attempt. The Control access
through Remote Access Policy option is available only on user accounts for
stand-alone Windows 2000–based remote access servers or members of a
Windows 2000 domain in native mode.
When you configure the remote access permission to deny access, the Deny
access setting overrides settings in the remote access policy that permit access.

Note For more information about remote access policies, see “Examining
Remote Access Policies,” later in this module.


Enabling Caller ID Verification
If the Verify Caller-ID option is enabled, the server verifies the caller’s
telephone number. If the caller’s telephone number does not match the
configured telephone number, the connection attempt is denied.
All parts of the connection must support caller ID. Caller ID support on the
remote access server consists of caller ID answering equipment and the driver
that passes caller ID information to the Routing and Remote Access service. If
you configure a caller ID setting for a user and you do not have the driver for
passing the caller ID information from the caller to the Routing and Remote
Access service, the connection attempt will be denied.

Setting Callback Options
If the callback property is enabled, during the connection process, the server
calls back a specific telephone number, which is set by the caller or by the
network administrator.

Assigning a Static IP Address
If the Assign Static IP Address option is enabled, Windows 2000 assigns a
specific IP address to the user when a connection is made.

Applying Static Routes
If the Apply Static Routes option is enabled, the network administrator defines
a series of static IP routes that are added to the routing table of the remote
access server when a connection is made. This setting is designed for use with
demand-dial routing.
Static routes also allow an administrator to block a remote user’s access to
specific subnets.
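To make the interaction of the Dial-in tab settings concrete, here is an added Python model (not course or Windows code) that applies the rules stated in "Setting Remote Access Permissions" and "Enabling Caller ID Verification" to a connection attempt: Deny access wins over a policy that permits the call, Allow access can still be refused by policy conditions or profile settings, and Verify Caller-ID refuses the call when no driver passes caller ID to the service or when the number differs. The field names and the order of the checks after the deny test are assumptions for illustration; the actual evaluation order is covered in "Examining Remote Access Policy Evaluation" later in this module.

```python
"""Evaluation of a user's Dial-in tab settings against a connection attempt.

Added example applying the rules this section states; not Windows 2000 code.
The order of the non-deny checks and the attribute names are assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class RemoteAccessPermission(Enum):
    ALLOW = "Allow access"
    DENY = "Deny access"
    POLICY = "Control access through Remote Access Policy"


@dataclass
class DialInProperties:
    permission: RemoteAccessPermission
    verify_caller_id: Optional[str] = None   # number on the Dial-in tab; None if not enabled


@dataclass
class ConnectionAttempt:
    caller_id: Optional[str]          # number the line reported; None if none was delivered
    caller_id_driver_present: bool    # server has a driver that passes caller ID to the service
    policy_permits: bool              # outcome of remote access policy conditions and profile


def evaluate(props: DialInProperties, attempt: ConnectionAttempt) -> Tuple[bool, str]:
    """Return (accepted, reason) for one connection attempt."""
    # Deny access on the Dial-in tab overrides any policy setting that would permit the call.
    if props.permission is RemoteAccessPermission.DENY:
        return False, "Deny access is set on the user account"

    # Verify Caller-ID: every part of the path must support caller ID. A missing driver
    # denies the attempt exactly as a mismatched number does.
    if props.verify_caller_id is not None:
        if not attempt.caller_id_driver_present or attempt.caller_id is None:
            return False, "caller ID configured but not passed to the Routing and Remote Access service"
        if attempt.caller_id != props.verify_caller_id:
            return False, "caller ID does not match the configured number"

    # Allow access: policy conditions or profile properties can still deny.
    # Control access through Remote Access Policy: the policy decides.
    if not attempt.policy_permits:
        return False, "denied by remote access policy conditions or profile"
    return True, "connection accepted"


if __name__ == "__main__":
    # Constructed sample values.
    user = DialInProperties(RemoteAccessPermission.ALLOW, verify_caller_id="5550123")
    print(evaluate(user, ConnectionAttempt("5550123", True, True)))    # (True, 'connection accepted')
    print(evaluate(user, ConnectionAttempt("5550123", False, True)))   # driver missing -> denied
```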



Configuring Authentication Protocols
Topic Objective
To introduce the topics relevant to authentication protocols.
Lead-in
You can use several different protocols to authenticate users on your network.
[Slide: topics in this section]
   Standard Authentication Protocols
   Extensible Authentication Protocol
Remote access servers use authentication to determine the identity of users who
are attempting to connect to the network remotely. After a user is authenticated,
the user receives the appropriate access permissions and is allowed to connect
to the network.
Correct and secure authentication of user accounts is critical for the security of
a network. Without authentication, anyone who can gain remote access to the
RAS server can gain access to your network.
The Routing and Remote Access service uses several standard protocols to
authenticate users. It also allows the use of the Extensible Authentication
Protocol (EAP).



Standard Authentication Protocols
Topic Objective
To list the level of security and appropriate use of standard authentication
protocols.
Lead-in
Windows 2000 supports many standard authentication protocols, which vary in
levels of security.

Protocol     Security       Use when
PAP          Low            The client and server cannot negotiate using more
                            secure validation
SPAP         Medium         Connecting a Shiva LAN Rover and Windows 2000–based
                            client or a Shiva client and a Windows 2000–based
                            remote access server
CHAP         Above Medium   You have clients that are not running Microsoft
                            operating systems
MS-CHAP      Above Medium   You have clients running Windows NT version 4.0 or
                            later, or Windows 95 or later
MS-CHAP v2   High           You have dial-up clients running Windows 2000, or
                            VPN clients running Windows NT 4.0 or Windows 98
                                Windows 2000 supports many authentication protocols, which vary in levels of
                                security. You enable standard authentication protocols in the Routing and
                                Remote Access service by selecting the appropriate check boxes on the
                                Security tab in the Properties dialog box for the remote access server. Only
                                those protocols that you select on this tab can be used to authenticate users to
                                the remote access server.

                                PAP
                                The Password Authentication Protocol (PAP) uses clear-text passwords. If the
                                passwords match, the server grants access to the remote access client. This
                                protocol provides little protection against unauthorized access.

                                SPAP
                                The Shiva Password Authentication Protocol (SPAP) is a two-way reversible
                                encryption mechanism that is employed by Shiva, a hardware manufacturer.
                                SPAP encrypts the password data that is sent between the client and server and
                                is, therefore, more secure than PAP.

                                CHAP
                                The Challenge Handshake Authentication Protocol (CHAP) (also known as
                                Message Digest 5 [MD5]–CHAP) is a challenge-response authentication
                                protocol. To use CHAP, you must enable reversible encryption of the user’s
                                password in the properties of the user account.

                                MS-CHAP
                                The Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) is a
                                one-way, encrypted password authentication protocol. If the server uses
                                MS-CHAP as the authentication protocol, it can use Microsoft Point-to-Point
                                Encryption (MPPE) to encrypt data to the client or server. On a remote access
                                server running Windows 2000, MS-CHAP is enabled by default.


                       MS-CHAP v2
                       Microsoft Challenge Handshake Authentication Protocol version 2
                       (MS-CHAP v2) is a newer version of MS-CHAP, which provides mutual
                       authentication, stronger initial data encryption keys, and different encryption
                       keys for sending and receiving.
                       For all VPN connections, Windows 2000 Server offers MS-CHAP v2 before
                       offering MS-CHAP. Windows 2000 dial-up connections can also use
                       MS-CHAP v2.

                       Selecting Authentication Protocols
                       The following table describes when you use these protocols.
                       Protocol         Security       Use when

                       PAP              Low            The client and server cannot negotiate by using a more
                                                       secure form of validation.
                       SPAP             Medium         Connecting to a Shiva LAN Rover, or when a Shiva
                                                       client connects to a Windows 2000–based remote access
                                                       server.
                       CHAP             Above Medium   You have clients that are not running Microsoft
                                                       operating systems.
                       MS-CHAP          Above Medium   You have clients running Windows 2000, Microsoft
                                                       Windows NT 4.0 or later, or Microsoft Windows 95 or
                                                       later.
                       MS-CHAP v2       High           You have dial-up clients running Windows 2000, or
                                                       VPN clients running Windows NT 4.0 Service Pack 4
                                                       or later, Microsoft Windows 98, Microsoft
                                                       Windows XP, Microsoft Windows Millennium Edition,
                                                       or Windows 95 with the Windows Dial-up Networking
                                                       1.3 Performance and Security Upgrade.
                                                       MS-CHAP v2 is the most secure form of authentication.
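To make the difference between the clear-text PAP exchange and the challenge-response CHAP exchange concrete, here is an added Python model of both, written after RFC 1334 (PAP) and RFC 1994 (MD5-CHAP). It is an added example for this page, not code from the course or from Microsoft; the account name, password, frame layout and the "wire trace" are constructed for illustration, and MS-CHAP and MS-CHAP v2 are not modelled. It shows what a passive observer on the link captures in each case, why the CHAP server must be able to recompute the hash from the stored password (the reason the text above requires reversible encryption for CHAP), and why a captured CHAP response does not verify against a fresh challenge.

```python
"""PAP versus MD5-CHAP on a PPP link, modelled after RFC 1334 and RFC 1994.

Added example for this course page, not Microsoft code. The account name,
password, frame layout and the "wire trace" are constructed for illustration.
"""
import hashlib
import os
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class WireTrace:
    """What a passive observer on the link would capture (constructed)."""
    frames: List[Tuple[str, bytes]] = field(default_factory=list)

    def send(self, direction: str, payload: bytes) -> None:
        self.frames.append((direction, payload))

    def contains(self, needle: bytes) -> bool:
        return any(needle in payload for _, payload in self.frames)


# --- PAP: the password itself is the credential that crosses the link ------

def pap_exchange(user: str, password: str, accounts: Dict[str, str],
                 wire: WireTrace) -> bool:
    """Authenticate-Request carries peer-id and password in clear text."""
    wire.send("client->server", user.encode() + b"\x00" + password.encode())
    ok = accounts.get(user) == password
    wire.send("server->client", b"Authenticate-Ack" if ok else b"Authenticate-Nak")
    return ok


# --- CHAP: the client proves it knows the password without sending it ------

def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 section 2.2: MD5 over identifier || secret || challenge."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


def chap_exchange(user: str, password: str, accounts: Dict[str, str],
                  wire: WireTrace, identifier: int = 1,
                  challenge: bytes = b"") -> bool:
    # The server issues a fresh, unpredictable challenge for every attempt.
    challenge = challenge or os.urandom(16)
    wire.send("server->client", bytes([identifier]) + challenge)
    response = chap_response(identifier, password, challenge)
    wire.send("client->server", bytes([identifier]) + response + user.encode())
    # To check the response the server must recompute the hash from the
    # plain-text password, which is why the account must be stored with
    # reversible encryption when CHAP is enabled.
    stored = accounts.get(user)
    ok = stored is not None and chap_response(identifier, stored, challenge) == response
    wire.send("server->client", b"Success" if ok else b"Failure")
    return ok


def compare_exposure(user: str = "RemoteUser1", password: str = "password") -> Dict[str, bool]:
    """Run both protocols against a constructed account store and report what
    an eavesdropper learned and whether a captured CHAP response verifies
    against a new challenge."""
    accounts = {user: password}          # constructed, reversibly stored secret
    pap_wire, chap_wire = WireTrace(), WireTrace()
    pap_ok = pap_exchange(user, password, accounts, pap_wire)
    chap_ok = chap_exchange(user, password, accounts, chap_wire)

    # Replay check: does the captured client frame still verify once the
    # server has issued a different challenge?
    captured = chap_wire.frames[1][1]            # the client->server frame
    captured_id, captured_response = captured[0], captured[1:17]
    fresh_challenge = os.urandom(16)
    replay_ok = chap_response(captured_id, accounts[user], fresh_challenge) == captured_response

    return {
        "pap_success": pap_ok,
        "pap_password_on_wire": pap_wire.contains(password.encode()),
        "chap_success": chap_ok,
        "chap_password_on_wire": chap_wire.contains(password.encode()),
        "chap_replay_success": replay_ok,
    }


if __name__ == "__main__":
    for key, value in compare_exposure().items():
        print(f"{key:24s} {value}")
```

The trade-off the table above summarises is visible in the model: PAP leaks the password to anyone on the link, while CHAP leaks only a per-challenge digest but forces the server to keep a plain-text-equivalent copy of every password. MS-CHAP removes that storage requirement, and MS-CHAP v2 adds the mutual authentication and per-direction keys the text describes.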



Extensible Authentication Protocol

Topic Objective: To list the key points related to the Extensible Authentication Protocol.

Lead-in: EAP is designed to provide proprietary and future authentication methods.

Slide:
    Enables the client and server to negotiate the authentication method that they will use
    Supports authentication by using:
        MD5-CHAP
        Transport Layer Security
        Additional third-party authentication methods
    Ensures support of future authentication methods through an API

                                 The Extensible Authentication Protocol (EAP) enables customized
                                 authentication to remote access servers. The client and the remote access server
                                 negotiate the exact authentication method to be used.
                                 EAP supports authentication by using:
                                    Message Digest 5 Challenge Handshake Authentication Protocol. This
                                    protocol encrypts user names and passwords with an MD5 algorithm.
                                    Transport Layer Security (TLS). Transport Layer Security is used for smart
                                    card (and other) intermediary security devices. Smart cards require a card
                                    and reader. The smart card electronically stores the user certificate and
                                    private key.
                                    Additional, third-party authentication methods. EAP allows vendors to add
                                    their own authentication methods, such as token cards. Token cards are
                                    physical cards that provide passwords and may use several authentication
                                    methods, including the use of codes that change with each use.

                                 Through the use of the EAP application programming interfaces (APIs),
                                 independent software vendors can supply new client and server authentication
                                 methods for technologies such as token cards, smart cards, biometric hardware
                                 (including retina or fingerprint scanners), and authentication technologies that
                                 are not yet developed.


                       To enable EAP authentication, open Routing and Remote Access, right-click
                       your server, and then click Properties. The configuration settings are on the
                       Security tab. You must click the Authentication Methods button and then
                       select the EAP check box. You enable and configure specific EAP types on the
                       Authentication tab of the Edit Dial-in Profile dialog box for the remote access
                       policy.

                       Note For more information about EAP, see RFC 2284, PPP Extensible
                       Authentication Protocol (EAP), and RFC 2716, PPP EAP TLS Authentication
                       Protocol, under Additional Reading on the Web page on the Student Materials
                       compact disc.



Configuring Encryption Protocols

Topic Objective: To illustrate the available encryption options.

Lead-in: Security between a remote access client and the server can be enhanced by encrypting the data.

Slide:
    Encryption Scheme   MPPE      IPSec
    Basic               40-bit    56-bit DES
    Strong              56-bit    56-bit DES
    Strongest           128-bit   3DES

                               Data encryption provides security by encrypting, or encoding, data that is sent
                               between a remote access client and a remote access server. For installations that
                               require the highest degree of security, the administrator can set the server to
                               force encrypted communications. Clients connecting to that server must encrypt
                               their data or the server will refuse their connection.

                               Note You enable encryption protocols in a remote access policy. For more
                               information about remote access policies, see “Examining Remote Access
                               Policies,” later in this module.


                               Important Data encryption is available only if you use MS-CHAP (v1 or v2) or
                               TLS (an EAP protocol) as the authentication protocol.

                               There are two methods of encrypting the data that is transmitted over a
                               Windows 2000 remote access connection: MPPE and IPSec.

                               Encrypting Data by Using MPPE
                               MPPE encrypts data that moves between a PPTP connection and the VPN
                               server. MPPE is also the encryption method between a dial-in client running
                               CHAP, MS-CHAP or EAP-TLS, and the remote access server. It enables three
                               levels of encryption schemes: strongest (128-bit), strong (56-bit), and basic
                               (40-bit).

                               Note For 128-bit encryption, you must download and install the
                               Windows 2000 High Encryption Pack from the Microsoft Windows 2000
                               Updates Web site or install Service Pack 2.


                            Encrypting Data by Using IPSec
                            IPSec is a suite of cryptography-based protection services and security
                            protocols. IPSec provides both computer-level authentication, and data
                            encryption for VPN connections that use the L2TP protocol only. IPSec
                            negotiates between your computer and its remote tunnel server before the L2TP
                            connection is established, which secures passwords and data.
                            IPSec encryption does not rely on the authentication method to provide initial
                            encryption keys. Therefore, L2TP connections can use all standard PPP-based
                            authentication protocols, such as EAP-TLS, MS-CHAP, CHAP, SPAP, and
                            PAP, to authenticate the user after the secure IPSec communication is
                            established.
                            When you use IPSec to communicate between two computers, you use IPSec
                            policies to configure the security services. IPSec security services provide
                            protection for most types of network traffic. Your network security
                            administrator can configure IPSec policies to meet the security requirements of
                            a user, group, application, domain, site, or global enterprise network.
                            However, when using IPSec with L2TP, you do not have to define an IPSec
                            policy. The operating system has a built-in function to use IPSec for L2TP. The
                            only IPSec authentication method available is certificate-based. This means that
                            both the remote access server and the remote access client wishing to use L2TP
                            with IPSec must have a computer certificate installed.

Key Points: Using L2TP over IPSec requires that the remote access client and the remote access server have computer certificates installed.

                            Note For more information about obtaining and installing computer
                            certificates, see Windows 2000 Help.

                            IPSec uses Data Encryption Standard (DES) encryption. When you select the
                            basic or strong encryption schemes, IPSec uses 56-bit DES encryption. When
                            you select the strongest scheme, IPSec uses triple DES (3DES) encryption.
                            IPSec as offered by Microsoft operating systems can currently be used only
                            with clients running Windows 2000 and Windows XP. As IPSec becomes more
                            commonplace, manufacturers of network interface cards (NICs) will start
                            building IPSec onto their NICs. These NICs can be used with any operating
                            system for which the card manufacturer supplies drivers.

                            Note There is currently a beta available for an L2TP/IPSec client for
                            Windows NT 4.0, Windows 95, and Windows 98. For full details and to enroll
                            in the beta program, see the Microsoft Web site at
                            http://www.microsoft.com/windows2000technologies/communications/vpn.



Configuring Routing and Remote Access for DHCP Integration

Topic Objective: To introduce the topics related to configuring the Routing and Remote Access service for DHCP integration.

Lead-in: You can configure the DHCP server to assign IP addresses to remote access clients from an existing address pool.

Slide:
    Assigning IP Addresses to Remote Access Clients by Using DHCP
    Configuring Routing and Remote Access to Use DHCP

                             When you configure a remote access server to allow clients to connect to a
                             corporate network, you select how clients will receive an IP address from one
                             of the following options:
                                Static IP Address. You configure the IP address on the client computer.
                                When clients use preassigned IP addresses, you must ensure that the IP
                                address is valid for each network to which the client connects and that no
                                other client uses the same address. For this reason, it is not recommended
                                that you use static IP addresses for dial-up networking.
                                From a Range of IP Addresses. A remote access server can assign an IP
                                address from a range of addresses that you configure. If you choose this
                                option, you must ensure that you have a sufficient number of IP addresses
                                allocated exclusively for the remote access server to assign to client
                                computers.
                                From the DHCP Server. A remote access server can obtain IP addresses
                                from a DHCP server and assign the IP addresses to dial-up clients. This
                                configuration is the most versatile configuration, because you do not need to
                                reserve IP addresses for use by dial-up clients, and you must maintain only
                                one address pool.


                             Note For more information about how dial-up clients obtain a subnet mask and
                             addresses, see the “DHCP Option Parameters” topic in the
                             Microsoft Windows 2000 Server Resource Kit.



Assigning IP Addresses to Remote Access Clients by Using DHCP

Topic Objective: To explain the implications of using DHCP to assign IP addresses to remote access clients.

Lead-in: The remote access server obtains 10 IP addresses at a time from the DHCP server.

Slide:
    If DHCP server is available:     Remote access server obtains 10 IP addresses at a time
    If DHCP server is unavailable:   Remote access server uses automatic private IP addressing

                               If the remote access server is configured to use DHCP to obtain IP addresses,
                               the remote access server initially obtains 10 IP addresses from a DHCP server.
                               The remote access server uses the first IP address obtained from DHCP for
                               itself and allocates subsequent addresses to TCP/IP-based remote access clients
                               as they connect. IP addresses that are released when remote access clients
                               disconnect are reused. When all 10 IP addresses are used, the remote access
                               server obtains 10 more. When the Routing and Remote Access service is
                               stopped, all IP addresses obtained through DHCP are released.

                               Tip You can assign DHCP options to dial-up clients that differ from the
                               options that you assign to clients that are directly connected to the network. To
                               do this, use the Default Routing and Remote Access Class user class.

                               If a DHCP server is not available when the Routing and Remote Access service
                               is started, Automatic Private IP Addressing addresses in the range from
                               169.254.0.1 through 169.254.255.254 are used. Because this may prevent client
                               computers from accessing computers on your network other than the remote
                               access server, ensure that a DHCP server is always available.
                               The remote access server uses a specific LAN adapter to obtain
                               DHCP-allocated IP addresses for remote access clients. The IP addresses that
                               the remote access server receives are valid for the network segment to which
                               the adapter is attached.


You can select which adapter you want to use. By default, the Routing and
Remote Access service randomly picks a LAN adapter to use. For a remote
access server with multiple adapters, select the adapter that is connected to a
network segment where DHCP-allocated addresses can be obtained.

Tip When you use DHCP to obtain IP addresses for dial-up clients, you can
reduce the number of required IP addresses by setting a short lease duration,
such as one hour. Configuring a short lease duration enables you to support
many dial-up clients while keeping the number of allocated IP addresses low.
A remote access server requires only as many IP addresses as there are
simultaneously connected clients.



Configuring Routing and Remote Access to Use DHCP

Topic Objective: To illustrate configuration of the Routing and Remote Access service to obtain IP addresses from a DHCP server.

Lead-in: You can configure the Routing and Remote Access service to obtain IP addresses from a DHCP server.

Slide: screenshot of the LONDON (local) Properties dialog box (tabs: General, Security, IP, PPP, Event Logging), IP tab selected, showing:
    Enable IP routing
    Allow IP-based remote access and demand-dial connections
    IP address assignment
        This server can assign IP addresses by using:
            Dynamic Host Configuration Protocol (DHCP)
            Static address pool (columns From, To, Number, IP Add…, Mask; buttons Add…, Edit…, Remove)
    Use the following adapter to obtain DHCP, DNS, and WINS addresses for dial-up clients.
        Adapter: Corpnet
    OK    Cancel    Apply

                                 You can configure the Routing and Remote Access service to obtain IP
                                 addresses from a DHCP server.
                                 To configure a remote access server to obtain IP addresses from a DHCP
                                 server:
                                 1. On the Administrative Tools menu, open Routing and Remote Access.
                                 2. Right-click the server name of the remote access server, and then click
                                    Properties.
                                 3. In the Properties dialog box for the remote access server, on the IP tab,
                                    click Dynamic Host Configuration Protocol (DHCP).
                                 4. In the Adapter box, click the network adapter from which you want the
                                    remote access server to obtain IP addresses by using DHCP.
                                 5. Click OK.



Lab A: Configuring RAS

Topic Objective: To introduce the lab.

Lead-in: In this lab, you will configure your Windows 2000 server to allow remote connections.


Key Points: The lab does not reflect the real-world environment. It is recommended that you always use complex passwords for any administrator accounts, and never create accounts without a password.

                                  Objectives
                                  After completing this lab, you will be able to:
                                     Install Routing and Remote Access.
                                     Configure Routing and Remote Access to allow incoming VPN
                                     connections.

                                  Prerequisites
                                  Before working on this lab, you must be familiar with remote access concepts
                                  and VPN concepts.

                                  Estimated time to complete this lab: 15 minutes

                                  Important Outside of the classroom environment, it is strongly advised that
                                  you use the most recent software updates that are necessary. Because this is a
                                  classroom environment, we may use software that does not include the latest
                                  updates.


     Lab Setup
      Tasks                                Detailed steps

      •    Log on to your domain as        a.    Press CTRL+ALT+DEL to open the logon screen.
           Administrator with a            b.    In the User Name box, type Administrator
           password of password.
                                           c.    In the Password box, type password
                                           d.    In the Domain box, ensure that your domain is listed.
                                           e.    Click OK.


                            Important This Lab does not reflect the real-world environment. It is
                            recommended that you always use complex passwords for any user or
                            administrator accounts, and never create accounts without a password.


Exercise 1
Configuring User Accounts for Remote Access
In this exercise, you will verify that your domain is in native mode, create two test users, verify
what the default dial-in setting is for user accounts and modify them. Then, add the users into a test
group.


Scenario
Northwind Traders will implement remote access servers for the sales force, to allow for secure
access to the company network from the Internet. As the administrator for the remote access servers
on your network, you need to implement the remote access server that grants access to the sales
group and denies access to everyone else. Before you set up the server in such a way, you will
create two test users, put them in a test group and configure the remote access server to allow only
one of the users access.


  Tasks                                Detailed steps

  1.   Verify that your domain is      a.   Open Active Directory Users and Computers from the Administrative
       in Native Mode.                      Tools menu.
                                       b.   In the console tree, right-click domain.nwtraders.msft, and then click
                                            Properties.
                                       c.   In the domain.nwtraders.msft Properties box, verify that the domain
                                            is in Native mode. If it is, close the Properties box and proceed to
                                            task 2; if not, proceed to the next step.
                                       d.   Click Change Mode.
                                       e.   In the Active Directory dialog box, click Yes to confirm the change.
                                       f.   Click OK to close the domain.nwtraders.msft Properties box, and
                                            then click OK to close the Active Directory dialog box.

  2.   Create two users, one called    a.   If not already open, open Active Directory Users and Computers from
       RemoteUser1, with a                  the Administrative Tools menu.
       password of password, and       b.   In the console tree, under domain, right-click Users, point to New, and
       the other called                     then click User.
       RemoteUser2 with a
       password of password.           c.   In the New Object – User dialog box, in the First name box, type
       Configure the user                   RemoteUser1
       properties of RemoteUser1       d.   In the User logon name box, type RemoteUser1
       only to allow dial-in access.   e.   Select @domain.nwtraders.msft, and then click Next.
                                       f.   Set the password for the new user account to password, click Next,
                                            and then click Finish.
                                       g.   In the details pane, right-click RemoteUser1, and then click
                                            Properties.
                                       h.   On the Dial-in tab, click Allow access, and then click OK.
                                       i.   Complete steps b to f to create RemoteUser2 with a password of
                                            password. On the Dial-in tab for this user, click Deny access.




  3.   Create a new global group called RemoteGroup. Add the users that you just created to the group.
       a.   In the console tree, right-click Users, point to New, and then click Group.
       b.   In the New Object – Group dialog box, in the Group name box, type RemoteGroup
       c.   Under Group scope, verify that Global is selected, and under Group type, verify that Security is selected, and then click OK.
       d.   Open the Properties dialog box for RemoteGroup.
       e.   On the Members tab, click Add.
       f.   In the Select Users, Contacts, Computers, or Groups dialog box, in the Look in box, verify that your domain is displayed.
       g.   In the list of objects, click RemoteUser1, click Add, then click RemoteUser2, click Add, and then click OK.
       h.   Click OK to close the RemoteGroup Properties dialog box.

  4.   Set the properties of the Administrator account to allow dial-in access.
       a.   If not already open, open Active Directory Users and Computers from the Administrative Tools menu.
       b.   In the console tree, under domain, click Users.
       c.   In the details pane, locate and right-click Administrator, and then click Properties.
       d.   On the Dial-in tab, click Allow access, and then click OK.
       e.   Close all open windows.


Exercise 2
Configuring Inbound VPN Connections
In this exercise, you will set up Routing and Remote Access, and create VPN ports.


Scenario
The sales staff at Northwind Traders will soon start traveling to remote locations. Although the
traveling sales force will have access to the Internet at all of the remote locations, they still need
access to your network for demonstration purposes. You need to enable secure remote access to
your network over the Internet for these traveling users.


  1.   Install Routing and Remote Access. Use the Configuration Wizard to configure the server as a remote access server with the following values: for the IP address, use 10.x.0.10 (where x is your student number).
       a.   If not currently logged on, log on as Administrator with a password of password.
       b.   On the Administrative Tools menu, open Routing and Remote Access.
       c.   In the console tree, right-click server (where server is the name of your computer), and then click Configure and Enable Routing and Remote Access.
       d.   In the Routing and Remote Access Server Setup Wizard, click Next.
       e.   On the Common Configurations page, click Remote access server, and then click Next.
       f.   On the Remote Client Protocols page, click Next.
       g.   On the IP Address Assignment page, click From a specified range of addresses, and then click Next.
       h.   On the Address Range Assignment page, click New.
       i.   In the Start IP address box, type 10.x.0.10 (where x is your student number), and then in the Number of addresses box, type 5
       j.   Click OK, and then click Next.
       k.   On the Managing Multiple Remote Access Servers page, verify that No, I don’t want to set up this server to use RADIUS now is selected, click Next, and then click Finish.
       l.   Click OK to close the Routing and Remote Access message box, and then close Routing and Remote Access.
       m.   If it appears, click OK to close the DHCP message box.


     Exercise 3
     Configuring Authentication and Adding VPN Ports
     In this exercise, you will add five more L2TP VPN ports to your server and configure
     authentication methods.


     Scenario
     Northwind Traders will implement remote access servers for the sales force, to allow for secure
     access to the company network from the Internet. As the administrator for the remote access servers
     on your network, you need to implement a remote access server that will allow for all 15 sales staff
     to access the server simultaneously. 10 of these staff are running Windows 2000 Professional or
     Windows XP Professional on their laptops; the remaining staff still use Windows NT 4.0.


  1.   Use Routing and Remote Access to add five extra L2TP ports to the default setting of five.
       a.   If not already open, open Routing and Remote Access from the Administrative Tools menu.
       b.   In the console tree, expand server (where server is the name of your computer), right-click Ports, and then click Properties.
       c.   In the Ports Properties dialog box, select the WAN Miniport (L2TP) device, and then click Configure.
       d.   In the Configure Device – WAN Miniport (L2TP) dialog box, in the Maximum ports field, type 10
       e.   Click OK, and then close the Ports Properties dialog box.

       Why have you configured 10 L2TP ports and 5 PPTP ports for the 15 sales staff? (Hint: read the scenario at the beginning of this exercise.)

       The 10 sales staff using Windows 2000 Professional or Windows XP Professional will use L2TP to make a VPN connection to the server. Windows NT 4.0 can only make PPTP VPN connections, so the remaining 5 staff use the default 5 PPTP ports.




  2.   Configure the highest level of authentication that the Sales staff computers can support.
       a.   In the Routing and Remote Access console tree, right-click server (where server is the name of your computer), and then click Properties.
       b.   In the Properties dialog box for your server, on the Security tab, verify that the Authentication provider is Windows Authentication.
       c.   Click Authentication Methods, and notice that MS-CHAP and MS-CHAP v2 are selected by default.
       d.   Click to clear MS-CHAP, and then click OK.
       e.   Close the Properties dialog box.
       f.   Close all windows and log off.

       Why was MS-CHAP v2 selected as the only authentication method when some of the sales staff will be using Windows NT 4.0?

       MS-CHAP v2 can be used by Windows 2000 and Windows XP clients for both dial-in and VPN access. Computers running Windows NT 4.0, Windows 98, and Windows 95 can use MS-CHAP v2 for VPN access only. As the sales staff will only make VPN connections, MS-CHAP v2 is the most secure authentication method that they can all use. Clearing MS-CHAP (version 1) also means that a client which supports only the older protocol is refused rather than negotiated down to it.



Examining Remote Access Policies
Topic Objective
To identify the concepts essential to an understanding of remote access policies.

Lead-in
To create effective remote access policies, you must understand the concepts behind policies, their associated profiles, and how they are evaluated and applied.

Slide: A Remote Access Policy:
   • Is stored locally, not in Active Directory
   • Consists of conditions, permissions, and a profile




*****************************ILLEGAL FOR NON-TRAINER USE******************************
                                It is important that you become familiar with remote access policies because
                                using them effectively provides you with flexibility in granting remote access
                                permissions and usage.
                                You can use remote access policies to assign settings to a connection, based on
                                the user who is connecting and the properties of the connection. Understanding
                                how policies are applied will help you provide customized access to the various
                                users and groups in your organization. For many organizations the default
                                policy, which grants access only to accounts whose dial-in permission is set to
                                Allow access, is adequate.

Key Point
Remote access policies are stored on the remote access server, not in Active Directory. This allows policies to vary according to the capabilities of the server.

                                Policies Are Stored Locally
                                Windows 2000 stores remote access policies on the remote access server, not in
                                Active Directory, so that policies can vary according to remote access server
                                capabilities.

                                Components of a Policy
                                A remote access policy consists of three components that cooperate with
                                Active Directory to provide secure access to remote access servers. The three
                                components of a remote access policy are its conditions, permissions, and
                                profile.


Conditions
The conditions of a remote access policy are a list of parameters, such as the
time of day, user groups, caller IDs, or IP addresses, which are compared to the
settings of the connection attempt by the client.
When a user connects to the remote access server, the characteristics of the
connection attempt are compared with the conditions of the remote access
policy. If there are multiple conditions, all of the conditions in the policy set
must match the settings of the connection attempt for the policy to be activated.

Note If you are using a stand-alone remote access server that is running
Windows 2000, you cannot use the local groups on that server as the user
groups parameter; you must use user accounts instead.


Permissions
Remote access connections are permitted on the basis of a combination of the
dial-in properties of a user account and remote access policies. The permission
setting on the remote access policy works with the user’s dial-in permissions in
Active Directory.
If all of the conditions of a remote access policy are met, remote access
permission is either granted or denied. When you create a remote access policy,
you can choose to either grant or deny remote access permission for the policy.
You can also grant or deny remote access permission for each user account. The
user remote access permission overrides the policy remote access permission.
However, when remote access permission on a user account is set to the
Control access through Remote Access Policy option, the policy remote
access permission determines whether the user is granted access.

Profile
Each policy includes a profile of settings, such as authentication and encryption
protocols, that are applied to the connection. The settings in the profile are
applied to the connection immediately, and may cause the connection to be
denied. For example, if the profile settings for a connection specify that the user
is required to use MS-CHAP v2 authentication, but the client cannot use that
authentication protocol, access will be denied. Additionally, the profile can
require that the connection meet other restrictions, such as origination from a
specific telephone number and call duration.



Examining Remote Access Policy Evaluation
Topic Objective
To identify topics related to remote access policy evaluation.

Lead-in
It is important to understand the logic of remote access policy evaluation, the function of the default policy, and the interaction of multiple policies.

Slide:
   • Following Policy Evaluation Logic
   • Examining Default and Multiple Policies

                                  Remote access policies are evaluated in a specific order. Familiarity with the
                                  logic of the evaluation, the features of the default policy, and the interaction of
                                  multiple policies will help you manage effective remote access policies.



Following Policy Evaluation Logic
Topic Objective
To illustrate the logic that is used to evaluate remote access permissions, policies, and profiles.

Lead-in
Remote access policies work together with user properties to create a robust model for granting remote access to users and groups.

[Flowchart: Routing and Remote Access matches the conditions of the policy to the characteristics of the connection (No: Deny; Yes: continue). It then checks the user’s dial-in permission in Active Directory (Deny: Deny; Allow: continue; Use Remote Access Policy: the policy’s permission decides, Deny or Allow). Finally it applies the policy profile to the connection (No: Deny; Yes: Allow).]
                                  Windows 2000 evaluates a connection attempt on the basis of logic that
                                  incorporates policy conditions, user and remote access permissions, and profile
                                  settings.
                                  Remote access policies are evaluated as follows:
                                  1. Routing and Remote Access matches the conditions of the remote access
                                     policy to the characteristics of the attempted connection:
                                     • If there is no policy that contains a set of conditions that matches the
                                       characteristics of the connection, access is denied.
                                     • If there is a match between the policy and the characteristics of the
                                       connection, the dial-in permissions of the user account are checked, and
                                       the connection is then authenticated according to the profile of the
                                       remote access policy.
                                  2. Routing and Remote Access checks the user account’s dial-in permissions:
                                     • If the permission is set to Deny access, the user is denied access.
                                     • If the permission is set to Allow access, the remaining user account
                                       properties, such as Verify Caller ID and Assign a Static IP Address,
                                       are applied if enabled. Then, the profile for the policy is applied.
                                     • If the permission is set to Control access through Remote Access
                                       Policy, the policy’s permission setting (to either allow or deny access to
                                       connections that meet the policy conditions) determines user access.

                                     Note If the dial-in permission for the user account is set to Allow access,
                                     the policy permission is set to Deny access, and all other profile conditions
                                     are met, the connection will be accepted.

                                  3. Routing and Remote Access applies the settings in the policy’s profile to the
                                     incoming connection.


                       The connection may not be accepted if a setting in the profile is not satisfied by
                       the connection attempt. For example, the profile for an incoming connection may
                       specify that a group can connect only at night. If a user in that group tries to
                       connect during the day, the connection will be denied. A connection that was
                       accepted may also be disconnected at a later stage because of a setting in the
                       profile, such as a restriction on the time or duration of the connection.



Examining Default and Multiple Policies
Topic Objective
To identify additional topics that are relevant to remote access policy evaluation.

Lead-in
The default remote access policy provides a policy that will affect all users if no other policies exist.

Slide:
   Default Remote Access Policy
   • Applied to all connection attempts that do not match any other policies
   • Denies all connection attempts unless the user’s account is set to Allow access
   Multiple Policies
   • Policies are checked in order until a policy matches the connection attempt
   • Profile and user account settings are checked for the first matching remote access policy only
                                The default policy is applied to all connection attempts that do not match any
                                other policies. You must be aware of the settings of this policy and understand
                                how multiple policies interact.

                                Default Remote Access Policy
                                The default policy, called Allow access if dial-in permission is enabled, is
                                created when Routing and Remote Access is installed. This policy controls
                                access through the user’s dial-in permission. The following table describes the
                                settings of the default policy.
                                Setting                       Value

                                Conditions                    Current date/time = any day, any time
                                Permissions                   Deny access
                                Profile                       None

                                Setting the dial-in permission on every user account to Control access through
                                Remote Access Policy will result in the rejection of all connection attempts if
                                you do not change the default remote access policy. However, if you set one
                                user’s dial-in permission to Allow access, that user’s connection attempts will
                                be accepted. If you change the permission setting on the default policy to Grant
                                remote access permission, all connection attempts will be accepted.


Key Point
If no remote access policy exists (for example, if the default policy is deleted), users will not be able to gain access to the network, regardless of their individual dial-in permissions.

                                 Multiple Policies
                                 Many organizations have different remote access requirements for different
                                 groups. These organizations require multiple remote access policies. If a
                                 connection attempt does not match any of the remote access policies, the
                                 connection attempt is rejected, even when a user’s dial-in permission is set to
                                 Allow access.
                                 When a user attempts to connect, the first policy in the ordered list of remote
                                 access policies is checked. If all of the conditions of the policy do not match the
                                 connection attempt, the next policy in the ordered list is checked, until a policy
                                 matches the connection attempt.
                                 The connection attempt is then evaluated against the profile and user account
                                 settings of that policy. If the connection attempt does not match the profile or
                                 user account settings of the first remote access policy that matches the
                                 connection attempt, the connection attempt is rejected. No other policies are
                                 checked.
                                 You can modify the order of remote access policies. For example, you might
                                 want the remote access policy that applies to the majority of your users to be
                                 checked first, so that fewer connection attempts must be evaluated against more
                                 than one policy.
                                 To modify the order of remote access policies:
                                 1. In Routing and Remote Access, in the console tree, click Remote Access
                                    Policies.
                                 2. In the details pane, right-click the policy that you want to move, and then
                                    click either Move Up to move the policy up one level, or Move Down to
                                    move the policy down one level.


                                 Important Because Routing and Remote Access requires that the conditions of
                                 at least one policy be matched, if the default policy is removed and there are no
                                 other policies, all connection attempts will be rejected. In most situations, you
                                 must leave the default policy unaltered to provide access for users who are
                                 explicitly granted access through their user permissions.
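The evaluation order described above (conditions, then the account’s dial-in permission, then the profile), the default policy, and the first-match rule for multiple policies, modelled as an added example. This is Python written for this page, not code from the course or from Windows 2000; the policy names, users, addresses, times and the single profile setting (required authentication protocol) are constructed sample data, and group membership is simplified to a set of names. The example also shows the wildcard (*) matching that the conditions table later in this topic allows for IP-address conditions, and that moving a policy up or down the list can change the outcome.

```python
"""Model of Windows 2000 remote access policy evaluation (added example,
not course code). Steps: policy conditions -> account dial-in permission ->
policy profile; with several policies only the first full match is used.
All policies, users, addresses and times below are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import datetime
from fnmatch import fnmatch

# Dial-in permission values on the user account (Dial-in tab).
ALLOW = "Allow access"
DENY = "Deny access"
CONTROL = "Control access through Remote Access Policy"


@dataclass(frozen=True)
class Connection:
    user: str
    groups: frozenset
    client_ip: str
    when: datetime
    auth_protocol: str        # the strongest protocol the client can negotiate


@dataclass
class Policy:
    name: str
    conditions: dict          # attribute -> required value; ALL must match
    permission: str           # "Grant" or "Deny" remote access permission
    profile: dict = field(default_factory=dict)


def condition_matches(attr, required, conn):
    """One condition; wildcards (*) are honoured for IP-address conditions."""
    if attr == "client_ip":
        return fnmatch(conn.client_ip, required)
    if attr == "windows_group":
        return required in conn.groups
    if attr == "day_time":    # (set of weekdays, start hour, end hour)
        days, start, end = required
        return conn.when.weekday() in days and start <= conn.when.hour < end
    raise ValueError(f"unknown condition attribute {attr!r}")


def evaluate(policies, user_permission, conn):
    """Return (decision, reason) for one connection attempt."""
    for policy in policies:   # ordered list: the first full match decides
        if not all(condition_matches(a, v, conn)
                   for a, v in policy.conditions.items()):
            continue          # some condition failed: try the next policy
        # Step 2: the account's dial-in permission. Allow on the account
        # overrides Deny on the policy; Control defers to the policy.
        if user_permission == DENY:
            return "Deny", f"{policy.name}: account dial-in permission is Deny"
        if user_permission == CONTROL and policy.permission == "Deny":
            return "Deny", f"{policy.name}: policy permission is Deny"
        # Step 3: the profile, which still applies after an account Allow.
        allowed_auth = policy.profile.get("auth")
        if allowed_auth and conn.auth_protocol not in allowed_auth:
            return "Deny", f"{policy.name}: client cannot use {sorted(allowed_auth)}"
        return "Allow", f"{policy.name}: conditions, permission and profile met"
    # No policy matched: rejected even if the account says Allow access.
    return "Deny", "no policy matched the connection attempt"


# Constructed sample policies (names and values are assumptions).
WEEKDAYS = frozenset(range(5))                      # Monday to Friday
SALES_POLICY = Policy(
    name="Sales VPN",
    conditions={"day_time": (WEEKDAYS, 8, 17),      # 8 A.M. to 5 P.M.
                "client_ip": "192.168.*.*",
                "windows_group": "Sales"},
    permission="Grant",
    profile={"auth": {"MS-CHAP v2"}},
)
# The default policy: any day, any time; permission Deny; no profile.
DEFAULT_POLICY = Policy(name="Allow access if dial-in permission is enabled",
                        conditions={}, permission="Deny")
POLICIES = [SALES_POLICY, DEFAULT_POLICY]

TUESDAY_10AM = datetime(2002, 3, 12, 10, 0)        # weekday, inside the window
TUESDAY_10PM = datetime(2002, 3, 12, 22, 0)        # same day, outside it


def connect(user, groups, ip="192.168.1.20", when=TUESDAY_10AM,
            auth="MS-CHAP v2"):
    """Build a constructed connection attempt with sensible defaults."""
    return Connection(user, frozenset(groups), ip, when, auth)


def order_matters():
    """Two policies with the same condition: swapping their order flips the
    result for an account set to Control access through policy."""
    block_sales = Policy("Block Sales", {"windows_group": "Sales"}, "Deny")
    conn = connect("RemoteUser3", {"Sales"})
    first = evaluate([block_sales, SALES_POLICY], CONTROL, conn)[0]
    second = evaluate([SALES_POLICY, block_sales], CONTROL, conn)[0]
    return first, second


if __name__ == "__main__":
    for perm, conn in [(ALLOW, connect("RemoteUser1", {"Sales"})),
                       (DENY, connect("RemoteUser2", {"Sales"})),
                       (CONTROL, connect("Temp", {"Sales"}, when=TUESDAY_10PM)),
                       (ALLOW, connect("Administrator", set())),
                       (ALLOW, connect("RemoteUser1", {"Sales"}, auth="MS-CHAP"))]:
        print(conn.user, perm, "->", *evaluate(POLICIES, perm, conn))
    print("policy order [Block, Sales] vs [Sales, Block]:", order_matters())
```

Two results are worth noticing when you run it. An account set to Allow access that matches no policy but the default one is still accepted, because the account’s Allow overrides the default policy’s Deny, while an account set to Control access through Remote Access Policy in the same situation is refused. And a client that can only offer MS-CHAP (version 1) is refused by the Sales policy profile even though its account is set to Allow access, which is the profile check described above.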



Creating a Remote Access Policy
Topic Objective
To identify the topics that are relevant to the creation of a remote access policy.

Lead-in
Creating a remote access policy involves configuring the user’s dial-in settings, creating the policy, and then defining the profile.

Slide:
   • Configuring Remote Access Policy Conditions
   • Configuring Remote Access Profile Settings
                                You can create detailed rules for remote access that are as simple or as complex
                                as your organization needs. A remote access policy consists of user dial-in
                                settings, remote access policy conditions, and remote access policy settings.
                                Although you are not required to complete these settings in any particular order,
                                it is important to include all components in your planning and implementation.



Configuring Remote Access Policy Conditions
Topic Objective
To illustrate the role of policy conditions.

Lead-in
Several conditions can be added to a single policy, so that you can create highly customized access for your organization.

Slide: Examples of Connection Attempt Conditions
   Is between 8 A.M. and 5 P.M., Monday–Friday
   AND
   Is from any IP address that matches 192.168.*.*
   AND
   Is from any user in the Sales group

Key Point
Explain that Internet Authentication Service (IAS) uses several of these conditions for RADIUS support.

                                    Remote access policy conditions are attributes that are compared to the settings
                                    of a connection attempt. If there are multiple conditions in a policy, all of the
                                    conditions must match the settings of the connection attempt, or the next policy
                                    is evaluated.
                                    The following table lists some of the more common conditions that you can set
                                    for a remote access policy.
Condition name          Description                                                               Wildcard okay (*)   Used by IAS

NAS IP Address          A character string that identifies the IP address of the network          Yes                 Yes
                        access server (NAS).
Calling Station ID      A character string that identifies the telephone number that the          Yes                 No
                        caller uses. The telephone line, hardware, and hardware driver must
                        support reception of caller ID data.
Day and Time            The day of the week and the time of day of the connection attempt.        No                  No
Restrictions
Client IP Address       A character string that identifies the IP address of the RADIUS           Yes                 Yes
                        (Remote Authentication Dial-In User Service) client.
Windows Groups          The names of the Windows 2000 groups to which the user who is             No                  No
                        attempting the connection belongs. For a remote access server in a
                        domain in native mode, or for an IAS server, use universal groups.
                        There is no condition for a specific user name.


                                    Note A network access server (NAS) is a device that accepts Point-to-Point
                                    Protocol (PPP) connections and places clients on the network. For example, the
                                    network access server could be your Internet service provider (ISP) RADIUS
                                    server, a remote access server in a branch office, or the remote access server on
                                    your network.
                                                                  Module 11: Configuring Remote Access          47


Delivery Tip
Demonstrate how to create a remote access policy.

You can create a remote access policy and an associated profile under Remote
Access Policies in the console tree of Routing and Remote Access.

To add a remote access policy:

1. On the Administrative Tools menu, open Routing and Remote Access.
2. Right-click Remote Access Policies, and then click New Remote Access Policy.
3. In the Add Remote Access Policy Wizard, type the name of the policy in the Policy friendly name box, and then click Next.
4. To configure a new condition, click Add.
5. In the Select Attribute dialog box, click the attribute to add, and then click Add.
6. In the attribute dialog box (the name of this dialog box will vary according to the attribute selected), enter the information that the attribute requires, and then click OK.
7. Click Add to add another condition, or click Next to continue with the wizard.
8. To grant access to callers matching these conditions, click Grant remote access permission, or to deny access, click Deny remote access permission, and then click Next.
9. You can then modify the default profile, or click Finish to create a policy with the default profile settings. You can edit the profile settings after the policy is created.



Configuring Remote Access Profile Settings
Topic Objective
To illustrate the role of profile settings.
Lead-in
After permission has been granted to a connection attempt, the settings of the profile are applied to the connection. If there is no match, the connection is denied.

Examples of Profile Settings
   90-minute connect time
   AND
   Require IPSec encryption




*****************************ILLEGAL FOR NON-TRAINER USE******************************
The remote access profile specifies what kind of access the user will be given if
the conditions match. Access will be granted only if the connection attempt
does not conflict with the settings of the user account or the profile. You can
configure a profile in the Edit Dial-in Profile dialog box by clicking Edit
Profile in the Properties dialog box for a policy. The following settings are
some of the more popular settings that you can configure in the Properties
dialog box:

• Dial-in Constraints. You can use these settings to determine the amount of idle time before disconnection; the maximum session time; and the days, times, telephone numbers, and allowed media types, such as ISDN and virtual private network (VPN).
• IP. You can configure client IP address assignment and TCP/IP packet filtering on this tab. You can define separate filters for inbound or outbound packets.
• Authentication. You can use these settings to define the authentication protocols that are allowed for connections that use this policy. Make sure that any protocols that you select are also enabled in the Properties dialog box for the server.
• Encryption. You can use this tab to specify the types of encryption that are prohibited, allowed, or required.



Lab B: Configuring Remote Access Policy
Topic Objective
To introduce the lab.
Lead-in
In this lab, you will configure remote access policies for the remote access server you created in the preceding lab.





Key Points
The lab does not reflect the real-world environment. It is recommended that you always use complex passwords for any administrator accounts, and never create accounts without a password.

Outside of the classroom environment, it is strongly advised that you use the most recent software updates that are necessary. Because this is a classroom environment, we may use software that does not include the latest updates.

Objectives
After completing this lab, you will be able to:
• Create a remote access policy.
• Create a remote access profile.

Prerequisites
Before working on this lab, you must have:
• Familiarity with remote access policy and profile concepts.
• Completed Module 11 Lab A.

Scenario
Your company needs to have control over which employees have access to its network remotely, and it also needs more control over how and when those employees connect to the network. To accomplish this, you are going to configure remote access policies to control access to your network.

In this lab, you will configure remote access policies. You will create a remote access policy for a group created in Lab A, and configure access by using that policy.

Estimated time to complete this lab: 15 minutes

Important Outside of the classroom environment, it is strongly advised that you use the most recent software updates that are necessary. Because this is a classroom environment, we may use software that does not include the latest updates.


     Lab Setup
      Tasks                               Detailed steps

      •    Log on to your domain as        a.    Press CTRL+ALT+DEL to open the logon screen.
           Administrator with a            b.    In the User Name box, type Administrator
           password of password.
                                           c.    In the Password box, type password
                                           d.    In the Domain box, ensure that your domain is listed.
                                           e.    Click OK.


                            Important This Lab does not reflect the real-world environment. It is
                            recommended that you always use complex passwords for any user or
                            administrator accounts, and never create accounts without a password.


Exercise 1
Configuring Remote Access Policies
In this exercise, you will create two remote access policies that grant access to members of the
group created in Lab A. The first will have the minimum encryption setting for the group accessing the
server during office hours, and the second will have the maximum encryption setting for the same group
accessing the server out of hours.


Scenario
Northwind Traders has implemented remote access servers for the sales force, to allow for secure
access to the company network from the Internet. As the administrator for the remote access servers
on your network, you need to implement remote access policies that grant access to the sales group
and deny access to everyone else. When connecting during office hours, the sales group requires
minimum encryption, but out of hours, the maximum encryption will be needed.


  Tasks                               Detailed steps

  1.   Use Routing and Remote         a.   Open Routing and Remote Access from the Administrative Tools
       Access to add a new policy          menu.
       called Allow RemoteGroup       b.   In the console tree, expand server (where server is the name of your
       access, which allows access         computer), right-click Remote Access Policies, point to New, and then
       to users in the RemoteGroup         click Remote Access Policy.
       group, between the hours of
       8AM to 5PM. This policy        c.   In the Add Remote Access Policy Wizard, on the Policy Name page,
       will also ensure that the           type Allow RemoteGroup access and click Next.
       connection will have a         d.   On the Conditions page, click Add, and in the Select Attribute dialog
       minimum encryption                  box, click Windows-Groups, and then click Add.
       setting. Make sure that this   e.   In the Groups dialog box, click Add.
       policy is evaluated before
       the default policy.            f.   In the Select Groups dialog box, in the Look in list, click your
                                           domain.
                                      g.   In the Select Groups dialog box, under Name, click RemoteGroup,
                                           click Add, and then click OK.
                                      h.   In the Groups dialog box, click OK.
                                      i.   On the Conditions page, click Add, and in the Select Attribute dialog
                                            box, click Day-And-Time-Restrictions, and then click Add.
                                      j.   Use the dialog box to allow connections Monday to Friday, 8AM to
                                           5PM, and then click OK.
                                      k.   On the Conditions page, click Next.
                                      l.   On the Permissions page, click Grant remote access permission, and
                                           then click Next.
                                      m. On the User Profile page, click Edit Profile, on the Encryption tab
                                           make sure that only No Encryption is selected, then click OK, and
                                           then click Finish.
                                      n.   In Routing and Remote Access, in the console tree, click Remote
                                           Access Policies, and in the details pane, right-click Allow
                                           RemoteGroup access, and then click Move Up.
                                      o.   Minimize Routing and Remote Access.




             Why did you choose to move the new policy above the default policy?

              When a user attempts to access the remote access server, the remote access policies are evaluated
              in order. The default policy is set to deny access to any user at any time of day. Therefore, even
              the sales users will meet the conditions of the default policy before the new one is evaluated, and
              will be denied access.




     2.    Create a second remote           a.   Restore Routing and Remote Access.
           access policy to apply the       b.   In the console tree, expand server (where server is the name of your
           highest encryption settings           computer), right-click Remote Access Policies, and then click New
            outside office hours for the          Remote Access Policy.
           RemoteGroup. Make sure
           that this policy is evaluated    c.   In the Add Remote Access Policy Wizard, on the Policy Name page,
           after the Allow                       type Allow RemoteGroup secure access and click Next.
           RemoteGroup access policy,       d.   On the Conditions page, click Add, and in the Select Attribute dialog
           but before the default policy.        box, click Windows-Groups, and then click Add.
                                            e.   In the Groups dialog box, click Add.
                                            f.   In the Select Groups dialog box, in the Look in list, click your
                                                 domain.
                                            g.   In the Select Groups dialog box, under Name, click RemoteGroup,
                                                 click Add, and then click OK.
                                            h.   In the Groups dialog box, click OK.
                                            i.   On the Conditions page, click Add, and in the Select Attribute dialog
                                                 box, click Day-And-Time-Restrictions, and then click Add.
                                             j.   Use the dialog box to allow connections Sunday to Saturday, 24 hours,
                                                 and then click OK.
                                            k.   On the Conditions page, click Next.
                                            l.   On the Permissions page, click Grant remote access permission, and
                                                 then click Next.
                                            m. On the User Profile page, click Edit Profile, on the Encryption tab
                                                 make sure that only Strongest is selected, then click OK, and then
                                                 click Finish.
                                            n.   In Routing and Remote Access, in the console tree, click Remote
                                                 Access Policies, and in the details pane, right-click Allow
                                                 RemoteGroup secure access, and then click Move Up once, to make
                                                 it the second remote access policy in the list.
                                            o.   Minimize Routing and Remote Access.
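The evaluation order described in the conditions table, the profile settings topic, and the Exercise 1 question above can be seen end to end in the following simulation. It is an added example, not code from the Microsoft course or from Routing and Remote Access itself: the policy names, the RemoteGroup group, the hours and the Encryption tab settings are those of Exercise 1, while the dataclasses, the helper names, the ALLOW_OFFICE/ALLOW_SECURE/DEFAULT_DENY constants and the connection attempts are constructed for the example. It also models the wildcard matching that the table allows for NAS IP Address and Calling Station ID, which goes beyond what Exercise 1 configures.

```python
# Added example (not from the Microsoft course): simulation of how Routing and
# Remote Access evaluates remote access policies. Policies are tried in order;
# the first policy whose conditions all match decides; on a grant, its profile
# is applied and the connection is denied if the attempt conflicts with it.
from dataclasses import dataclass
from datetime import datetime
from fnmatch import fnmatchcase
from typing import Callable, FrozenSet, List, Optional, Tuple

Condition = Callable[["Attempt"], bool]


@dataclass(frozen=True)
class Attempt:
    """Settings of one connection attempt (constructed test input)."""
    user: str
    groups: FrozenSet[str]
    nas_ip: str
    calling_station_id: str
    when: datetime
    encryption: str   # level the client negotiates: No Encryption / Basic / Strong / Strongest


@dataclass(frozen=True)
class Policy:
    """A remote access policy: its conditions, permission and Encryption tab."""
    name: str
    conditions: Tuple[Condition, ...]
    grant: bool                          # Grant / Deny remote access permission
    allowed_encryption: FrozenSet[str]   # levels checked on the profile's Encryption tab

    def matches(self, a: "Attempt") -> bool:
        # Every condition must match, or the next policy is evaluated.
        return all(c(a) for c in self.conditions)


# Condition builders named after the conditions in the table above.
def windows_groups(*names: str) -> Condition:
    wanted = frozenset(names)
    return lambda a: bool(a.groups & wanted)


def nas_ip_address(pattern: str) -> Condition:        # wildcard (*) permitted
    return lambda a: fnmatchcase(a.nas_ip, pattern)


def calling_station_id(pattern: str) -> Condition:    # wildcard (*) permitted
    return lambda a: fnmatchcase(a.calling_station_id, pattern)


def day_and_time(days: FrozenSet[int], start_hour: int, end_hour: int) -> Condition:
    # days use datetime.weekday(): 0 = Monday ... 6 = Sunday; hours are [start, end)
    return lambda a: a.when.weekday() in days and start_hour <= a.when.hour < end_hour


def evaluate(policies: List[Policy], a: Attempt) -> Tuple[str, Optional[str], str]:
    """Return (decision, name of the deciding policy, reason)."""
    for p in policies:
        if not p.matches(a):
            continue                     # conditions did not match: try the next policy
        if not p.grant:
            return ("deny", p.name, "policy denies remote access permission")
        if a.encryption not in p.allowed_encryption:
            # Permission was granted, but the profile conflicts with the attempt:
            # the connection is denied rather than passed to the next policy.
            return ("deny", p.name, f"profile does not allow '{a.encryption}' encryption")
        return ("grant", p.name, "conditions matched and profile applied")
    return ("deny", None, "no policy matched")


# The policies built in Lab B, Exercise 1.
WEEKDAYS = frozenset(range(5))
ALL_WEEK = frozenset(range(7))
ALLOW_OFFICE = Policy("Allow RemoteGroup access",
                      (windows_groups("RemoteGroup"), day_and_time(WEEKDAYS, 8, 17)),
                      grant=True, allowed_encryption=frozenset({"No Encryption"}))
ALLOW_SECURE = Policy("Allow RemoteGroup secure access",
                      (windows_groups("RemoteGroup"), day_and_time(ALL_WEEK, 0, 24)),
                      grant=True, allowed_encryption=frozenset({"Strongest"}))
# The default policy as the lab describes it: matches any user at any time and denies.
DEFAULT_DENY = Policy("Default policy", (day_and_time(ALL_WEEK, 0, 24),),
                      grant=False, allowed_encryption=frozenset())

CORRECT_ORDER = [ALLOW_OFFICE, ALLOW_SECURE, DEFAULT_DENY]   # after the Move Up steps
WRONG_ORDER = [DEFAULT_DENY, ALLOW_OFFICE, ALLOW_SECURE]     # default policy left first

OFFICE = datetime(2000, 3, 7, 10, 0)    # a Tuesday, 10:00 (constructed)
NIGHT = datetime(2000, 3, 11, 22, 0)    # a Saturday, 22:00 (constructed)


def attempt(when: datetime, encryption: str, member: bool = True) -> Attempt:
    """Constructed attempt from a user dialing the lab server; values are sample data."""
    groups = frozenset({"RemoteGroup"}) if member else frozenset()
    return Attempt("RemoteUser1", groups, "10.0.0.1", "5550100", when, encryption)


if __name__ == "__main__":
    for order, label in ((CORRECT_ORDER, "correct order"), (WRONG_ORDER, "default first")):
        print(label)
        for a in (attempt(OFFICE, "No Encryption"), attempt(OFFICE, "Strongest"),
                  attempt(NIGHT, "Strongest"), attempt(NIGHT, "No Encryption"),
                  attempt(OFFICE, "No Encryption", member=False)):
            print("  ", a.when.strftime("%a %H:%M"), a.encryption, "->", evaluate(order, a))
```

Running the block prints the decision for each attempt under both orderings. With the default policy first, even a RemoteGroup member during office hours is denied, which is the answer to the question above. Note also the office-hours attempt that negotiates Strongest: it matches "Allow RemoteGroup access" and is refused by that policy's profile rather than falling through to the secure policy, which is the behaviour the profile settings topic describes (if the profile does not match, the connection is denied).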


Exercise 2
Configuring User Dial-in Permissions To Be Controlled Through
Remote Access Policies
In this exercise, you will set the test users to use remote access policies to control the dial-in
permissions.


Scenario
Northwind Traders wishes to implement remote access servers for the sales force, to allow for
secure access to the company network from the Internet. As the administrator for the remote access
servers on your network, you need to configure the appropriate users to have their access
permissions controlled through a remote access policy.


  Tasks                                Detailed steps

  •   Configure the dial-in            a.   Open Active Directory Users and Computers, and then open the
      permissions for                       Properties dialog box for RemoteUser1.
      RemoteUser1 and                  b.   On the Dial-in tab, click Control access through Remote Access
      RemoteUser2 to have access            Policy, and then click OK.
      controlled through the
      remote access policy.            c.   Complete steps a and b for RemoteUser2.
                                       d.   Close all open windows and log off.

        Note: The domain controllers must be running in native mode for the Control access through Remote
        Access Policy option to be available on the Dial-in tab.



Configuring the Remote Access Client
Topic Objective
To identify the types of outbound connections that are configured in Windows 2000.
Lead-in
There are four general types of outbound connections that you configure in Windows 2000. Any outbound connection can be configured quickly and easily through the Network Connection Wizard.

   Creating a Dial-up Connection
   Creating a Virtual Private Network Connection
   Examining the Properties of a Connection




Outbound connections are connections made from a client to a server. Although it is possible for a computer running Windows 2000 Server to be a client, clients are typically computers running Windows 2000 Professional.

There are two basic types of outbound connections:
• Dial-up connections, which include:
   • Connections to a private network or server. This can include connections to a stand-alone computer in someone's home or a modem pool in a corporate intranet.
   • Connections to an ISP.
• Connections to a VPN.

You configure all outbound connections in Windows 2000 by using the Network Connection Wizard. The wizard automates much of the work of configuring protocols and services. Understanding the options in the wizard will help you configure connections efficiently.



Creating a Dial-up Connection
Topic Objective
To illustrate two types of dial-up connections.
Lead-in
You can use the Network Connection Wizard to create and configure an outbound dial-up connection.

Slide: Network Connection Wizard, Network Connection Type page ("You can choose the type of network connection..."): Dial-up to private network (Connect using my phone line (modem or ISDN)) and Dial-up to the Internet (Connect to the Internet using my phone line (modem or ISDN)). Diagram: Client to Remote access server; Client to ISP server to Internet.
Delivery Tip
Demonstrate how to create these connections with the wizard.

Key Point
Explain the difference between sharing the connection and providing shared access. The first option relates to the connection icon, and the second option refers to the resources that the connection accesses.

You can use the Network Connection Wizard to create and configure an outbound dial-up connection either to a private network or to an ISP.

To create a new outbound connection:

1. Click Start, point to Settings, and then click Network and Dial-up Connections.
2. In Network and Dial-up Connections, double-click Make New Connection.
3. In the Network Connection Wizard, click Next, and then click either Dial-up to private network or Dial-up to the Internet.
4. Do one of the following:
   • If you clicked Dial-up to private network, type the telephone number of the computer to which you are connecting. This may be an ISP for an Internet connection or the modem connected to your private network's remote access server.
   • If you clicked Dial-up to the Internet, the Internet Connection Wizard will start. Complete this wizard to create the connection.
5. If you want this connection to be made available to all users of this computer, click For all users, and then click Next. If you want to reserve the connection for yourself, click Only for myself, and then click Next.
6. If you clicked Only for myself in step 5, proceed to step 7. If you clicked For all users, and you want to enable other computers to gain access to external resources through this dial-up connection, select the Enable Internet Connection Sharing for this connection check box.
7. By default, selecting shared access also enables on-demand dialing. If you want to prevent other computers from automatically dialing this connection, clear the Enable on-demand dialing check box, and then click Next.
8. Type a name for the connection, and then click Finish.



Creating a Virtual Private Network Connection
Topic Objective
To illustrate the concept of a VPN.
Lead-in
You can use the Network Connection Wizard to create a connection to a VPN, by specifying the initial connection and the host name or address of the VPN server.

Diagram: VPN remote access client, tunnel across the Internet to the Internet adapter of a Windows 2000 VPN server, whose intranet adapter connects to the corporate intranet.
Key Point
Explain that an initial connection icon must already exist.

You can also use the Network Connection Wizard to create a connection to a VPN. To create a new VPN connection:

1. In Network and Dial-up Connections, double-click Make New Connection.
2. In the Network Connection Wizard, select Connect to a private network through the Internet, click Next, and then do one of the following:
   • If you must establish a connection with your ISP or some other network before connecting to the VPN, click Automatically dial this initial connection, click a connection in the list, and then click Next.
   • If you do not want to establish an initial connection automatically, click Do not dial the initial connection, and then click Next.
3. Type the host name or IP address of the computer to which you are connecting, and then click Next.
4. If you want this connection to be made available to all users of this computer, click For all users, and then click Next. If you want to reserve the connection for yourself, click Only for myself, and then click Next.
5. If you selected Only for myself in step 4, proceed to step 7. If you selected For all users and you want to enable other computers to gain access to external resources through this dial-up connection, select the Enable Internet Connection Sharing for this connection check box.

   Note If you want to use this VPN to log on, you must choose For all users.

6. By default, selecting shared access also enables on-demand dialing. If you want to prevent other computers from automatically dialing this connection, clear the Enable on-demand dialing check box, and then click Next.
7. Type a name for the connection, and then click Finish.



Examining the Properties of a Connection
Topic Objective
To introduce the settings available for a connection, and how to modify them.
Lead-in
You can change the settings of a connection by modifying the connection's properties.




                               You can change the settings of a VPN or dial-up connection by modifying its
                               properties. Settings, such as the IP Address of the VPN server, security options,
                               and which security protocols to use are defined for each connection. Modifying
                               these connection settings does not modify or affect the settings of other
                               connections. For example, you may have a VPN connection that requires data
                               encryption for all traffic between the VPN client and server. You may also have
                               a second connection that does not require any encryption. The security settings
                               of the first connection never cause the second connection to challenge the VPN
                               server for encryption.
                               You can modify connection settings when you are connected. However, the
                               connection may need to be reconnected in order to save the changes. If this
                               happens, the connection is disconnected, the changes are stored, and the
                               connection is immediately reconnected.
                               Each connection is configured with general settings that are the minimum
                               information needed to successfully connect. These options are found on the
                               General tab of the Properties dialog box for that connection. For example, a
                               VPN connection includes information such as the IP Address of the VPN
                               server, and whether or not to dial a dial-up connection first.
                               You can set additional configuration options on the Options, Security,
                               Networking, and Sharing tabs.
                               To configure advanced security settings, click Settings after clicking the
                               Advanced (custom settings) option on the Security tab. By modifying these
                               settings, you can choose which data encryption and logon settings the specific
                               connection can use.

                               Note Changes to some networking options of a connection can affect other
                               connections. For example, if you add the IPX/SPX protocol to the list of
                               available network components for one connection, the IPX/SPX protocol is not
                               enabled, but is available to other connections on the same computer.



Best Practices
Topic Objective
To highlight some best practices when managing remote access.
Lead-in
Here we address some best practices for managing remote access.

   Only Install the Protocols That You Need
   Use DHCP to Obtain an IP Address
   Use Strong Authentication
   Use Strong Encryption
   Avoid Different Remote Access Policies for the Same User
   Create Multiple Connections by Copying
Only install the protocols that you need.
Limiting the number of protocols on your computer enhances network performance and reduces network traffic.

Use DHCP to obtain IP addresses.
If you have a DHCP server, configure the Remote Access server to use DHCP to obtain IP addresses for clients. This reduces the need for an administrator to allocate and distribute the IP configuration necessary for connection to individual users or computers. If you do not have a DHCP server, configure the VPN server with a static IP address pool that is a subset of addresses for the subnet to which the VPN server is attached.

Use strong authentication.
Use strong passwords more than 8 characters long that contain a mixture of uppercase and lowercase letters, numbers, and permitted punctuation. Do not use passwords based on names or words. Strong passwords are more resistant to a dictionary attack, in which an unauthorized user attempts to crack a password by sending a series of commonly used names and words.
If you are using MS-CHAP, use MS-CHAP version 2. You can obtain the latest MS-CHAP updates for Windows NT version 4.0, Windows 98, and Windows 95 VPN clients from Microsoft.

Use strong encryption.
Use the strongest level of encryption that your situation allows. You can set the encryption level by using a remote access policy profile. Using the strongest allowable encryption makes any vulnerable data more difficult for unauthorized personnel to decipher.

Avoid different remote access policies for the same user.
If a user dials in by using a multilink connection, all connections beyond the first are connected by using the remote access policy that matched the first connection. If more than one policy applies to the same user, it can be difficult to troubleshoot any connection problems that the user may have, and it also increases the possibility of a particular user or computer having the incorrect encryption settings.

Create multiple connections by copying them in the Network and Dial-up Connections folder.
After you copy the connections, you can rename them and modify the connection settings. By doing so, you can easily create different connections to accommodate multiple modems, dialing profiles, and so on.
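The "Use strong authentication" practice above lists concrete password rules. The following checker is an added example, not part of the Microsoft course material: it applies those rules (more than 8 characters, a mix of uppercase, lowercase, digits and punctuation, and no name or dictionary word) to a candidate password and reports every rule it breaks. The word list is a small constructed sample; a real check would use a full dictionary and name list.

```python
"""Password rule check following the module's Best Practices notes.

Added example, not course code.  The rules come from the "Use strong
authentication" note; SAMPLE_WORDLIST is a constructed stand-in for the
names and words a dictionary attack tries first.
"""
import string

# Constructed sample of names and common words; a real list is far larger.
SAMPLE_WORDLIST = frozenset({
    "password", "northwind", "administrator", "summer",
    "letmein", "welcome", "remote", "january",
})

MIN_LENGTH = 9  # "more than 8 characters long"


def password_problems(candidate, wordlist=SAMPLE_WORDLIST):
    """Return the list of rules the candidate breaks; empty means it passes."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than 9 characters")
    if not any(c.isupper() for c in candidate):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in candidate):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in candidate):
        problems.append("no digit")
    if not any(c in string.punctuation for c in candidate):
        problems.append("no punctuation")
    # "Do not use passwords based on names or words": a listed word anywhere
    # in the password (case-insensitive) counts as basing the password on it.
    lowered = candidate.lower()
    for word in sorted(wordlist):
        if word in lowered:
            problems.append(f"contains dictionary word '{word}'")
    return problems


def is_strong(candidate, wordlist=SAMPLE_WORDLIST):
    """True when the candidate satisfies every rule in the best-practice note."""
    return not password_problems(candidate, wordlist)


if __name__ == "__main__":
    for sample in ("password", "Northwind2024!", "Tr4vel!Q9zLm"):
        print(f"{sample!r}: {password_problems(sample) or 'OK'}")
```

The lab's own `password` fails five of the six rules, which is the point the "Important" notes in Lab C make about classroom accounts.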

Lab C: Connecting to RAS

Topic Objective
To introduce the lab.

Lead-in
In this lab, you will use an outbound connection to connect to and test your remote access server.

Key Points
The lab does not reflect the real-world environment. It is recommended that you always use complex passwords for any administrator accounts, and never create accounts without a password. Outside of the classroom environment, it is strongly advised that you use the most recent software updates that are necessary. Because this is a classroom environment, we may use software that does not include the latest updates.

Objectives
After completing this lab, you will be able to:
• Configure and test an outgoing VPN connection by using the Network Connection Wizard.

Prerequisites
Before working on this lab, you must:
• Be familiar with remote access concepts and VPN concepts.
• Have completed module 11 Labs A and B.

Estimated time to complete this lab: 15 minutes

Important Outside of the classroom environment, it is strongly advised that you use the most recent software updates that are necessary. Because this is a classroom environment, we may use software that does not include the latest updates.

Lab Setup

• Log on to your domain as Administrator with a password of password.
  a. Press CTRL+ALT+DEL to open the logon screen.
  b. In the User Name box, type Administrator
  c. In the Password box, type password
  d. In the Domain box, ensure that your domain is listed.
  e. Click OK.

Important This Lab does not reflect the real-world environment. It is recommended that you always use complex passwords for any user or administrator accounts, and never create accounts without a password.


Exercise 1
Testing Outbound VPN Connections
In this exercise, you will create and test a VPN connection.

Scenario
To verify that remote access works for the traveling users, you need to connect to the remote access server that you have installed and configured.

1. Use the Network Connection wizard to configure a VPN connection to your remote access server.
   Area Code: Location area code.
   Network Connection Type: Connect to a private network through the Internet.
   Destination Address: Your IP Address
   Connection Availability page: Only for myself.
   a. Right-click My Network Places, and then click Properties.
   b. In Network and Dial-up Connections, double-click Make New Connection.
   c. If prompted, on the Location Information page, type an area code, click OK, and then click OK to close the Phone And Modem Options dialog box.
   d. In the Network Connection Wizard, click Next.
   e. On the Network Connection Type page, click Connect to a private network through the Internet, and then click Next.
   f. On the Destination Address page, type your IP address, and then click Next.
   g. On the Connection Availability page, click Only for myself, click Next, and then click Finish.

2. Initiate a connection to your partner’s computer, logging on as Administrator.
   a. In the Connect Virtual Private Connection dialog box, verify that the user name is Administrator, and in the Password box, type password and then click Connect.
      After connecting to your computer, a message appears indicating that Virtual Private Connection is connected. Notice that there is an icon in the system tray representing the new connection.
   b. Click OK to close the Connection Complete message box.
   c. Close Network and Dial-up Connections.

3. Use the Ipconfig utility to verify that you have established a VPN connection and received an IP address for that connection.
   a. At a command prompt, type ipconfig and then press ENTER.
      Notice that there are three network adapters: the Ethernet adapter Local Area Connection, the PPP adapter RAS Server (Dial in) interface, and the PPP adapter Virtual Private Connection. The IP address for the VPN connection was assigned from the static address pool on your computer.
   b. Close the command prompt window.

4. Close the connection.
   a. In the system tray, double-click the Connection icon.
   b. In the Virtual Private Connection Status dialog box, click Disconnect.
   c. Close all open windows.


Exercise 2
Testing Remote Access Policies
In this exercise, you will test a remote access policy that grants access to members of the test group.

Scenario
Northwind Traders has implemented remote access servers with appropriate remote access policies for the sales force, to allow for secure access to the company network from the Internet. As the administrator for the remote access servers on your network, you need to test the remote access policies.

1. Test your remote access policy configuration by dialing in to your computer by using an account that you added to the RemoteGroup, and then close the connection.
   a. Right-click My Network Places, and then click Properties.
   b. In Network and Dial-up Connections, double-click Make New Connection.
   c. If prompted, on the Location Information page, type an area code, click OK, and then click OK to close the Phone And Modem Options dialog box.
   d. In the Network Connection Wizard, click Next.
   e. On the Network Connection Type page, click Connect to a private network through the Internet, and then click Next.
   f. On the Public Network page, select Do not dial the initial connection, and then click Next.
   g. On the Destination Address page, type your IP address, and then click Next.
   h. On the Connection Availability page, click Only for myself, click Next, and then click Finish.
   i. On the Connect Virtual Private Connection 2 page, click Properties.
   j. On the Security tab, clear the Require data encryption (disconnect if none) check box, and then click OK.
   k. In the User Name box, type RemoteUser1 with a password of password, and then click Connect.
   l. Click OK to close the Connection Complete message, and then disconnect the VPN connection.

   What enabled the RemoteUser account to be able to access your computer using the VPN connection? Why did you have to change the properties on the connection?

   In Lab B, on the RemoteUser1 user properties, Dial-in properties tab, you enabled the option Control access through remote access policy. You also created a remote access policy that allowed the RemoteGroup access to your server with no encryption, between the hours of 8AM to 5PM. That remote access policy was then configured to be evaluated first.




2. Configure the order of the remote access policies so that the default policy is evaluated first.
   a. Open Routing and Remote Access.
   b. In the console tree, click Remote Access Policies, and in the details pane, right-click the default remote access policy, and then click Move Up twice.
   c. Minimize Routing and Remote Access.

3. Test your dial-in configuration by dialing in to your computer.
   a. In Network and Dial-Up Connections, double-click Virtual Private Connection, and then connect as RemoteUser1 with a password of password.
   b. In the “Error Connecting to Virtual Private Connection” message, click Cancel.

   Why was RemoteUser1 denied access using the VPN connection?

   You moved the default access policy to be evaluated first, and this policy only allows users configured with the option Allow Access to access the server; therefore RemoteUser1 is denied access.

4. Configure the user dial-in properties of RemoteUser1 to allow access.
   a. Open Active Directory Users and Computers.
   b. Open the Properties dialog box for RemoteUser1.
   c. On the Dial-in tab, click Allow access, and then click OK.
   d. Close Active Directory Users and Computers.

5. Test your dial-in configuration by dialing in to your partner’s computer.
   a. In Network and Dial-Up Connections, double-click Virtual Private Connection, and then connect as RemoteUser1 with a password of password.
   b. Click OK to close the Connection Complete message, and then disconnect the VPN connection.

   Why was RemoteUser1 allowed access using the VPN connection?

   On the Dial-in properties tab of RemoteUser1, you configured the option Allow access. After you made that change, the default remote access policy (which states allow access if the user account has Allow access enabled) became true.


Exercise 3
Disabling Routing and Remote Access
In this exercise, you will disable Routing and Remote Access on your server and then log off.

Scenario
One of your remote access servers is going to be replaced. You need to disable Routing and Remote Access for the server before taking the server offline.

1. Remove the remote access policy that you added in the previous exercise.
   a. Restore Routing and Remote Access.
   b. In the console tree, click Remote Access Policies.
   c. In the details pane, right-click Allow RemoteGroup access, and then click Delete.
   d. In the Delete Policy box, click Yes.

2. Use Routing and Remote Access to disable the service on your computer, close all open windows, and then log off.
   a. Right-click server (where server is the name of your computer), and then click Disable Routing and Remote Access.
   b. In the Routing and Remote Access dialog box, click Yes.
   c. Close all open windows, and then log off.



Review

Topic Objective
To reinforce module objectives by reviewing key points.

Lead-in
The review questions cover some of the key concepts taught in the module.

Overview of Remote Access in Windows 2000
Configuring the Remote Access Server
Configuring Authentication Protocols
Configuring Encryption Protocols
Configuring Routing and Remote Access for DHCP Integration
Examining Remote Access Policies
Examining Remote Access Policy Evaluation
Creating a Remote Access Policy
Configuring the Remote Access Client
Best Practices

1. What are the advantages of using L2TP instead of using PPTP?
   L2TP supports more types of internetworks, supports header compression, and works with IPSec for encryption.

2. In the Network Connection Wizard, you must configure two settings that are related to sharing the connection and its associated resources. Describe the difference between these two settings.
   One setting enables shared access to the connection. The other setting enables other computers to access resources through this port by sharing the connection after it is established.

3. People in your organization use a variety of operating systems to connect to your network by remote access. You want a remote access authentication protocol that is very secure but will allow all of your client operating systems to connect. What is the best authentication protocol to select?
   CHAP. This protocol works with a variety of operating systems and uses industry-standard MD5 encryption to keep passwords secure.



4. You are configuring a remote access server for your organization, and you
   want to ensure that the users who are using the remote access server receive
   only specified IP addresses, and that these addresses are always available to
   the remote access server. How can you do this?
   Configure the remote access server to assign IP addresses from a range
   of IP addresses. By doing this, remote access users will not use an IP
   address from DHCP and will use a known range of addresses.



5. Your organization’s help desk has received a call from a user who is dialing
   in to your network by using remote access. The user connects successfully,
   but is unable to access any resources on the network. You ask the user to
   use the Ipconfig command to verify the IP address for the connection, and
   the user reports that she has an IP address of 169.254.5.23. What is a likely
   cause of this problem? Why?
   A DHCP server is unavailable, so the remote access server is allocating
   IP addresses by using Automatic Private IP Addressing. Because these
   addresses do not work with the IP addresses on your network, the user
   is unable to access resources on the network.
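Exercise 1 step 3 and review question 5 both come down to reading the VPN adapter's address out of `ipconfig` output: an address from the server's static pool means the connection is healthy, while a 169.254.x.x address means the server fell back to Automatic Private IP Addressing because no DHCP lease was available. The script below is an added example, not part of the course material; it parses constructed sample output in the layout `ipconfig` prints and classifies the Virtual Private Connection address. The static pool 192.168.1.200/29 is an assumed lab value, not one the module states.

```python
"""Parse Windows ipconfig output and classify the VPN adapter's address.

Added example, not course code.  SAMPLE_OK and SAMPLE_APIPA are constructed
sample output; STATIC_POOL is an assumed value for the pool configured on
the remote access server in Lab A.
"""
import ipaddress
import re

# Assumed static address pool on the remote access server (a subset of the
# 192.168.1.0/24 subnet the server is attached to, as the Best Practices advise).
STATIC_POOL = [ipaddress.ip_network("192.168.1.200/29")]
# Range Windows uses for Automatic Private IP Addressing.
APIPA_NET = ipaddress.ip_network("169.254.0.0/16")

ADAPTER_RE = re.compile(r"^(?P<kind>Ethernet|PPP) adapter (?P<name>.+):\s*$")
IP_RE = re.compile(r"^\s+IP Address[ .]*:\s*(?P<ip>\d+\.\d+\.\d+\.\d+)\s*$")

# Constructed sample: healthy VPN session with an address from the static pool.
SAMPLE_OK = """\
Windows 2000 IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.1.10
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1

PPP adapter RAS Server (Dial In) Interface:

        IP Address. . . . . . . . . . . . : 192.168.1.200
        Subnet Mask . . . . . . . . . . . : 255.255.255.255

PPP adapter Virtual Private Connection:

        IP Address. . . . . . . . . . . . : 192.168.1.201
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . : 192.168.1.201
"""

# Constructed sample: the help-desk case in review question 5.
SAMPLE_APIPA = SAMPLE_OK.replace("192.168.1.201", "169.254.5.23")


def parse_ipconfig(text):
    """Map adapter name -> {'kind': 'Ethernet' or 'PPP', 'ips': [IPv4Address, ...]}."""
    adapters = {}
    current = None
    for line in text.splitlines():
        header = ADAPTER_RE.match(line)
        if header:
            current = header.group("name")
            adapters[current] = {"kind": header.group("kind"), "ips": []}
            continue
        addr = IP_RE.match(line)
        if addr and current is not None:
            adapters[current]["ips"].append(ipaddress.ip_address(addr.group("ip")))
    return adapters


def classify(addr, static_pool=STATIC_POOL):
    """'apipa': no DHCP lease was available; 'static-pool': the expected lab result."""
    if addr in APIPA_NET:
        return "apipa"
    if any(addr in net for net in static_pool):
        return "static-pool"
    return "other"


def diagnose_vpn(text, static_pool=STATIC_POOL):
    """Return (status, address) for the client's Virtual Private Connection adapter."""
    for name, info in parse_ipconfig(text).items():
        if info["kind"] == "PPP" and "Virtual Private" in name and info["ips"]:
            addr = info["ips"][0]
            return classify(addr, static_pool), str(addr)
    return "not-connected", None


if __name__ == "__main__":
    for label, sample in (("lab", SAMPLE_OK), ("question 5", SAMPLE_APIPA)):
        print(label, diagnose_vpn(sample))
```

An `apipa` result points the help desk at the DHCP server (or at the server's static pool configuration) rather than at the user's credentials, which is the distinction question 5 asks for.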



6. What are the three components of a remote access policy?
   The three components of a remote access policy are its conditions,
   permissions, and profile.



7. You have been receiving many support requests from users who cannot
   connect to your remote access servers because all available lines are busy.
   You monitor the incoming lines, and notice that many people connect and
   remain connected for many hours, even though they do not transmit or
   receive any data. How can you reduce the time that users stay connected
   while idle?
   Create a remote access policy and specify in the conditions the busy
   times of the day for remote access. Next, configure the profile associated
   with that policy so that users are disconnected after 30 minutes of idle
   time.


8. Users are attempting to connect to your remote access server, but are
   receiving a message that they do not have dial-in permissions. You look up
   their accounts in Active Directory Users and Computers and verify that they
   do have dial-in permissions. What could be causing the problem?
   There are no remote access policies available. You must have at least
   one remote access policy to enable users to connect.
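Lab C Exercise 2 and review questions 6 through 8 describe the same evaluation order: policies are tried in the order they appear, the first policy whose conditions match is the one that decides, the account's dial-in setting of Allow access or Deny access overrides the policy's permission while Control access through Remote Access Policy defers to it, and the matching policy's profile (encryption, idle timeout) is applied last; with no policy at all, or no matching policy, the connection is rejected. The simulation below is an added example, not course code: it models those three components (conditions, permission, profile) and replays the Exercise 2 scenarios, including why the client's "Require data encryption" setting had to be cleared. Policy and group names are the lab's; the default policy's name is the one Windows 2000 creates; the encryption-level vocabulary ("none", "basic", "strong") is an assumption of this example.

```python
"""Remote access policy evaluation as the Windows 2000 lab exercises show it.

Added example, not course code.  Policy names and groups come from Lab B/C;
the encryption levels and the BUSY_HOURS_POLICY used for question 7 are
assumptions of this example.
"""
from dataclasses import dataclass, field
from enum import Enum


class DialIn(Enum):
    """The account's dial-in setting from Active Directory Users and Computers."""
    ALLOW = "Allow access"
    DENY = "Deny access"
    POLICY = "Control access through Remote Access Policy"


@dataclass
class Profile:
    # Encryption levels the server accepts under this policy (assumed vocabulary).
    encryption: frozenset = frozenset({"none", "basic", "strong"})
    idle_timeout_minutes: int = 0   # 0 = never disconnect an idle session


@dataclass
class Policy:
    name: str
    grant: bool                      # the policy's remote access permission
    profile: Profile = field(default_factory=Profile)
    groups: frozenset = frozenset()  # Windows-Groups condition; empty = any user
    hours: range = range(0, 24)      # Day-And-Time-Restrictions, hour of day

    def matches(self, user_groups, hour):
        """All conditions must hold for the policy to apply."""
        group_ok = not self.groups or bool(self.groups & user_groups)
        return group_ok and hour in self.hours


@dataclass
class Attempt:
    user: str
    groups: frozenset
    dial_in: DialIn
    hour: int
    client_encryption: frozenset     # levels the client is willing to use


def evaluate(policies, attempt):
    """Return (accepted, reason, profile) for one connection attempt."""
    if not policies:                                     # review question 8
        return False, "no remote access policies exist", None
    policy = next((p for p in policies if p.matches(attempt.groups, attempt.hour)), None)
    if policy is None:
        return False, "no policy conditions matched", None
    # Permission: the account setting wins; only "control by policy" defers.
    if attempt.dial_in is DialIn.DENY:
        return False, f"{policy.name}: user dial-in permission is Deny access", None
    if attempt.dial_in is DialIn.POLICY and not policy.grant:
        return False, f"{policy.name}: policy permission is Deny", None
    # Profile: the client must be able to meet the policy's encryption setting.
    if not (policy.profile.encryption & attempt.client_encryption):
        return False, f"{policy.name}: encryption settings do not match profile", None
    return True, f"{policy.name}: accepted", policy.profile


# Lab B policy: RemoteGroup, 8AM to 5PM, no encryption required.
REMOTE_GROUP_POLICY = Policy(
    name="Allow RemoteGroup access", grant=True,
    groups=frozenset({"RemoteGroup"}), hours=range(8, 17),
    profile=Profile(encryption=frozenset({"none"})))
# Windows 2000 default policy: matches everyone at all times, permission Deny,
# so only accounts set to "Allow access" get through it.
DEFAULT_POLICY = Policy(name="Allow access if dial-in permission is enabled", grant=False)
# Assumed policy for review question 7: disconnect idle users during busy hours.
BUSY_HOURS_POLICY = Policy(name="Busy hours idle limit", grant=True,
                           hours=range(8, 18), profile=Profile(idle_timeout_minutes=30))

ANY_ENCRYPTION = frozenset({"none", "basic", "strong"})
REQUIRE_ENCRYPTION = frozenset({"basic", "strong"})   # "Require data encryption" checked


def remote_user1(dial_in, hour=10, client_encryption=ANY_ENCRYPTION):
    """RemoteUser1 from Lab B, a member of RemoteGroup."""
    return Attempt("RemoteUser1", frozenset({"RemoteGroup"}), dial_in, hour, client_encryption)


if __name__ == "__main__":
    lab_order = [REMOTE_GROUP_POLICY, DEFAULT_POLICY]
    default_first = [DEFAULT_POLICY, REMOTE_GROUP_POLICY]
    print("step 1:", evaluate(lab_order, remote_user1(DialIn.POLICY))[1])
    print("step 1, encryption required:", evaluate(lab_order, remote_user1(DialIn.POLICY, client_encryption=REQUIRE_ENCRYPTION))[1])
    print("step 3:", evaluate(default_first, remote_user1(DialIn.POLICY))[1])
    print("step 5:", evaluate(default_first, remote_user1(DialIn.ALLOW))[1])
```

Running it reproduces the lab's answers in order: the RemoteGroup policy accepts the policy-controlled account only while the client tolerates an unencrypted link, moving the default policy up causes a denial, and setting the account to Allow access makes the default policy accept.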

9. A user calls the Help desk to say that he cannot connect to the organization’s remote access servers. You look up the event logs on the remote access server for all remote access entries, but find no entries. What components of the remote access connection could be causing this error?
   User’s computer settings, user’s communication hardware, server communication hardware, and the communication lines themselves.