5.1 Overview of remote access
By configuring Routing and Remote Access to act as a remote access server, you can connect remote or mobile workers to organization networks. Remote users can work as if their computers are physically connected to the network.
Users run remote access software and initiate a connection to the remote access server. The remote access server, which is a server running Routing and Remote Access, authenticates users and services sessions until terminated by the user or network administrator. All services typically available to a LAN-connected user (including file and print sharing, Web server access, and messaging) are enabled by means of the remote access connection.
A server running Routing and Remote Access provides two different types of remote access connectivity:
- Dial-up networking
Dial-up networking is when a remote access client makes a nonpermanent, dial-up connection to a physical port on a remote access server by using the service of a telecommunications provider such as analog phone, ISDN, or X.25. The best example of dial-up networking is that of a dial-up networking client who dials the phone number of one of the ports of a remote access server.
Dial-up networking over an analog phone or ISDN is a direct physical connection between the dial-up networking client and the dial-up networking server. You can encrypt data sent over the connection, but it is not required.
- Virtual private networking
Virtual private networking is the creation of secured, point-to-point connections across a private network or a public network such as the Internet. A virtual private networking client uses special TCP/IP-based protocols called tunneling protocols to make a virtual call to a virtual port on a virtual private networking server. The best example of virtual private networking is that of a virtual private networking client who makes a virtual private network connection to a remote access server that is connected to the Internet. The remote access server answers the virtual call, authenticates the caller, and transfers data between the virtual private networking client and the corporate network.
In contrast to dial-up networking, virtual private networking is always a logical, indirect connection between the virtual private networking client and the virtual private networking server over a public network such as the Internet. To ensure privacy, you must encrypt data sent over the connection.
5.1.1 Exercise 1: Enabling Routing and Remote Access for Dialup and VPN Connections
1. Click Start, select Run, type rrasmgmt.msc and click OK.
2. Right click the server and select Configure and Enable Routing and Remote Access.
3. On the Welcome to the Routing and Remote Access setup Wizard page click Next.
4. On the Configuration page select Remote Access (dial-up or VPN) and click Next.
5. On the Remote Access page select VPN and Dial-up and click Next.
6. On the IP Address Assignment page select one of the following options and click Next:
- Automatically: Select this option if you are using a DHCP server to assign addresses automatically to your clients.
- From a specified range of addresses: Use this option if you want your remote access servers to assign addresses automatically.
7. On the Address Range Assignment page give the range of addresses from which to assign addresses to your clients and click Next.
8. On the Managing Multiple Remote Access Servers select No, use Routing and Remote Access to authenticate connection attempts and click Next.
9. On the next page click Finish.
5.2 Configuring Ports
5.2.1 Point-to-Point Tunneling Protocol
Point-to-Point Tunneling Protocol (PPTP) is a tunneling protocol first supported in Windows NT 4.0 and Windows 98. PPTP is an extension of Point-to-Point Protocol (PPP) and leverages the authentication, compression, and encryption mechanisms of PPP. Client support for PPTP is built in to the Windows XP remote access client. VPN server support for PPTP is built in to members of the Windows Server 2003 family. PPTP is installed with the TCP/IP protocol. Depending on your choices when running the Routing and Remote Access Server Setup Wizard, PPTP is configured for five or 128 PPTP ports.
5.2.2 Layer Two Tunneling Protocol
Layer Two Tunneling Protocol (L2TP) is an RFC-based tunneling protocol that is an industry standard and was first supported in the Windows 2000 client and server operating systems. L2TP relies on Internet Protocol security (IPSec) for encryption services. Both L2TP and IPSec must be supported by both the VPN client and the VPN server. Client support for L2TP is built in to the Windows XP remote access client, and VPN server support for L2TP is built in to members of the Windows Server 2003 family. L2TP is installed with the TCP/IP protocol. Depending on your choices when running the Routing and Remote Access Server Setup Wizard, L2TP is configured for five or 128 L2TP ports.
5.2.3 Exercise 2: Configuring Ports
1. Open Routing and Remote Access.
2. Right click the Ports node and select Properties.
3. Select the type of port you want to configure (PPTP or L2TP) and click Configure.
4. On the Configure Device page you can specify the phone number, enable demand dial and define the maximum number of PPTP or L2TP ports.
5.2.4 Exercise 3: To Disable Remote Access server
1. Open Routing and Remote Access.
2. Right click the server and select Properties.
3. On the Properties sheet uncheck the Remote access server option.
5.3 Dial-in Properties of a user account
The dial-in properties for a user account are:
- Remote Access Permission (Dial-in or VPN)
You can use this property to set remote access permission to be explicitly allowed, denied, or determined through remote access policies. In all cases, remote access policies are used to authorize the connection attempt. If access is explicitly allowed, remote access policy conditions, user account properties, or profile properties can still deny the connection attempt. The Control access through Remote Access Policy option is only available on user accounts in a Windows 2000 native domain, a Windows Server 2003 domain, or for local accounts on stand-alone servers running Windows 2000 or Windows Server 2003.
By default, the Administrator and Guest accounts on a stand-alone server or in a Windows 2000 native domain are set to Control access through Remote Access Policy. In a Windows 2000 mixed domain, they are set to Deny access. New accounts that are created on a stand-alone server or in a Windows 2000 native domain are set to Control access through Remote Access Policy. New accounts that are created in a Windows 2000 mixed domain are set to Deny access.
- Verify Caller ID
If this property is enabled, the server verifies the caller's phone number. If the caller's phone number does not match the configured phone number, the connection attempt is denied. Caller ID must be supported by the caller, the phone system between the caller and the remote access server, and the remote access server.
- Callback Options
If this property is enabled, the server calls the caller back during the connection process. The phone number that is used by the server is set by either the caller or the network administrator.
- Assign a Static IP Address
You can use this property to assign a specific IP address to a user when a connection is made.
5.3.1 Exercise 4: Configuring access permission for a DOMAIN user
1. Click Start, select Run, type dsa.msc and click OK.
2. Open the properties of the user to whom you want to give dial-in permissions and select the Dial-in tab.
3. Under Remote Access permission you can either Allow or Deny access or control access through remote access policy.
NOTE: The last option is available only when your domain is running in Windows 2000 native mode or Windows Server 2003 mode.
5.3.2 Exercise 5: Configuring Caller ID and Callback options
1. Click Start, select Run, type dsa.msc and click OK.
2. Open the properties of the user to whom you want to give dial-in permissions and select the Dial-in tab.
3. To enable caller ID place a check against Verify Caller ID and specify the number you want the caller to dial in from.
4. To enable Callback select the Always Callback to option and give the number you want the remote access server to dial back to.
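The dial-in properties set in Exercises 4 and 5 can be reviewed for every account at once rather than one Dial-in tab at a time. The following PowerShell script is an added example, not part of the original exercises; it assumes a Windows 2000 native or Windows Server 2003 mode domain in which the Dial-in tab is backed by the msNPAllowDialin, msNPCallingStationID, msRADIUSCallbackNumber and msRADIUSFramedIPAddress user attributes, and the helper name Get-DialinValue is hypothetical.

```powershell
# Added example: audit the Dial-in tab settings of all domain users.
# Assumption: the settings live in the msNP*/msRADIUS* attributes of each
# user object (native-mode or Windows Server 2003 mode domain).

$attrs = 'samaccountname', 'msnpallowdialin', 'msnpcallingstationid',
         'msradiuscallbacknumber', 'msradiusframedipaddress'

# Search the current domain for user accounts and load only what we need.
$searcher = [adsisearcher]'(&(objectCategory=person)(objectClass=user))'
$searcher.PageSize = 500    # page through domains with many accounts
$attrs | ForEach-Object { [void]$searcher.PropertiesToLoad.Add($_) }

# Hypothetical helper: return an attribute as text, or '' when it is not set.
function Get-DialinValue($props, $name) {
    if ($props.Contains($name)) { @($props[$name]) -join ',' } else { '' }
}

$results = $searcher.FindAll()
$report = foreach ($r in $results) {
    $p = $r.Properties

    # Attribute not set  -> Control access through Remote Access Policy
    # Attribute is TRUE  -> Allow access
    # Attribute is FALSE -> Deny access
    if (-not $p.Contains('msnpallowdialin')) {
        $permission = 'Policy'
    } elseif ($p['msnpallowdialin'][0]) {
        $permission = 'Allow'
    } else {
        $permission = 'Deny'
    }

    New-Object PSObject -Property @{
        User           = Get-DialinValue $p 'samaccountname'
        Permission     = $permission
        CallerId       = Get-DialinValue $p 'msnpcallingstationid'
        CallbackNumber = Get-DialinValue $p 'msradiuscallbacknumber'
        HasStaticIP    = $p.Contains('msradiusframedipaddress')
    }
}
$results.Dispose()

# Summary: how many accounts fall under each permission setting.
$report | Group-Object Permission | Sort-Object Name |
    Format-Table Name, Count -AutoSize

# Accounts with explicit Allow, and whether Caller ID or callback restricts them.
$report | Where-Object { $_.Permission -eq 'Allow' } | Sort-Object User |
    Format-Table User, Permission, CallerId, CallbackNumber, HasStaticIP -AutoSize
```

Accounts listed with Allow but with no Caller ID or callback number depend entirely on remote access policy and credentials, so they are the ones to review first.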
5.4 Client Configuration
5.4.1 Exercise 6: To create a connection to connect to the Remote Access Server using Dial Up
1. Click Start, Control Panel, Network Connections and select New Connection Wizard.
2. On the Welcome To the New Connection Wizard click Next.
3. On the Network Connection type page select Connect to the network at my workplace and click Next.
4. On the Network Connection page select Dial up connection and click Next.
5. On the Connection Name page enter the name of the connection and click Next.
6. On the Phone Number to Dial page give the phone number of the Remote access server and click Next.
7. On the Connection Availability page select My use only and click Next; on the next page click Finish.
5.4.2 Exercise 7: To create a connection to connect to the Remote Access Server using VPN
1. Click Start, Control Panel, Network Connections and select New Connection Wizard.
2. On the Welcome To the New Connection Wizard click Next.
3. On the Network Connection type page select Connect to the network at my workplace and click Next.
4. On the Network Connection page select Virtual Private Network connection and click Next.
5. On the Connection Name page enter the name of the connection and click Next.
6. On the VPN Server Selection page give the public IP of the Remote access server and click Next.
7. On the Connection Availability page select My use only and click Next; on the next page click Finish.