Windows 2000 Remote Access
Remote Access Service (RAS) is treated as a Wide Area Network (WAN) connection. Remote access clients connect using one of:
- Dial-up to a private network or to the internet.
- Virtual private networking (VPN) across the internet or some other intervening network.
- A direct cable connection to another computer using an infrared, serial or parallel port.
RAS can also be configured to accept incoming connections by phone, over the internet, or over a cable. RAS servers can also be used as gateways to link LANs together.
Required Client Components
Required components to use RAS on a client:
- A transport protocol (NetBEUI, NWLink, TCP/IP). The best protocol depends on line conditions: TCP/IP tolerates poor lines best but carries more overhead and is slower; with good lines and speed the priority, use NetBEUI.
- The Workstation service on NT Workstation, or Client for Microsoft Networks on Windows 95.
Required Server Components
- Modems, an ISDN interface or an X.25 PAD. Modems are configured with the Control Panel Modems applet; ATM and ISDN adapters are installed with the Control Panel Network applet.
- The "Routing and Remote Access" service must be running. It is only available on the Server editions, where it is installed by default but stays disabled until it is configured and enabled.
Connection Protocols Supported
- Point to Point Protocol (PPP) - A serial line encapsulation that improves on SLIP and provides bi-directional serial communication with packets delivered in the order they were sent. Unlike SLIP, which carries only IP, PPP can carry TCP/IP, IPX, AppleTalk and NetBEUI. It negotiates connection parameters such as link options, the transport protocols to run, and the user authentication method (PAP or CHAP).
- Serial Line Internet Protocol (SLIP) - Places IP datagrams into frames for transport over a serial line. There is no error correction, addressing, compression or packet identification, and no authentication or negotiation. SLIP carries IP packets only.
- CSLIP - Compressed SLIP is SLIP with Van Jacobson compression, which drastically reduces per-packet overhead by compressing the TCP/IP headers (not the data). Both the client and server ends must support it. The same header compression can be negotiated under PPP, which these notes call CPPP.
- Point to Point Multilink Protocol - Combines the bandwidth of several physical connections into one logical connection.
- Microsoft RAS - Also known as AsyBEUI, the pre-PPP protocol used by older Microsoft RAS clients.
- Callback Control Protocol (CBCP) - Lets the server negotiate with the client and call the client back to establish the connection.
- Point to Point Tunneling Protocol (PPTP) - RFC 2637, works at the link layer. The specification itself defines no encryption or key management. It is a VPN tunneling protocol: a client connects to the internet at modem speed, then tunnels PPP through that connection to reach a private network. PPTP uses a TCP control connection (port 1723) and carries the PPP frames inside GRE packets (IP protocol 47); encryption comes from the PPP layer, normally Microsoft Point to Point Encryption (MPPE). The PPP packets are encrypted, wrapped in GRE/IP and sent across the internet; the far end unwraps and decrypts them and forwards them as ordinary PPP. The same protocols PPP supports are therefore supported through PPTP (AppleTalk, IPX, TCP/IP and NetBEUI). PPTP ports are set up with the Routing and Remote Access administrative tool.
- Layer Two Tunneling Protocol (L2TP) - RFC 2661, combines features of L2F and PPTP and works at the link layer. The specification includes no encryption or key management; on Windows 2000, L2TP is paired with IPSec for encryption. It places data in PPP packets and adds further headers to route the packet. L2TP supports header compression and tunnel authentication, which PPTP does not. L2TP ports are set up with the Routing and Remote Access administrative tool. It is new with Windows 2000.
- IPSec - Internet Protocol Security, developed by the IETF and implemented at layer 3. It is a collection of security measures addressing data privacy (confidentiality), integrity and authentication, plus a tunnel mode. Key management is not part of the IPSec AH/ESP protocols themselves; it is handled by the separate Internet Key Exchange (IKE). It is new with Windows 2000.
- IPSec installation - On Windows 2000 the management tool is added in the Microsoft Management Console (MMC) with the "IP Security Policy Management" snap-in, choosing the computer the snap-in will manage.
- IPSec configuration - Once installed, IPSec is configured from the TCP/IP properties of the connection in "Network and Dial-up Connections":
- In the TCP/IP properties box, click "Advanced".
- Click the "Options" tab.
- Select "IP Security" and click "Properties".
The allowed settings are "Do not use IPSEC" or "Use this IP security policy", and the built-in policies to choose from are:
- Client (Respond Only) - never initiates security, but answers a peer that requests it.
- Server (Request Security) - asks for security but falls back to clear traffic with peers that cannot do IPSec.
- Secure Server (Require Security) - refuses unsecured traffic.
Authentication Protocols Supported
- PAP - Password Authentication Protocol is a two-way handshake designed for use with PPP. The password is sent as plain text, so it is not secure; it survives only because some older dial-up servers support nothing else.
- CHAP - Challenge Handshake Authentication Protocol is a three-way handshake (challenge, response, success or failure) and is considered more secure than PAP because the password itself never crosses the line.
- MS-CHAP - Microsoft's variant of CHAP. Unlike standard CHAP, which hashes the challenge with MD5, MS-CHAP derives its response from the NT password hash (MD4) using DES, so it works only between Microsoft clients and servers. Because it also produces session keys, it is one of the methods that can drive MPPE data encryption; note that selecting MS-CHAP does not by itself encrypt data, the server must also be set to require data encryption.
- RADIUS - Remote Authentication Dial-In User Service is used to authenticate users who dial in remotely to servers on an organization's network, and can also account for users' time on the network. User credentials are forwarded to a RADIUS server for validation when the user logs on. RADIUS itself predates Windows 2000 (RFC 2138, now RFC 2865); what is new is that Windows 2000 RRAS can act as a RADIUS client. To use it, set the RAS server up as a RADIUS client on the Security tab of the Remote Access Service properties dialog box. The RAS server may be given several RADIUS servers to try for user authentication; the "Configure" button adds or removes RADIUS server entries, including the shared secret each one uses. The working sequence between the RAS server and the RADIUS server is:
- A server running Remote Access Service (RAS) receives a connection request from a user on a remote computer.
- The RAS server is configured to use RADIUS authentication.
- The RAS server forwards the request to a RADIUS server for authentication (the RAS server acts as a RADIUS client).
- The Internet Authentication Service (IAS) on the RADIUS server responds to the request from the RAS server. (IAS is installed and configured as a Windows component under Networking Services in Add/Remove Programs.)
- The RAS server takes the appropriate action for the user based on the RADIUS server's response.
- EAP - Extensible Authentication Protocol is negotiated between a dial-in client and server to decide which EAP authentication method will be used. It supports smart cards and other strong forms of authentication through EAP-TLS (Transport Layer Security). It is first supported in Windows 2000.
Open the RAS server Remote Access Service properties dialog box and select the "Security" tab to enable these protocols (RADIUS is selected there too, but as the authentication provider rather than as a protocol).
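The RAS-to-RADIUS exchange above is easier to reason about with both sides in code. The following is an added example written for these notes, not code from Windows 2000 or IAS: a minimal RFC 2865 Access-Request/Access-Accept round trip in Python, including the User-Password hiding that depends on the shared secret and the Response Authenticator the RAS server must check before trusting a reply. The user database, secrets, NAS address and identifier are constructed for the example.

```python
import hashlib
import hmac
import secrets
import struct

# RADIUS packet codes and the attribute types used here (RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length (header included), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse(packet: bytes):
    """Split a packet into (code, identifier, authenticator, {type: value})."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = {}, 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        attrs[t] = packet[pos + 2:pos + l]
        pos += l
    return code, ident, packet[4:20], attrs


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with
    MD5(secret + previous ciphertext block); the first block is keyed by the
    Request Authenticator. Anyone holding the shared secret can undo this."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password (the RADIUS server side)."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")  # strip NUL padding (demo simplification)


def build_access_request(ident, username, password, secret, request_auth,
                         nas_ip="192.0.2.10", nas_port=7):
    """What the RAS server (RADIUS client) sends after a PAP logon. NAS values are constructed."""
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attr(NAS_PORT, struct.pack("!I", nas_port)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def ias_handle(request: bytes, secret: bytes, users: dict) -> bytes:
    """RADIUS server side: recover the password, check it, answer Accept or Reject."""
    code, ident, request_auth, attrs = parse(request)
    username = attrs[USER_NAME].decode()
    password = reveal_password(attrs[USER_PASSWORD], secret, request_auth)
    ok = code == ACCESS_REQUEST and hmac.compare_digest(users.get(username, b""), password)
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    reply_attrs = b""
    auth = response_authenticator(reply_code, ident, reply_attrs, request_auth, secret)
    return struct.pack("!BBH", reply_code, ident, 20 + len(reply_attrs)) + auth + reply_attrs


def nas_accepts(reply: bytes, ident: int, request_auth: bytes, secret: bytes) -> bool:
    """Back on the RAS server: trust the reply only if its Response Authenticator
    proves it was produced with the shared secret for *this* request."""
    code, reply_ident, auth, _ = parse(reply)
    expected = response_authenticator(code, reply_ident, reply[20:], request_auth, secret)
    return reply_ident == ident and hmac.compare_digest(auth, expected) and code == ACCESS_ACCEPT


def dial_in(username, password, nas_secret, server_secret, users) -> bool:
    """One full exchange. The two secrets differ when the RAS server is misconfigured."""
    ident = 0x2A
    request_auth = secrets.token_bytes(16)
    request = build_access_request(ident, username, password, nas_secret, request_auth)
    reply = ias_handle(request, server_secret, users)
    return nas_accepts(reply, ident, request_auth, nas_secret)


if __name__ == "__main__":
    USERS = {"alice": b"correct horse"}          # constructed user database
    SECRET = b"radius-shared-secret"             # constructed shared secret
    print(dial_in("alice", "correct horse", SECRET, SECRET, USERS))   # True
    print(dial_in("alice", "correct horse", SECRET, b"other", USERS)) # False
```

Two things the exchange makes visible: a mismatched shared secret produces garbage on the IAS side (so a reject) and a reply the RAS server cannot verify, and a forged Access-Accept without the secret fails the authenticator check. The MD5-XOR hiding is only as strong as the secret, which is why RADIUS traffic between RAS and IAS should stay on a trusted network.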
Bandwidth Allocation Protocols
- BACP - Bandwidth Allocation Control Protocol, used with PPP to negotiate whether BAP may be used on a multilink bundle.
- BAP - Bandwidth Allocation Protocol controls the bandwidth of multilink PPP connections by adding and dropping links on demand. It is new with Windows 2000 and works together with BACP.
Open the RAS server Remote Access Service properties dialog box and select the "PPP" tab to enable these bandwidth allocation protocols.
Transport Protocols Supported
- NetBEUI - Microsoft developed a suite of protocols around NetBIOS using NetBEUI for transport. The primary advantage of this protocol is that it is easy to configure and Microsoft claims that it runs faster.
- NWLink (IPX/SPX) - IPX/SPX is a routable protocol and can be used for small and large networks. It was created by Novell primarily for Novell NetWare networks, but is popular enough that it is used on products that are not from Novell.
- TCP/IP - The TCP/IP suite of protocols is the set of protocols used to communicate across the internet. It is also widely used on organizational networks because of its flexibility and the wide array of functionality it provides.
- AppleTalk - Apple Computers have had their own set of protocols for many years. More and more operating systems today now can communicate with Apple systems using Apple networking protocols.
A client need only run one of these protocols; the RAS server routes each dial-in client's traffic for whichever of the installed transport protocols that client uses.
Supported Connection Types
The RAS service supports both hardware ports and virtual private networking (VPN) ports. A VPN provides an encrypted private network across a public one by encapsulating packets as data inside other IP packets (tunneling) and sending them across the public network.
- Analog Telephone (PSTN) - Uses PPP or SLIP over PSTN lines. NT and Windows 2000 RAS servers only answer PPP calls; SLIP is supported for dialing out only. SLIP carries TCP/IP only and supports neither logon encryption nor dynamic IP address assignment.
- Digital Telephone (ISDN)
- X.25 - Packet switching protocol used on dial-up or leased lines.
- Point to Point Tunneling Protocol (PPTP) and L2TP for VPN connections across the Internet.
- RS-232 null modem cable.
Clients that the RAS server can host
- Generic TCP/IP clients using PPP (non-Microsoft clients) - These get IP connectivity only and cannot use domain resources.
- LAN Manager
- DOS RAS
- Windows for Workgroups
- Windows 95/98
- Windows NT 3.1 and above
- Windows 2000
RAS Server Properties Box
- General - Used to set up as a router (for LAN only or LAN and demand dialing) or as a remote access server.
- Security - Used to set authentication provider (Windows or RADIUS-Remote Authentication Dial-in User Service) and accounting methods (none, Windows, or RADIUS). If RADIUS is used, RAS must be configured to use one or several RADIUS servers. Authentication methods are set here. These are the choices:
CHAP (Challenge Handshake Authentication Protocol) works as follows: the server sends the client a challenge packet containing a random challenge value and an identifier. The client replies with its user name and an MD5 hash of the identifier, its password and the challenge; the password itself is never sent. The server computes the same hash from its copy of the password, compares, and returns a Success or Failure packet; on Success the connection proceeds. MS-CHAP v2 adds mutual authentication (the client also verifies a response from the server) and stronger, direction-specific session keys; the user name is sent in the clear in all CHAP variants. Standard (MD5) CHAP requires the server to hold the password in a reversibly encrypted form, because the hash cannot be computed from a one-way password hash; MS-CHAP avoids this by working from the stored NT hash instead.
- Extensible authentication protocol (EAP) - Allows the client and server to negotiate a common method. It allows Transport Layer Security (TLS), which supports smart cards and thumbprint readers.
- Microsoft encrypted authentication version 2 (MS-CHAP v2)
- Microsoft encrypted authentication (MS-CHAP)
- Encrypted authentication (CHAP) - Uses a Message Digest 5 (MD5) hash of the challenge and password. It is for non-Microsoft clients or clients that do not support MS-CHAP.
- Shiva Password Authentication Protocol (SPAP) - For Shiva LANRover clients; uses Shiva's reversible password encryption, stronger than PAP but weaker than CHAP.
- Unencrypted Password (PAP)
- Allow remote systems to connect without authentication
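The CHAP handshake described above, as an added example for these notes (not Windows 2000 code): an RFC 1994 authenticator and peer exchanging Challenge, Response and Success/Failure packets in Python. It shows why the password never crosses the line, why a captured response cannot be replayed, and why the server needs the plaintext (reversibly stored) secret. The server name, user database and identifiers are constructed for the example.

```python
import hashlib
import hmac
import secrets
import struct

CHALLENGE, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4   # CHAP codes, RFC 1994


def chap_hash(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: Response Value = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def pack(code: int, identifier: int, value: bytes, name: bytes) -> bytes:
    """Challenge/Response packet: Code, Identifier, Length, Value-Size, Value, Name."""
    body = bytes([len(value)]) + value + name
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def unpack(packet: bytes):
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    size = packet[4]
    return code, identifier, packet[5:5 + size], packet[5 + size:length]


class ChapServer:
    """Authenticator side. It must hold each user's *plaintext* secret: the MD5
    over (id, secret, challenge) cannot be derived from a one-way password hash,
    which is why Windows stores passwords reversibly for MD5-CHAP."""

    def __init__(self, name: bytes, secrets_by_user: dict):
        self.name = name
        self.users = secrets_by_user
        self.pending = {}            # identifier -> outstanding challenge

    def challenge(self, identifier: int) -> bytes:
        chal = secrets.token_bytes(16)          # fresh random value every time
        self.pending[identifier] = chal
        return pack(CHALLENGE, identifier, chal, self.name)

    def check(self, response: bytes):
        code, identifier, value, name = unpack(response)
        chal = self.pending.pop(identifier, None)   # a challenge is usable once
        secret = self.users.get(name.decode(errors="replace"))
        ok = (code == RESPONSE and chal is not None and secret is not None
              and hmac.compare_digest(chap_hash(identifier, secret, chal), value))
        return ok, struct.pack("!BBH", SUCCESS if ok else FAILURE, identifier, 4)


def client_respond(challenge_packet: bytes, username: bytes, password: bytes) -> bytes:
    """Peer side: only the hash goes on the wire, never the password."""
    code, identifier, chal, _server_name = unpack(challenge_packet)
    if code != CHALLENGE:
        raise ValueError("expected a CHAP Challenge packet")
    return pack(RESPONSE, identifier, chap_hash(identifier, password, chal), username)


def authenticate(server: ChapServer, identifier: int, username: bytes, password: bytes):
    """Run the three-way handshake; returns (success, the Response packet sent)."""
    response = client_respond(server.challenge(identifier), username, password)
    ok, _result = server.check(response)
    return ok, response


if __name__ == "__main__":
    srv = ChapServer(b"ras01", {"alice": b"s3cret"})   # constructed server and user
    ok, resp = authenticate(srv, 7, b"alice", b"s3cret")
    print(ok, b"s3cret" in resp)                        # True False
    print(srv.check(resp)[0])                           # False: replay of an old response
```

Contrast this with PAP, where the same exchange would carry the password bytes themselves; with CHAP an eavesdropper sees only the challenge and a 16-byte hash, and the server's one-time challenge defeats replaying that hash. The user name still travels in the clear.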
- IP - Options:
- Enable IP routing
- Allow IP based remote access and demand-dial connections
- IP address assignment using either DHCP or a static address pool.
- Specify the adapter to be used to obtain DHCP, DNS, and WINS addresses for dial-up clients.
- IPX - Options:
- Allow IPX based remote access and demand-dial connections
- Enable network access for remote clients and demand-dial connections
- IPX network number assignment as automatic or in a listed range.
- Use the same network number for all IPX clients
- Allow remote clients to request an IPX node number
- NetBEUI - Options are allow NetBEUI based remote access clients to access either this computer only or the entire network.
- PPP - Options:
- Multilink connections
- Dynamic bandwidth control using BAP or BACP - As bandwidth requirements change, the server and client can negotiate the addition or removal of physical connections.
- Link control protocol (LCP) extensions
- Software compression - More efficient than modem compression, but compression on the modem should be disabled, if this is enabled.
- Event Logging - Options:
- Log errors only
- Log errors and warnings
- Log the maximum amount of information
- Disable event logging
- Enable Point-to-Point Protocol (PPP) logging
Remote Access Policies
These policies are stored on the remote access server, not in Active Directory. A policy has three components, evaluated in order for each connecting client:
- Conditions - Conditions to be met by the client such as:
- Called station number
- Calling station number
- Client friendly name
- Client IP address
- Client vendor - Manufacturer of the RADIUS proxy or NAS that forwarded the request.
- Day and time restrictions
- Framed protocol - PPP, AppleTalk, etc.
- NAS Identifier - A string identifying the Network Access Server (NAS), the device that accepted the call and started the service request (here the RAS server itself).
- NAS IP address
- NAS Port Type
- Service Type - Type of service requested, e.g. Framed (PPP), Login or Callback.
- Tunnel Type - Type of tunneling protocol that must be used.
- Windows Groups - Security group the user must belong to.
- Permissions (Dial-in) - Grants or denies access to RAS. Checked only when the above conditions are met. Set in the remote access policy, or overridden by the user's account properties.
- Profile - Tabs: Includes multilink options, authentication methods, IP address assignment methods and more.
- Dial-in Constraints
- Disconnect if idle for:
- Restrict maximum session to: number of minutes
- Restrict access to the following days and times:
- Restrict dial-in to this number only:
- Restrict Dial-in media: Includes Ethernet, IDSL, SDSL, and others.
- IP address assignment policy:
- Server must supply an IP address
- Client may request an IP address
- Server settings define policy
- Define IP filters to apply during the connection. They are defined from client and to client.
- Multilink - Maximum ports may be limited
- Default to server settings
- Disable multilink (restrict client to single port)
- Allow multilink
- Can set bandwidth to allow for one or more lines to be dropped if bandwidth requirements fall below a certain percent of capacity for a period of time. Uses the BAP protocol.
- Authentication - Selections:
- Extensible Authentication Protocol and selection of EAP type such as smart card.
- Microsoft encrypted authentication version 2 (MS-CHAP v2)
- Microsoft encrypted authentication (MS-CHAP)
- Encrypted authentication (CHAP)
- Unencrypted Password (PAP, SPAP)
- Allow remote PPP clients to connect without negotiating any authentication method.
- Encryption - Selections:
- No Encryption
- Basic - IPSec 56 bit DES is used for L2TP VPN connections and MPPE (Microsoft Point to Point Encryption) 40 bit is used for other connections.
- Strong - IPSec 56 bit DES is used for L2TP VPN connections and MPPE (Microsoft Point to Point Encryption) 56 bit is used for other connections.
- Strongest - IPSec Triple DES is used for L2TP VPN connections and MPPE (Microsoft Point to Point Encryption) 128 bit is used for other connections.
- Advanced - Selections:
- Filter ID
- Framed compression
- Service type
If there are no remote access policies, every connection is denied. The first policy (in the order set with the "Routing and Remote Access" tool) whose conditions all match is the one used; if none matches, the connection is denied. A matching policy may still deny the connection through its permission setting. The profile is then applied rather than "met": if the dial-in client cannot comply with it (for example it offers only an authentication method the profile disallows), the connection is terminated.
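The evaluation order above (conditions, then permission, then profile, with the account's Dial-in setting able to override the policy's permission) is compact enough to model. This is an added example for these notes, not Windows 2000 code: a small Python evaluator over constructed policies with a few of the condition and profile attributes listed earlier. The group names, port types and hours are invented for the example.

```python
from dataclasses import dataclass


@dataclass
class Call:
    """What the RAS server knows when a client connects (constructed example fields)."""
    user: str
    groups: frozenset
    weekday: int          # 0 = Monday
    hour: int             # 0-23
    auth: str             # "EAP", "MS-CHAPv2", "MS-CHAP", "CHAP", "PAP"
    port_type: str        # NAS-Port-Type: "Async", "ISDN", "Virtual" (VPN)
    tunnel: str = ""      # Tunnel-Type for VPN calls: "PPTP" or "L2TP"


@dataclass
class Policy:
    name: str
    # Conditions: every non-empty one must match (empty = any)
    groups: frozenset = frozenset()
    port_types: frozenset = frozenset()
    tunnel_types: frozenset = frozenset()
    day_hours: frozenset = frozenset()          # allowed (weekday, hour) pairs
    # Permission
    grant: bool = True
    # Profile: authentication methods and dial-in constraints
    allowed_auth: frozenset = frozenset({"EAP", "MS-CHAPv2"})
    profile_day_hours: frozenset = frozenset()

    def conditions_match(self, call: Call) -> bool:
        return ((not self.groups or bool(self.groups & call.groups))
                and (not self.port_types or call.port_type in self.port_types)
                and (not self.tunnel_types or call.tunnel in self.tunnel_types)
                and (not self.day_hours or (call.weekday, call.hour) in self.day_hours))


def evaluate(policies, call: Call, account_dialin: str = "policy"):
    """account_dialin mirrors the user's Dial-in tab: "allow", "deny" or "policy"
    (Control access through Remote Access Policy). Returns (allowed, reason)."""
    if not policies:
        return False, "no remote access policies exist"
    policy = next((p for p in policies if p.conditions_match(call)), None)
    if policy is None:
        return False, "no policy's conditions match"
    # Permission: an explicit account setting wins over the policy's grant/deny
    if account_dialin == "deny":
        return False, f"account denies dial-in (matched '{policy.name}')"
    if account_dialin == "policy" and not policy.grant:
        return False, f"policy '{policy.name}' denies access"
    # Profile: applied even when the account says Allow; an incompatible client is dropped
    if call.auth not in policy.allowed_auth:
        return False, f"profile of '{policy.name}' does not allow {call.auth}"
    if policy.profile_day_hours and (call.weekday, call.hour) not in policy.profile_day_hours:
        return False, f"outside dial-in hours of '{policy.name}'"
    return True, f"allowed by '{policy.name}'"


# Constructed policies in the order an administrator might list them.
BUSINESS_HOURS = frozenset((d, h) for d in range(5) for h in range(8, 18))
POLICIES = [
    Policy("VPN admins", groups=frozenset({"RAS-Admins"}), port_types=frozenset({"Virtual"}),
           allowed_auth=frozenset({"EAP", "MS-CHAPv2"})),
    Policy("Dial-in staff", groups=frozenset({"Staff"}), port_types=frozenset({"Async", "ISDN"}),
           profile_day_hours=BUSINESS_HOURS, allowed_auth=frozenset({"MS-CHAPv2", "MS-CHAP"})),
    Policy("Deny everyone else", grant=False),
]

if __name__ == "__main__":
    print(evaluate(POLICIES, Call("alice", frozenset({"RAS-Admins"}), 1, 10, "MS-CHAPv2", "Virtual", "L2TP")))
    print(evaluate(POLICIES, Call("bob", frozenset({"Staff"}), 1, 22, "MS-CHAPv2", "Async")))
    print(evaluate(POLICIES, Call("bob", frozenset({"Staff"}), 1, 10, "PAP", "Async")))
```

The catch-all deny policy at the end is the usual safety net: without it, a user whose account is set to Allow access and who matches no other policy would be denied anyway (no match), but with it the reason is explicit and the profile still applies to accounts set to Allow.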
The "Routing and Remote Access" tool can be used to monitor the status of the RAS server and monitor connections.
User Account Policy Settings affecting RAS
The Dial-in tab affects RAS:
Dial-in tab - Options:
- Choose one of Allow access, Deny access, or Control access through Remote Access Policy.
- Verify Caller ID may be checked.
- Callback options are one of No callback, Set by caller (Routing and Remote Access Service Only), and Always callback to a specified number.
- Assign a Static IP Address
- Apply Static Routes with a button that allows for definition of static routes.
Port properties are set with the Administrative Tool, Routing and Remote Access: right-click "Ports", select "Properties", select the device, then click "Configure".
Inbound Connection Configuration
After installation of the Routing and Remote Access Server, do the following:
- Start the Administrative Tool, "Routing and Remote Access".
- Right click the server, select "Configure and Enable Routing and Remote Access".
- When the Routing and Remote Access Setup wizard starts, click "Next", then select "Remote Access Server".
- Configure the protocols to be used and the authentication options.
- Select the network connection, method of IP address assignment, and whether a RADIUS server will be used.
VPN Port Creation
- Start the Administrative Tool, "Routing and Remote Access".
- Right click "Ports" and select "Properties".
- Select the WAN Miniport (PPTP) or WAN Miniport (L2TP) device.
- Click on the "Configure" button and select "Remote Access (inbound)" and click "OK".
Network Connection Wizard
The following connection configurations are created with the "Network Connection Wizard". It is started by clicking "Start", "Settings", "Network and Dial-up Connections" and selecting "Make New Connection". These types of connections may be configured with the wizard:
- Dial-up to a private network - Outbound connection to a private network.
- Dial-up to the internet - Outbound connection to an internet server.
- Connect to a private network through the internet - Sets up a VPN connection to a private network across the internet.
- Accept incoming connections
- Connect directly to another computer - A direct cable connection to another computer.
In some cases multiple lines may be used as though they were one connection to gain higher transfer speeds (multilink). Both the client and server must be Windows NT or Windows 2000 computers. The calling and receiving hosts must have the same number and type of multilink connections, in any combination of link types. This is based on RFC 1717 (since superseded by RFC 1990). Multilink is configured on the client and server using the phonebook entry's Basic tab.
Used to monitor RAS performance. It is found in the system tray on the taskbar next to the clock; select it to display it as a window.
The following registry entry controls RAS logging by turning it on or off:
The log is stored in the file:
Installing and Configuring RAS
RAS must have at least one of TCP/IP, NWLink, or NetBEUI installed as a transport protocol. A different transport protocol may be selected to support each modem or RAS device.
- Set up one or more of the following service types.
- Use the modem applet in the control panel to install modems and configure them to use specific COM ports.
- If using ISDN, it may connect straight into a serial port or use an NT-1 network termination device, which may be on a separate card or on your network card. With an NT-1, the RAS server treats the ISDN connection like a network card, so it is installed from the Control Panel Network applet Adapters tab just as a network card would be. The ISDN adapter must be configured for the switch protocol the provider uses; the main ones are:
- AT&T 5ESS
- Northern Telecom DMS-100
Set two ISDN SPIDs (Service Profile IDs), one per B channel with its own telephone number, for maximum speed. A SPID is the normal 10 digit phone number with a prefix and suffix. Set the connection to multipoint to use each channel.
- To install X.25, use the X.25 PAD button in the RAS setup dialog box.
- The "Routing and Remote Access" administrative tool is used to configure RAS. The "Network and Dial-up Connections" folder is used to add protocols; if more protocols are required, add them first. The "Routing and Remote Access" administrative tool can be installed from the /i386/Adminpak.msi package on the Windows 2000 Server CD-ROM.
- Configure the RAS network protocols - The RAS server uses the PPP data link protocol rather than a protocol like Ethernet. It may use PPP or SLIP to dial out.
- Different modems or RAS devices may be configured to use different network/transport protocols. For example one may use TCP/IP, while another uses NetBEUI. To set the protocol, use the control panel's Network applet, services tab. Any combination of TCP/IP, NWLink, or NetBEUI may be used.
- Set up each transport protocol and select whether clients can access the entire network or not.
- Configuration is done using the control panel network applet services tab. Select "Remote Access Service" and properties. Highlight the port to use and click on the network button. A Network Configuration dialog box will appear with the following options:
- Dial Out Protocols with selections of NetBEUI, TCP/IP, and IPX. The configure buttons next to the checkboxes allows each protocol to be configured including the ability to use the protocol for dialing out.
- Server Settings with:
- Allow remote clients running:
- TCP/IP - Options for IP addresses include:
- Use DHCP to assign remote TCP/IP client addresses - If DHCP is used, DHCP must be run on the RAS server, or the DHCP relay agent must be run on the RAS server.
- Use static address pool - Used when DHCP is not available on the network and IP address are still desired
- Allow remote clients to request a predetermined IP address - Used when DHCP is not available on the network and RAS clients each have a unique IP address assigned. IP addresses cannot be assigned per user account here.
- Encryption Settings with:
- Allow any authentication including clear text.
- Require encrypted authentication.
- Require Microsoft encrypted authentication with an additional checkbox, "Require data encryption".
- Enable Multilink checkbox
RAS clients are configured using the control panel Dial-up Networking applet. The phone book entry is used and it has the following tabs:
- Server - Select the RAS server type, transport protocols to use and "Enable software compression" and "Enable PPP LCP extensions".
- Script - Used for dial up servers that are not RAS servers
- Security - Specifies type of authentication, clear text, encrypted, and Microsoft encrypted. Must match the server side unless the server allows any authentication.
To use ISDN with RAS, the following must be done:
- An ISDN BRI circuit must be installed by the provider.
- An ISDN adapter must be installed on the RAS server.
Server Configuration Selections
- Allow access to RAS server only or act as a gateway to the rest of the network.
When the RAS service is running, the COM ports and modems being used by the RAS service are not available for outgoing connections such as FAX or terminal software. To use these functions, stop the RAS service, then start it again when done.
Remote Access Administrative Utility
Used to configure RAS permissions for users. The following features exist on the Remote Access Permissions dialog box:
- Grant dialin permission to user checkbox
- Call back radio button section with options:
- No Call Back
- Set By Caller
- Preset To followed by a text box.
Permissions cannot be set for groups.
Authorizing RAS Users
RAS users can be authorized in two places:
- User Manager for Domains dial-up button.
- Remote Access administrative tool.
Security settings are entered by using the phonebook entry security tab. This is the same on the client and server side.
- Encrypted passwords - Protocols used:
- PAP - Password authentication protocol
- CHAP - Challenge handshake authentication protocol uses encrypted authorization.
- MS-CHAP - Microsoft's CHAP variant over PPP; it answers the challenge with DES encryptions keyed by the NT password hash rather than CHAP's MD5. If the option to "Require data encryption" is set when using MS-CHAP, all data between the client and the server is encrypted with MPPE. Only Microsoft clients can use this protocol.
- Callback (server only) - Calls the client back to establish the connection. Options are "No Callback", "Set by caller" or "Preset to...".
- Permissions (server only) - Can set up users who can use RAS as a client.
- PPTP (server only) - Point to Point Tunneling Protocol used for virtual private networking (VPN) as a means of sending secure information. To use this, when enabled on the server, the client will connect to the internet, then connect to the RAS server using the PPTP client service. The control panel, network applet protocols tab is used to add PPTP.
When having trouble getting authentication to work, the option "Allow any authentication including clear text" can be useful while debugging. Be careful: clear-text authentication exposes the password, and any sensitive data sent over the serial line will not be encrypted either. Turn the option off again once authentication works.
- Encryption of logon requests.
- Supports multiple transport protocols.