Remote Access Overview

Remote access simply refers to the process whereby a client computer connects to a remote computer (called a remote access server) to gain access to resources or an internal network full of resources. There are two main types of remote access connections:

1. Dial-up remote access connections
2. Virtual Private Network (VPN) connections

Dial-up remote access connections

Dial-up remote access connections typically use WAN technologies (modem, ISDN, Frame Relay, etc.) to connect computers together. Each computer must use a LAN protocol (such as TCP/IP, NWLink IPX/SPX or Appletalk) and then wrap that protocol in another protocol (called a remote access protocol) that is better designed for sending information across a WAN. Some common remote access protocols used for dial-up remote access connections include:

- Point-to-Point Protocol (PPP): the most common remote access protocol, supported by nearly all operating systems.
- Serial Line Interface Protocol (SLIP): an older remote access protocol typically used on UNIX systems; Windows can only use SLIP to connect to other computers as a remote access client.
- Appletalk Remote Access Protocol (ARAP): used to connect Apple Macintosh computers (only for Windows 2000/2003 remote access servers).

You may also configure remote access servers and clients to use several PPP connections at the same time to increase connection speed; this is known as PPP multilink. As well, if you have several multilink clients, your remote access server can use Bandwidth Allocation Protocol (BAP) to switch individual PPP connections to those who require it to improve bandwidth usage.

VPN remote access connections

VPNs allow computers that can already communicate on a LAN or WAN network (such as the Internet) to participate in a private group; any communication in this private group may only be decrypted by members of the group. For example, you may specify private servers on the Internet that are members of a VPN; your computer must also be a member of the VPN to gain access to these servers and the resources they hold. To achieve this, your computer must wrap your normal LAN protocol in a VPN protocol that encrypts the data within and provides authentication to the VPN. There are three common VPN protocols used by Windows Server 2008:

- Point-to-Point Tunneling Protocol (PPTP): a VPN protocol for IP networks that uses built-in PPP encryption, but does not offer header compression or tunnel authentication. It is the default protocol used by most VPNs and requires no additional encryption certificates to be configured.
- Layer-2 Tunneling Protocol (L2TP): a newer VPN protocol for IP, Frame Relay, X.25 and ATM networks. It uses IPSec encryption and offers header compression and tunnel authentication. Although L2TP can be used by specifying a password on the RRAS server and VPN client, an IPSec encryption certificate should be installed on the RRAS server and VPN client for proper functionality.
- Secure Sockets Tunneling Protocol (SSTP): a new VPN protocol within Windows Server 2008 (although Linux has used it for years). It creates an HTTPS SSL tunnel (128-256-bit) for traffic using TCP port 443 only (easy for firewalls). In order to use SSTP, your RRAS server must have IIS installed with an SSL encryption certificate configured for SSL.

jason.eckert@trios.com

Authentication

Regardless of the type of remote access connection, client computers should be authenticated to the remote access server before they are allowed a connection, to maintain security. There are many different authentication protocols that may be negotiated by remote access servers and clients; the most common used by Windows 2008 Remote Access Servers include:

- Password Authentication Protocol (PAP): uses cleartext passwords to authenticate users (low security).
- Shiva Password Authentication Protocol (SPAP): used when authenticating Shiva LANRover clients or connecting to Shiva LANRover servers (medium security).
- Challenge Handshake Authentication Protocol (CHAP): uses a Message Digest 5 (MD5) encrypted 3-way handshake to authenticate clients (high security).
- Microsoft Challenge Handshake Authentication Protocol (MS-CHAP): a version of CHAP that uses MPPE encryption and is used for Windows 95 and higher clients (high security).
- Microsoft Challenge Handshake Authentication Protocol Version 2 (MS-CHAP v2): an improved version of MS-CHAP that uses stronger encryption and is used for Windows 98 and higher clients (high security). Windows 98 and NT4 clients can only use this protocol for VPN connections.
- Extensible Authentication Protocol / Transport Layer Security (EAP-TLS): a very high security form of authentication that may use customized devices (i.e. smart cards).

NOTE: Instead of authenticating to a local database, a Remote Access Server may instead forward authentication requests to a central authentication server called a RADIUS (Remote Authentication Dial-In User Service) server for authentication (called a Network Access Protection server in Windows Server 2008). In this case, the Remote Access Server is called a RADIUS client since it must use a RADIUS server to authenticate any of its requests for remote access.
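As an added illustration (not part of the original notes) of why CHAP rates higher than PAP in the list above, this Python model runs the MD5 three-way handshake from RFC 1994 between a client and a server and contrasts it with PAP; the shared secret and identifier values are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed shared secret: in a real deployment this is the user's
# password, which both the client and the remote access server must hold.
SECRET = b"constructed-example-secret"


def chap_challenge(length: int = 16) -> bytes:
    """Step 1 (server -> client): a fresh, unpredictable challenge."""
    return os.urandom(length)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Step 2 (client -> server): MD5(Identifier || secret || Challenge).

    Only this 16-byte digest crosses the link; the secret itself never does,
    and a new challenge each time means an observed digest cannot be reused.
    """
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier: int, secret: bytes, challenge: bytes,
                response: bytes) -> bool:
    """Step 3 (server): recompute the digest and compare in constant time."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def chap_exchange(client_secret: bytes, server_secret: bytes,
                  identifier: int = 1) -> bool:
    """Drive the whole 3-way handshake; True when the server accepts."""
    challenge = chap_challenge()
    response = chap_response(identifier, client_secret, challenge)
    return chap_verify(identifier, server_secret, challenge, response)


def pap_authenticate(sent_password: bytes, stored_password: bytes) -> bool:
    """PAP, for contrast: the password itself is what travels over the link,
    so the low-security rating above comes from the transport, not the check."""
    return hmac.compare_digest(sent_password, stored_password)
```

Note that the server must hold the secret in a recoverable form to recompute the digest, which is the trade-off CHAP makes for never sending it.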

Data Encryption

Another important feature of many remote access connections (VPN only) is that they may encrypt the data sent between the remote access server and the remote access client to secure all communications. This encryption is performed by an encryption protocol; the common encryption protocols used by Windows Server 2008 Remote Access Servers include:

- Secure Sockets Layer (SSL): an industry standard protocol for many different types of encryption (Web, email, etc.):
  - 128-bit RC4
  - 256-bit AES
- Internet Protocol Security (IPSec): an industry standard that comes in several flavors called DES (Digital Encryption Standards):
  - 56-bit DES
  - 168-bit DES (3DES)
- Microsoft Point-to-Point Encryption (MPPE): used to encrypt PPTP VPN connections; it also comes in several flavors:
  - 40-bit MPPE
  - 56-bit MPPE
  - 128-bit MPPE

NOTE: Data encryption protocols are only used if you use MS-CHAP, MS-CHAP v2 or TLS authentication protocols!

Configuring a remote access server

To prepare a Windows 2008 server such that it will accept incoming remote access connections (dial-up or VPN), you must first enable the Routing and Remote Access service by opening Start > Programs > Administrative Tools > Routing and Remote Access, right-clicking your server icon and choosing Configure Routing and Remote Access. A wizard will then prompt you for choices that define the default settings for the Routing and Remote Access service as shown below:

Selecting Remote Access server from the wizard will result in the following set of icons in the Routing and Remote Access tool:

Highlighting Remote Access Clients from above will allow you to view and disconnect remote access clients, whereas the Ports icon displays available ports for remote access clients (PPTP, L2TP, etc.). Remote access policies will be discussed in the next section and allow you to restrict access for clients based on several criteria. The Remote Access Logging folder shown above allows you to create log files; there is one local log file configured by default (%windir%\system32\logfiles\iaslog.log). As well, viewing the properties of your server object will allow you to configure general settings used by the Routing and Remote Access Service as shown below:

The Security tab allows you to configure where login requests are authenticated as well as where logging information will be sent (Windows or a RADIUS server). Furthermore, the Authentication button allows you to configure which authentication methods your remote access server will use:

To use the local network, remote access clients must have a certain IP address; the IP tab of your server properties allows you to get these IP addresses from a DHCP server (it will lease 10 IP addresses at a time for remote access clients; if a DHCP server is not available, it will use APIPA) or configure a range that is handed out to remote access clients:

The PPP tab determines whether your server will accept multilink connections, as well as whether BAP, LCP extensions (used to improve PPP communication) or compression will be used during a dial-up connection. Finally, the type of events that are written to the Windows Event Log (viewed with Event Viewer) is configured in the Event Logging tab.

Configuring a remote access client

Once a remote access server has been configured, Windows 2000/XP/Vista computers may connect to it by using the Network Connection Wizard in Network and Dial-Up Connections (double-click Make New Connection) and selecting the appropriate connection from the listing:

Remote Access Policies

To prevent unauthorized remote access clients from accessing remote access servers, Windows 2008 uses remote access policies. Remote access policies can be used to allow or deny access to remote access clients based on many different criteria. As well, remote access policies are used to enforce authentication methods, data encryption and other settings such as multilink as required by company needs; this is called the remote access policy profile.

NOTE: Unlike most configuration related to user access, remote access policies are stored on the local remote access server and not in Active Directory; hence each remote access server may be customized to provide different access to remote access clients.

If there are no remote access policies on a remote access server, then all remote access connections are denied. By default, there are 2 remote access policies on a new remote access server; the first denies all requests at all times of the day unless your user account properties allow access. The second policy is only read by RADIUS servers and does the same. If there are several policies, only the first one whose conditions the client matches is analyzed. Thus, you can simply create a new policy and move it to the top of the policy list to override the default policy. When a remote access server analyzes a policy, it first checks your user account properties in Active Directory for dial-in permissions:

- If your dial-in permission is set to Allow access, then you are allowed access.
- If your dial-in permission is set to Deny access, then you are denied access.
- For native mode Active Directory domains only, there is a third option that allows you to Control Access through Remote Access Policy; in this case, the policy is then checked to see whether you are allowed or denied.

If you are allowed access, then the connection is granted and the remote access policy profile is checked to further restrict the nature of the connection (authentication type, data encryption, connection timeout, etc.). To create a new remote access policy, simply right-click the Remote Access Policies container in Routing and Remote Access and choose to create a new remote access policy. A wizard will then appear and prompt you for conditions that match the intended clients, their permissions and remote access policy profile settings. You may change these settings later by viewing the properties of a remote access policy:

Most tabs in this property sheet are self-explanatory; however, the Encryption tab requires more in-depth examination. It displays three encryption levels by default:

- No Encryption
- Basic (can use 56-bit DES or 40-bit MPPE encryption)
- Strong (can use 56-bit DES or 56-bit MPPE encryption)
- Strongest (can use 168-bit DES or 128-bit MPPE encryption)
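The evaluation order described in this section (account dial-in permission, then the first matching policy, then the profile's encryption levels together with the earlier note that data encryption is only available with MS-CHAP, MS-CHAP v2 or TLS authentication) as an added Python model; it is not Microsoft's implementation, and the policy names, condition attributes and cipher strings are constructed for the example.

```python
from dataclasses import dataclass
# Ciphers permitted by each level on the policy's Encryption tab.
ENCRYPTION_LEVELS = {
    "No Encryption": set(),
    "Basic": {"56-bit DES", "40-bit MPPE"},
    "Strong": {"56-bit DES", "56-bit MPPE"},
    "Strongest": {"168-bit DES", "128-bit MPPE"},
}
# Data encryption is only negotiated with these authentication methods.
ENCRYPTION_CAPABLE_AUTH = {"MS-CHAP", "MS-CHAP v2", "EAP-TLS"}
@dataclass
class Policy:
    name: str
    conditions: dict        # connection attribute -> required value
    grant: bool             # permission the policy assigns when it matches
    encryption_levels: set  # levels ticked on the Encryption tab

@dataclass
class Request:
    dial_in: str            # account property: "Allow", "Deny" or "Control"
    auth_method: str
    attributes: dict        # constructed, e.g. {"tunnel": "PPTP"}
    cipher: "str | None" = None   # None when no data encryption was negotiated

def evaluate(policies, req):
    """Returns (granted, reason) in the order the notes describe."""
    if req.dial_in == "Deny":
        return False, "account dial-in permission is Deny"
    # Only the first policy whose conditions all match is ever consulted.
    policy = next((p for p in policies if all(
        req.attributes.get(k) == v for k, v in p.conditions.items())), None)
    if policy is None:  # no policies at all, or none match: denied
        return False, "no matching remote access policy"
    if req.dial_in == "Control" and not policy.grant:  # native-mode domains
        return False, "policy %s denies access" % policy.name
    # Access granted; the profile now constrains the connection itself.
    if req.cipher is None:
        if "No Encryption" not in policy.encryption_levels:
            return False, "policy %s requires data encryption" % policy.name
    elif req.auth_method not in ENCRYPTION_CAPABLE_AUTH:
        return False, "%s cannot negotiate data encryption" % req.auth_method
    elif not any(req.cipher in ENCRYPTION_LEVELS[l] for l in policy.encryption_levels):
        return False, "%s not permitted by policy %s" % (req.cipher, policy.name)
    return True, "granted by policy %s" % policy.name
# Constructed sample: a custom policy placed above the default deny-all policy.
POLICIES = [
    Policy("VPN staff", {"tunnel": "PPTP"}, True, {"Strongest"}),
    Policy("Default", {}, False, {"No Encryption", "Basic", "Strong", "Strongest"}),
]
```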
