
Hands-On Microsoft

Windows Server 2003

Chapter 9
Configuring Remote Access
Services
Objectives
• Understand Remote Access Services in
Windows Server 2003
• Configure Remote Access Services
• Implement a virtual private network
• Troubleshoot Remote Access Services
and virtual private network installations
• Connect remote users through Terminal
Services
Introduction to Remote Access
• Remote access has widespread use today
– Telecommuting and business travel
• Windows Server 2003 enables a server to
double as a remote access server
– Uses the Routing and Remote Access Services
(RRAS) to become a Remote Access Services (RAS)
server
– Can perform normal server functions while
simultaneously handling remote access needs
• A user can dial in to a RAS server, or access it
through the Internet or an intranet
Using Microsoft Remote Access
Services
• Supports the following client operating systems:
– MS-DOS, Windows 3.1, and 3.11
– Windows 95, 98, and ME
– Windows NT and 2000 (all platforms)
– Windows Server 2003 and XP Professional
• Supports the following connection types:
– Asynchronous and synchronous modems
– Null modem communications
– Cable modems
– Dial-up and high-speed leased telephone lines

Using Microsoft Remote Access
Services (cont.)
– T-carrier lines
• Dedicated leased telephone line for speeds up to 44.736
Mbps
– DSL (digital subscriber line)
• Technology using advanced modulation techniques on
regular telephone lines for speeds up to 60 Mbps
– ISDN (Integrated Services Digital Network)
• Telecommunication standard for delivering data over digital
telephone lines with a current limit of 1.536 Mbps
– Frame Relay
• WAN communications technology that relies on packet
switching and virtual connections for speeds up to 45 Mbps

Using Microsoft Remote Access
Services (cont.)
– X.25
• Older packet-switching protocol for connecting networks at
speeds up to 2.048 Mbps
• Compatible with the following network transport
and remote access protocols
– TCP/IP
– IPX
– NetBEUI
– SLIP, CSLIP
– PPP, PPTP, L2TP

Implementing Remote Access
Protocols
• Remote access protocols carry encapsulated
network packets over a WAN link
– The packet is formatted for a network transport
protocol, most commonly TCP/IP
• Serial Line Internet Protocol (SLIP)
– Older remote communications protocol
– Large packet header increases overhead
– Does not support network authentication
– Intended only for asynchronous communication
– Does not support multiple network connection layers
Configuring Remote Access
Services
• Compressed Serial Line Internet Protocol
(CSLIP)
– Like SLIP, but compresses header information before
sending packet
• Point-to-Point Protocol (PPP)
– Supports more network protocols
– Automatically negotiates communications with several
network layers at once
– Supports synchronous and asynchronous
communications
– Supports connection authentication

Configuring Remote Access
Services (cont.)
• Point-to-Point Tunneling Protocol (PPTP)
– Supplements PPP by enabling remote
communications through the Internet, intranet, or VPN
• Layer Two Tunneling Protocol (L2TP)
– Like PPTP, but allows forwarding on the basis of MAC
addressing as well as IP addressing
• PPP is the most commonly used remote access
protocol
– Available to client workstations with Windows 95 or
later

Configuring a Remote Access
Server
• Connect modems into a network either directly
or through an access server
• Set up a Windows server as a RAS server
– Configure the right protocols for dial-up connections
• Configure a DHCP relay agent
• Configure Multilink and Bandwidth Allocation
Protocols
• Configure RAS security
• Set up a dial-up and remote connection
• Configure RAS on client workstations
Installing RAS
• Use the Routing and Remote Access tool
• Select Remote access (dial-up or VPN)
• Use a DHCP server for automatic IP addressing
if available; otherwise, use APIPA
• Use a RADIUS server if setting up multiple RAS
servers, standardizing authentication and access
policies, or setting up accounting features
• Avoid using a RAS server as a router

Configuring RAS

Configuring a DHCP Relay
Agent
• When a RAS server is configured to use DHCP,
the RAS server must be designated as a DHCP
relay agent
• Give the IP address of the DHCP server
• Configure the hop count
– Maximum number of routers that an IP broadcast can
pass through between the client, RAS server, and DHCP
server
• Set the boot threshold
– Sets response time given to a local DHCP server
before a remote DHCP server is contacted
Configuring Multilink and
Bandwidth Allocation Protocol
• Multilink combines two or more communications
channels so they appear as one large channel
(aggregated links)
– Must be implemented in both client and server
• Bandwidth Allocation Protocol (BAP) is used
with Multilink to ensure a connection has enough
speed or bandwidth
– Links are dynamically dropped and added as needed
• Bandwidth Allocation Control Protocol (BACP)
– Like BAP, but selects a preferred client when two or
more clients vie for the same bandwidth
Configuring RAS Security
• User account access is protected by the
account access security that already
applies through any Group policy or
domain security policy
• Additional security options include:
– Configuring a remote access policy
– Configuring dial-up security
– Configuring clients and client protocols

Remote Access Policy
• Conditions
– Set of attributes that are compared to the attributes of
the connection type
– If all conditions are met, permissions are evaluated
• Permissions
– User account access
– Remote access policy permissions
– If permission is granted, profile settings are evaluated
• Profile
– Settings such as authentication, encryption, time
restrictions are compared
Configuring a Remote Access
Profile

Authentication and encryption
• One or a combination of both authentication and
encryption options can be chosen in the remote access
profile
• For authentication, the RAS server negotiates with the
client until it finds an authentication method that works
• Type of encryption:
– IPSec is a set of IP-based secure communications and
encryption standards created through the IETF
– MPPE is an end-to-end encryption technique using special keys
from 40 to 128 bits
– DES uses a secret key between two stations. Triple DES uses
three keys combined into one long key
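
The policy check from the Remote Access Policy slide (conditions, then permissions, then profile), combined with the profile's authentication and encryption settings, as an added example that is not from the original slides. It is a simplified model, not RRAS code: it assumes the first policy whose conditions match decides the outcome, and the policy names, attribute keys, encryption labels and sample connections are constructed.

```python
from dataclasses import dataclass

@dataclass
class Policy:
    name: str
    conditions: dict   # attribute -> set of accepted values
    grant: bool        # remote access policy permission
    auth: set          # profile: authentication methods allowed
    encryption: set    # profile: encryption levels allowed
    hours: range       # profile: hours of day when access is allowed

def evaluate(policies, user_dialin, conn):
    """Decide one connection attempt; returns (decision, reason).
    user_dialin: 'allow', 'deny', or 'policy' (defer to the policy's grant)."""
    for p in policies:
        # 1. Conditions: all must match the connection's attributes.
        if not all(conn.get(k) in ok for k, ok in p.conditions.items()):
            continue
        # 2. Permissions: user account access, then the policy permission.
        if user_dialin == "deny" or (user_dialin == "policy" and not p.grant):
            return "reject", "permission denied"
        # 3. Profile: authentication, encryption and time restrictions.
        if conn["auth"] not in p.auth:
            return "reject", "authentication method not allowed"
        if conn["encryption"] not in p.encryption:
            return "reject", "encryption level not allowed"
        if conn["hour"] not in p.hours:
            return "reject", "outside permitted hours"
        return "accept", p.name
    return "reject", "no policy matched"

# Constructed profiles: the weak one lets negotiation settle on PAP with no
# encryption; the hardened one accepts only MS-CHAP v2 or EAP, strongest level.
VPN = {"tunnel": {"PPTP", "L2TP"}}
WEAK = [Policy("weak-vpn", VPN, True, {"PAP", "CHAP", "MS-CHAPv2", "EAP"},
               {"none", "basic", "strongest"}, range(0, 24))]
HARDENED = [Policy("hardened-vpn", VPN, True, {"MS-CHAPv2", "EAP"},
                   {"strongest"}, range(6, 20))]

# Constructed connection attempts.
legacy = {"tunnel": "PPTP", "auth": "PAP", "encryption": "none", "hour": 10}
modern = {"tunnel": "PPTP", "auth": "MS-CHAPv2", "encryption": "strongest", "hour": 10}

if __name__ == "__main__":
    for label, pols in (("weak", WEAK), ("hardened", HARDENED)):
        for conn in (legacy, modern):
            print(label, conn["auth"], evaluate(pols, "policy", conn))
```

Because the server negotiates until some method works, every method and encryption level left enabled in the profile is one a client can end up using; the hardened profile rejects the legacy attempt at the profile stage.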

Configuring Dial-up
• Configure callback security at the user account
– No callback
• Server allows access on the first call attempt
– Set by caller
• Number used for callback is provided by remote computer
– Always callback to
• Number is stored on server
• Configure dial-up connections for the server
• Configure client dial-up connections to RAS

Implementing a Virtual Private
Network
• VPNs use LAN protocols and tunneling protocols
to send secure data over a public network
• Cost-effective by using local connections
• VPNs create an encrypted tunnel:
– Establishing a PPP connection with an ISP
– Establishing a second connection with the VPN server
– Client and server agree on how the data will be
encapsulated and encrypted

Setting Up a VPN Server
• Install and configure a VPN server using the
Routing and Remote Access tool
• Establish VPN server properties
– Configure a VPN as a router
• Create a VPN remote access policy and profile
settings
– Identical to those of a RAS server
• Configure the number of ports for the WAN
connection
– Both the WAN Miniport (PPTP) and the WAN Miniport
(L2TP)
Troubleshooting RAS and VPN
Installations
• Hardware solutions:
– Use Device Manager to check for problems
and resource conflicts
– Check cable or telephone line connections for
external devices
– Check internal device card connections and
reseat card if necessary
– Test wall connections separately for modem
connections
– Check configuration in external DSL devices
Troubleshooting RAS and VPN
Installations (cont.)
• Software solutions for no connections
– Make sure the RAS or VPN is enabled
– Check the port, TCP/IP, and DHCP configuration
– If using RADIUS, make sure IAS is installed
– Verify that the remote access policy and profile are
consistent with user needs
• Software solutions for limited connections
– Check dial-up connections, user account name and
password, and user permissions
– Verify that client accounts have dial-up access, correct
callback setup, and compatible modems

Terminal Services
• Terminal servers enable clients to run
services and software applications on the
server instead of the client
– Allow access from almost any client operating
system
– Enable the use of thin clients for cost
effectiveness
• Thin clients have minimal operating systems
– Centralize control of how programs are used
Terminal Services (cont.)
• When installing Terminal Services, install
Terminal Services Licensing as well to
reflect the number of user licenses
• Enable full security for servers without
older applications
• Manage Terminal Services with the
Terminal Services Manager

Configuring Terminal Services
• Use the Terminal Services Configuration tool to
configure remote connection properties
– One connection is configured for each NIC in the
server
• Set Permissions
– Full control, User access, Guest access, and special
permissions
– Set authentication to none or standard Windows
– Set encryption
• Client compatible, FIPS compliant, high, or low

Configuring Terminal Services
(cont.)
• Configure a remote desktop connection
– Create a shared folder for clients to access the setup
files
– Clients can access the folder and run the setup
program
• Configure Licensing
– Activate the server
– Contact Microsoft to activate the licenses
• Install applications on the Terminal Server
– Use the Add or Remove Programs tool
Summary
• A Windows 2003 Server configured for RAS
enables clients to remotely dial in to a server or
a network of servers
• Remote access to a Windows Server 2003
network can be through regular dial-up or
high-speed lines, Internet connections, and routers
– Remote traffic over telephone lines is transported
through PPP
– Traffic through the Internet or VPN is transported via
the PPTP and L2TP protocols

Summary
• Remote access policies for RAS and VPN
servers are used to manage server availability
and security
• A VPN server is configured using similar steps to
those used for configuring a RAS server
– One server can be configured to offer both RAS and
VPN services
• Troubleshoot both hardware and software in
RAS and VPN connections

Summary
• Terminal Services enable users to access a
server and run applications on that server
• For Terminal Services, configure each
connection (NIC) for remote connection
characteristics
– Including security, logon settings, client settings, and
environment
• Users access a terminal server by installing the
client-side software for a remote desktop
connection