Remote Access T his chapter covers the remote access services provided with Windows 2000 to enable dial-up access (client and server) for remote connectivity, including dial-up connections to the Internet. Windows 2000 RAS and Telephony Services RAS stands for Remote Access Services. In Windows 2000, RAS enables Windows 2000 clients to dial other systems for access to remote networks, including the Internet, and enables Windows 2000 computers to act as dial-up servers for remote clients. The Routing and Remote Access Service (RRAS) enables a Windows 2000 Server to function as a router. RAS and RRAS are integrated into a single service in Windows 2000. This chapter examines the features in RRAS for dial-up networking that enable a Windows 2000 computer to function as both a dial-up server and dial-up client. You’ll find a detailed explanation of the Routing and Remote Access Service and how to use it for routing in Chapter 12. The following sections provide an overview of these RAS fea- tures. Later sections explain protocol, security, and configura- tion issues. Overview of Windows 2000 RRAS Remote access enables a client computer to connect to a remote computer or network and access the resources of the remote computer or network as if they were local. For exam- ple, users who are frequently on the road can access the com- pany file server(s), printers, mail system, and other resources from remote locations. Clients also can use remote access services to connect to public networks such as the Internet. Figure 15-1 illustrates one implementation of remote access. Cross- Reference 15 15 CHAPTER ✦✦✦✦ In This Chapter Windows 2000 Remote Access Services (RAS) RAS Connection Types and Protocols Configuring RAS Configuring a VPN Server Using Multilink and BAP Using RADIUS Remote Access Policy Security Issues Configuring Dial-Up Networking Connections Using Internet Connection Sharing Troubleshooting RAS Installations Connecting to the Internet ✦✦✦✦ 4667-8 ch15.f.qc 5/15/00 2:06 PM Page 553 554 Part IV ✦ Networking and Communications Services Figure 15-1: RRAS enables remote users to connect to the local computer or network, and also supports dial-out connections from Windows 2000 clients. The Routing and Remote Access Service in Windows 2000 provides three primary functions: ✦ Dial-up client: You can use the RRAS service to create and establish dial-up connections to remote networks, including the Internet, through a variety of media, including modem, ISDN, infrared, parallel ports, serial connection, X.25, and ATM. Windows 2000 dial-up clients support a wide range of authenti- cation protocols and other connectivity options, which are discussed in depth in later sections of this chapter. Support for tunneling protocols enables clients to establish secure connections to remote networks through public networks such as the Internet. ✦ Dial-up server: A Windows 2000 server can function as a dial-up server, allow- ing remote clients to connect to the local server and optionally to the local network through the same types of media support for dial-out connections (see previous). You can also use RAS to support terminal service client ses- sions because RAS issues an IP address to the connecting clients and binds the necessary protocols to the RAS connection. RRAS Server Remote user accesses network shares and printers 4667-8 ch15.f.qc 5/15/00 2:06 PM Page 554 555 Chapter 15 ✦ Remote Access Windows 2000 supports several authentication protocols and can authenti- cate users against local or domain user accounts, or it can use RADIUS (Remote Authentication Dial In User Service), an industry standard authenti- cation mechanism. Once connected, a remote user can browse, print, map drives, and perform essentially all other functions possible from either the local server or local area network. ✦ Routing services: The routing components of RRAS enable a Windows 2000 server to function as a unicast and multicast router. Windows 2000 provides for routing, packet filtering, connection sharing, demand-dial routing, and sev- eral other features that make it an excellent choice for LAN and WAN routing. RRAS in Windows 2000 integrates the remote access and routing services that for- merly were separate services in Windows NT Server. RRAS in Windows 2000 is an extension and improvement upon Windows NT’s Routing and Remote Access Service, which was issued as an add-on for Windows NT Server. Although Windows 2000 RRAS integrates dial-up networking and routing into a single service, they are treated as separate issues in this book because of the different focus for each. One of the key benefits of Windows 2000 RRAS is its integration with the Windows 2000 operating system. On the client side, integration means that once a remote connection is established, the client can access resources on the server transpar- ently as if they were local resources. The client can map remote shares to local drive letters, map and print to remote printers, and so on. Except in very rare cir- cumstances, applications can use remote resources seamlessly without modifica- tion to make them RAS- or network-aware. On the server side, integration means that Windows 2000 can use a single authenti- cation mechanism to authenticate users both locally and from remote locations. RRAS can authenticate against the local computer’s user accounts or accounts in the domain, or it can use an external authentication mechanism such as RADIUS. Through its support for RADIUS, Windows 2000 RRAS enables a Windows 2000 server to function as a gateway of sorts to the network while offloading authentica- tion to another server, which could be any RADIUS platform including a UNIX server. RADIUS stands for Remote Authentication Dial-In User Service. RADIUS is a standard, cross-platform protocol for authentication commonly used for dial-in authentication. Windows 2000 RRAS also provides close integration with the Active Directory (AD). This AD integration provides for replication of users’ remote access settings, including access permissions, callback options, and security policies, among others. AD integration also means simplified administration with other AD-related services and properties. Note 4667-8 ch15.f.qc 5/15/00 2:06 PM Page 555 556 Part IV ✦ Networking and Communications Services As you’ll learn later in the section “RAS Connection Types and Protocols,” Windows 2000 RRAS supports a wide range of connection protocols, including PPP, SLIP, and Microsoft RAS Protocol. Windows 2000 RRAS supports authentication methods, including MS-CHAP, EAP, CHAP, SPAP, and PAP. Network protocols supported include TCP/IP, IPX/SPX, NetBEUI, and AppleTalk to support Microsoft, UNIX, NetWare, and Macintosh resources and clients. New Features of Windows 2000 RRAS If you’re familiar with RAS or RRAS in Windows NT, you’ll find all of those same fea- tures in Windows 2000 RRAS. You’ll also find several enhancements to existing features along with many new features, including those discussed in the following sections. AD integration As mentioned previously, Windows 2000 RRAS integrates with the Active Directory. AD integration enables client settings to be replicated throughout the organization to provide expanded access by clients and easier administration. Integration with the AD also can simplify administration by enabling you to browse and manage multiple RRAS servers through the AD-aware RRAS management console snap-in, providing a single point of management for RRAS services in an organization. Bandwidth Allocation Protocol and Bandwidth Allocation Control Protocol The Bandwidth Allocation Protocol (BAP) and Bandwidth Allocation Control Protocol (BACP) enable Windows 2000 RAS to dynamically add or remove links in a multilink PPP connection as bandwidth requirements for the connection change. When bandwidth utilization becomes heavy, RAS can add links to accommodate the increased load and enhance performance. When bandwidth utilization decreases, RAS can remove links to make the connection more cost efficient. You configure BAP policies through a remote access policy that you can apply to individual users, groups, or an entire organization. MS-CHAP version 2 Previous versions of RAS supported Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) to authenticate remote clients. MS-CHAP v2 provides stronger security and is designed specifically to support Virtual Private Network (VPN) con- nections, which enable remote clients to establish secure connections to a private network through a public network such as the Internet. MS-CHAP v2 provides sev- eral security enhancements: ✦ LAN Manager coding of responses, formerly supported for backward compati- bility with older remote access clients, is no longer supported for improved security. MS-CHAP v2 no longer supports LAN Manager encoding of password changes for the same reason. 4667-8 ch15.f.qc 5/15/00 2:06 PM Page 556 557 Chapter 15 ✦ Remote Access ✦ MS-CHAP v2 supports mutual authentication, which provides bi-directional authentication between the remote client and the RAS server. Previously, MS- CHAP only provided one-way authentication and did not provide a mechanism for the remote client to determine if the remote server actually had access to its authentication password for verification. Version 2 not only enables the server to authenticate the client’s request, but also allows the client to verify the server’s ability to authenticate its account. ✦ MS-CHAP v2 also provides stronger encryption. The 40-bit encryption used in previous versions operated on the user’s password and resulted in the same cryptographic key being generated for each session. Version 2 uses the remote client’s password, along with an arbitrary challenge string, to create a unique cryptographic key for each session, even when the client password remains the same. ✦ Version 2 provides better security for data transmission, using separate cryptographic keys for data sent in each direction. Extensible Authentication Protocol The Extensible Authentication Protocol (EAP) enables authentication methods to be added to RAS without redesigning the underlying RAS software base, much like new features in NTFS 5.0 enable new functionality to be added to the file system without redesigning the file system (see Chapter 21 for a complete discussion). EAP enables the client and server to negotiate the mechanism to be used to authenticate the client. Currently, EAP in Windows 2000 supports EAP-MD5 CHAP (Challenge Handshake Authentication Protocol), EAP-TLS (Transport Level Security), and redirection to a RADIUS server. Each of these topics is covered in more detail later in this chapter. RADIUS support Windows 2000 RRAS can function as a RADIUS client, funneling logon requests to a RADIUS server, which can include the Internet Authentication Service, also included with Windows 2000, running on the same or a different server. The RADIUS server doesn’t have to be a Windows 2000 system, however, which enables RRAS to also use UNIX-based RADIUS servers or third-party RADIUS services you might already have in place. One of the advantages to using RADIUS is its capability for account- ing, and several third-party utilities have been developed to provide integration with database back-ends such as SQL Server to track and control client access. See the section “Using RADIUS” later in this chapter for detailed information on configuring and using RADIUS. Remote access policies Windows 2000 improves considerably on the flexibility you have as an administra- tor to control a user’s remote access and dial-up settings. Windows NT RAS gave you control only over callback options, and settings were assigned on a user-by- user basis. Although Windows 2000 still lets you assign remote access permissions Cross- Reference 4667-8 ch15.f.qc 5/15/00 2:06 PM Page 557 558 Part IV ✦ Networking and Communications Services through a user’s account, you also can use a remote access policy to define the remote access settings for one or several users. Remote access policies give you a fine degree of control over users’ settings, controlling options such as allowed access time, maximum session time, authentication, security, BAP policies, and more. See the section “Remote Access Policy” later in this chapter for additional infor- mation on configuring and using RAS policies. Support for Macintosh clients Windows 2000 adds remote access support for Macintosh clients by supporting AppleTalk over PPP for Macintosh clients. This enables Macintosh clients to connect to a Windows 2000 RAS server using the standard PPP and AppleTalk protocols. Account lockout Windows 2000 RAS enhances security by supporting account lockout, which locks a RAS account after a specified number of bad logon attempts. This feature helps guard against dictionary attacks in which a hacker attempts to gain remote access by repeatedly attempting logon using a dictionary of passwords against a valid account. You can configure two settings that control lockout — the number of bad logon attempts before the account is locked out, and how long the account remains locked before the lockout counter is reset. The Routing and Remote Access Management Console Microsoft has integrated most administration and management functions into Microsoft Management Console (MMC) snap-ins, and RRAS is no exception. The Routing and Remote Access console snap-in enables you to configure and manage an RRAS server. Figure 15-2 shows the Routing and Remote Access console. Figure 15-2: The Routing and Remote Access console Cross- Reference 4667-8 ch15.f.qc 5/15/00 2:06 PM Page 558 559 Chapter 15 ✦ Remote Access The RRAS console serves as a central control center for managing most RRAS prop- erties. In addition to configuring ports and interfaces, you can configure protocols, global options and properties, and RRAS policies through the RRAS console. Later sections of this chapter explain how to use the RRAS console to perform specific configuration and administration tasks. Open the console by choosing Start ➪ Programs➪ Administrative Tools ➪ Routing and Remote Access. RAS Connection Types and Protocols Windows 2000 supports several connection types and network protocols for remote access. The following sections explore these connection types and network protocols. Serial Line Internet Protocol The Serial Line Internet Protocol (SLIP) is a connection protocol that originated in the UNIX realm. SLIP offers limited functionality in that it does not support error detection or correction. Windows 2000 clients can use SLIP to connect to UNIX servers (or other servers requiring SLIP), but Windows 2000 Server does not support SLIP for dial-in connections. Point-to-Point Protocol The Point-to-Point Protocol (PPP) was developed as a standardized alternative to SLIP that offered better performance and reliability. Unlike SLIP, PPP is designed around industry-designed standards and enables essentially any PPP-compliant client to connect to a PPP server. Windows 2000 supports PPP for both dial-in and dial-out connections. On a Windows 2000 RAS server, PPP enables remote clients to use IPX, TCP/IP, NetBEUI, AppleTalk, or a combination thereof. Windows-based clients including Windows 2000, Windows NT, Windows 9x, and Windows 3.x can use any combination of IPX, TCP/IP, or NetBEUI, but AppleTalk is not supported for these clients. Macintosh clients can use either TCP/IP or AppleTalk. PPP supports several authentication protocols, including MS-CHAP, EAP, CHAP, SPAP, and PAP. Microsoft RAS Protocol The Microsoft RAS Protocol is a proprietary protocol developed by Microsoft to support NetBIOS and is used for Windows NT 3.1, Windows for Workgroups, MS- DOS, and LAN Manager remote access. Clients must use the NetBEUI protocol, and the remote access server acts as a NetBIOS gateway for the client, supporting NetBEUI, NetBIOS over TCP/IP, and NetBIOS over IPX. The Microsoft RAS Protocol is provided for backward compatibility with older Microsoft operating platforms. Unless you are connecting to one of these older systems, choose PPP as your con- nection protocol. 4667-8 ch15.f.qc 5/15/00 2:06 PM Page 559 560 Part IV ✦ Networking and Communications Services Point-to-Point Multilink Protocol and BAP The Point-to-Point Multilink Protocol (PPMP, or simply Multilink) enables multiple PPP lines to be combined to provide an aggregate bandwidth. For example, you might use Multilink to combine two analog 56Kbps modems to give you an aggre- gate bandwidth roughly equivalent to 112Kbps. Or, you might combine both B channels of an ISDN Basic Rate Interface (BRI) connection to provide double the bandwidth you would otherwise get from a single channel. The Bandwidth Allocation Protocol (BAP) works in conjunction with Multilink to provide adaptive bandwidth. As bandwidth utilization increases, BAP enables the client to aggregate additional connections to increase bandwidth and improve per- formance. As bandwidth utilization decreases, BAP enables the client to drop con- nections from the aggregate link to reduce connection costs (in cases where multiple connections incur their own charges). See the section “Using Multilink and BAP” later in this chapter to configure and use multilink connections. Point-to-Point Tunneling Protocol The TCP/IP protocol suite by itself does not provide for encryption or data security, an obvious concern for users who need to transmit data securely across a public network such as the Internet. The Point-to-Point Tunneling Protocol (PPTP) pro- vides a means for encapsulating and encrypting IP and IPX for secure transmission. PPTP is an extension of PPP that enables you to create a Virtual Private Network (VPN) connection between a client and server. PPP frames in a PPTP session are encrypted using Microsoft Point-to-Point Encryption (MPPE) with encryption keys generated using the MS-CHAP or EAP-TLS authentication process. PPTP by itself does not provide encryption, but rather encapsulates the already encrypted PPP frames. In order to provide a secure con- nection, the client must use either MS-CHAP or EAP-TLS authentication. Otherwise, the PPP frames are encapsulated unencrypted (plain text). Figure 15-3 illustrates how PPTP encapsulates data. PPTP is installed by default when you install Windows 2000 RRAS. PPTP is a good choice for creating secure connections to a private network through a public network such as the Internet when the remote network isn’t con- figured to support IPSec. Layer Two Tunneling Protocol Layer Two Tunneling Protocol (L2TP) is a draft protocol that combines the features of PPTP with support for IP Security (IPSec) to provide enhanced security. Unlike Tip Cross- Reference 4667-8 ch15.f.qc 5/15/00 2:06 PM Page 560 561 Chapter 15 ✦ Remote Access PPTP, which relies on MPPE for encryption, L2TP relies on IPSec to provide encryp- tion. Therefore, the source and destination routers must support both L2TP and IPSec. Figure 15-3 illustrates how L2TP encapsulates data. L2TP is installed by default when you install Windows 2000 RRAS. Figure 15-3: PPTP and L2TP use different methods for encapsulation and encryption. L2TP provides better security than PPTP by supporting IPSec and is a better choice for creating VPN connections than PPTP when the remote network is configured to support IPSec. See Chapter 3 for a discussion of Windows 2000 security and IPSec. Transport Protocols As mentioned previously in this chapter, RRAS supports four network protocols: TCP/IP, IPX, NetBEUI, and AppleTalk. A Windows 2000 RAS server supports all four protocols for incoming connections. Windows 2000 RAS clients support all except AppleTalk. When you install RRAS, Windows 2000 enables all currently installed protocols for incoming and outgoing RAS connections. As you’ll learn later in the section “Configuring RAS for Incoming Connections,” you can configure the sup- ported protocols to enable clients to access only the RAS server or access the LAN. You configure access on a protocol-by-protocol basis. TCP/IP As a dial-out protocol, TCP/IP enables you to connect a Windows 2000 client to nearly any TCP/IP-based network including the Internet. You can statically assign the IP address, subnet mask, default gateway, and other settings for the dial-out connection or allow the remote server to assign the connection properties. As a Tip IP Header GRE Header PPP Header PPP Payload including IP datagram, IPX datagram, NetBEUI frame UDP Header L2TP Header IP Header Encrypted by IPSec Encrypted by MPPE L2TP PPTP IPSec ESP Header IPSec ESP Trailer IPSec Auth. Trailer PPP Header PPP Payload including IP datagram, IPX datagram, NetBEUI frame 4667-8 ch15.f.qc 5/15/00 2:06 PM Page 561 562 Part IV ✦ Networking and Communications Services protocol for incoming connections, TCP/IP enables essentially any client that sup- ports TCP/IP and PPP to connect to a Windows 2000 RAS server. As you’ll learn later in the section “Configuring RAS for Incoming Connections,” you can allocate addresses from a static pool or use DHCP to allocate addresses and other connec- tion properties to remote clients. In addition, clients can request a predefined IP address (defined at the client side through the connection properties). IPX The IPX protocol is used primarily in environments where Novell NetWare clients or servers are used. Support for IPX enables a Windows 2000 RAS server to coexist with NetWare servers and enables clients to access NetWare resources through the RAS connection. A Windows 2000 RAS server hosting IPX also serves as an IPX router, handling RIP, SAP, and NetBIOS traffic between the local network and the remote client. In addition to using the IPX protocol, the remote client must run a NetWare redirector. The server must be running the IPX/SPX/NetBIOS-compatible protocol. The Windows 2000 Professional NetWare redirector is Client Service for NetWare. In Windows 2000 Server, the redirector is Gateway Service for NetWare. A Windows 2000 RAS server allocates IPX network numbers and node numbers to connecting clients. The server can generate the IPX network number automatically or, as it can for TCP/IP, allocate numbers from a static pool assigned by an adminis- trator. If assigning a number dynamically, the server first verifies that the number is not already in use on the network. The server then allocates that number to all remote access clients. Assigning the same network number to all clients reduces RIP announcements from the RAS server. NetBEUI NetBEUI is a good protocol choice for small, non-routed networks (NetBEUI is not a routable protocol). Because it is non-routable, NetBEUI can offer some measure of security for a private network that is connected to the Internet. Internal systems that don’t require Internet access can use NetBEUI and be invisible to computers on the Internet. Supporting NetBEUI for Windows 2000 RAS enables NetBEUI clients to dial into the RAS server and gain access to resources shared on the server or on the network by other NetBEUI clients. However, NetBEUI clients will need access to a WINS server on the network where they connect to resolve IP-addressed resources. AppleTalk The AppleTalk protocol is used by Macintosh network clients. Windows 2000 RAS supports AppleTalk to enable remote Macintosh clients to connect to the server and access resources shared by the server or other AppleTalk clients on the net- work. In order to use AppleTalk for RAS dial-in, you must install the AppleTalk protocol on the RAS server. Note 4667-8 ch15.f.qc 5/15/00 2:06 PM Page 562 [...]... To learn more about unauthenticated access, open the RRAS console, open Help, and open the topic Remote Access/ Concepts/ Remote Access Security/Unauthenticated Access Disabling Routing (Remote Access Server Only) If you’re using RRAS to only provide dial-in remote access and don’t require routing, you can disable routing and allow the server to function as a remote access server only This reduces some... Remote Access Policy Although you can rely on global settings on the RRAS server to provide security and enable/disable access, you will find that you have much greater control over remote clients through the use of remote access policies Like other group policies, remote access policies enable you to configure access on a user, group, or global basis Windows 2000 RRAS by default creates a single remote. .. to deny access Double-click the policy and note that the option “Deny remote access permission” is selected This setting applies unless overridden by per-user settings in each user’s account, which effectively disables access for all users unless their accounts are configured to allow access Selecting the option “Grant remote access permission” for this policy enables all users to gain remote access. .. by default creates a single remote access policy You can modify this policy and/or create additional policies to suit your needs You mange remote access policies through the RRAS console In the console, open the server to be managed and then open the Remote Access Policies branch The right pane shows the configured remote access policies The default policy, “Allow access if dial-in permission is enabled,”... must configure the applicable remote access policy to allow the user to request a pre-assigned IP address Second, you must specify the address in the user’s account properties CrossReference You configure the remote access policy through the RRAS console See the section Remote Access Policy” later in this section for detailed information on configuring and managing remote access policies Where you modify... the Remote Access Policy branch to disappear from the RRAS console for the selected RRAS server This is because the remote access policies on the RADIUS server take precedence Also, configuring RRAS to use RADIUS accounting causes the Remote Access Logging branch to disappear from the console, as logging is handled by the RADIUS server 4667-8 ch15.f.qc 5/15/00 2:06 PM Page 585 Chapter 15 ✦ Remote Access. .. denies access In this example, click Add, select Windows-Groups, and click Add Select the Sales group ➪ OK ➪ Next ✦ Grant/Deny: Select which action is applied to the selected criteria In this example, we want the Sales group granted access, so select “Grant remote access permission.” If you wanted to explicitly prevent the Sales group from using remote access, you would instead select the “Deny remote access. .. second step is to enable multilink in the appropriate remote access policy The default policy allows all clients to use the settings defined globally for the RRAS 4667-8 ch15.f.qc 5/15/00 2:06 PM Page 583 Chapter 15 ✦ Remote Access server, so enabling multilink and BAP for the server enables it for all remote clients unless modified by a remote access policy If you want to restrict the use of multilink... if necessary, configure the remote client’s remote access policy to allow EAP, as explained later in the section Remote Access Policy.” Finally, configure the client to use the appropriate EAP type See the section “Configuring Outgoing Dial-Up Networking Connections” in this chapter for a detailed explanation 4667-8 ch15.f.qc 5/15/00 2:06 PM Page 573 Chapter 15 ✦ Remote Access Configuring EAP-RADIUS... RRAS; deselect to prevent remote clients from using IPX for remote connections ✦ Enable network access for remote clients and demand-dial connections: Select this option to allow remote IPX clients to access IPX-based resources (NetWare servers, for example) on the LAN to which the RRAS server is connected; deselect to allow remote IPX clients only access to resources on the RRAS server ✦ Automatically: . Remote Access T his chapter covers the remote access services provided with Windows 2000 to enable dial-up access (client and server) for remote. user’s account, you also can use a remote access policy to define the remote access settings for one or several users. Remote access policies give you a fine