Remote Access

•      Enables users to connect to your network from remote locations (working from home, on the road)

•      Can act as a router

Two methods to gain access:

–   Dial-in directly over the telephone system
Direct physical connection between machines
Needs phone modem

–   Tunnel through the internet
Virtual Private Network (VPN)
Needs Internet connection

Configuring the server

•      Routing and remote access must be enabled

Granting/Denying Remote Access

•      The user is granted/denied remote access according to 3 things:
The user’s account properties
The remote access policy (RAP)
The remote access policy profile

•      If the user fails any of these then access is denied

RADIUS server
Remote Authentication Dial-In User Service

•      If you install IAS (Internet Authentication Service) on a Win2K server it can function as a RADIUS server

•      A RADIUS server can act as the central authentication point for all the dial-in servers on a network

•      Saves configuring policies on all the dial-in servers

Dialing-in

•      Win2K’s Routing and Remote Access Service supports two protocols for the connection

–  Serial Line Interface Protocol (SLIP)
hardly used, supports legacy systems

–  Point-to-Point Protocol (PPP)
supports IP, IPX, AppleTalk

Authentication

•      Secure user authentication is obtained through an encrypted exchange of credentials, using PPP with the following authentication protocols:

–  Extensible Authentication Protocol (EAP)

–  Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)

–  Challenge Handshake Authentication Protocol (CHAP)

–  Shiva Password Authentication Protocol (SPAP)
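
How the CHAP challenge handshake listed above proves knowledge of the password without sending it, as an added example that is not part of the original notes. The response computation follows RFC 1994; the Authenticator class, the user name and the secret are constructed for illustration.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: MD5 over the Identifier octet, the shared secret, the Challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """Answering side: the dial-in server (or the RADIUS server behind it)."""

    def __init__(self, secrets):
        self.secrets = secrets   # user name -> shared secret (constructed values)
        self.pending = {}        # identifier -> challenge still awaiting a response
        self.next_id = 0

    def challenge(self):
        ident, self.next_id = self.next_id, (self.next_id + 1) % 256
        self.pending[ident] = os.urandom(16)   # fresh, unpredictable per attempt
        return ident, self.pending[ident]

    def verify(self, ident, user, response):
        value = self.pending.pop(ident, None)  # each challenge is accepted once
        secret = self.secrets.get(user)
        if value is None or secret is None:
            return False
        return hmac.compare_digest(chap_response(ident, secret, value), response)


def demo():
    """Run one good login, two replays and one wrong password."""
    secret = b"constructed-shared-secret"
    server = Authenticator({"alice": secret})
    ident, value = server.challenge()
    good = chap_response(ident, secret, value)        # computed by the caller
    results = {"valid": server.verify(ident, "alice", good)}
    results["replay_same_id"] = server.verify(ident, "alice", good)
    ident2, _ = server.challenge()
    results["replay_new_challenge"] = server.verify(ident2, "alice", good)
    ident3, value3 = server.challenge()
    guess = chap_response(ident3, b"wrong-password", value3)
    results["wrong_secret"] = server.verify(ident3, "alice", guess)
    return results


if __name__ == "__main__":
    print(demo())
```

Only the first attempt succeeds: a recorded response is useless once the server issues a new challenge. The response is still a plain hash over the secret, so the shared secret should be long and random.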

Security

•      PPP can use encryption

•      Callback
Server calls the user back at a specified number

•      Caller ID
Server checks the user is calling from a specified number

VPNs

•      Win2K server supports VPN access using

–  PPTP (Point-to-Point Tunneling Protocol)
extension of PPP; encapsulates PPP packets (which can be encrypted) in IP packets; needs an IP network

–  L2TP (Layer 2 Tunneling Protocol)
encapsulates PPP packets for sending over IP, X.25, Frame Relay, or ATM networks; needs IPSec for encryption

Routing

If your server has an extra NIC you can configure it as a router. If it has a modem you can configure it for demand-dial routing: two networks are separated by a phone line, and your server acts as the router between them, dialing the other network as needed.

 

Last Updated 21 February, 2004
