Connecting Remote Users to Your Network

Abstract

Businesses today want access to their information on the corporate network from anywhere and at any time. Whether employees are on the road with customers or working from home, providing them with remote access to the corporate network is becoming critical. This guide outlines how Windows 2000 can provide telecommuters and mobile computing professionals with access to their private corporate network resources. With integrated dial-up services and virtual private networking, Windows 2000 provides a complete remote access solution for medium-sized networks.

On This Page

Introduction
Selecting a Remote Access Solution
Setup for Dial-up Remote Access Servers
Setup for Virtual Private Networking Servers
Configuring Dial-up Remote Access and Virtual Private Networking
Setting Remote Access Permissions
Client Configuration and Deployment
Summary
For More Information

Introduction

Businesses today want access to their information anywhere, at any time. Whether on the road with customers or working from home, employees’ need for remote access to the corporate network is becoming critical. Windows 2000 makes it easier to let employees securely connect to the corporate network by integrating the latest remote access technology.

Using the remote access services of Windows 2000 Server, you can configure remote access servers that provide connectivity to the corporate network for authorized users. This transparent connection allows remote access clients to access resources from remote locations as if they were physically attached to the network.

Windows 2000 remote access provides two different types of remote access connectivity:

  1. Dial-up remote access
    To gain access to the network with dial-up remote access, a remote access client uses the public telephone network to create a physical connection to a port on a remote access server that sits on the “edge” of the private network. This is typically done by using a modem or ISDN adapter to dial into your remote access server.

  2. Virtual private network (VPN) remote access
    A VPN can provide secure remote access through the Internet, rather than through direct dial-up connections. A VPN client uses an IP internetwork to create an encrypted, virtual, point-to-point connection with a VPN gateway that exists on the “edge” of the private network. This is typically done by connecting to the Internet first, and then creating the VPN connection. By using the Internet in this way, companies can reduce their long distance phone expenses and rely on existing infrastructure instead of managing their own.

Note: Dial-up Remote Access Servers are often referred to as RAS servers. VPN Gateways and VPN Servers are used synonymously.

This guide outlines the steps needed to set up remote access with Windows 2000, and discusses deploying remote access clients. If you have already upgraded your Windows NT 4.0 Remote Access Server to Windows 2000, it should already be working for your remote users. In that case, this document may serve only as a guide for setting up another remote access server or virtual private networking server.

Scenario Requirements

Depending on the type of remote access solution, you will need to coordinate with your local telecommunications company or Internet service provider (ISP) to set up remote client connection information. If you are planning to deploy a dial-up solution, your Telco can install telephone lines that ring directly to your modem(s). If you are planning to deploy a VPN solution, your ISP will need to assign a public IP address to your VPN server and pass the traffic that PPTP uses: TCP port 1723 for the control connection and GRE (IP protocol 47) for the tunneled data. An ISP or firewall that passes TCP 1723 but blocks GRE produces connections in which the control connection succeeds but the PPP negotiation never completes, so verify both before you deploy clients.

To configure the server as a RAS/VPN server, you will need to install Routing and Remote Access Services (RRAS), which is included with the optional Windows 2000 components. To install this component on your Windows 2000 Server, click Start, point to Programs, point to Administrative Tools, click Configure your server, click Networking and click Routing. Follow the instructions on this page to install RRAS. You must have administrator rights to complete this setup.

Scenario Tasks

In this guide you perform the following tasks.

Setup and Management Tasks

  • Deciding what type of remote access your users will need

  • Setting up the necessary hardware for a dial-up remote access server

  • Setting up the necessary hardware for a virtual private networking server

  • Configuration of the remote access server and virtual private networking server

  • Virtual private networking considerations

  • Setting remote access permissions

  • Client configuration and deployment

Selecting a Remote Access Solution

When deciding on a remote access solution, you should evaluate your remote access needs and understand the benefits and features of Direct Dial and VPN remote access. Companies may choose to use a single method for remote access or deploy both as complementing technologies. For example, some companies have deployed VPN as their primary remote access connection and fall back to Dial-up connections when Internet access is unavailable.

Dial-up Remote Access

Dial-up Remote Access will meet the needs of companies that have a small remote user population, that are satisfied with analog or ISDN performance, or whose remote users stay within the local calling area. In a company where the remote user population and long distance telephone expenses are growing quickly, or where there is a need for broadband support, administrators should consider a VPN solution.

VPN Remote Access

Companies that want to lower their remote access cost and increase their network flexibility can take advantage of VPN Remote Access. Traveling employees can use the same modem they used for long distance dial-up, and leverage the Internet by dialing the local ISP for a virtual connection back to the corporate network. This eliminates the long distance charges or toll calls associated with a dial-up connection.

While this minimizes the dial-up cost for traveling employees, all VPN users can benefit from the technology’s flexible connection medium support. VPNs support analog modems and ISDN as well as dedicated broadband connections like cable and DSL.

Setup for Dial-up Remote Access Servers

In order to support dial-up modem connections into your network, you will need to have your telephone company install a phone line for each analog modem that accepts incoming calls. Your remote access clients will dial these dedicated phone numbers to connect their computer to the remote access server.

In addition, each server-side modem requires a serial port on the remote access server. If you only want to use one or two modems, you can just use the built-in serial ports on your remote access server or install a few PCI or ISA internal modems.

Note: Typically, dial-up connections are made by using analog modems or ISDN. If you are going to support ISDN dial-up as well, you will need ISDN lines installed at your company and the same number of ISDN adapters for the number of ISDN lines installed.

If you require more than two modems in your pool, you will need to use a multi-port serial adapter or a high-density combination card. Multi-port serial adapters allow you to connect a large number of analog modems or ISDN modems to one remote access server. A multi-port serial adapter allows you to install one PCI or ISA card in your computer and create a large number of serial ports (4, 8, 16, 64, etc) for your modems. A high-density combination card combines multiple modems and serial adapters into one device.

For more information on analog modems, ISDN modems and ISDN adapters, and multi-port serial adapters supported in Windows 2000, see the Hardware Compatibility List at https://www.microsoft.com/whdc/hcl/default.mspx?gssnb=1.

Analog modems and ISDN Terminal Adapters are normally installed and configured in Start, Settings, Control Panel, Phone and Modem Options. Many modems are Plug and Play compatible and will be installed automatically after they are connected to a serial port and the computer is either rebooted or the Add New Hardware wizard is run from Control Panel.

Here is how a typical setup may look with multiple modems installed on a multi-port serial adapter with 8 ports.

[Figure 1]

For more information on installing ISDN hardware or analog modems in Windows 2000, please see the Windows 2000 Help.

Setup for Virtual Private Networking Servers

To allow VPN clients access to your network, you will need to set up a VPN server that is attached to your internal network as well as to the Internet, as shown in the figure below. This is commonly done by connecting one network interface card (NIC) in the VPN server to your company network, and connecting another network card to the Internet. The Internet connection can be a dedicated link such as a cable modem or DSL, or a dial-up or ISDN link.

In this document, for the purposes of setting up a VPN gateway, we assume your Windows 2000-based server is connected to the LAN and has a dedicated DSL connection to the Internet.

We also assume the ISP has pre-assigned a static public IP address that is associated with the external NIC. The internal NIC that connects our VPN server to the private network has a statically configured IP address that is excluded from your DHCP address pool.

Windows 2000 supports two types of remote access VPN technology: Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol over IP Security (L2TP/IPSec). This guide focuses on providing basic VPN remote access through PPTP. Keep in mind that the confidentiality of a PPTP tunnel rests on MPPE, whose keys are derived from the MS-CHAP exchange: accept only MS-CHAP v2 (not PAP, CHAP or MS-CHAP v1), require encryption in the remote access policy, and insist on strong passwords, since an attacker who captures the authentication exchange can attack a weak password offline. L2TP/IPSec requires advanced knowledge of encryption and authentication technologies including public key infrastructure (PKI) and is not covered in this guide. For more information on using L2TP and IPSec, please see the Windows 2000 Server Help and the Windows 2000 Resource Kit.

[Figure 2]

Configuring Dial-up Remote Access and Virtual Private Networking

Overview

Depending on your remote access needs, you can deploy dial-up and VPN services on the same machine or separate them onto dedicated servers. For the examples in this document, we configure one Windows 2000 Server as a combined dial-up remote access server and VPN server.

As a best practice, Microsoft recommends that the Domain Controller and the RAS Server/VPN Gateway operate on separate servers. To increase the security of your remote access server, Windows 2000 provides packet filters that keep unwanted Internet traffic from reaching your server; on a dedicated PPTP server the filters on the Internet interface can be restricted to TCP port 1723 and GRE (IP protocol 47), so that nothing else on that interface is reachable from the Internet. In addition, a separate VPN server allows you to expand your usage by supporting more remote access clients or setting up advanced configuration options such as demand-dial routing or LAN routing. If you decide to configure VPN on the Domain Controller, Microsoft recommends that you read the Windows 2000 Help on VPN filters and have a good understanding of IP filtering.
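The two requirements above, that TCP port 1723 and GRE reach the VPN server and that the server's own filters admit nothing else, are easy to get half right. The following script is an added example, not part of the original guide: it builds the first message a PPTP client sends on TCP 1723 (the Start-Control-Connection-Request of RFC 2637) and parses the server's Start-Control-Connection-Reply, so you can confirm that the port reaches a PPTP service rather than merely an open socket. The sample reply, the server name "LITWARE-1" and the vendor string are constructed for the example. GRE is not exercised here and must be checked separately, since a filter that passes 1723 but drops GRE is the most common cause of a VPN that connects and then stalls.

```python
"""PPTP control-channel probe for a Windows 2000 RRAS VPN server.

Added example; not part of the original guide. Builds an SCCRQ (RFC 2637
section 2.1), parses the SCCRP, and reports whether the server accepted
the control connection. Only TCP 1723 is exercised; GRE (IP protocol 47)
carrying the tunnelled PPP frames must be verified separately.
"""
import socket
import struct
import sys

PPTP_PORT = 1723
MAGIC_COOKIE = 0x1A2B3C4D   # fixed value carried in every PPTP control message
CTRL_MESSAGE = 1            # PPTP message type: control message
SCCRQ, SCCRP = 1, 2         # control message types used here
PROTOCOL_VERSION = 0x0100   # PPTP version 1.0
RESULT_TEXT = {1: "successful", 2: "general error",
               3: "command channel already exists",
               4: "not authorized", 5: "unsupported protocol version"}


def build_sccrq(hostname=b"vpn-client", vendor=b"added-example"):
    """Return the fixed 156-byte SCCRQ: 12-byte header, 16-byte body, two 64-byte strings."""
    header = struct.pack("!HHIHH", 156, CTRL_MESSAGE, MAGIC_COOKIE, SCCRQ, 0)
    body = struct.pack("!HHIIHH", PROTOCOL_VERSION, 0,
                       0x3,   # framing capabilities: asynchronous and synchronous
                       0x3,   # bearer capabilities: analog and digital
                       1,     # maximum channels (a client needs one)
                       0)     # firmware revision
    return header + body + hostname[:64].ljust(64, b"\x00") + vendor[:64].ljust(64, b"\x00")


def parse_sccrp(data):
    """Decode an SCCRP and report whether the server accepted the control connection."""
    if len(data) < 156:
        raise ValueError("short SCCRP: %d bytes" % len(data))
    (_length, msg_type, cookie, ctrl_type, _reserved,
     version, result, error, _framing, _bearer, max_channels, firmware) = struct.unpack(
        "!HHIHHHBBIIHH", data[:28])
    if msg_type != CTRL_MESSAGE or cookie != MAGIC_COOKIE:
        raise ValueError("not a PPTP control message")
    if ctrl_type != SCCRP:
        raise ValueError("expected SCCRP (2), got control message type %d" % ctrl_type)
    return {
        "ok": result == 1,
        "result": RESULT_TEXT.get(result, "unknown (%d)" % result),
        "error_code": error,
        "version": "%d.%d" % (version >> 8, version & 0xFF),
        "max_channels": max_channels,
        "firmware": firmware,
        "hostname": data[28:92].rstrip(b"\x00").decode("ascii", "replace"),
        "vendor": data[92:156].rstrip(b"\x00").decode("ascii", "replace"),
    }


def sample_sccrp(result=1, hostname=b"LITWARE-1", vendor=b"Microsoft"):
    """Constructed reply in the shape a server sends; used for the offline demonstration."""
    header = struct.pack("!HHIHH", 156, CTRL_MESSAGE, MAGIC_COOKIE, SCCRP, 0)
    body = struct.pack("!HBBIIHH", PROTOCOL_VERSION, result, 0, 0x3, 0x3, 1, 0)
    return header + body + hostname.ljust(64, b"\x00") + vendor.ljust(64, b"\x00")


def probe_pptp(host, timeout=5.0):
    """Connect to TCP 1723, send an SCCRQ and parse the reply (needs network access)."""
    with socket.create_connection((host, PPTP_PORT), timeout=timeout) as sock:
        sock.sendall(build_sccrq())
        reply = b""
        while len(reply) < 156:
            chunk = sock.recv(156 - len(reply))
            if not chunk:
                raise ValueError("server closed the control connection after %d bytes"
                                 % len(reply))
            reply += chunk
    return parse_sccrp(reply)


if __name__ == "__main__":
    # With a host argument the probe runs for real; without one it decodes the sample reply.
    info = probe_pptp(sys.argv[1]) if len(sys.argv) > 1 else parse_sccrp(sample_sccrp())
    print("PPTP control connection %s: server %r (%s), version %s, result: %s" % (
        "accepted" if info["ok"] else "refused", info["hostname"], info["vendor"],
        info["version"], info["result"]))
```

Run it with the public address of the VPN server as the argument from outside the company network. A refusal with result "not authorized" or a closed connection is still a useful answer: it shows the control channel is reachable and the fault lies elsewhere, typically GRE filtering or the remote access permission discussed later in this guide.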

Enable Remote Access on an Internet Connection Server

A Windows 2000 Server can be configured as an Internet connection server that provides access to the Internet and shares this connection with local area network clients. This Internet connection server can be enabled as a remote access server.

  1. Open the Routing and Remote Access tool from the Administrative Tools folder on the Start Menu.

  2. Right click on the server name (ex. LITWARE-1) and select Properties.

  3. Check the Remote Access Server box and click OK.

    [Figure 3]

Your Internet connection server is now capable of handling remote access and VPN. Click Finish to complete the configuration.

Configuring Remote Access Services

To configure a dial-up RAS and VPN gateway on a Windows 2000 Server

  1. Open the Routing and Remote Access tool from the Administrative Tools folder on the Start Menu.

    When you open the tool for the first time, you will see your server name listed in the left pane with instructional text in the right pane.

    [Figure 4]

  2. To run a wizard to configure your server, right click on the server name and choose Configure and Enable Routing and Remote Access.

  3. You will see a Welcome screen next, click Next.

  4. You are then shown a list of common configurations to choose from.

    [Figure 5]

  5. Choose Remote Access Server and click Next. The “Virtual private network (VPN) server” option is used to create a dedicated virtual private networking server. Since we are creating a server that supports both Dial-up and VPN, we will use the Remote access server option.

  6. You will see a list of networking protocols for remote clients. Since you will already have TCP/IP networking configured on your network with the DHCP and DNS servers that were set up previously when you set up Active Directory, TCP/IP will be already listed in the Protocols list. Click Next.

  7. Since this server is going to be a virtual private networking server and it has two network cards installed, you will be prompted for which network connection to assign remote clients to. Select the network connection for your local network (not the one connected to the Internet) and click Next.

  8. Next you will be prompted about IP address assignment. Use the default option of Automatically: the server then obtains addresses for your remote access clients from the existing DHCP server, requesting them through the internal network connection you selected in the previous step, so that DHCP server must be reachable from that interface. Click Next.

  9. Now you will be prompted about using a RADIUS server for authentication. RADIUS servers can be used to manage authentication and remote access group policy. For this guide, we use Active Directory to authenticate remote clients. Choose the default of No and click Next.

  10. The final screen will tell you that you have successfully configured your server for remote access. Click Finish.

    Congratulations. You have successfully configured a remote access and virtual private networking server. The wizard automatically configures all your modems and ISDN adapters to be available for remote users. It also configures your server for five PPTP and five L2TP/IPSec connections. The figure below shows a server configured using the wizard with default options when it had an ISDN adapter installed and eight modems on a multi-port serial board.

    [Figure 6]

Note: Because VPN with L2TP requires that machine certificates be installed, this particular configuration will not support L2TP connections. Setting up advanced VPN is beyond the scope of this guide. For the purposes of this guide, we focus on PPTP VPN connections. If you do not plan on using L2TP, it is best to remove support for L2TP using the following instructions.

If you do not plan to support virtual private networking at this time, you can change the default settings and remove support for L2TP and PPTP. Also, you can increase the number of allowed PPTP connections. You can even set certain modems to only be available for dial-in if you want to use some of the modems for other purposes such as accepting faxes using Microsoft Fax. This is configured by right clicking on Ports and choosing Properties.

[Figure 7]

You can select each modem port and click Configure. You can enable or disable each modem or ISDN port for inbound remote access connections. For PPTP or L2TP, you can click on either one and choose Configure. Then you can set the number of allowed connections and enable or disable them completely.

Note: To remove inbound support for L2TP connections as discussed earlier, configure the WAN Miniport (L2TP) properties as shown below.

[Figure 8]

After configuring these options, your server is ready to accept connections from remote access clients using dial-up or virtual private networking. All you have to do now is enable remote access permissions for the users that you want to allow to connect.

Setting Remote Access Permissions

To allow remote users to connect to your network using virtual private networking or dial-up networking, you will need to grant them remote access permission. Grant it only to the accounts that actually need to connect remotely; every account that holds the permission is a way into the network for anyone who learns its password.

  1. Open Active Directory Users and Computers from the Administrative Tools folder on the Start Menu.

  2. Click on the Users folder under your domain name, shown here as litware.net.

    [Figure 9]

  3. Right click on the user you want to enable remote access permissions for, and choose Properties. In this case, the user is named “Ras User.”

  4. Click on the Dial-in tab. Under Remote Access Permission (Dial-in or VPN), select Allow access or Deny access for this user, as shown below. In a domain that has been switched to native mode a third option, Control access through Remote Access Policy, is also available and leaves the decision to the remote access policies defined on the RRAS server; in a mixed-mode domain only Allow and Deny are offered.

    [Figure 10]

    You can also set other advanced settings here for each user. For more information on using any of the other options shown here, please see the Windows 2000 Help.
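Clicking through the Dial-in tab of every account does not scale, and a periodic review of who holds the permission is worth automating. The script below is an added example, not part of the original guide. The Allow/Deny setting on the Dial-in tab is stored in the user object's msNPAllowDialin attribute (TRUE, FALSE, or absent when access is controlled through policy), so an LDIF export of the Users container, for instance with ldifde -f users.ldf -d "CN=Users,DC=litware,DC=net", is enough to list every account that can dial in and to flag the ones that should not: disabled accounts, and accounts whose userAccountControl says no password is required. The LDIF embedded in the script is constructed sample data and the account names are invented.

```python
"""Audit remote access (dial-in) permissions from an LDIF export of the Users container.

Added example; not part of the original guide. Parses LDIF, reads msNPAllowDialin
(the attribute behind the Dial-in tab) and flags risky grants using
userAccountControl bits. SAMPLE_LDIF is constructed data for demonstration.
"""
import base64

ADS_UF_ACCOUNTDISABLE = 0x0002   # userAccountControl: account is disabled
ADS_UF_PASSWD_NOTREQD = 0x0020   # userAccountControl: no password required

# Constructed sample export: one legitimate grant, one risky grant, one deny,
# and one account left to remote access policy (attribute absent).
SAMPLE_LDIF = """\
dn: CN=Ras User,CN=Users,DC=litware,DC=net
changetype: add
objectClass: top
objectClass: user
sAMAccountName: rasuser
userAccountControl: 512
msNPAllowDialin: TRUE

dn: CN=Guest,CN=Users,DC=litware,DC=net
changetype: add
objectClass: top
objectClass: user
sAMAccountName: Guest
userAccountControl: 66082
msNPAllowDialin: TRUE

dn: CN=Alice Example,CN=Users,DC=litware,DC=net
changetype: add
objectClass: user
sAMAccountName: alice
userAccountControl: 512
msNPAllowDialin: FALSE

dn: CN=Bob Example,CN=Users,DC=litware,DC=net
changetype: add
objectClass: user
sAMAccountName: bob
userAccountControl: 512
"""


def parse_ldif(text):
    """Return a list of entries, each a dict of attribute -> list of values.

    Handles blank-line separated records, folded continuation lines (leading
    space), comments and base64 values ("attr:: base64").
    """
    entries, current, last_attr = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        if line.startswith("#"):
            continue
        if line.startswith(" ") and last_attr:
            current[last_attr][-1] += line[1:]
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
        last_attr = attr
    if current:
        entries.append(current)
    return entries


def audit_dialin(entries):
    """Classify each user's dial-in permission and flag risky grants."""
    findings = []
    for entry in entries:
        if "user" not in entry.get("objectClass", []):
            continue
        name = entry.get("sAMAccountName", ["?"])[0]
        uac = int(entry.get("userAccountControl", ["0"])[0])
        allow = entry.get("msNPAllowDialin", [None])[0]
        if allow is None:
            status = "policy"      # absent: decided by remote access policy
        elif allow.upper() == "TRUE":
            status = "allow"
        else:
            status = "deny"
        notes = []
        if status == "allow":
            if uac & ADS_UF_ACCOUNTDISABLE:
                notes.append("account disabled but dial-in allowed")
            if uac & ADS_UF_PASSWD_NOTREQD:
                notes.append("password not required")
        findings.append({"user": name, "dialin": status, "notes": notes})
    return findings


def allowed_accounts(text):
    """Convenience wrapper: sorted names of every account with dial-in allowed."""
    return sorted(f["user"] for f in audit_dialin(parse_ldif(text)) if f["dialin"] == "allow")


if __name__ == "__main__":
    for row in audit_dialin(parse_ldif(SAMPLE_LDIF)):
        print("%-10s dial-in=%-7s %s" % (row["user"], row["dialin"],
                                         "; ".join(row["notes"]) or "-"))
```

The userAccountControl bit values are the standard ADS_UF_* flags; the constructed Guest entry uses 66082, which carries both the disabled and password-not-required bits, so the audit reports it as a grant to clean up. Feed the script a real export by replacing SAMPLE_LDIF with the contents of the .ldf file.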

Client Configuration and Deployment

Overview

Windows 2000 provides users with the flexibility to configure their own dial-up client connection using the New Connections Wizard or have a pre-packaged dial-up client pre-configured by the administrator. Large remote access deployments can be complex without tools to centrally configure dial-up clients. Windows 2000 Server provides administrators with the Connection Manager Administration Kit (CMAK), which can create pre-configured dial-up clients that may include a phonebook, help files, and custom applications.

This section focuses on setting up an individual dial-up client using the New Connections Wizard. If you plan on deploying many RAS clients, skip this section and refer to the Windows 2000 help files and the separate guide on configuring CMAK.

Creating a Dial-up Client Connection

To enable your remote users to connect to your network, they will need to have a dial-up or VPN connection created on their computer. Client connections are generally referred to as “connectoids.”

If the computer is running Windows 2000 Professional, you need to complete the following steps to create a dial-up connection on a remote user’s computer.

  1. Make sure the appropriate modem or ISDN device is installed properly just as you would install it on a remote access server.

  2. Open the Network and Dial-Up Connections folder from either Control Panel or from Settings on the Start Menu.

  3. Open the option for Make New Connection. Click Next at the Welcome message. You will then see the options shown below.

    [Figure 11]

  4. If you are creating a dial-up connection using a modem or ISDN, choose Dial-up to private network and click Next.

  5. Enter the phone number that needs to be dialed to connect to your remote access server and click Next.

  6. Choose to create the connection for all users. This allows any user on that computer to dial that connection.

  7. If you are asked if you want to enable Internet Connection Sharing, choose No.

  8. Name your connection and click Finish.

Creating a VPN Client Connection

Creating a VPN connection requires two steps: connecting to the Internet and connecting to the company VPN gateway. If you have a dedicated connection such as a DSL, you will only need to configure a VPN connectoid that connects to the VPN gateway. If you have an analog modem, you will need to connect to your ISP before you can connect to the VPN gateway.

For this guide, we assume that your client will connect to the Internet through an analog modem.

  1. Open the Network and Dial-Up Connections folder from either Control Panel or from Settings on the Start Menu.

  2. Open the option for Make New Connection. Click Next at the Welcome message. You will then see the options shown below.

    [Figure 12]

  3. Select Dial-up to the Internet and click Next.

  4. Select the option to create a manual Internet connection and click Next.

  5. Select the option I connect through a phone line and a modem and click Next.

  6. Enter the telephone access number of your ISP and click Next.

  7. Enter your ISP account user name and password and click Next.

  8. Enter a name for your ISP dial-up (such as Dial-up ISP) connection and click Next. You do not need to set up Internet e-mail at this point. Click Next on the following screens and you will be finished setting up your ISP dial-up client.

  9. You will now create a VPN connectoid that will work with your ISP dial-up client. Open the Network and Dial-Up Connections folder from either Control Panel or from Settings on the Start Menu.

  10. Open the option for Make New Connection. Click Next at the Welcome message. Select to Connect to a private network through the Internet and click Next.

    [Figure 13]

  11. By selecting Automatically dial this initial connection as shown below, you can connect to the Internet using your Dial-up ISP connectoid. If you have a dedicated Internet connection such as a cable modem or DSL, you do not need to do this step.

    [Figure 14]

  12. Enter the Internet IP address of your VPN server, or the host name if you have its IP address registered with your ISP in their DNS server. Click Next.

    [Figure 15]

  13. Finish the wizard as described in the steps listed above for creating a dial-up connection.

Congratulations. You should now have a dial-up or VPN connection created that will allow the user to connect to your network remotely. Right click on My Network Places and select Properties. Double-click on the VPN connectoid you created.

You will be prompted automatically to log in to your ISP through the Dial-up ISP connectoid. Once the ISP connection is up, the VPN connectoid connects to your VPN gateway and prompts for your domain user name and password. Once authenticated with your network, you have the same access as with the dial-up method.

Note: Using the Connection Manager Administration Kit can automate this process, and eliminate the need for clients to configure two connectoids and manage two separate logins.

If your users are using Windows 98 or Windows NT 4.0, follow the procedures documented in Help for those products for creating a dial-up or VPN client connection. In addition, ensure that you have the appropriate hardware installed and working for creating a dial-up connection. Note that Windows 98 and Windows NT 4.0, unlike Windows 2000-based clients, do not automatically install virtual private networking support, so you need to make sure the service is installed before beginning.

Summary

This document has been an overview to help you setup basic remote access connectivity for your remote clients using Windows 2000 Server and Routing and Remote Access. Routing and Remote Access has many more advanced features that are beyond the scope of this document, and will allow you to setup a more advanced configuration if needed. For information on advanced configuration options or other concepts you read about in this document, please see the references listed in the next section.

Windows 2000 provides communication and networking solutions that meet today's business needs, and provides a reliable and scalable platform that grows with your business. Small and growing businesses will find it easier to set up a network and enable it for remote access connectivity.

For More Information

For the latest information on Windows 2000 Server, check out our Web site at https://www.microsoft.com/windows2000.