The Cable Guy - June 2001

Configuring the Routing and Remote Access Service in Windows 2000

By The Cable Guy

Configuring remote access, virtual private network, or routing settings can be a difficult task. Fortunately, you can use the Routing and Remote Access Server Setup Wizard in Windows 2000 Server to simplify configuration of the Routing and Remote Access service based on a pre-determined role. The Routing and Remote Access Server Setup Wizard provides the following configuration options:

  • Internet connection server
  • Remote access server
  • Virtual private network (VPN) server
  • Network router
  • Manually configured server

Internet Connection Server

With the Internet connection server option, the Routing and Remote Access server operates in the role of a network address translator (NAT) to create a translated connection between the Internet and your intranet. A NAT translates addresses for packets that are forwarded between intranet and Internet hosts. Translated connections that use computers running Windows 2000 Server require less knowledge of IP addressing and routing. They also provide a simplified configuration for intranet hosts. However, a translated connection might not allow all IP traffic between intranet and Internet hosts.

When you configure a translated connection, you must specify which interface is public (connected to the Internet) and which interfaces are private (connected to your intranet).
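
The following added example (not part of the original article, and not Windows code) models a translated connection in Python to show one reason it might not carry all IP traffic: a packet arriving on the public interface is forwarded only when a mapping exists for it. The class, its method names and the documentation-range addresses are constructed for illustration.

```python
# Toy port-translating NAT: one public address, one private network.
# Class, method and address values are constructed for illustration.
import ipaddress

class Nat:
    def __init__(self, public_ip, private_net):
        self.public_ip = public_ip
        self.private_net = ipaddress.ip_network(private_net)
        self.out_map = {}      # (proto, private_ip, private_port) -> public_port
        self.in_map = {}       # (proto, public_port) -> (private_ip, private_port)
        self.next_port = 1025  # first dynamically assigned public port

    def add_special_port(self, proto, public_port, private_ip, private_port):
        """Static inbound mapping that publishes an intranet service."""
        self.in_map[(proto, public_port)] = (private_ip, private_port)
        self.out_map[(proto, private_ip, private_port)] = public_port

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Packet received on a private interface, bound for the Internet."""
        if ipaddress.ip_address(src_ip) not in self.private_net:
            return None  # only private-side sources are translated
        key = (proto, src_ip, src_port)
        if key not in self.out_map:
            while (proto, self.next_port) in self.in_map:
                self.next_port += 1  # skip public ports already in use
            self.out_map[key] = self.next_port
            self.in_map[(proto, self.next_port)] = (src_ip, src_port)
        return (proto, self.public_ip, self.out_map[key], dst_ip, dst_port)

    def inbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Packet received on the public interface."""
        target = self.in_map.get((proto, dst_port))
        if dst_ip != self.public_ip or target is None:
            return None  # no mapping exists, so the packet is not forwarded
        return (proto, src_ip, src_port, target[0], target[1])

def demo():
    nat = Nat("203.0.113.10", "192.168.0.0/24")
    sent = nat.outbound("tcp", "192.168.0.20", 3001, "198.51.100.7", 80)
    reply = nat.inbound("tcp", "198.51.100.7", 80, "203.0.113.10", sent[2])
    unsolicited = nat.inbound("tcp", "198.51.100.7", 4000, "203.0.113.10", 80)
    nat.add_special_port("tcp", 80, "192.168.0.5", 80)
    published = nat.inbound("tcp", "198.51.100.7", 4000, "203.0.113.10", 80)
    return sent, reply, unsolicited, published
```

The unsolicited inbound packet is discarded until a special port is defined for it, which is why published intranet services need explicit inbound mappings.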

When you select the Internet connection server option in the Routing and Remote Access Server Setup Wizard:

  1. You are first prompted to select which Windows 2000 feature you want to use for the translated connection:
       • Internet connection sharing (ICS) is a feature in the Network and Dial-up Connections folder. ICS allows you to create a simple translated connection between the Internet and a single intranet network segment.
       • The Network Address Translation (NAT) component of the Routing and Remote Access service allows multiple private interfaces and configuration of addressing, name services, and special ports for inbound traffic.
  2. If you select Network Address Translation (NAT), you are prompted to choose the LAN connection that is connected to the Internet. Alternately, you can create a demand-dial interface that connects to the Internet.
  3. Next, you are prompted to specify whether you want to enable basic name and address services.
  4. If you chose to connect to the Internet through a demand-dial connection, the Demand-Dial Interface Wizard takes you through the process of creating a demand-dial interface.

When you select the Internet connection server option and choose the Network Address Translation (NAT) routing protocol in the Routing and Remote Access Server Setup Wizard, the results are as follows:

  1. The Routing and Remote Access service is enabled as either a LAN only or LAN and demand-dial router (depending on whether you chose to use a demand-dial connection).
  2. The Network Address Translation (NAT) routing protocol is automatically added as an IP routing protocol, and the selected Internet interface is added and configured as the public interface. All other LAN interfaces are added and configured as private interfaces.
  3. The Network Address Translation (NAT) routing protocol is configured with address and name resolution services either enabled or disabled—as specified.
  4. If you chose to use a demand-dial connection, five PPTP and five L2TP ports are created. All of them are configured to allow inbound and outbound demand-dial routing connections.
  5. The IGMP component is added with the Internet interface configured for IGMP proxy mode. All other interfaces are configured for IGMP router mode. If your Internet service provider (ISP) provides a connection to the Multicast backbone, you can send and receive Internet multicast traffic.
  6. If you chose to use a demand-dial connection to the Internet, the interface is created and a default static route is added.

Remote access server

With the Remote access server option, the Routing and Remote Access server operates in the role of a dial-up remote access server. A remote access server authenticates remote access client users and acts as a router or gateway between remote access client computers and the intranet. All services that are typically available to a LAN-connected user (including file and print sharing, Web server access, and messaging) are available through the remote access connection.

When you select the Remote access server option in the Routing and Remote Access Server Setup Wizard:

  1. You are first prompted to verify the protocols over which remote access is supported. By default, all of the protocols that are used with remote access are listed. You can install additional protocols as required.
  2. Next, you are prompted to select an interface over which DHCP, DNS, and WINS configuration is obtained.
  3. Next, you are prompted to determine whether you want to assign IP addresses to remote access clients with DHCP or specify a range of addresses. If you select a specified range of addresses, you are prompted to add one or more address ranges.
  4. Next, you are prompted to specify whether you want to use Remote Authentication Dial-In User Service (RADIUS) as your authentication and accounting provider. If you select RADIUS, you can configure both primary and alternate RADIUS servers and the shared secret.

When you select the Remote access server option in the Routing and Remote Access Server Setup Wizard, the results are as follows:

  1. The Routing and Remote Access service is enabled as a remote access server, with Windows as the authentication and accounting provider (unless RADIUS was selected and configured). The interface selected is the IP interface from which to obtain DHCP, DNS, and WINS configuration. If specified, static IP address ranges are configured.
  2. Five PPTP and five L2TP ports are created. All ports are enabled for inbound remote access connections.
  3. All selected protocols are configured to both allow remote access connections and access the network to which the remote access server is attached.
  4. The DHCP Relay Agent component is added with the Internal interface. This allows DHCPINFORM packets from remote access clients to be forwarded to the DHCP server that is being used by the remote access server.
  5. The IGMP component is added. The Internal interface and the selected interface are configured for IGMP router mode. This allows remote access clients to send and receive IP multicast traffic.

Virtual private network (VPN) server

With the Virtual private network (VPN) server option, the Routing and Remote Access server operates in the role of a VPN server that supports remote access and router-to-router VPN connections. For remote access VPN connections, users run VPN client software and initiate a remote access connection to the server. For router-to-router VPN connections, a router initiates a VPN connection to the server. Alternately, the server initiates a VPN connection to another router.

When you select the Virtual private network (VPN) server option in the Routing and Remote Access Server Setup Wizard:

  1. You are first prompted to verify the protocols over which VPN traffic is forwarded. By default, all of the protocols that can be used with a remote access or router-to-router VPN connection are listed. You can install additional protocols if required.
  2. Next, you are prompted to select the interface that is connected to the Internet. If the VPN server is not connected to the Internet, you can select <No Internet connection>.
  3. Next, you are prompted to select an interface over which DHCP, DNS, and WINS configuration is obtained.
  4. Next, you are prompted to determine whether you want to assign IP addresses to either remote access clients or calling routers by using either DHCP or a specified range of addresses. If you select a specified range of addresses, you are prompted to add one or more address ranges.
  5. Next, you are prompted to specify whether you want to use RADIUS as your authentication and accounting provider. If you select RADIUS, you are prompted to configure primary and alternate RADIUS servers and the shared secret.

When you select the Virtual private network (VPN) server option in the Routing and Remote Access Server Setup Wizard, the results are as follows:

  1. The Routing and Remote Access service is enabled as both a remote access server and a LAN and demand-dial router, with Windows as the authentication and accounting provider (unless RADIUS was chosen and configured). A LAN interface that is not connected to the Internet is selected as the IP interface from which to obtain DHCP, DNS, and WINS configuration. If specified, the static IP address ranges are configured.
  2. Exactly 128 PPTP and 128 L2TP ports are created. All of them are enabled for both inbound remote access connections and inbound and outbound demand-dial connections.
  3. The selected Internet interface is configured with input and output IP packet filters that allow only PPTP and L2TP traffic.
  4. All protocols selected are configured to both allow remote access connections and access the network to which the remote access server is attached.
  5. The DHCP Relay Agent component is added with the Internal interface. This allows DHCPINFORM packets from VPN remote access clients to be forwarded to the DHCP server that is being used by the VPN server.
  6. The IGMP component is added. The Internal interface and all other LAN interfaces are configured for IGMP router mode. This allows VPN remote access clients to send and receive IP multicast traffic.
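
As an added illustration that is not from the original article, this Python model evaluates sample packets against a filter set that permits only PPTP and L2TP on the Internet interface. It assumes the standard protocol assignments (TCP port 1723 and IP protocol 47 for PPTP, UDP port 1701 for L2TP, UDP port 500 for IKE); the rule layout, names and addresses are constructed, not read from the wizard.

```python
# Model of input/output filters that permit only PPTP and L2TP on the
# Internet interface. The rule layout is an assumption for illustration.
from collections import namedtuple

Packet = namedtuple("Packet", "src dst proto sport dport")
Rule = namedtuple("Rule", "proto remote_port local_port label")  # None = any

ICMP, TCP, UDP, GRE = 1, 6, 17, 47  # IP protocol numbers

RULES = [
    Rule(TCP, None, 1723, "PPTP control, server answering"),
    Rule(TCP, 1723, None, "PPTP control, server calling"),
    Rule(GRE, None, None, "PPTP tunneled data"),
    Rule(UDP, None, 1701, "L2TP"),
    Rule(UDP, None, 500, "IKE for L2TP over IPSec"),
]

def evaluate(server_ip, pkt, direction):
    """Return the label of the matching rule, or 'drop' (the default action)."""
    if direction == "input":
        local_ip, local_port, remote_port = pkt.dst, pkt.dport, pkt.sport
    else:  # output: the server's side of the packet is its source
        local_ip, local_port, remote_port = pkt.src, pkt.sport, pkt.dport
    if local_ip != server_ip:
        return "drop"
    for rule in RULES:
        if (pkt.proto == rule.proto
                and rule.remote_port in (None, remote_port)
                and rule.local_port in (None, local_port)):
            return rule.label
    return "drop"

SERVER, CLIENT = "203.0.113.10", "198.51.100.7"  # constructed addresses

def demo():
    samples = {  # constructed packets: (packet, direction)
        "pptp_in": (Packet(CLIENT, SERVER, TCP, 50000, 1723), "input"),
        "gre_in": (Packet(CLIENT, SERVER, GRE, None, None), "input"),
        "l2tp_in": (Packet(CLIENT, SERVER, UDP, 1701, 1701), "input"),
        "http_in": (Packet(CLIENT, SERVER, TCP, 50001, 80), "input"),
        "ping_in": (Packet(CLIENT, SERVER, ICMP, None, None), "input"),
        "pptp_out": (Packet(SERVER, CLIENT, TCP, 1723, 50000), "output"),
        "dns_out": (Packet(SERVER, "198.51.100.53", UDP, 3000, 53), "output"),
    }
    return {name: evaluate(SERVER, p, d) for name, (p, d) in samples.items()}
```

The dropped `ping_in` and `dns_out` cases show the operational side effect: with these filters the server's Internet interface neither answers pings nor originates non-tunnel traffic such as DNS queries.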

Network router

With the Network router option, the Routing and Remote Access server operates in the role of a router that supports LAN and demand-dial routing. As a router, the Routing and Remote Access service forwards IP, IPX, or AppleTalk packets from one network segment to another by referring to an IP, IPX, or AppleTalk routing table. The routing table can be manually or dynamically configured by using routing protocols. These routing protocols allow routers to send routing information to each other, maintaining the routing table so that it reflects the current topology of the internetwork.

When you select the Network router option in the Routing and Remote Access Server Setup Wizard:

  1. You are first prompted to verify the protocols that you want to route. By default, all of the protocols that are installed and can be routed are listed. You can install additional protocols if required.
  2. Next, you are prompted to specify whether or not you want to use demand-dial connections. If you decide to use them, you are prompted to specify whether you want to assign IP addresses to calling routers by using either DHCP or a specified range of addresses. If you select a specified range of addresses, you are prompted to add one or more address ranges.

When you select the Network router option in the Routing and Remote Access Server Setup Wizard, the results are as follows:

  1. The Routing and Remote Access service is enabled as a router that supports either LAN routing only or LAN and demand-dial routing (depending on your selection), with Windows as the authentication and accounting provider. The Routing and Remote Access service selects the IP interface from which to obtain DHCP, DNS, and WINS configuration. If specified, the static IP address ranges are configured.
  2. Five PPTP and five L2TP ports are created. All of them are enabled for inbound and outbound demand-dial connections.
  3. All protocols selected are enabled for routing.

Note: The Routing and Remote Access Server Setup Wizard automatically adds and configures RIP for IPX and RTMP for AppleTalk. Routing protocols for IP are not automatically added or configured.

Manually configured server

With the Manually configured server option, the Routing and Remote Access server operates in the role of both a remote access server and a router that supports LAN and demand-dial routing. When you select this option in the Routing and Remote Access Server Setup Wizard, you are not prompted for any additional choices.

When you select the Manually configured server option in the Routing and Remote Access Server Setup Wizard, the results are as follows:

  1. The Routing and Remote Access service is enabled as both a remote access server and a LAN and demand-dial router, with Windows as the authentication and accounting provider. The Routing and Remote Access service selects the IP interface from which to obtain DHCP, DNS, and WINS configuration. DHCP is used for IP address assignment.
  2. All protocols that are supported over remote access connections are configured to both allow remote access and demand-dial connections and access the network to which the remote access server is attached.
  3. Five PPTP and five L2TP ports are created. All of them are enabled for both inbound remote access connections and inbound and outbound demand-dial connections.
  4. The DHCP Relay Agent component is added with the Internal interface.
  5. The IGMP component is added. The Internal interface and all other LAN interfaces are configured for IGMP router mode.
