Choosing a Remote Access Policy Type

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

You can use remote access policy settings to validate a variety of connection settings before a connection is authorized and to specify a variety of connection restrictions after the connection is authorized. For example, you can use remote access policies to allow or reject connection attempts based on membership in an Active Directory group or by time of day or day of week; to require a specific authentication method and encryption strength; or to limit the connection based on bandwidth.

The computer on which you create a remote access policy is determined by which authentication provider you use for site-to-site connections. If you use Windows authentication, you create and manage remote access policies on each answering router. If you use RADIUS authentication, as you might if your answering router supports both a site-to-site connection and home or mobile users, you can configure and manage all remote access policies centrally on the IAS server that provides RADIUS authentication for multiple answering routers.

If you use RADIUS as the authentication provider in Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; or Windows Server 2003, Datacenter Edition, you can configure a RADIUS attribute to ignore the dial-in properties of a user account in the profile properties of a remote access policy. To support the multiple types of connections for which IAS provides authentication and authorization, you might need to disable the processing of user account dial-in properties. For more information about dial-in properties, see "Dial-in properties of a user account" and "Add RADIUS attributes to a remote access policy" in Help and Support Center for Windows Server 2003.

You can use one of three types of remote access policies:

  • Common policy. You can create a common policy, which uses typical settings for a particular access method.

  • Custom policy. You can create a custom policy, which lets you specify a detailed configuration for a particular access method. If you want to manage authorization and connection parameters other than by group or by type of connection, you must configure custom remote access policies. For more information about each possible setting for remote access policy conditions and profiles for a custom policy, see "Elements of a remote access policy" in Help and Support Center for Windows Server 2003.

  • Default policy. If enforcing a high level of security is not important for your organization, you can use one of the existing default policies. Two default remote access policies are created when you enable and configure the Routing and Remote Access service on a demand-dial router or when you install IAS: the Connections to Microsoft Routing and Remote Access server policy and the Connections to other access servers policy. To use the Connections to Microsoft Routing and Remote Access server policy for a site-to-site connection, all you have to do is change the remote access permission on the policy’s Properties page to Grant remote access permission.
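The following simplified model is an added example, not Microsoft code. It shows how a narrowly scoped custom policy and a broadly granting policy lead to different authorization outcomes, and what ignoring user account dial-in properties changes. It assumes that policies are evaluated in order and that the first policy whose conditions all match decides the result; the policy, group and account names are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime

@dataclass
class Policy:
    name: str
    grant: bool                                      # remote access permission on the policy
    groups: set = field(default_factory=set)         # condition: group membership (empty = any)
    hours: range = range(0, 24)                      # condition: permitted hours of day
    auth_methods: set = field(default_factory=set)   # profile: allowed methods (empty = any)
    ignore_user_dialin: bool = False                 # profile: ignore account dial-in properties

def authorize(policies, user, when, auth_method):
    """Return (decision, matched policy name) for one connection attempt."""
    for p in policies:                               # evaluated in order; first match decides
        if p.groups and not (p.groups & user["groups"]):
            continue                                 # group condition not met, try next policy
        if when.hour not in p.hours:
            continue                                 # time-of-day condition not met
        # "policy" means the account defers to the policy's own permission.
        dialin = "policy" if p.ignore_user_dialin else user["dialin"]
        if dialin == "deny" or (dialin == "policy" and not p.grant):
            return ("reject", p.name)
        if p.auth_methods and auth_method not in p.auth_methods:
            return ("reject", p.name)                # profile constraint fails, no fall-through
        return ("accept", p.name)
    return ("reject", None)                          # no policy matched

# Constructed sample data (all names are hypothetical).
CUSTOM = Policy("Branch routers", grant=True, groups={"BranchRouters"},
                auth_methods={"EAP-TLS"}, ignore_user_dialin=True)
BROAD = Policy("Broad grant", grant=True)            # no group, time or method restriction
ROUTER = {"groups": {"BranchRouters"}, "dialin": "deny"}
STAFF = {"groups": {"Staff"}, "dialin": "policy"}
NIGHT = datetime(2004, 1, 10, 3, 0)

if __name__ == "__main__":
    for policies, user, method in [
        ([CUSTOM, BROAD], ROUTER, "EAP-TLS"),        # accepted by the custom policy
        ([CUSTOM, BROAD], ROUTER, "MS-CHAP"),        # rejected by the custom policy's profile
        ([CUSTOM, BROAD], STAFF, "MS-CHAP"),         # accepted by the broad policy
        ([CUSTOM], STAFF, "MS-CHAP"),                # rejected, nothing matches
    ]:
        print(authorize(policies, user, NIGHT, method))
```

The third case is the one to review before setting a broad policy to grant access: any account that defers to policy is accepted at any hour with any authentication method.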

For more information about using Windows Server 2003 remote access policies, see "Remote Access Policies" in Help and Support Center for Windows Server 2003. For more information about using remote access policies with an Internet Authentication Service (IAS) server, see "Deploying Internet Authentication Service (IAS)" in this book and see the Networking Collection of the Windows Server 2003 Technical Reference (or see the Networking Collection on the Web at https://www.microsoft.com/reskit).