Using the remote access server as a corporate remote access server

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

You can use a server running Routing and Remote Access to provide dial-up access to your corporate intranet. If you want the remote access server to support multiple TCP/IP-based dial-up networking connections, complete the following steps:

  • Configure the connection to the intranet.

  • Configure the connection to the dial-up networking clients.

  • Configure the dial-in ports.

  • Configure the remote access server.

  • Configure multicast support.

  • Configure remote access policies.

The following illustration shows the elements of a server running Routing and Remote Access that provides dial-up access to a corporate intranet.

[Illustration: Remote access server provides access to intranet]

Configuring the connection to the intranet

The connection to the intranet from Routing and Remote Access is a LAN adapter installed in the computer. To verify that the LAN adapter is compatible with Windows, see Support resources.

You need to configure the following TCP/IP settings on the LAN adapter:

  • IP address and subnet mask assigned by the network administrator.

  • Default gateway of a local router.

  • IP addresses of the DNS and WINS servers on the corporate intranet.

Configuring the connection to dial-up networking clients

To allow the connection of multiple, simultaneous dial-up clients, you must have modem pooling equipment (hereafter known as the modem bank) with the appropriate connections to the local telecommunications provider.

Remote access hardware devices include an adapter that installs on the server running Routing and Remote Access. To verify that the hardware is compatible with Windows, see Support resources.

The modem bank adapter includes drivers that are installed on the server running Routing and Remote Access so that the modem bank appears as a device with multiple modem ports.

Configuring the dial-in ports

All the modem bank ports are listed as separate ports under Ports in Routing and Remote Access. You should configure all the modem bank ports for remote access.

For more information about configuring ports for remote access, see Configure ports for remote access.

Configuring the remote access server

You can configure the properties of the remote access server in Routing and Remote Access. For more information, see View properties of the remote access server.

To allow multiple dial-up networking clients to access the corporate intranet, you need to configure the following settings:

  • General

    Verify that the Remote access server check box is selected.

  • Security

    • Authentication Methods

      The server is configured by default to accept certain authentication methods. You can control which authentication methods you accept through remote access policies, except for CHAP.

    • Authentication Provider

      You can verify the credentials of dial-up networking clients by using Windows Authentication or a RADIUS server. If RADIUS is selected, you need to configure RADIUS server settings for your RADIUS server or RADIUS proxy.

    • Accounting Provider

      You can record dial-up client networking activity for analysis or accounting purposes by selecting and configuring an accounting provider.

  • IP

    Verify that the Enable IP routing and Allow IP-based remote access and demand-dial connections check boxes are selected.

    If you are using a DHCP server to allocate IP addresses for remote access clients, click Dynamic Host Configuration Protocol (DHCP). If not, click Static address pool and configure the ranges of IP addresses that are dynamically allocated to dial-up networking clients.

    If the static IP address pool consists of ranges of IP addresses that are for a separate subnet, then you need to either enable an IP routing protocol on the remote access server computer or add static IP routes for each range to all the routers on the other intranet. If the routes are not added, then remote access clients cannot receive traffic from resources on the intranet.

    For more information about configuring IP address pools, see Create a static IP address pool.
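The off-subnet case above can be checked before the pool is deployed. The following Python sketch is an added example, not part of the original documentation: it takes the static pool ranges and the server's LAN adapter address and lists the routes the intranet routers would need. The function name, the sample addresses, and the use of the server's LAN address as the next hop are assumptions made for illustration.

```python
import ipaddress

# Constructed sample values (not from the original page).
SAMPLE_LAN = "10.10.1.5/24"                 # LAN adapter of the remote access server
SAMPLE_POOL = [
    ("10.10.1.200", "10.10.1.220"),         # on-subnet range
    ("10.10.50.0", "10.10.50.63"),          # off-subnet, aligned to one prefix
    ("10.10.60.1", "10.10.60.6"),           # off-subnet, not aligned
]

def routes_for_pool(ranges, lan_interface):
    """Return (destination, mask, next_hop) routes needed for a static pool.

    ranges        -- (first_ip, last_ip) pairs from the static address pool
    lan_interface -- the server's intranet adapter in address/prefix form
    """
    lan = ipaddress.ip_interface(lan_interface)
    routes = []
    for first, last in ranges:
        # Smallest set of CIDR blocks that covers exactly first..last.
        nets = list(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
        if all(n.subnet_of(lan.network) for n in nets):
            continue  # range lies inside the LAN subnet: no extra routes
        if any(n.overlaps(lan.network) for n in nets):
            raise ValueError(f"range {first}-{last} straddles {lan.network}")
        # Assumption: intranet routers forward pool traffic to the server's LAN IP.
        for n in nets:
            routes.append((str(n.network_address), str(n.netmask), str(lan.ip)))
    return routes

if __name__ == "__main__":
    for dest, mask, hop in routes_for_pool(SAMPLE_POOL, SAMPLE_LAN):
        print(f"destination {dest:<12} mask {mask:<16} next hop {hop}")
```

A range that is not aligned to a prefix boundary expands into several routes, so choosing pool ranges that map to a single address and mask keeps the router configuration short.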

Configuring multicast support

Depending on the options selected when the Routing and Remote Access Server Setup Wizard was run, multicast support may already be enabled. To configure multicast support, you need to complete the following steps:

  1. Add the IGMP Router and Proxy routing protocol. For more information, see Add the IGMP routing protocol.

  2. Add the Internal interface to the IGMP routing protocol and configure it in IGMP router mode. For more information, see Enable IGMP router and IGMP proxy mode.

  3. Add the interface that represents the permanent connection to the intranet to the IGMP routing protocol and configure the interface in IGMP proxy mode. For more information, see Enable IGMP router and IGMP proxy mode.

Configuring remote access policies

If you want to authorize remote access to the dial-up networking clients based on the access-by-user administrative model, do the following:

  1. For a stand-alone remote access server, use Local Users and Groups and set dial-in properties to Allow access for those users who will be making remote access connections.

  2. For a remote access server in an Active Directory domain, use Active Directory Users and Computers and set dial-in properties to Allow access for those users who will be making remote access connections.

If you want to grant remote access to the dial-up networking clients based on group membership and an access-by-policy administrative model, do the following:

  1. For a stand-alone remote access server, use Local Users and Groups and set dial-in properties to Control access through Remote Access Policy for all users.

  2. Do one of the following:

    • For a remote access server that is a member of a Windows 2000 mixed domain, use Active Directory Users and Computers and set dial-in properties to Allow access for all users.

    • For a remote access server that is a member of a Windows 2000 native or Windows Server 2003 domain, use Active Directory Users and Computers and set dial-in properties to Control access through Remote Access Policy for all users.

  3. Create a group whose members will be able to create dial-up networking connections with the remote access server. For example, create a group named Remote_Users.

  4. Add the appropriate user accounts to the new group.

  5. Delete the default remote access policies.

  6. Create a new remote access policy with the following properties:

    • Set Policy name to Remote Access if member of RAS_Users (example).

    • Set the Windows-Groups attribute to RAS_Users (example).

    • Select the Grant remote access permission option.

For more information, see Remote Access Policies Examples.

For encryption, the default setting allows Microsoft Point-to-Point Encryption (MPPE) when requested by the remote access client. To force encryption for dial-up networking connections, you need to modify the encryption settings on the policy profile to require encryption. For dial-up networking connections, clear the No encryption option and select the following options on the Encryption tab on the properties of the remote access policy profile:

  • Basic

    You should use this option when communicating with Microsoft dial-up networking clients who are using lower encryption. This option uses Microsoft Point-to-Point Encryption (MPPE) and a 40-bit encryption key.

  • Strong

    You should use this option when communicating with Windows Server 2003 family, Windows XP, Windows 2000, Windows Millennium Edition, and Windows 98 dial-up networking clients who are using moderate encryption. This option uses MPPE and a 56-bit encryption key.

  • Strongest

    You should use this option when communicating with dial-up networking clients who are using the highest level of encryption. This option uses MPPE and a 128-bit encryption key.

For more information, see Configure encryption.
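The interaction between the dial-in property, the group-based policy, and the profile's encryption settings can be traced with a small model. This Python sketch is an added example, not Microsoft code: it assumes the general Windows remote access policy evaluation order (first matching policy, then the account's dial-in property, then the profile), which this page does not spell out, and all class, function, and user names are hypothetical.

```python
from dataclasses import dataclass, field

ALLOW = "Allow access"
DENY = "Deny access"
BY_POLICY = "Control access through Remote Access Policy"

@dataclass
class Policy:
    name: str
    windows_groups: set   # condition: user belongs to one of these groups
    grant: bool           # Grant (True) or Deny remote access permission
    # Encryption levels selected on the profile's Encryption tab.
    encryption: set = field(
        default_factory=lambda: {"None", "Basic", "Strong", "Strongest"})

@dataclass
class User:
    name: str
    groups: set
    dial_in: str

def authorize(user, policies, client_encryption="None"):
    """Simplified model: return (accepted, reason) for one connection attempt."""
    # Only the first policy whose conditions match is evaluated.
    policy = next((p for p in policies if p.windows_groups & user.groups), None)
    if policy is None:
        return False, "no matching policy"
    if user.dial_in == DENY:
        return False, "dial-in property denies access"
    if user.dial_in == BY_POLICY and not policy.grant:
        return False, f"policy '{policy.name}' denies access"
    if client_encryption not in policy.encryption:
        return False, "encryption level not allowed by profile"
    return True, f"policy '{policy.name}'"

# Constructed sample data: the policy from step 6, with and without
# the No encryption option cleared on the profile.
GROUP_POLICY = Policy("Remote Access if member of RAS_Users", {"RAS_Users"}, True)
ENCRYPTED_POLICY = Policy("Remote Access if member of RAS_Users", {"RAS_Users"},
                          True, encryption={"Basic", "Strong", "Strongest"})
MEMBER = User("alice", {"Domain Users", "RAS_Users"}, ALLOW)       # mixed domain
NON_MEMBER = User("bob", {"Domain Users"}, ALLOW)                  # mixed domain
NATIVE_MEMBER = User("carol", {"RAS_Users"}, BY_POLICY)            # native domain

if __name__ == "__main__":
    for u in (MEMBER, NON_MEMBER, NATIVE_MEMBER):
        print(u.name, authorize(u, [ENCRYPTED_POLICY], "Strongest"))
    print("alice, no encryption:", authorize(MEMBER, [ENCRYPTED_POLICY], "None"))
```

In this model, a mixed-domain account set to Allow access is still rejected when it is not in the group, because with the default policies deleted no policy matches the attempt.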