Introduction to remote access policies

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Introduction to remote access policies

In Windows NT versions 3.5, 3.51, and 4.0, authorization was based on a Grant dial-in permission to user option in either User Manager or the Remote Access Admin utility. An individual user configured callback options. For the Routing and Remote Access service and Internet Authentication Service (IAS) in Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; Windows Server 2003, Datacenter Edition; and Windows 2000, network access authorization is granted on the basis of user account dial-in properties and remote access policies.

Remote access policies are an ordered set of rules that define how connections are either authorized or rejected. For each rule, there are one or more conditions, a set of profile settings, and a remote access permission setting.

If a connection is authorized, the remote access policy profile specifies a set of connection restrictions. The dial-in properties of the user account also provide a set of restrictions. Where applicable, user account connection restrictions override the remote access policy profile connection restrictions.

For information about connection restrictions that can be configured on a user account, see Dial-in properties of a user account. For information about connection restrictions that can be configured through a remote access policy profile, see Elements of a remote access policy.

Remote access policies validate a number of connection settings before authorizing the connection, including the following:

  • Remote access permission

  • Group membership

  • Type of connection

  • Time of day

  • Authentication methods

  • Advanced conditions:

    • Access server identity

    • Access client phone number or MAC address

    • Whether user account dial-in properties are ignored

    • Whether unauthenticated access is allowed

After the connection is authorized, remote access policies can also be used to specify connection restrictions, including the following:

  • Idle timeout time

  • Maximum session time

  • Encryption strength

  • IP packet filters

  • Advanced restrictions:

    • IP address for PPP connections

    • Static routes

Additionally, you can vary connection restrictions based on the following settings:

  • Group membership

  • Type of connection

  • Time of day

  • Authentication methods

  • Identity of the access server

  • Access client phone number or MAC address

  • Whether unauthenticated access is allowed

For example, you can have policies that specify different maximum session times for different types of connections or groups. Additionally, you can specify restricted access for business partners or unauthenticated connections.

Authorizing access

There are two ways to use remote access policies to grant authorization:

  1. By user

  2. By group

Authorization by user

If you are managing authorization by user, set the remote access permission on the user or computer account to either Grant access or Deny access and, optionally, create different remote access policies based on different types of connections. For example, you might want to have one remote access policy that is used for dial-up connections and a different remote access policy that is used for wireless connections. Managing authorization by user is recommended only when you have a small number of user or computer accounts to manage.

If you are managing authorization by user, the basic process for authorizing a connection attempt occurs as follows:

  • If the connection attempt matches all policy conditions, check the remote access permission setting of the account.

    • If the remote access permission is set to Grant access, apply the connection settings of the policy profile and user account.

    • If the remote access permission is set to Deny access, reject the connection attempt.

  • If the connection attempt does not match all policy conditions, process the next remote access policy.

If the connection attempt does not match all conditions of any remote access policy, reject the connection attempt.

Authorization by group

If you are managing authorization by group, set the remote access permission on the user account to Control access through Remote Access Policy and create remote access policies that are based on different types of connections and group membership. For example, you might want to have one remote access policy for dial-up connections for employees (members of the Employees group) and a different remote access policy for dial-up connections for contractors (members of the Contractors group).

If you are managing authorization by group, the basic process for authorizing a connection attempt occurs as follows:

  • If the connection attempt matches all policy conditions, check the remote access permission of the remote access policy.

    • If the remote access permission is set to Grant remote access permission, apply the connection settings of the policy profile and user account.

    • If the remote access permission is set to Deny remote access permission, reject the connection attempt.

  • If the connection attempt does not match all policy conditions, process the next remote access policy.

If the connection attempt does not match all conditions of any remote access policy, reject the connection attempt.

Notes

  • Setting the remote access permission on user accounts to Control access through Remote Access Policy and not using groups to manage network access is not recommended.

  • For more information about how connection attempts are processed, see Remote Access Policies Examples

Remote access policies and the Routing and Remote Access service

For servers running the Routing and Remote Access service that are configured for the Windows authentication provider, remote access policies are administered from Routing and Remote Access and apply only to the connections of the Routing and Remote Access service server. For servers running the Routing and Remote Access service that are configured for the RADIUS authentication provider, you can no longer configure remote access policies using Routing and Remote Access. If the RADIUS server is an IAS server, remote access policies are administered from Internet Authentication Service.

To centrally manage a single set of remote access policies for multiple remote access or VPN servers using an IAS server, you must do the following:

  1. Install the Internet Authentication Service (IAS) as a Remote Authentication Dial-In User Service (RADIUS) server. For more information, see Checklist: Configuring IAS for dial-up and VPN access.

  2. Configure IAS with RADIUS clients that correspond to each of the Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; or Windows Server 2003, Datacenter Edition remote access or VPN servers. For more information, see Add RADIUS clients.

  3. On the IAS server, create the central set of policies that will be used by all servers running the Routing and Remote Access service. For more information, see Add a remote access policy.

  4. Configure each of the servers running the Routing and Remote Access service as RADIUS clients to the IAS server. For more information, see Use RADIUS authentication.

For more information about deploying IAS for centralized remote access policy management, see Using RADIUS for multiple remote access servers.

Centralized management of remote access policies is also used when you have remote access servers that are running Windows NT 4.0 and the Routing and Remote Access Service (RRAS). You can configure this server as a RADIUS client to an IAS server. However, a remote access server running Windows NT 4.0 without RRAS cannot be configured to use centralized remote access policies.