Upgrade your Internet Experience
Microsoft.com
Welcome Sign in
Security TechCenter
Click to Rate and Give Feedback
TechNet
TechNet Library
Security Guidance
Small Business
 Securing Remote Access

  Switch on low bandwidth view
Securing Remote Access
On This Page

Introduction
Before You Begin
Configuring an IAS Server
Creating User Groups and Policies for Remote Access
Configuring a Remote Access Server
Creating a Service Profile
Distributing a Service Profile to Users
Related Information

Introduction

If your company allows or wants to allow users to connect to its intranet from remote locations, you typically want to design a solution that helps your users easily connect to network resources. However, you must also minimize the risk that an attacker can gain unauthorized access to the same resources. Remote access solutions can dramatically increase the productivity and flexibility of users who work from home computers or from mobile devices such as laptops while traveling on the job. However, such solutions also increase the chance that an attacker will:

  • intercept information as it travels between the remote user and your intranet

  • make an unauthorized remote access connection by successfully impersonating a legitimate remote access user

  • gain direct access to information that is stored on computers within your intranet

This guide and the features in the Microsoft Windows Server 2003 operating system can help you design a remote access solution that is reliable, cost-effective, easy to use, and easy to manage. The solution in this guide relies on virtual private network (VPN) technologies that allow remote users to connect to an intranet from Internet-connected computers that are running either the Microsoft Windows XP Professional or Windows XP Home Edition operating system. This guide explains how to configure the solution for a particular environment, and it includes links to more information so that you can customize the solution to help meet the needs of your environment.

The steps in this guide show you how to:

  • Specify which users can connect to your intranet from remote locations and which ports and networking protocols they must use.

  • Set up a remote access server to handle connections from remote locations. You can configure the remote access server to authorize and manage connections based on the use of a preshared key, particular ports, particular addresses, and other factors. You can also configure the server to block connections if a user attempts to connect using an incorrect password a certain number of times. This approach helps prevent attackers from gaining access by submitting random sequences of characters as passwords.

  • Create a customized remote access connection (called a service profile) that you can distribute to users who want to connect to your intranet from remote locations. By creating and distributing a service profile, you can reduce your support costs by simplifying the connection process, and you can help ensure that connections from remote locations use your chosen connection methods and protocols.

When you have completed these steps, your remote access server will allow users to connect using the service profile that you create. Connection requirements will include the use of a specific tunneling protocol and specific ports and the use of a preshared key. Your remote access server will additionally filter traffic to and from your intranet based on additional criteria that you specify.

Note: All of the step-by-step instructions in this document were developed by using the Start menu that appears by default when you install your operating system. If you have modified your Start menu, the steps may differ slightly.

The following is an example scenario that might help you understand why a small or medium business might use the steps outlined in this guide.

Contoso Pharmaceuticals wants to allow its employees to work remotely, both from their homes and while traveling on company business. However, the company is concerned about potentially exposing its intranet to unauthorized access and the possibility that sensitive information might be intercepted by unauthorized users. The company is also concerned the demands of a complex remote access solution will put too much of a strain on its small IT department.

Contoso decides to allow virtual private network (VPN) connections from remote users who are not joined to the corporate domain. The company wants to use the most secure tunneling protocol for its connections, Layer Two Tunneling Protocol (L2TP), and to enhance the security of the connections by using Internet Protocol security (IPSec). However, the company does not have the IT staff to maintain a certificate-based solution. The company decides that using a preshared key for its remote access connections will be sufficient for its security needs. To simplify the distribution of the preshared key, to make it easier to troubleshoot remote access connections, and to clearly distinguish its remote access connection for users, the company decides to use the Connection Manager Administration Kit to create service profiles for its users. For extra security, the company decides to encrypt these service profiles with a personal identification number (PIN) that users must type in before they can install service profile.

Before You Begin

This guide describes how to help secure remote access in an environment with a specific set of characteristics. If your environment does not match the environment described in this guide or you must address additional security considerations, you might need to use slightly different steps, or you might want to adjust your configuration. The environment for which this guide was developed has the following characteristics:

  • The telephone and network infrastructure is in place, address space has been leased, and domain names have been registered.

  • All remote computers and laptops are running Windows XP Professional or Windows XP Home Edition, and they can connect to the Internet through an Internet service provider (ISP).

  • The intranet contains four servers running Windows Server 2003, Standard Edition; 75 workstations running either Windows XP Professional or Microsoft Windows 2000 Professional; a wireless access point; a firewall device, and a cable or Digital Subscriber Line (DSL) modem.

    • The first server, SVR1, has been configured with the Active Directorydirectory service to act as a domain controller, and it has also been configured as a Domain Name System (DNS) server, a Dynamic Host Configuration Protocol (DHCP) server, and a file and print server. SVR1 has been configured with the private IP address of 192.168.0.2.

    • The second server, SVR2, has been configured with Active Directory to act as a domain controller, and it has also been configured as a DNS server, a DHCP server, and an Internet Authentication Service (IAS) server to provide Remote Authentication Dial-In User Service (RADIUS) authentication. SVR2 has been configured with the private IP address of 192.168.0.3.

    • The third server, SVR3, has been configured as an application server. SVR3 has been configured with the private IP address of 192.168.0.4.

    • The fourth server, SVR4, has been configured with two network adapters. The first network adapter allows traffic to travel between the server and the intranet, and this adapter has been configured with the private IP address of 192.168.0.7. The second network adapter allows traffic to travel between the server and a firewall device, and this adapter has been configured with the private IP address of 192.168.1.2. This guide will describe how to configure SVR4 as a remote access server.

    • A firewall device that has two network adapters and that is capable of network address translation traversal (NAT-T) has been installed between SVR4 and the cable or DSL modem. The network adapter that allows traffic to travel between the firewall and the intranet and SVR4 has been configured with two addresses: the private IP address of 192.168.1.1 for traffic to and from SVR4, and the private IP address of 192.168.0.1 for traffic to and from the rest of the intranet. The network adapter that allows traffic to travel between the firewall and the cable modem has been configured with the public IP address of 206.73.118.2. The firewall has been configured to forward VPN traffic to and from SVR4 (the remote access server) with the appropriate filters and protocols, and the firewall has been configured with other rules to protect the intranet from outside attack. For more information about configuring firewalls for use with IPSec, see "Configuring Firewalls" on the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkID=22817.

    • A cable or DSL modem has been installed to allow traffic to travel between the firewall and the Internet. This modem has been configured with the public IP address of 206.73.118.1.

  • Group Policy has been configured on the network, and appropriate Group Policy settings and permissions for existing groups have been applied.

  • All critical hardware updates have been correctly applied to all computers.

  • All service packs have been correctly applied to all computers except those that are running Windows XP, to which only Service Pack 1 has been applied. If Service Pack 1 is not installed on a particular computer or if you do not know whether it is installed, you can go to the "Windows Update" page on the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkId=22630 and have Windows Update scan your computer for available updates. If Service Pack 1 appears as an available update, install it before proceeding with the procedures in this guide.

  • All computers that are running Windows XP have Internet Connection Firewall (ICF) enabled and correctly configured.

  • Authorized IT personnel have approved the proposed tasks as conforming to internal IT policies and procedures, and legal counsel has recognized these policies and procedures as adhering to applicable laws and regulations.

The following diagram illustrates the environment for which this guide was developed. Occasional references to this example diagram are made throughout this guide in order to clarify steps.

Sample Environment For Securing Remote Access

Sample Environment For Securing Remote Access

Configuring an IAS Server

If you want to provide wireless access for devices such as laptops and PDAs, you can simplify administration by adding an Internet Authentication Service (IAS) server to your intranet. By adding an IAS server, you add centralized connection authentication, authorization, and accounting to your network. The IAS server allows you to use one server to monitor connection attempts, review logs, and administer policies.

Although the configuration and maintenance of wireless devices and IAS servers is beyond the general scope of this guide, it includes some basic configuration steps for the remote access portions of IAS management for your convenience.

  • Install and configure Internet Authentication Service

    1. Click Start, click Control Panel, double-click Add or Remove Programs, and click Add/Remove Windows Components.

    2. Click Networking Services, and click Details.

    3. Select the Internet Authentication Service check box, and finish the wizard.

    4. Click Start, click Control Panel, double-click Administrative Tools, and double-click Internet Authentication Service.

    5. Right-click Internet Authentication Service, and then click Register Server in Active Directory. When the Register Internet Authentication Server in Active Directory dialog box appears, click OK. When the Server registered dialog box appears, click OK.

    6. In the console tree, right-click RADIUS Clients, and then click New RADIUS Client.

    7. On the Name and Address page of the New RADIUS Client wizard, type the name of the remote access server in Friendly name, type the IP address of the remote access server in Client address (IP or DNS), and then click Next.

    8. On the Additional Information page, type the same shared secret for the remote access server in both Shared secret and in Confirm shared secret.

    9. Click Finish.

Tip: You will need the shared secret again when you configure the remote access server. Make sure that you record the shared secret for the remote access server and keep the secret in a secure place.

Creating User Groups and Policies for Remote Access

As an administrator, one of the problems that you might encounter when planning a remote access solution is that you have little or no control over the computers that your users use to connect. You can use Active Directory to help control which users can connect to your intranet from remote locations and which networking protocol or protocols they must use. By limiting the number of users who can connect to your intranet, you reduce the chance that an attacker can gain access to your network by impersonating a user. By limiting connections to a single tunneling protocol, you reduce the number of ways that an attacker might access your network and you also reduce the chance that an unauthorized party can read your remote access traffic.

The most secure common method for connecting remotely is to use L2TP/IPSec. L2TP is an industry-standard Internet tunneling protocol. IPSec is a suite of cryptography-based protection services and security protocols. IPSec provides computer-level authentication as well as data encryption for VPN connections that use the L2TP protocol. IPSec secures both passwords and data by negotiating between a remote access computer and the remote access server before an L2TP connection is established.

By creating a group in Active Directory and configuring a policy in IAS, you can allow only those users in the group to connect, and you can require users to connect using L2TP/IPsec.

Requirements

To perform the following tasks, you must:

  • Be logged on as a member of the Domain Admins group.

  • Have a list of all users for whom you want to allow remote access.

  • To create a group for VPN connections

    1. On a domain controller, click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.

    2. In the console tree under your domain, right-click Users, point to New, and then click Group.

    3. In the New Object - Group dialog box, type VPNUsers in Group name, and then click OK.

    4. In the details pane, double-click VPNUsers.

    5. In the VPNUsers Properties dialog box, click the Members tab, and then click Add.

    6. In the Users, Contacts, Computers, or Groups dialog box, in Enter the object names to select, add the users or groups to whom you want to grant remote access permissions, and click OK.

    7. Click OK to save changes to the VPNUsers group.

      Note: This guide assumes that your Active Directory domain is a Windows Server 2003 functional domain. If your Active Directory domain functional level is not Windows Server 2003, you might need to manually enable remote access permissions for all user accounts in the VPNUsers group.

Next, create a remote access policy to ensure that only members of the VPNUsers group can create VPN connections to your intranet.

  • To create a remote access policy for VPN connections

    1. On your IAS server (SVR2 in the diagram), click Start, click Control Panel, double-click Administrative Tools, and then double-click Internet Authentication Service.

    2. In the console tree, right-click Remote Access Policies, and then click New Remote Access Policy.

    3. On the Welcome to the New Remote Access Policy Wizard page, click Next.

    4. On the Policy Configuration Method page, in the Policy name box, type L2TP VPN Access, and click Next.

    5. On the Access Method page, click VPN, and then click Next.

    6. On the User or Group Access page, click Group, and then click Add.

    7. In the Select Groups dialog box, in the Enter the object names to select box, type VPNUsers. Specify the location as the domain of your company, and then click OK. The VPNUsers group is added to the list of groups on the User or Group Access page. Click Next.

    8. On the Authentication Methods page, the MS-CHAP v2 authentication protocol is selected by default. Click Next.

    9. On the Policy Encryption Level page, clear the Basic encryption and Strong encryption check boxes, and click Next.

    10. On the Completing the New Remote Access Policy Wizard page, click Finish.

Tip: If you have other remote access policies, make sure that this new remote access policy is in the correct order for proper implementation.

Now, specify that users must connect using L2TP.

  • To specify the tunneling protocol for the remote access policy

    1. In the details pane of Internet Authentication Service, double-click Remote Access Policies, right-click the L2TP VPN Access policy, and click Properties.

    2. In the L2TP VPN Access Properties dialog box, click Add.

    3. In the Select Attribute dialog box, click Tunnel-Type, and then click Add.

    4. In the Tunnel-Type dialog box, click Layer Two Tunneling Protocol, click Add, and then click OK twice.

Verifying New Settings

To verify the settings that you just configured, open Active Directory Users and Computers, and confirm that the VPNUsers group exists and that it contains all users for whom you want to allow remote access. Open IAS, and confirm that the L2TP VPN Access policy is listed and that its properties are appropriately configured.

Configuring a Remote Access Server

Routing and Remote Access is the service in Windows Server 2003 that provides multiprotocol routing services and dial-up and VPN remote access. By configuring Routing and Remote Access, you can help create a remote access server to meet the needs of your business.

You can configure Routing and Remote Access in many ways; it is designed to be flexible. However you configure Routing and Remote Access, you can do certain things to better secure your remote access server. To help reduce the surface area available for attack, you should remove any ports for tunneling protocols that you do not intend to permit. To help prevent random password attacks, you should limit the number of times that a user can specify credentials before the account is locked out. You can also configure inbound and outbound filters to deny all traffic except that addressed to specific ports and protocols, although this step is less necessary if the remote access server is behind a firewall that performs the same function.

In addition to securing your remote access server, you can configure it to help protect the intranet from direct attacks. If you configure the remote access server to provide network address translation (NAT), the server will act as an IP router that translates addresses for packets being forwarded between the intranet and the Internet. Configuring a remote access server to provide NAT helps provide flexibility with security. You can also secure the VPN connection itself by requiring connections to use L2TP, rather than Point-to-Point Tunneling Protocol (PPTP). If you are not able to deploy certificates, you can still implement L2TP/IPSec by configuring the remote access server and clients to use a preshared key.

Requirements

To perform the following tasks, you must:

  • Be logged on as a member of the Administrators or Domain Admins group.

  • Know the IP addresses of the DHCP server and the IAS (RADIUS) server.

  • Know the preshared key.

  • To configure and enable Routing and Remote Access

Note: Depending on the hardware and configuration of your server, you might see additional pages in the Routing and Remote Access Server Setup Wizard that are not documented in the following steps.

  1. Click Start, click Control Panel, double-click Administrative Tools, and double-click Routing and Remote Access.

  2. In the console tree, right-click the server on which you want to configure and enable Routing and Remote Access (SVR4 in the diagram), and click Configure and Enable Routing and Remote Access.

  3. On the Welcome to the Routing and Remote Access Server Setup Wizard page, click Next.

  4. On the Configuration page, click Virtual Private Network (VPN) access and NAT, and then click Next.

  5. On the VPN Connection page, click the interface that connects the server to the Internet in Network interfaces, and click Next.

  6. On the Network Selection page, click the interface that connects the server to the intranet in Network Interfaces, and click Next.

  7. On the IP Address Assignment page, Automatically is selected by default. Click Next.

  8. On the Managing Multiple Remote Access Servers page, click Yes, set up this server to work with a RADIUS server, and click Next.

  9. On the RADIUS Server Selection page, type the IP address of the server running IAS in Primary RADIUS server, type the shared secret in Shared secret, and click Next.

  10. On the Completing the Routing and Remote Access Server Setup Wizard page, click Finish.

  11. When a message about configuring the DHCP Relay Agent appears, click OK.

Next, configure the DHCP Relay Agent to relay DHCP messages from remote access clients to the DHCP server. This configuration allows DHCP messages to pass from your remote access clients to the DHCP server on your domain controller.

  • To configure the DHCP Relay Agent

    1. In the console tree for Routing and Remote Access, double-click your remote access server, double-click IP Routing, right-click DHCP Relay Agent, and click Properties.

    2. In the DHCP Relay Agent Properties dialog box, type the IP address of the primary DHCP server in Server address, and click Add. Repeat for as many DHCP servers as you have in your network. When all the server addresses appear in the list, click OK.

You can take advantage of the security of L2TP/IPSec without having to deploy certificates by using a preshared key. A preshared key can be any non-null string of any combination of up to 256 Unicode characters. Unicode is a character encoding standard that represents almost all of the written languages of the world, so your choice of characters is not restricted to the alphanumeric characters found on a standard keyboard. Although preshared keys are not as secure as certificates, a preshared key made up of at least 128 Unicode characters, with no obvious pattern, is sufficient for most business needs. A remote access server can use only one preshared key for all connections. If you include a preshared key as part of a Connection Manager service profile, you do not need to choose a key that will be easy for users to type.

  • To configure Routing and Remote Access to use a preshared key

    1. In the console tree for Routing and Remote Access, right-click your remote access server, and click Properties.

    2. Click the Security tab, and select the Allow custom IPSec policy for L2TP connection check box.

    3. Type the preshared key in the Pre-shared Key box, and click OK.

      Tip: To avoid mistyping the preshared key, you can type it into a single document and then cut and paste the key into fields where it is needed, such as the Pre-shared Key box. However, if you choose this method, make sure that the document that contains the preshared key is secured.

Next, remove the PPTP ports from the remote access server. This step provides extra security by reducing the surface area available for attack.

  • To remove PPTP ports

    1. In the console tree for Routing and Remote Access, click your remote access server.

    2. Right-click Ports, and click Properties.

    3. In the Ports Properties dialog box, click WAN Miniport (PPTP), and then click Configure.

    4. Clear the Remote access connections (inbound only) and the Demand-dial routing connections (inbound and outbound) check boxes. In Maximum ports, type 1, and click OK.

    5. A dialog box will appear warning you that you are reducing the number of ports on this device. Click Yes, and then click OK. All PPTP ports will be disabled.

This section describes the basic process for configuring an inbound filter and an outbound filter. It also provides a table of ports and protocols that can help you decide which ones you need for your remote access server.

  • To configure inbound filters

    1. In the console tree for Routing and Remote Access, click NAT/Basic Firewall.

    2. Right-click the interface that connects to the firewall, and click Properties.

    3. On the NAT/Basic Firewall tab of the properties dialog box, click Inbound Filters.

    4. In the Inbound Filters dialog box, click New.

    5. In the Add IP Filter dialog box, click Protocol, and specify the protocol that you want to configure. In Destination port, type the port number that you want, and then click OK.

      Note: For a list of commonly used protocols and ports, see "Protocols and Ports for Filters" later in this section.

    6. In the Inbound Filters dialog box, review all of the filters that you have added, then click Drop all packets except those that meet the criteria below, and click OK to return to the NAT/Basic Firewall tab of the properties dialog box. Click OK again to return to the console tree.

  • To configure outbound filters

    1. In the console tree for Routing and Remote Access, click NAT/Basic Firewall.

    2. Right-click the interface that connects to the firewall, and click Properties.

    3. On the NAT/Basic Firewall tab of the properties dialog box, click Outbound Filters.

    4. In the Outbound Filters dialog box, click New.

    5. In the Add IP Filter dialog box, click Protocol, and specify the protocol that you want to configure. In Destination port, type the port number that you want, and then click OK.

      Note: For a list of commonly used protocols and ports, see "Protocols and Ports for Filters" later in this section.

    6. In the Outbound Filters dialog box, review all of the filters that you have added, then click Drop all packets except those that meet the criteria below, and click OK to return to the NAT/Basic Firewall tab of the properties dialog box. Click OK again to return to the console tree.

Note: Add the remote access server as a RADIUS client on your IAS server, if you have not already done so by following the steps in "Configuring an IAS Server" earlier in this guide. For more information about how to add a RADIUS client, see "To add RADIUS clients" on the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkID=20031.

Protocols and Ports for Filters

The following table details some of the common ports and protocols that you might want to allow, depending on your remote access configuration. Not all ports listed here might be required for your remote access server. For example, if you are allowing only L2TP, you would not configure a filter for PPTP. Similarly, this table might not contain all of the ports that your specific network needs.

Ports Used for Protocols

Protocol

Port

Used For

TCP

25

Simple Mail Transfer Protocol (SMTP)

TCP

67

DHCP (if the remote access server uses an external DHCP server)

TCP

80

World Wide Web (HyperText Transfer Protocol (HTTP))

TCP

110

Post Office Protocol, version 3 (POP3)

TCP

1701

L2TP

TCP

1723

PPTP

UDP

53

DNS (for name resolution of external Web sites)

UDP

67

DHCP (if the remote access server uses an external DHCP server)

UDP

500

IPSec

UDP

1701

L2TP

UDP

1723

PPTP

UDP

4500

IPSec with NAT

47

  

Generic Routing Encapsulation (GRE)

50

  

Encapsulating Security Payload (ESP) (for firewalls that use NAT-T)

Note: To support Windows Update, you must allow TCP traffic to travel inbound and outbound on port 80 and UDP traffic to travel inbound and outbound on port 53. Depending on your network configuration, you might have to configure these filters on your remote access server, on your firewall, or both.

The following section describes how to lock out an account for three hours after three failed authentication attempts. Most users should be able to provide the correct password in three attempts. It also describes how to manually restore remote access before the three hours have elapsed.

  • To configure remote access account lockout

    1. On your IAS server (SVR2 in the example), click Start, click Run, type regedit, and click OK. This step opens the registry editor.

      CAUTION: Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

    2. Open the HKEY_LOCAL_MACHINE folder, then the SYSTEM folder, then the CurrentControlSet folder, then the Services folder, then the RemoteAccess folder, then the Parameters folder, and then the AccountLockout folder.

    3. Right-click MaxDenials, and click Modify.

    4. In Value data, type 3, and click OK. This value enables remote access account lockout and specifies that a user can type three incorrect passwords before the account is locked out.

    5. Right-click ResetTime (mins), and click Modify.

    6. Click Decimal. In Value data, type 180, and then click OK. This value changes the duration that a user account remains locked out from 48 hours to 3 hours.

    7. Close Registry Editor.

Tip: To manually reset an account that is locked out before specified duration has elapsed, delete the following registry subkey, which corresponds to the user's account name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout\
DomainName:UserName .

Verifying New Settings

To verify the settings that you just configured, you can run several tests, including but not limited to:

  • Create a remote access connection on a computer outside the intranet (for example, a home computer) that is configured to use L2TP and that has the correct preshared key. Connect using the credentials of a member of the VPNUsers group. For more information about how to create an L2TP/IPSec remote access connection, see the online Help for the appropriate operating system.

  • Configure the connection to use PPTP and verify that the connection fails, even though the user credentials are correct.

  • Reconfigure the connection to use L2TP, use the wrong password three times, and verify that the user is locked out for three hours.

To best ensure correct configuration, you should test these settings using both a manually created remote access connection and a remote access connection that was created using the Connection Manager Administration Kit, as described in the next section.

Creating a Service Profile

You can allow your users to create their own remote access connections to your network. However, troubleshooting individually created connections can be difficult, particularly for a small IT department. Also, a sufficiently complex preshared key is prohibitively difficult for your users to type in manually. To simplify the distribution of the preshared key and the troubleshooting of any remote access problems with your users, you can create a distributable, customized remote access connection using the Connection Manager Administration Kit. This type of customized connection is called a service profile, and it can greatly simplify remote access for your users. Instead of having to create their own remote access connections, they must only install one.

This section describes how to install the Connection Manager Administration Kit (CMAK) and use it to create a service profile. You can install CMAK on any server, but for security reasons, you should never install it on a server that connects directly to the Internet. The completed service profile is a self-extracting executable file that can be distributed on floppy disks, CDs, or the corporate intranet. For extra security, the service profile is encrypted with a PIN.

Requirements

To perform the following tasks, you must:

  • Be logged on as a member of the Administrators or Domain Admins group.

  • Know the IP address for the external interface of the remote access server.

  • Know the preshared key.

  • Know the PIN.

  • To install the Connection Manager Administration Kit

    1. Click Start, point to Control Panel, and click Add or Remove Programs.

    2. Click Add/Remove Windows Components, click Management and Monitoring Tools, and click Details.

    3. Select the Connection Manager Administration Kit check box, and finish the wizard.

The service profile for this guide will contain a preshared key, and it will be encrypted with a Personal Identification Number (PIN), so that only users with that PIN can install it. To create a Connection Manager service profile that meets your business needs, you can use a planning worksheet. To see an example of a planning worksheet for the Connection Manager Administration Kit, go to "Job Aids for Windows Server 2003 Deployment Kit," and click "Job Aids Deploying Network Services.zip" on the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkID=22700.

  • To create a service profile

    1. Click Start, click Control Panel, double-click Administrative Tools, and double-click Connection Manager Administration Kit.

    2. On the Welcome to the Connection Manager Administration Kit Wizard page, click Next.

    3. On the Service Profile Selection page, ensure that New profile is selected, and then click Next.

      Note: File names are limited to eight characters and cannot contain special characters, such as ampersands or dashes.

    4. On the Service and File Names page, type the full name that you want to appear when the user installs and connects with your service profile in Service name (for example, VPN connection to work). Type the file name that you want to use in File name (for example, workVPN), and then click Next.

      Note: File names are limited to eight characters and cannot contain special characters, such as ampersands or dashes.

    5. On the Realm Name page, click Next.

    6. On the Merging Profile Information page, click Next.

    7. On the VPN Support page, select the Phone book from this profile check box. In VPN Server name or IP Address, click Always use the same VPN server, type the external network address for your VPN server, and click Next.

    8. On the VPN Entries page, click the default entry, and click Edit.

    9. Click the Security tab. In Security settings, click Use advanced security settings, and then click Configure.

    10. Under Authentication methods, clear the Microsoft CHAP (MS-CHAP) check box. In VPN strategy, click Only Use Layer Two Tunneling Protocol (L2TP). Select the Use a pre-shared key when using L2TP/IPSec check box. Click OK twice to return to the VPN Entries page, and then click Next.

    11. On the Pre-shared Key page, type the preshared key in Enter key. Ensure that the Encrypt the pre-shared key using a PIN check box is selected, and then type the PIN in Enter PIN and Confirm PIN. Click Next.

      Note: PINs must comprise no fewer than 4 and no more than 15 Unicode characters. Longer PINs are more secure but also more difficult for users to type correctly.

    12. On the Phone Book page, clear the Automatically download phone book updates check box, and click Next.

    13. On the Dial-up Networking Entries page, click Next.

    14. On the Routing Table Update page, click Next.

    15. On the Automatic Proxy Configuration page, click Next.

    16. On the Custom Actions page, click Next.

    17. On the Logon Bitmap page, click Next.

    18. On the Phone Book Bitmap page, click Next.

    19. On the Icons page, click Next.

    20. On the Notification Area Shortcut Menu page, click Next.

    21. On the Help File page, click Next.

    22. On the Support Information page, click Next.

    23. On the Connection Manager Software page, click Next.

    24. On the License Agreement page, click Next.

    25. On the Additional Files page, click Next.

    26. On the Ready to Build the Service Profile page, select the Advanced customization check box, and then click Next.

    27. On the Advanced Customization page, click Connection Manager in Section name, type Dialup in Key name, and type 0 in Value.

    28. Click Apply, and then click Next. A command prompt window will open and close as the profile is created. When the Completing the Connection Manager Administration Kit Wizard page appears, click Finish.

Verifying Settings

Before you copy or distribute your service profile, you should ensure that it works properly. Failing to test a service profile before distribution can result in a lot of unnecessary costs and support issues.

  • To test the service profile

CAUTION: Always test a service profile before distributing it to your users.

  1. Save the executable file that you created with the CMAK wizard onto a floppy disk or other portable media. (For more information about how to do this, see "To prepare the service profile for distribution" in the next section.) Install the service profile on an Internet-connected computer that is outside your corporate network but that meets your corporate requirements (for example, a home computer running Windows XP Home Edition) by double-clicking the executable file.

  2. When asked whether you want to install the profile, click Yes.

  3. When you are prompted for the PIN, type it in, and click OK. If you do not type in a PIN or type in an incorrect PIN, the service profile will not be installed.

  4. When asked for whom to make this connection, ensure that My use only is selected, and click OK.

  5. When the service profile finishes installing, the Connection Manager logon dialog box appears. Type in the user name, password, and domain name of a user account in the VPNUsers group, and click Properties.

  6. Click the Advanced tab. Select the Internet Connection Firewall check box, and clear the Internet Connection Sharing check box, if it is selected. When configuration is complete, click OK.

    Tip: If all of your remote users are running Windows XP, you can automatically configure Internet Connection Firewall and Internet Connection Sharing settings by setting the EnableICF and DisableICS keys in the Advanced Customization portion of the CMAK wizard.

  7. Click Connect, and ensure that the service profile connects correctly to your intranet. If the service profile fails to connect, troubleshoot the service profile by reviewing log files on the remote access computer, the VPN server, and the IAS server and by checking the settings recorded on the planning worksheet for the service profile.

    Tip: If all of your remote users are running Windows XP, you can automatically configure Internet Connection Firewall and Internet Connection Sharing settings by setting the EnableICF and DisableICS keys in the Advanced Customization portion of the CMAK wizard.

Distributing a Service Profile to Users

You can distribute a service profile to users in several ways. For example, you can use any or all of the following methods for distribution: copy the service profile onto floppy disks or CDs and distribute them to your users, preinstall the service profile on your company laptops; and save the service profile to a shared drive on your intranet so that your users can download the profile onto whatever media they want and take it home with them.

Requirements

To perform the following tasks, you must:

  • Be logged in as a member of the Administrators group.

  • Have access to the media device or network location that you want to use to distribute the profile.

  • To prepare the service profile for distribution

    1. On the server on which you created the service profile, open Windows Explorer.

    2. Browse to the Program Files\Cmak\Profiles\ FileName directory, where FileName is the file name that you gave the service profile.

    3. Copy the executable file in this directory to a floppy disk or other portable media device. This file contains the service profile.

CAUTION: If your users use Internet Connection Sharing (ICS) to share an Internet connection between home computers, instruct them not to use the service profile from the ICS host computer. If they install the service profile on the ICS host, instruct them to disable ICS when using the service profile. Otherwise, other users on the home network could inadvertently send their traffic through the connection to your intranet.

Distributing the PIN

After you have decided how you want to distribute the service profile, you must also decide how to distribute the PIN that allows users to install the profile. The PIN should not be distributed in the same place or in the same way as the service profile because doing so increases the likelihood that unauthorized users could install the service profile. For example, do not include the PIN in a text file on the same floppy disk as the service profile. You should distribute the PIN in whatever way best meets your security needs. You can distribute the PIN by telephone, by secure e-mail, or when users sign out installation disks.

Related Information

For more information about the remote access technologies discussed in this guide, see the following:

For more information about advanced technologies and the latest developments, see the following:

© 2009 Microsoft Corporation. All rights reserved. Terms of Use | Trademarks | Privacy Statement
Page view tracker