Outsourced dial and a proxy in the perimeter network

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

This topic describes how IAS can be used as a RADIUS proxy to forward messages between the RADIUS proxies of an outsourced dial service provider and the RADIUS servers within an organization's intranet. The service provider offers worldwide Points of Presence (POPs) that the organization's employees can call. Once the dial-up call is established and the employee has been authenticated, the employee's computer is connected to the organization's intranet.

This topic describes a configuration for an organization that uses:

  • Two IAS servers.

    Two IAS servers (one primary and one secondary) provide fault tolerance for RADIUS-based authentication, authorization, and accounting. If only one RADIUS server is configured and it becomes unavailable, dial-in and VPN users cannot connect. By configuring both IAS proxies in the perimeter network with both IAS servers as members of their remote RADIUS server group, the proxies can detect when the primary IAS server is unavailable and automatically fail over to the secondary IAS server.

  • Active Directory domains.

    Active Directory domains contain the user accounts, passwords, and dial-in properties that each IAS server requires to authenticate user credentials and evaluate both authorization and connection constraints. To optimize IAS authentication and authorization response times and minimize network traffic, IAS is installed on domain controllers.

  • Custom remote access policies. Remote access policies are configured to specify, based on group membership, the different types of connection constraints for users.

  • Two IAS proxies in the perimeter network.

    To simplify the configuration of the intranet firewall, IAS proxies are used in the perimeter network instead of IAS servers. When IAS servers are used in the perimeter network, you must either configure each IAS server computer with two network adapters (one connected to the perimeter network and one connected to the intranet), or configure the intranet firewall to allow Active Directory traffic between the IAS servers in the perimeter network and all of the domain controllers in the intranet. Because IAS proxies do not need to contact domain controllers, they do not require two network adapters, and the intranet firewall only has to allow RADIUS traffic between the IAS proxies in the perimeter network and the IAS servers in the intranet.

    Two IAS proxies are used in the perimeter network to provide fault tolerance for RADIUS requests that are sent from the service provider's proxies.

  • Connection Manager.

    To automate service provider dialing, Connection Manager is used to create a profile with all of the phone numbers of the service provider POPs. Remote access users select the location from which they are dialing, and then select the appropriate phone number (POP) from the phone book in the Connection Manager service profile for the service provider. The remote access user authenticates to the service provider's dial-in access server with the Challenge Handshake Authentication Protocol (CHAP). The realm name portion of the user name is used by the service provider's proxies to forward the authentication requests to an IAS proxy in the perimeter network of the organization.

This topic also describes a configuration for a service provider that uses:

  • Two IAS proxies in the service provider's network.

    The service provider uses RADIUS proxies in its network to forward RADIUS request messages between the dial-in servers of the service provider and the RADIUS servers or proxies of multiple customers across the Internet. Two IAS proxies are used to provide fault tolerance for RADIUS authentication.

  • Dial-up access servers.

    Dial-up servers consist of computers running:

    • Windows Server 2003, Standard Edition

    • Windows Server 2003, Enterprise Edition

    • Windows Server 2003, Datacenter Edition

    • Windows 2000 and the Routing and Remote Access service

    • Third-party network access server (NAS) devices

The following illustration shows the outsourced dial configuration using IAS proxies in the organization's perimeter network.

[Illustration: outsourced dial configuration with IAS proxies in the perimeter network]

Note

  • This topic only describes how to configure IAS. It does not describe the configuration of Active Directory domains or Connection Manager. For more information about how to deploy these components, see the appropriate Help topics.

To configure IAS for this example, complete the following steps:

  • Configure Active Directory for user accounts and groups.

  • Configure the primary IAS server on a domain controller.

  • Configure the secondary IAS server on a different domain controller.

  • Configure RADIUS authentication and accounting on VPN servers.

  • Configure the primary IAS proxy in the perimeter network.

  • Configure the secondary IAS proxy in the perimeter network.

  • Configure the intranet and Internet firewalls to support RADIUS traffic.

  • Configure the primary IAS proxy at the service provider.

  • Configure the secondary IAS proxy at the service provider.

  • Configure RADIUS accounting and authentication on the dial-up access servers at the service provider.

Configuring user accounts and groups

To configure user accounts and groups, do the following:

  1. Ensure that all users who are making remote access connections have a corresponding user account.

  2. Manage your network access by group by setting the remote access permission on user accounts to Control access through Remote Access Policy. For more information, see Configure remote access permission for a user.

  3. Organize your remote access users into the appropriate universal and nested groups in order to take advantage of group-based remote access policies. For more information, see Group scope.

  4. Because the outsourced service provider requires the use of Challenge Handshake Authentication Protocol (CHAP) authentication for the dial-in connection, you must enable support for reversibly encrypted passwords for the appropriate domains. For more information, see Enable reversibly encrypted passwords in a domain. Reversible encryption weakens password storage, so enable it only for the domains (or, better, only the individual user accounts) that dial in through the provider, and remember that a password is stored reversibly only after it is next changed; existing passwords are not converted.
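The reason step 4 is unavoidable is visible in the CHAP arithmetic. The following Python is an added example, not code from this topic or from IAS: it models what the provider's dial-in server puts into the Access-Request after the PPP CHAP exchange (User-Name with its realm, CHAP-Password and CHAP-Challenge, per RFC 2865 and RFC 1994) and how the IAS server verifies it. The account table, user names and passwords are constructed sample data.

```python
import hashlib
import hmac
import os

# RADIUS attribute types used for CHAP (RFC 2865).
USER_NAME = 1
CHAP_PASSWORD = 3
CHAP_CHALLENGE = 60


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || password || Challenge).
    The client computes this from the cleartext password the user typed."""
    return hashlib.md5(bytes([ident & 0xFF]) + password + challenge).digest()


def encode_attributes(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs: type(1) length(1) value."""
    out = bytearray()
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value exceeds 253 bytes")
        out += bytes([atype, len(value) + 2]) + value
    return bytes(out)


def nas_access_request_attrs(user_name, ident, password, challenge):
    """What the provider's dial-in NAS sends after the PPP CHAP exchange.
    User-Name keeps its realm suffix so the proxies can route on it."""
    return [
        (USER_NAME, user_name.encode()),
        (CHAP_PASSWORD, bytes([ident & 0xFF]) + chap_response(ident, password, challenge)),
        (CHAP_CHALLENGE, challenge),
    ]


def verify_chap(attrs, lookup_cleartext, request_authenticator=None):
    """IAS side. lookup_cleartext(user_name) returns the stored cleartext password
    or None. Verification recomputes the MD5 over the cleartext, so a one-way
    hash in the directory is useless here: that is why the domain must store
    these passwords with reversible encryption. If CHAP-Challenge is absent,
    the 16-byte Request Authenticator of the packet is the challenge."""
    a = dict(attrs)
    user = a[USER_NAME].decode()
    chap_pw = a[CHAP_PASSWORD]
    ident, response = chap_pw[0], chap_pw[1:]
    challenge = a.get(CHAP_CHALLENGE, request_authenticator)
    password = lookup_cleartext(user)
    if password is None or challenge is None or len(response) != 16:
        return False
    return hmac.compare_digest(chap_response(ident, password, challenge), response)


# Constructed sample accounts (assumption): user@realm -> cleartext password.
ACCOUNTS = {"alice@example.com": b"correct-horse-battery"}


def lookup(user_name):
    return ACCOUNTS.get(user_name)


def demo(typed_password=b"correct-horse-battery", challenge=None):
    """One dial-in attempt: the NAS builds the attributes, IAS verifies them."""
    challenge = challenge or os.urandom(16)
    attrs = nas_access_request_attrs("alice@example.com", 7, typed_password, challenge)
    return verify_chap(attrs, lookup)
```

Because the response is bound to the challenge, a captured CHAP-Password cannot be replayed against a different challenge; the test below checks that, as well as the unknown-user and wrong-password paths.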

Configuring the primary IAS server on a domain controller

To configure the primary IAS server on a domain controller, do the following:

  1. On the domain controller, install IAS as an optional networking component. For more information, see Install IAS.

  2. Configure the IAS server computer (the domain controller) to read the properties of user accounts in the domain. For more information, see Enable the IAS server to read user accounts in Active Directory.

  3. If the IAS server authenticates connection attempts for user accounts in other domains, verify that the other domains have a two-way trust with the domain in which the IAS server computer is a member. Next, configure the IAS server computer to read the properties of user accounts in other domains. For more information, see Enable the IAS server to read user accounts in Active Directory. For more information about trust relationships, see Trust direction.

    If the IAS server is authenticating connection attempts for user accounts in other domains, and those domains do not have a two-way trust with the domain in which the IAS server computer is a member, see Authentication across forests.

  4. Enable file logging for accounting and authentication events. For more information, see Configure log file properties.

  5. Add the IAS proxies in the perimeter network as RADIUS clients of the IAS server. For more information, see Add RADIUS clients. Verify that you are configuring the correct name or IP address and shared secrets. For more information, see Shared secrets.

  6. Create remote access policies that accurately reflect your remote access usage.

    For example, to configure a custom remote access policy to permit members of the Contractors group to connect from 8:00 AM to 5:00 PM, Monday through Friday, use the New Remote Access Policy Wizard to create a new custom remote access policy with the following settings:

    • Policy name: Contractor connections

    • Conditions: Windows-Groups matches Contractors

    • Permission: Grant remote access permission

    • Profile settings, Dial-in Constraints tab: Allow access only on these days and at these times is set to 8:00 AM to 5:00 PM, Monday through Friday.

    To configure a remote access policy that requires members of the Executives group to use EAP-TLS authentication and 128-bit encryption, use the New Remote Access Policy Wizard to create a common remote access policy with the following settings:

    • Policy name: High security connections for executives

    • Access Method: Dial-up access

    • User or Group: Select Group, and then specify the Executives group (example).

    • Authentication methods: Select Extensible Authentication Protocol (EAP) and, in Type, select Smart Card or other Certificate. If you have multiple computer certificates, click Configure, select the appropriate computer certificate, and then clear all other check boxes.

    • Policy Encryption Level: Select the Strongest encryption (MPPE 128-bit) check box, and then clear all other check boxes.

    A profile that permits only EAP rejects every attempt that arrives with a different authentication method, and IAS does not fall through to the next policy when a profile constraint fails. Because the outsourced provider's dial-in servers authenticate users with CHAP, members of the Executives group who dial in through the provider are rejected by this policy; add CHAP to the policy's authentication methods, or match those connections with a separate policy, if executives must use the outsourced dial service.

    For additional examples of remote access policies, see Remote Access Policies Examples.

    If you have created new remote access policies, either delete the default remote access policies, or ensure that they are the last policies to be evaluated. For more information, see Delete a remote access policy and Change the policy evaluation order.
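To make the evaluation order and the profile-constraint behaviour concrete, the following Python is an added example that is not part of this topic or of IAS. It models the two policies above in evaluation order, with the default policies deleted, and evaluates a handful of constructed connection attempts against them. The account-permission handling reflects the Control access through Remote Access Policy setting from the user-account steps: an account set to Deny is always rejected, an account set to Allow ignores the policy's permission but is still subject to the profile. Policy and attempt data are constructed sample values.

```python
from datetime import datetime


def weekday_business_hours(when):
    """Dial-in constraint from the Contractor connections policy: Mon-Fri, 8:00 AM to 5:00 PM."""
    return when.weekday() < 5 and 8 <= when.hour < 17


# Constructed policies (assumption) in IAS evaluation order; no default policies remain.
POLICIES = [
    {"name": "High security connections for executives",
     "match": lambda req: "Executives" in req["groups"],
     "permission": "grant",
     "profile": {"auth_methods": {"EAP-TLS"}, "min_encryption_bits": 128}},
    {"name": "Contractor connections",
     "match": lambda req: "Contractors" in req["groups"],
     "permission": "grant",
     "profile": {"time_window": weekday_business_hours}},
]


def evaluate(req, policies=POLICIES):
    """The first policy whose conditions match decides the attempt. The account's
    dial-in permission is checked first (Deny rejects, Allow overrides the policy
    permission, 'policy' uses it); then the profile constraints are applied, and
    a failed constraint rejects the attempt without trying later policies."""
    for pol in policies:
        if not pol["match"](req):
            continue
        account = req.get("account_permission", "policy")
        if account == "deny" or (account == "policy" and pol["permission"] != "grant"):
            return ("reject", pol["name"], "remote access permission denied")
        prof = pol["profile"]
        if "auth_methods" in prof and req["auth"] not in prof["auth_methods"]:
            return ("reject", pol["name"], "authentication method not permitted")
        if "min_encryption_bits" in prof and req.get("encryption_bits", 0) < prof["min_encryption_bits"]:
            return ("reject", pol["name"], "encryption too weak")
        if "time_window" in prof and not prof["time_window"](req["when"]):
            return ("reject", pol["name"], "outside permitted days and times")
        return ("accept", pol["name"], "constraints satisfied")
    return ("reject", None, "no policy matched")


# Constructed sample attempts (assumption). 2024-01-01 is a Monday, 2024-01-06 a Saturday.
MONDAY_10AM = datetime(2024, 1, 1, 10, 0)
SATURDAY_10AM = datetime(2024, 1, 6, 10, 0)
ATTEMPTS = {
    "exec_eap_tls": {"groups": {"Executives"}, "auth": "EAP-TLS",
                     "encryption_bits": 128, "when": MONDAY_10AM},
    # An executive dialing through the outsourced provider arrives with CHAP, so the
    # executives policy rejects the attempt even though the contractor policy would fit.
    "exec_via_provider_chap": {"groups": {"Executives", "Contractors"}, "auth": "CHAP",
                               "encryption_bits": 128, "when": MONDAY_10AM},
    "contractor_monday": {"groups": {"Contractors"}, "auth": "CHAP", "when": MONDAY_10AM},
    "contractor_saturday": {"groups": {"Contractors"}, "auth": "CHAP", "when": SATURDAY_10AM},
    "other_employee": {"groups": {"Domain Users"}, "auth": "CHAP", "when": MONDAY_10AM},
}


def run_all():
    """Evaluate every constructed attempt; returns name -> (outcome, policy, reason)."""
    return {name: evaluate(req) for name, req in ATTEMPTS.items()}
```

Run `run_all()` to see each attempt's outcome, the policy that decided it and the reason; the executive-over-CHAP case is the one to study, since the rejection comes from the first matching policy rather than from a missing one.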

Configuring the secondary IAS server on a different domain controller

To configure the secondary IAS server on a different domain controller, do the following:

  1. On the other domain controller, install IAS as an optional networking component. For more information, see Install IAS.

  2. Configure the secondary IAS server computer (the other domain controller) to read the properties of user accounts in the domain. For more information, see Enable the IAS server to read user accounts in Active Directory.

  3. If the secondary IAS server authenticates connection attempts for user accounts in other domains, verify that the other domains have a two-way trust with the domain in which the secondary IAS server computer is a member. Next, configure the secondary IAS server computer to read the properties of user accounts in other domains. For more information, see Enable the IAS server to read user accounts in Active Directory. For more information about trust relationships, see Trust direction.

    If the secondary IAS server authenticates connection attempts for user accounts in other domains, and those domains do not have a two-way trust with the domain in which the secondary IAS server computer is a member, see Authentication across forests.

  4. Copy the configuration of the primary IAS server to the secondary IAS server. For more information, see Copy the IAS configuration to another server.

Configuring RADIUS authentication and accounting on the VPN servers

To configure each VPN server to use the primary and secondary IAS servers for authentication, authorization, and accounting of remote access connections, do the following:

  1. If the VPN server is a computer running Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; Windows Server 2003, Datacenter Edition; or Windows 2000 and the Routing and Remote Access service, configure the primary and secondary IAS servers as RADIUS servers for both RADIUS authentication and accounting. For more information, see Use RADIUS authentication and Use RADIUS accounting.

  2. If the VPN server is a computer running Windows NT Server 4.0 and the Routing and Remote Access Service (RRAS), see the Windows NT Server 4.0 online Help for instructions about how to configure the primary and secondary IAS servers as RADIUS servers for RADIUS authentication.

  3. If the VPN server is a third-party network access server (NAS), see the documentation for the NAS to determine how to configure it as a RADIUS client with two RADIUS servers (the primary and secondary IAS servers).

Configuring the primary IAS proxy in the perimeter network

To configure the primary IAS proxy in the perimeter network, do the following:

  1. On a computer running Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; or Windows Server 2003, Datacenter Edition in the perimeter network, install IAS as an optional networking component. For more information, see Install IAS. The computer on which IAS is installed is not required to be dedicated to forwarding RADIUS messages. You can install IAS on a Web server, file server, or DNS server. Keep in mind, however, that the proxy holds the RADIUS shared secrets for both the service provider's proxies and your intranet IAS servers, so the host should be hardened like any other host that is reachable from the Internet.

  2. If needed, configure additional UDP ports for RADIUS messages that are sent by the service provider's RADIUS proxies. For more information, see Configure IAS port information. By default, IAS uses UDP ports 1812 and 1645 for authentication and ports 1813 and 1646 for accounting.

  3. Add the service provider's RADIUS proxies as RADIUS clients of the IAS proxy. For more information, see Add RADIUS clients. Verify that you are configuring the correct name or IP address and shared secrets. For more information, see Shared secrets.

  4. Create a connection request policy that forwards RADIUS request messages based on the realm name of your organization.

    Use the New Connection Request Policy Wizard to create a connection request policy that forwards connection requests to a remote RADIUS server group and where the realm name matches the realm name of the user accounts in your organization. Clear the check box that removes the realm name for authentication. In the New Connection Request Policy Wizard, use the New Remote RADIUS server Group Wizard to create a remote RADIUS server group with members that include the two IAS servers within your intranet.

    For more information, see Add a connection request policy.

  5. Delete the default connection request policy named Use Windows authentication for all users. If it remains, requests whose realm does not match your forwarding policy are authenticated locally by the proxy instead of being forwarded. For more information, see Delete a connection request policy.

Configuring the secondary IAS proxy in the perimeter network

To configure the secondary IAS proxy on another computer in the perimeter network, do the following:

  1. On another computer running Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; or Windows Server 2003, Datacenter Edition in the perimeter network; install IAS as an optional networking component. For more information, see Install IAS.

  2. Copy the configuration of the primary IAS proxy to the secondary IAS proxy in the perimeter network. For more information, see Copy the IAS configuration to another server.

Configuring the intranet and Internet firewalls to support RADIUS traffic

To configure the intranet and Internet firewalls to support RADIUS traffic, do the following:

  1. Configure the intranet firewall to allow RADIUS traffic between the IAS proxies in the perimeter network and the IAS servers in the intranet.

  2. Configure the Internet firewall to allow RADIUS traffic between the IAS proxies in the perimeter network and the IAS proxies in the service provider's network.

    For more information, see IAS and firewalls

Configuring the primary IAS proxy at the service provider

To configure the primary IAS proxy at the service provider, do the following:

  1. On a computer running Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; or Windows Server 2003, Datacenter Edition in the service provider's network; install IAS as an optional networking component. For more information, see Install IAS. The computer on which IAS is installed is not required to be dedicated to forwarding RADIUS messages. You can install IAS on a Web server, file server, or DNS server.

  2. If needed, configure additional UDP ports for authentication and accounting messages that are sent by the service provider's dial-up access servers. For more information, see Configure IAS port information. By default, IAS uses UDP ports 1812 and 1645 for authentication and ports 1813 and 1646 for accounting.

  3. Add the service provider's dial-up access servers as RADIUS clients of the IAS proxy. For more information, see Add RADIUS clients. Verify that you are configuring the correct name or IP address and shared secrets. For more information, see Shared secrets.

  4. Create a connection request policy that forwards RADIUS request messages based on the realm name of the service provider's customer.

    Use the New Connection Request Policy Wizard to create a connection request policy that forwards connection requests to a remote RADIUS server group and where the realm name matches the realm name of the customer's organization. Clear the check box that removes the realm name for authentication. In the New Connection Request Policy Wizard, use the New Remote RADIUS server Group Wizard to create a remote RADIUS server group with members that include the two IAS proxies in the customer's perimeter network.

    For more information, see Add a connection request policy.

  5. Delete the default connection request policy named Use Windows authentication for all users. For more information, see Delete a connection request policy.
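The proxy steps above, for the perimeter-network proxies and for the service provider's proxies, describe the same mechanism from two sides: accept RADIUS only from configured clients, route on the realm in User-Name, forward to a remote RADIUS server group with a primary and a secondary member, and answer nothing at all for unknown clients. The following Python is an added example that is not part of this topic or of IAS; it implements that pipeline on RFC 2865 packets, including the Response Authenticator check (MD5 over the reply and the shared secret) that makes a member with a mismatched shared secret look like a dead one. The addresses, secrets, user names and the stand-in intranet servers are constructed; the suffix `user@realm` form is assumed.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and the attribute the proxies route on (RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME = 1

def build_packet(code, ident, authenticator, attrs):
    """code(1) id(1) length(2) authenticator(16) then type/length/value attributes."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(data):
    code, ident, length = struct.unpack("!BBH", data[:4])
    attrs, pos = [], 20
    while pos < length:
        alen = data[pos + 1]
        if alen < 2:
            raise ValueError("malformed RADIUS attribute")
        attrs.append((data[pos], data[pos + 2:pos + alen]))
        pos += alen
    return code, ident, data[4:20], attrs

def build_response(code, ident, request_auth, attrs, secret):
    """Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret)."""
    pkt = build_packet(code, ident, request_auth, attrs)
    digest = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()
    return pkt[:4] + digest + pkt[20:]

def response_is_authentic(resp, request_auth, secret):
    """A reply that fails this check under the configured secret is treated as no reply."""
    expected = hashlib.md5(resp[:4] + request_auth + resp[20:] + secret).digest()
    return hmac.compare_digest(expected, resp[4:20])

def realm_of(user_name):
    """Suffix realm of 'user@realm' (assumed form; IAS supports other realm syntaxes)."""
    _, at, realm = user_name.rpartition("@")
    return realm.lower() if at else None

def forward_to_group(members, request):
    """Remote RADIUS server group: (name, secret, send) members tried in priority order.
    A member that times out or answers with a bad authenticator is skipped (failover)."""
    request_auth = parse_packet(request)[2]
    for name, secret, send in members:
        resp = send(request)                  # None models a UDP timeout
        if resp is not None and response_is_authentic(resp, request_auth, secret):
            return name, resp
    return None, None

def proxy_handle(clients, policies, src_ip, data):
    """clients: source IP -> shared secret; policies: [(realm, members)]. There is no
    'Use Windows authentication for all users' fallback, so an unmatched realm is
    rejected instead of being authenticated locally on the proxy."""
    secret = clients.get(src_ip)
    if secret is None:                        # unknown RADIUS client: silently discard
        return "discard", None, None
    code, ident, request_auth, attrs = parse_packet(data)
    if code != ACCESS_REQUEST:
        return "discard", None, None
    user = dict(attrs).get(USER_NAME, b"").decode(errors="replace")
    members = next((m for realm, m in policies if realm_of(user) == realm), None)
    if members is None:
        return "reject", None, build_response(ACCESS_REJECT, ident, request_auth, [], secret)
    # Fresh id and Request Authenticator toward the group; User-Name keeps its realm.
    forwarded = build_packet(ACCESS_REQUEST, (ident + 1) % 256, os.urandom(16), attrs)
    served_by, resp = forward_to_group(members, forwarded)
    if resp is None:
        return "no-response", None, None      # every member of the group is unreachable
    rcode, _, _, rattrs = parse_packet(resp)
    return "forwarded", served_by, build_response(rcode, ident, request_auth, rattrs, secret)

def make_server(secret, accept_users, down=False):
    """Constructed stand-in for an intranet IAS server; it signs with its own secret."""
    def send(request):
        if down:
            return None
        _, ident, request_auth, attrs = parse_packet(request)
        user = dict(attrs).get(USER_NAME, b"").decode(errors="replace")
        code = ACCESS_ACCEPT if user in accept_users else ACCESS_REJECT
        return build_response(code, ident, request_auth, [], secret)
    return send

# Constructed topology (assumption): provider proxy 198.51.100.10 -> this proxy -> ias1/ias2.
CLIENTS = {"198.51.100.10": b"provider-proxy-secret"}
INTRANET_SECRET = b"dmz-intranet-secret"

def make_policies(primary_down=False, secondary_secret=INTRANET_SECRET):
    """Connection request policy for realm example.com with a two-member server group."""
    group = [("ias1", INTRANET_SECRET, make_server(INTRANET_SECRET, {"alice@example.com"}, down=primary_down)),
             ("ias2", INTRANET_SECRET, make_server(secondary_secret, {"alice@example.com"}))]
    return [("example.com", group)]

def access_request(user, ident=42):
    """Access-Request as the provider's proxy would send it (User-Name only, for brevity)."""
    return build_packet(ACCESS_REQUEST, ident, os.urandom(16), [(USER_NAME, user.encode())])
```

Call `proxy_handle(CLIENTS, make_policies(), "198.51.100.10", access_request("alice@example.com"))` for the normal path; `make_policies(primary_down=True)` shows the failover to ias2, and `make_policies(primary_down=True, secondary_secret=b"mismatch")` shows why a wrong shared secret is indistinguishable from an outage at the proxy. The same code, with the realm table pointing at the customer's perimeter proxies, is the service provider's side.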

Configuring the secondary IAS proxy at the service provider

To configure the secondary IAS proxy on another computer in the service provider's network, do the following:

  1. On another computer running Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; or Windows Server 2003, Datacenter Edition in the service provider's network; install IAS as an optional networking component. For more information, see Install IAS.

  2. Copy the configuration of the primary IAS proxy to the secondary IAS proxy in the service provider's network. For more information, see Copy the IAS configuration to another server.

Configuring RADIUS accounting and authentication on the dial-up servers at the service provider

To configure each dial-up server to use the primary and secondary IAS proxies in the service provider's network for the authentication, authorization, and accounting of dial-up connections, do the following:

  1. If the dial-up or VPN server is a computer running Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; Windows Server 2003, Datacenter Edition; or Windows 2000 and the Routing and Remote Access service, configure the primary and secondary IAS proxies in the service provider's network as RADIUS servers for both RADIUS authentication and accounting. For more information, see Use RADIUS authentication and Use RADIUS accounting.

  2. If the dial-up or VPN server is a computer running Windows NT Server 4.0 and the Routing and Remote Access Service (RRAS), see the Windows NT Server 4.0 online Help for information about how to configure the primary and secondary IAS proxies in the service provider's network as RADIUS servers for RADIUS authentication.

  3. If the dial-up or VPN server is a third-party network access server (NAS), see the documentation for the NAS to determine how to configure it as a RADIUS client with two RADIUS servers (the primary and secondary IAS proxies in the service provider's network).

Note

  • You can configure IAS in Windows Server 2003, Standard Edition, with a maximum of 50 RADIUS clients and a maximum of 2 remote RADIUS server groups. You can define a RADIUS client using a fully qualified domain name or an IP address, but you cannot define groups of RADIUS clients by specifying an IP address range. If the fully qualified domain name of a RADIUS client resolves to multiple IP addresses, the IAS server uses the first IP address returned in the DNS query. With IAS in Windows Server 2003, Enterprise Edition, and Windows Server 2003, Datacenter Edition, you can configure an unlimited number of RADIUS clients and remote RADIUS server groups. In addition, you can configure RADIUS clients by specifying an IP address range.