Appendix A - Procedures

Enabling the Routing and Remote Access Service

  1. Click Start, point to Programs, point to Administrative Tools, and then click Routing and Remote Access.
    By default, the local computer is listed as a server.
    To add another server, in the console tree, right-click Server Status, and then click Add Server.
    In the Add Server dialog box, click the applicable option, and then click OK.

  2. In the console tree, right-click the server you want to enable, and then click Configure and Enable Routing and Remote Access.

  3. In the Routing and Remote Access Server Setup wizard, click Next.

  4. In Common Configurations, click Manually configured server, click Next, and then click Finish.

  5. When prompted, start the Routing and Remote Access service.

Note: If this server is a member of a Windows 2000 Active Directory domain and you are not a domain administrator, instruct your domain administrator to add the computer account of this server to the RAS and IAS Servers security group in the domain of which this server is a member. The domain administrator can add the computer account to the RAS and IAS Servers security group by using Active Directory Users and Computers or with the command netsh ras add registeredserver.

Creating a Static IP Address Pool

  1. Click Start, point to Programs, point to Administrative Tools, and then click Routing and Remote Access.

  2. In the console tree, right-click the server for which you want to create a static IP address pool, and then click Properties.

  3. On the IP tab, click Static address pool, and then click Add.

  4. In Start IP address, type a starting IP address, and then either type an ending IP address for the range in End IP address or type the number of IP addresses in the range in Number of addresses.

  5. Click OK, and then repeat steps 3 and 4 for as many ranges as you want to add.

Note: If the static IP address pool consists of IP address ranges that are on a separate subnet, then you need to either enable an IP routing protocol on the remote access server computer or add static IP routes consisting of the {IP Address, Mask} of each range to the intranet routers. If the routes are not added, then remote access clients cannot receive traffic from intranet resources.
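The note above leaves it to the reader to turn each pool range into {IP Address, Mask} route entries. The following added example (not part of the guide) does that conversion: it mirrors both ways of entering a range (an end address, or a number of addresses), splits the range into the minimal set of network/mask blocks, and skips blocks that already lie on the server's intranet subnet, which is the case where no route is needed. The intranet subnet and the pool values are constructed inputs.

```python
# Added example (not from the guide): turn a static IP address pool range into the
# {IP Address, Mask} static routes the note above says intranet routers need.
import ipaddress


def range_from_count(start_ip, count):
    """Mirror the 'Number of addresses' option: return the ending address of a
    range that starts at start_ip and contains count addresses."""
    if count < 1:
        raise ValueError("a range needs at least one address")
    return str(ipaddress.IPv4Address(start_ip) + (count - 1))


def pool_routes(start_ip, end_ip, intranet_subnet):
    """Return the (network, mask) route entries the intranet routers need so that
    traffic reaches clients assigned addresses from start_ip..end_ip.

    intranet_subnet is the subnet of the remote access server's intranet
    interface (an assumed input). Address blocks that already lie inside that
    subnet need no route, so a pool taken from the intranet subnet yields [].
    """
    start = ipaddress.IPv4Address(start_ip)
    end = ipaddress.IPv4Address(end_ip)
    if end < start:
        raise ValueError("End IP address precedes Start IP address")
    intranet = ipaddress.IPv4Network(intranet_subnet, strict=False)
    routes = []
    # summarize_address_range yields the minimal set of CIDR blocks covering the
    # range; each block becomes one {IP Address, Mask} route entry.
    for block in ipaddress.summarize_address_range(start, end):
        if block.subnet_of(intranet):
            continue  # already on the intranet subnet: reachable without a route
        routes.append((str(block.network_address), str(block.netmask)))
    return routes


if __name__ == "__main__":
    # Constructed pool on a separate subnet: 192.168.50.0 plus 256 addresses,
    # with the server's intranet interface on 10.1.1.0/24.
    end = range_from_count("192.168.50.0", 256)
    for net, mask in pool_routes("192.168.50.0", end, "10.1.1.0/24"):
        print(f"add route {net} mask {mask} via the remote access server's intranet address")
```

A range that straddles the intranet subnet boundary is handled block by block: only the part outside the subnet produces routes, which is also a quick way to spot a pool that was typed one address too wide.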

Enabling EAP

  1. Click Start, point to Programs, point to Administrative Tools, and then click Routing and Remote Access.

  2. Right-click the server name for which you want to configure EAP, and then click Properties.

  3. On the Security tab, click Authentication Methods.

  4. In the Authentication Methods dialog box, select the Extensible authentication protocol (EAP) check box, and then click OK.

Note: When you enable EAP, all installed EAP types are enabled. By default, EAP-MD5 CHAP and EAP-TLS are installed and enabled. To see the installed EAP types, click EAP Methods.

Adding PPTP or L2TP Ports

  1. Click Start, point to Programs, point to Administrative Tools, and then click Routing and Remote Access.

  2. In the console tree, click the server for which you want to configure PPTP or L2TP ports.

  3. In the details pane, right-click Ports, and then click Properties.

  4. In the Ports Properties dialog box, click either WAN Miniport (PPTP) or WAN Miniport (L2TP), and then click Configure.

  5. In Maximum ports, type the number of ports, and then click OK.

  6. Click OK to save changes to ports properties.

Setting a Phone Number on a Device

  1. Click Start, point to Programs, point to Administrative Tools, and then click Routing and Remote Access.

  2. In the console tree, click the server for which you want to set a phone number.

  3. In the details pane, right-click Ports, and then click Properties.

  4. In the Ports Properties dialog box, click the device that corresponds to the dial-up or VPN equipment, and then click Configure.

  5. In Phone number for this device, type the phone number for the port. For VPN ports, type the IP address of the VPN server Internet interface.

  6. Click OK.

Adding PPTP Packet Filters

  1. Click Start, point to Programs, point to Administrative Tools, and then click Routing and Remote Access.

  2. In the console tree, double-click the server for which you want to configure PPTP packet filtering.

  3. Double-click IP Routing.

  4. Click General.

  5. In the details pane, right-click the interface that is connected to the Internet and then click Properties.

  6. On the General tab, click Input Filters.

  7. In the Input Filters dialog box, click Add.

  8. In the Add IP Filter dialog box, select the Destination network check box. In IP address, type the IP address of the VPN server or demand-dial router's Internet interface, and in Subnet mask, type 255.255.255.255. In Protocol, click Other. In Protocol number, type 47, and then click OK.

  9. In the Input Filters dialog box, click Add.

  10. In the Add IP Filter dialog box, select the Destination network check box. In IP address, type the IP address of the VPN server or demand-dial router's Internet interface, and in Subnet mask, type 255.255.255.255. In Protocol, click TCP. In Destination port, type 1723, and then click OK.

  11. In the Input Filters dialog box, click Add.

  12. In the Add IP Filter dialog box, select the Destination network check box. In IP address, type the IP address of the VPN server or demand-dial router's Internet interface, and in Subnet mask, type 255.255.255.255. In Protocol, click TCP [established]. In Source port, type 1723 and then click OK.

  13. In the Input Filters dialog box, click Drop all packets except those that meet the criteria below, and then click OK.

  14. On the General tab, click Output Filters.

  15. In the Output Filters dialog box, click Add.

  16. In the Add IP Filter dialog box, select the Source network check box. In IP address, type the IP address of the VPN server or demand-dial router's Internet interface, and in Subnet mask, type 255.255.255.255. In Protocol, click Other. In Protocol number, type 47, and then click OK.

  17. In the Output Filters dialog box, click Add.

  18. In the Add IP Filter dialog box, select the Source network check box. In IP address, type the IP address of the VPN server or demand-dial router's Internet interface, and in Subnet mask, type 255.255.255.255. In Protocol, click TCP. In Source port, type 1723, and then click OK.

  19. In the Output Filters dialog box, click Add.

  20. In the Add IP Filter dialog box, select the Source network check box. In IP address, type the IP address of the VPN server or demand-dial router's Internet interface, and in Subnet mask, type 255.255.255.255. In Protocol, click TCP [established]. In Destination port, type 1723, and then click OK.

  21. In the Output Filters dialog box, click Drop all packets except those that meet the criteria below, and then click OK.

  22. Click OK to save changes to the interface.

Adding L2TP Packet Filters

  1. Click Start, point to Programs, point to Administrative Tools, and then click Routing and Remote Access.

  2. In the console tree, double-click the server for which you want to configure L2TP packet filtering.

  3. Double-click IP Routing.

  4. Click General.

  5. In the details pane, right-click the interface connected to the Internet, and then click Properties.

  6. On the General tab, click Input Filters.

  7. In the Input Filters dialog box, click Add.

  8. In the Add IP Filter dialog box, select the Destination network check box. In IP address, type the IP address of the VPN server or demand-dial router's Internet interface, and in Subnet mask, type 255.255.255.255. In Protocol, click UDP. In Source port, type 500. In Destination port, type 500, and then click OK.

  9. In the Input Filters dialog box, click Add.

  10. In the Add IP Filter dialog box, select the Destination network check box. In IP address, type the IP address of the VPN server or demand-dial router's Internet interface, and in Subnet mask, type 255.255.255.255. In Protocol, click UDP. In Source port, type 1701. In Destination port, type 1701, and then click OK.

  11. In the Input Filters dialog box, click Drop all packets except those that meet the criteria below, and then click OK.

  12. On the General tab, click Output Filters.

  13. In the Output Filters dialog box, click Add.

  14. In the Add IP Filter dialog box, select the Source network check box. In IP address, type the IP address of the VPN server or demand-dial router's Internet interface, and in Subnet mask, type 255.255.255.255. In Protocol, click UDP. In Source port, type 500. In Destination port, type 500, and then click OK.

  15. In the Output Filters dialog box, click Add.

  16. In the Add IP Filter dialog box, select the Source network check box. In IP address, type the IP address of the VPN server or demand-dial router's Internet interface, and in Subnet mask, type 255.255.255.255. In Protocol, click UDP. In Source port, type 1701. In Destination port, type 1701, and then click OK.

  17. In the Output Filters dialog box, click Drop all packets except those that meet the criteria below, and then click OK.

  18. Click OK to save changes to the interface.
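The PPTP and L2TP procedures above each build a default-drop filter list on the Internet interface, and the interesting question for a reviewer is which packets each list still lets through (for example, why the TCP [established] rule on source port 1723 admits replies to outbound PPTP connections but not new inbound connections). The following added example, written for this appendix and not taken from the guide or from Windows, models those two filter sets so the behaviour can be checked against sample packets. The server address 203.0.113.10, the peer addresses and the packets are constructed; the matching semantics (host mask, protocol number, TCP [established] meaning ACK set, port 0 meaning any port) are assumptions about how the dialog's fields translate to a rule.

```python
# Added example (not from the guide): a model of the RRAS input/output packet filters
# created by the PPTP and L2TP procedures above, to check which packets each set
# passes. The server address and packets are constructed for illustration.
from dataclasses import dataclass

GRE = 47                       # IP protocol number typed in "Protocol number" (PPTP data)
TCP, UDP = "TCP", "UDP"
TCP_EST = "TCP [established]"  # assumed to match only TCP packets with the ACK flag set
HOST_MASK = "255.255.255.255"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: object          # TCP, UDP, or an IP protocol number such as GRE
    sport: int = 0
    dport: int = 0
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    field: str             # "dst" (Destination network) or "src" (Source network)
    ip: str
    mask: str
    proto: object
    sport: int = 0         # 0 means any port
    dport: int = 0


def _ip_int(ip):
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def rule_matches(rule, pkt):
    addr = pkt.dst if rule.field == "dst" else pkt.src
    if _ip_int(addr) & _ip_int(rule.mask) != _ip_int(rule.ip) & _ip_int(rule.mask):
        return False
    if rule.proto == TCP_EST:
        if pkt.proto != TCP or not pkt.ack:
            return False
    elif rule.proto != pkt.proto:
        return False
    if rule.sport and rule.sport != pkt.sport:
        return False
    return not rule.dport or rule.dport == pkt.dport


def allowed(rules, pkt):
    """'Drop all packets except those that meet the criteria below'."""
    return any(rule_matches(r, pkt) for r in rules)


def pptp_filters(server_ip):
    """Input and output filter lists from steps 8-20 of the PPTP procedure."""
    inp = [Rule("dst", server_ip, HOST_MASK, GRE),
           Rule("dst", server_ip, HOST_MASK, TCP, dport=1723),
           Rule("dst", server_ip, HOST_MASK, TCP_EST, sport=1723)]
    out = [Rule("src", server_ip, HOST_MASK, GRE),
           Rule("src", server_ip, HOST_MASK, TCP, sport=1723),
           Rule("src", server_ip, HOST_MASK, TCP_EST, dport=1723)]
    return inp, out


def l2tp_filters(server_ip):
    """Input and output filter lists from steps 8-16 of the L2TP procedure."""
    inp = [Rule("dst", server_ip, HOST_MASK, UDP, 500, 500),
           Rule("dst", server_ip, HOST_MASK, UDP, 1701, 1701)]
    out = [Rule("src", server_ip, HOST_MASK, UDP, 500, 500),
           Rule("src", server_ip, HOST_MASK, UDP, 1701, 1701)]
    return inp, out


if __name__ == "__main__":
    server = "203.0.113.10"    # constructed Internet interface address
    pptp_in, _ = pptp_filters(server)
    for pkt in (Packet("198.51.100.7", server, TCP, 40000, 1723),
                Packet("198.51.100.7", server, GRE),
                Packet("198.51.100.7", server, TCP, 40000, 80)):
        print(pkt, "allowed" if allowed(pptp_in, pkt) else "dropped")
```

Run against a few packets, the model shows the intended result of both procedures: only tunnel control and data traffic addressed to the server's own Internet address passes, and anything else on that interface (including the other tunnel type's ports) is dropped.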

Configuring Automatic Certificate Allocation

  1. Log on as a domain administrator.

  2. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.

  3. In Active Directory Users and Computers, right-click the domain that contains your certificate authority (CA) and then click Properties.

  4. Click the Group Policy tab, click Default Domain Policy, and then click Edit.

  5. In Group Policy, double-click Computer Configuration, double-click Windows Settings, double-click Security Settings, and then click Public Key Policies.

  6. Right-click Automatic Certificate Request Settings, click New, and then click Automatic Certificate Request.

  7. In the Automatic Certificate Request Setup wizard, click Next.

  8. In Certificate templates, click Computer, and then click Next.

  9. Select your certificate authority, click Next, and then click Finish.

  10. Close the Group Policy console.

  11. To obtain a certificate immediately on the VPN server through auto-enrollment, either restart the VPN server computer or type secedit /refreshpolicy machine_policy at a Windows 2000 command prompt.

Copying the IAS Configuration to Another Server

  1. At a command prompt, type netsh aaaa show config path\file.txt. This stores the configuration settings, including registry settings, in a text file. The path can be relative, absolute, or a UNC path.

  2. Copy the file you created to the destination computer and, at a command prompt on the destination computer, type netsh exec path\file.txt. A message appears indicating whether the update was successful.

Note: You do not need to stop IAS on the destination computer to run the netsh exec command. When the command is run, IAS is automatically refreshed with the updated configuration settings. This procedure replicates all remote access policy, registry, and logging configuration.

Registering RADIUS Clients

  1. Click Start, point to Programs, point to Administrative Tools, and then click Internet Authentication Service.

  2. Right-click Clients, and then click New Client.

  3. In Friendly name, type a descriptive name.

  4. In Protocol, click RADIUS, and then click Next.

  5. In Client address (IP or DNS), type the DNS name or IP address for the client. If you are using a DNS name, click Verify. In the Resolve DNS Name dialog box, click Resolve, and then select the IP address you want to associate with that name from Search results.

  6. If the client is a NAS and you are planning to use NAS-specific remote access policies for configuration purposes (for example, a remote access policy that contains vendor-specific attributes), click Client Vendor, and select the manufacturer's name. If you do not know the manufacturer name or it is not in the list, click RADIUS Standard.

  7. In Shared secret, type the shared secret for the client, and then type it again in Confirm shared secret.

  8. If your NAS supports using digital signatures for verification (with PAP, CHAP, or MS-CHAP), click Client must always send the signature attribute in the request. If the NAS does not support digital signatures for PAP, CHAP, or MS-CHAP, do not click this option.

Note: If IAS receives an access request from a RADIUS proxy server, IAS cannot detect the manufacturer of the NAS that originated the request. This can cause problems if you plan to use authorization conditions based on the client vendor and have at least one client defined as a RADIUS proxy server.

  • Passwords (shared secrets) are case-sensitive. Be sure that the client's shared secret and the shared secret you type in this field are identical to each other and conform to the password rules.

  • If the client address cannot be resolved when you click Verify, make sure that the DNS name you typed is correct.

  • The friendly name that you provide for your RADIUS clients can be used in remote access policies to restrict access.
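Step 8 and the first bullet above both concern the shared secret: the "signature attribute" IAS refers to is the RADIUS Message-Authenticator attribute (attribute 80, RFC 2869), an HMAC-MD5 over the Access-Request keyed with that secret, which is why a secret that differs only in case fails and why requiring it lets the server reject unsigned or altered requests. The following added example, written for this appendix and not part of the guide or of IAS, builds a minimal Access-Request, fills in the attribute on the client side and checks it on the server side. The identifier, Request Authenticator, user name and secret are constructed values; a real client draws the Request Authenticator from a random source.

```python
# Added example (not from the guide): how the "signature attribute" the New Client
# wizard refers to, the RADIUS Message-Authenticator (RFC 2869, attribute 80), is
# computed and checked with the client's shared secret. Packet contents are constructed.
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80


def build_access_request(identifier, request_authenticator, attrs, with_signature=True):
    """Build an Access-Request packet. attrs is a list of (type, value bytes).
    With with_signature, a zero-filled Message-Authenticator attribute is
    appended, ready for sign()."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    body = b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)
    if with_signature:
        body += bytes([ATTR_MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    return header + request_authenticator + body


def _signature_offset(packet):
    """Offset of the Message-Authenticator value, or None if the attribute is absent."""
    off = 20
    while off + 2 <= len(packet):
        attr_type, attr_len = packet[off], packet[off + 1]
        if attr_len < 2 or off + attr_len > len(packet):
            raise ValueError("malformed attribute")
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and attr_len == 18:
            return off + 2
        off += attr_len
    return None


def _expected_signature(packet, off, secret):
    # HMAC-MD5 keyed with the shared secret over the whole packet, with the
    # Message-Authenticator value itself replaced by 16 zero bytes.
    zeroed = packet[:off] + bytes(16) + packet[off + 16:]
    return hmac.new(secret.encode(), zeroed, hashlib.md5).digest()


def sign(packet, secret):
    """Client side: fill in the Message-Authenticator value."""
    off = _signature_offset(packet)
    if off is None:
        raise ValueError("packet carries no Message-Authenticator attribute")
    return packet[:off] + _expected_signature(packet, off, secret) + packet[off + 16:]


def verify(packet, secret, require_signature=True):
    """Server side check. require_signature mirrors 'Client must always send the
    signature attribute in the request': an unsigned request is then rejected."""
    off = _signature_offset(packet)
    if off is None:
        return not require_signature
    return hmac.compare_digest(_expected_signature(packet, off, secret),
                               packet[off:off + 16])


if __name__ == "__main__":
    auth = bytes(range(16))  # constructed; a real client uses 16 random bytes
    req = build_access_request(7, auth, [(ATTR_USER_NAME, b"alice")])
    signed = sign(req, "s3cret")
    print("correct secret:   ", verify(signed, "s3cret"))
    print("secret wrong case:", verify(signed, "S3CRET"))
    print("user name altered:", verify(signed.replace(b"alice", b"bobby"), "s3cret"))
```

The secret is used as the HMAC key, so the server's copy and the client's copy must be byte-for-byte identical, which is the case-sensitivity the first bullet warns about. Leaving the check box clear (require_signature=False here) means a request without the attribute is not rejected on that ground alone, so enable it for every NAS that supports it.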

Configuring RADIUS Authentication

  1. Click Start, point to Programs, point to Administrative Tools, and then click Routing and Remote Access.

  2. In the console tree, right-click the server name for which you want to configure RADIUS authentication, and then click Properties.

  3. On the Security tab, in Authentication provider, click RADIUS Authentication, and then click Configure.

  4. In the RADIUS Authentication dialog box, click Add.

  5. In the Add RADIUS Server dialog box, configure the settings for your RADIUS authentication server, and then click OK.

Configuring RADIUS Accounting

  1. Click Start, point to Programs, point to Administrative Tools, and then click Routing and Remote Access.

  2. In the console tree, right-click the server name for which you want to configure RADIUS accounting, and then click Properties.

  3. On the Security tab, in Accounting provider, click RADIUS Accounting, and then click Configure.

  4. In the RADIUS Accounting dialog box, click Add.

  5. In the Add RADIUS Server dialog box, configure the settings for your RADIUS accounting server, and then click OK.