Internet Connection Services for MS RAS, Standard Edition


Welcome to Internet Connection Services for RAS

Welcome to Internet Connection Services for Microsoft® Remote Access Service (RAS), a set of software components designed to help corporations and Internet Service Providers (ISPs) build comprehensive Internet access solutions, including dial-up Virtual Private Networks (VPN). Whether you are building an Internet service or managing a corporate network, Internet Connection Services for RAS helps you quickly implement a custom remote access network. With Internet Connection Services for RAS, you can provide your subscribers or your employees with a seamless connection experience, a global dial-up service, and secure connections over the Internet to a private network. Internet Connection Services for RAS also gives you the technology you need to centrally manage remote access to your network over the Internet.

About This Document

Getting Started with Internet Connection Services for Microsoft Remote Access Service is written for anyone interested in learning more about this product. It provides an overview of the product and describes basic tasks you can perform with the software.

This book contains the following sections:

  • Welcome to Internet Connection Services for RAS 

    An overview of this book and a list of server requirements 

  • A Guided Tour 

    A brief description of the features included with Internet Connection Services for RAS and an example of how they can help you provide a value-added, secure connection experience to your subscribers or employees 

  • Understanding Internet Connection Services for RAS 

    An introduction to basic Internet Connection Services for RAS concepts and an overview of tasks you can perform with Internet Connection Services for RAS software

  • Setting up Internet Connection Services for RAS 

    An overview of the setup and configuration processes and instructions for installing Internet Connection Services applications. 

Document Conventions

The following text formats are used throughout this document.

Convention: Meaning

  • Bold: Indicates the actual commands, words, or characters that you type in a dialog box or at the command prompt. Hypertext links also appear in bold.

  • Italic: Indicates a placeholder for information or parameters that you must provide. For example, if the procedure asks you to type filename, you must type the actual name of a file.

  • Monospace: Represents examples of screen text or entries that you might type at the command line or in initialization files.

Server Requirements

The following list describes the minimum hardware and software requirements for your server computer:

  • Intel® Pentium 133 MegaHertz (MHz) or faster processor 

  • 32 Megabytes (MB) of Random Access Memory (RAM) 

  • 27 MB of free hard disk space to install the applications 

  • 18 MB of free hard disk space to run the applications 

  • CD-ROM drive 

  • VGA or Super VGA monitor compatible with Windows NT® Server version 4.0 

  • Microsoft® Mouse or compatible pointing device 

  • Windows NT Server version 4.0 

  • Windows NT 4.0 Option Pack 

A Guided Tour

Now that you know where to find the information you need, you're ready to learn more about Internet Connection Services for Microsoft® Remote Access Service (RAS). This section introduces you to Internet Connection Services for RAS, describes the individual features of the product, and provides real-world examples that describe what you can do with the software. The following section will answer these questions:

  • What is Internet Connection Services for RAS? 

  • What's included with Internet Connection Services for RAS? 

  • What can you do with Internet Connection Services for RAS? 

  • What are the benefits for Internet service providers using Internet Connection Services for RAS? 

  • What are the benefits for corporations using Internet Connection Services for RAS? 

What is Internet Connection Services for RAS?

With the rapid growth of Internet communications, many people today are faced with different aspects of the same challenge: how to take advantage of Internet technology. Computer users want to know how they can quickly get connected to the Internet to access information. Internet service providers want to know how they can provide value-added features that differentiate their service. Corporations want to know how they can take advantage of Internet technology to reduce the cost of remote access and provide secure, inexpensive dial-up services, and a full, rich telecommuting solution to their corporate network.

Internet Connection Services for RAS is designed to help corporations build a comprehensive remote authentication and telecommuting solution over the Internet.

The Microsoft Windows platform provides a rich set of networking capabilities. Personal Computers equipped with Microsoft Windows can create dial-up connections to either an Internet service provider (ISP) or to a corporate network. Windows NT Remote Access Service (RAS) can receive dial-up sessions and provide secure dial-up connectivity to a corporate LAN. Through a technology called tunneling, Windows NT offers secure, virtual private networking to corporate LANs over the Internet.

Internet Connection Services for RAS is an additional set of services that builds on the features of Microsoft Windows and Windows NT Server to allow you to enhance your connectivity to a corporate network or to an Internet service provider. Internet Connection Services for RAS is comprised of three major applications:

  • Connection Manager Administration Kit (CMAK). Connection Manager, which is available for Windows 95 and Windows NT, provides an integrated and customizable dialer by which users can access the Internet or Virtual Private Networks (VPNs). Using the Connection Manager Administration Kit (CMAK), ISPs or corporations can customize Connection Manager to their needs.

  • Connection Point Services. Runs on Microsoft Windows NT Server and allows administrators to centrally manage the distribution of phone books containing information on network access phone numbers.

  • Internet Authentication Services (IAS). Runs on Microsoft Windows NT Server and allows users to authenticate against the Windows NT SAM database using the Remote Authentication Dial-In User Service (RADIUS) protocol. The current version of IAS supports the Password Authentication Protocol (PAP) and Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) authentication methods.

What's Included in Internet Connection Services for RAS?

This section introduces the components included in Internet Connection Services for RAS and describes how each one is used.

Connection Manager Administration Kit

The Connection Manager Administration Kit is a step-by-step wizard that guides you through the process of customizing and pre-configuring the Microsoft Connection Manager dialer. Connection Manager is a customized dialer, which allows you to provide users with a quick and easy way to connect to the Internet and a corporate private network. With the Connection Manager Administration Kit, you can use your own custom icons, tailored help files, and special animated graphics to control the look of your Connection Manager dialer. You can also control the functionality of Connection Manager. For example, Connection Manager supports Connect Actions. Connect Actions are small executable programs that start when the dialer connects to or disconnects from the Internet or a corporate private network. You can use Connect Actions to differentiate your service and provide a simple connection experience by automating tasks for your users.

Microsoft Connection Manager is designed to help you provide generic access to the Internet as well as secure access over the Internet to a private corporate network. If you're using Internet Connection Services for RAS to build a VPN solution, you can use the Connection Manager Administration Kit to build a dialer that is pre-configured to support secure connections with Point-to-Point Tunneling Protocol (PPTP). By providing a custom dialer that automatically supports PPTP, you can ensure the security of your private network without burdening your employees with complex configuration.

Connection Point Services

Connection Point Services is a comprehensive phone book management system. It provides you with a central location for adding, removing, and distributing access numbers for both public and private networks.

Connection Point Services can communicate with the Connection Manager dialer to automatically provide the most current access numbers to your customers and employees. Once Connection Point Services is set up, updated phone numbers are transferred to the dialer when a user connects to your network. With Connection Point Services, you can reduce the cost of technical support and easily share access numbers with other corporations or Internet service providers.

Connection Point Services can handle multiple phone book support and integration. Integration between public and private phone books is seamless, making for smooth migration from in-house networking to out-sourced virtual private networking. Also, with Connection Point Services, a corporation can work with several ISPs to ensure comprehensive roaming capabilities.

Internet Authentication Services

Internet Authentication Services provides a way for Internet service providers to control access to their service. Internet Authentication Services uses the Remote Authentication Dial-In User Service (RADIUS) protocol to authenticate users and track how much time they spend online. Internet Authentication Services also lets Internet service providers control which areas of the network their individual subscribers can access.

With Internet Authentication Services, ISPs can use information in the Microsoft Windows NT Server account database to authenticate network users.

What Can You Do With Internet Connection Services for RAS?

Internet Connection Services for RAS is designed to help Internet service providers build and enhance their service. Internet Connection Services for RAS is also designed to help companies implement a complete remote authentication solution and provide a foundation for rich telecommuting solutions over the Internet.

Internet Connection Services for RAS enables you to do the following:

  • Provide a customized, seamless connection experience to users connecting to the Internet or a Virtual Private Network (VPN) 

  • Provide global dial-up networking (roaming) services 

  • Provide VPN and remote access over the Internet 

  • Centrally administer access to a heterogeneous collection of Network Access Servers (NAS), using the Remote Authentication Dial-In User Service (RADIUS).

This section uses real-world examples to highlight what you can do with Internet Connection Services for RAS.

Provide a Seamless Connection Experience

To demonstrate how you can use Internet Connection Services for RAS to enhance your Internet service, this section uses a fictitious company named Acme, Inc. (AI). AI is a large Internet Service Provider. With the explosive growth of Internet communications over the last few years, AI has expanded their service to meet growing demands. As their business expands, AI is constantly looking for new ways to provide better service to their customers, and at the same time reduce operating costs. They are also looking for new business opportunities to generate revenue in a highly competitive industry. To help deal with both these issues, AI implemented Internet Connection Services for RAS.

AI uses Internet Connection Services for RAS to provide better service to their customers. Network operators at AI used the Connection Manager Administration Kit to create a custom-built client dialer that makes connecting to their service quick and easy. The custom dialer is pre-configured with all the information users need to access the AI network. It also includes custom help files and technical support numbers.

With a custom dialer, AI customers never have to worry about complex configuration. When they start Connection Manager, it automatically verifies that the dialer and operating system software are installed correctly. For example, it checks to make sure modems are installed correctly and that the correct network protocol is being used. If something is not working correctly, the appropriate wizard is displayed to help walk a user through the problem. This feature makes end users more self-sufficient and can provide significant cost savings to AI by reducing technical support calls to their service.

To ensure that their customers always have updated access numbers, AI implemented Connection Point Services. Connection Point Services is integrated with Connection Manager to automatically and transparently provide updated access numbers to AI customers.

Provide Global Dial-Up Networking Services

In order to expand their business, AI has signed agreements with other Internet service providers all over the world to provide global access to its customers. Each ISP that AI works with has a standards-based RADIUS server installed on their network. If the other ISPs also have a RADIUS proxy installed, they can forward authentication requests to AI for access verification. This feature, commonly referred to as roaming, lets AI customers transparently use a wide range of Internet service providers while maintaining a financial commitment to only AI. Acme, Inc. also uses Internet Authentication Services to provide a dial-up Virtual Private Network to selected corporations.

Note: The Commercial edition of Internet Authentication Services includes proxy capability.

The following diagram illustrates how an Internet service provider can use a recommended configuration of Internet Connection Services for RAS on their network.

[Figure: recommended configuration of Internet Connection Services for RAS on an Internet service provider's network]

Provide Virtual Private Network and Remote Access over the Internet

To demonstrate how corporations can use Internet Connection Services for RAS to build Virtual Private Networks, this section uses a fictitious company named Humongous Insurance (HI). HI is a large company that sells all types of insurance to both consumers and corporate clients. Using dedicated lines and large modem pools, Humongous Insurance offered its employees remote access to the corporate network.

Unfortunately, supporting modem pools, dedicated phone lines, and toll-free numbers was very expensive. To reduce costs, Humongous Insurance partnered with a local Internet service provider and deployed Internet Connection Services for RAS to out-source their remote access needs. The Internet service provider they chose to work with was Acme, Inc., an international service provider with access numbers all over the world (through their partnerships with other ISPs).

To get started, Humongous Insurance purchased Microsoft Windows NT version 4.1 software with support for Point-to-Point Tunneling Protocol (PPTP). PPTP provides a highly secure, encrypted connection across a public network, such as the Internet.

The network administrators at HI set up two computers on their corporate network: a dedicated PPTP server and an Internet Authentication Services server. Both computers were set up on the same domain as the HI corporate domain controller. A domain controller uses a Windows NT Server user database to control access to the network. When Internet Authentication Services is set up on a network, it automatically integrates with the domain controller to authenticate employees.

At the same time, the network operators at AI implemented the Microsoft Windows NT 4.0 Option Pack, including Internet Connection Services for RAS, on their own network. They also set up a Remote Authentication Dial-In User Service (RADIUS) proxy server. After it was set up, they configured it to recognize authentication requests from Humongous Insurance employees and forward them to the Internet Authentication Services on the HI network. This way, HI can maintain control over the remote access permissions associated with their employees.

The network operators at AI were also responsible for implementing Connection Manager and Connection Point Services. Using the Connection Manager Administration Kit, they built a custom dialer for Humongous Insurance employees. To make the connection experience both secure and simple, the dialer includes automatic support for PPTP. It also includes corporate and ISP support numbers and customized Help files. To help HI employees easily recognize the dialer, AI added the Humongous Insurance logo to the Windows desktop, a process known as branding.

When HI employees start Connection Manager, all they have to do is type their user name. The custom dialer is pre-configured to automatically add their corporate realm, @ai.com, to their user name. This reduces the complexity of the single login experience for the employee. It also reduces support costs for Acme, Inc.

To help support employees at Humongous Insurance, AI integrated the Connection Manager dialer with Connection Point Services. Every time a new access number is added to the AI Internet service, it is automatically transferred to each employee through the Connection Manager dialer. Having up-to-date access numbers makes it easy for HI employees to access their corporate resources and for AI to seamlessly update and expand their network with more local access numbers.

Using Internet Connection Services for RAS, HI employees are able to make a secure, local connection to their private corporate network from anywhere in the world. When they want to connect to their network, they simply use their custom-built Connection Manager to dial a local AI access number. A RADIUS proxy server located on the AI network recognizes them as a Humongous Insurance employee and forwards the authentication request to the Internet Authentication Services on the HI network. The HI Internet Authentication Services uses the company's local domain controller to grant or deny access to specific areas on the corporate network. During this process, a secure connection is established between the employee and the PPTP-enabled server on the HI corporate network, using MS-CHAP authentication. All of these operations are completely transparent to the HI employee.
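The realm-based forwarding decision described above, as an added example (not code from the original document or from Internet Authentication Services): it parses a RADIUS Access-Request as framed in RFC 2865, reads the User-Name attribute, and forwards only realms listed in a configured table. The routing table, the host name ias.hi.example, the function names and the sample packets are assumptions constructed for illustration; the realm ai.com is the one the page's dialer appends.

```python
import struct

ACCESS_REQUEST = 1   # RADIUS packet code (RFC 2865)
ATTR_USER_NAME = 1   # User-Name attribute type (RFC 2865)
HEADER_LEN = 20      # code(1) + identifier(1) + length(2) + authenticator(16)

# Constructed routing table: realm -> home RADIUS server.
# The realm is the one named on the page; the host name is a placeholder.
REALM_ROUTES = {"ai.com": "ias.hi.example"}


def build_access_request(identifier, authenticator, user_name):
    """Build a minimal Access-Request carrying only User-Name (sample input)."""
    name = user_name.encode("utf-8")
    attr = bytes([ATTR_USER_NAME, 2 + len(name)]) + name
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attr))
    return header + authenticator + attr


def parse_user_name(packet):
    """Validate header and attribute framing, then return the User-Name value."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    # Bytes beyond the Length field are padding; a packet shorter than
    # its Length field is malformed.
    if length < HEADER_LEN or length > len(packet):
        raise ValueError("length field does not match packet size")
    pos = HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("attribute overruns packet")
        if attr_type == ATTR_USER_NAME:
            return packet[pos + 2:pos + attr_len].decode("utf-8")
        pos += attr_len
    raise ValueError("no User-Name attribute")


def route(packet):
    """Decide what the proxy does with one request.

    Returns ("forward", server) for a configured realm, ("local", reason)
    when the request is not forwarded and stays with the ISP's own
    authentication, or ("drop", reason) for a malformed packet.
    Keeping unknown realms local is an assumption of this example.
    """
    try:
        user_name = parse_user_name(packet)
    except ValueError as exc:  # also covers undecodable User-Name bytes
        return ("drop", str(exc))
    user, sep, realm = user_name.rpartition("@")
    if not sep or not user or not realm:
        return ("local", "no usable realm")
    server = REALM_ROUTES.get(realm.lower())  # realm match is case-insensitive
    if server is None:
        return ("local", "unknown realm")
    return ("forward", server)


# Constructed sample requests; a real authenticator is 16 random bytes.
SAMPLE_AUTH = bytes(16)
HI_EMPLOYEE = build_access_request(1, SAMPLE_AUTH, "jsmith@ai.com")
NO_REALM = build_access_request(2, SAMPLE_AUTH, "jsmith")
OTHER_REALM = build_access_request(3, SAMPLE_AUTH, "jsmith@other.example")

if __name__ == "__main__":
    for pkt in (HI_EMPLOYEE, NO_REALM, OTHER_REALM, HI_EMPLOYEE[:-3]):
        print(route(pkt))
```

Only realms present in the table are ever forwarded, so the home organization keeps the grant-or-deny decision while a request with an unrecognized or missing realm never leaves the proxy's own network.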

The following picture describes how Humongous Insurance and Acme, Inc. used Internet Connection Services for RAS to build secure connections over the Internet to the HI corporate private network.

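[Figure: secure connections over the Internet from Humongous Insurance employees, through Acme, Inc., to the HI corporate private network]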

Administering Heterogeneous Network Access Servers

To demonstrate how corporations and ISPs can use Internet Connection Services for RAS to administer heterogeneous collections of Network Access Servers, this section uses a fictitious company named Humongous Insurance (HI). HI is a large company that sells all types of insurance to both consumers and corporate clients. Using dedicated lines and large modem pools, Humongous Insurance offered its employees remote access to the corporate network.

Humongous Insurance used Network Access Servers (NAS) from a variety of vendors, including Microsoft Remote Access Servers (RAS). Since HI is administering a heterogeneous network of NAS devices, they wish to use the Remote Authentication Dial-In User Service (RADIUS) to provide unified administration across their multi-vendor network. Since HI wishes to maintain a single, unified user database, they store their user information in the Windows NT Server directory.

Since HI is concerned about dial-up security, they wish to ensure that all data transmitted over the phone lines is encrypted and that access is provided using encrypted authentication. For this reason HI chose to support Microsoft Challenge Handshake Authentication Protocol (MS-CHAP).

What are the Benefits of Using Internet Connection Services for RAS?

Internet Connection Services for RAS is designed to help two different groups of people, corporations and Internet service providers. This section uses both groups to highlight the benefits of using Internet Connection Services for RAS.

Benefits for Internet Service Providers

Internet Connection Services for RAS provides Internet service providers with the tools they need to lower support and development costs, expand their business, and improve their customer connection experience.

Lower Support Costs

To significantly reduce the need for technical support calls, Internet service providers can use Connection Point Services and Connection Manager together. Connection Point Services enables ISPs to maintain a phone book with up-to-date access numbers, also known as Points of Presence (POPs). Connection Manager can then be used to automatically deliver the updated phone book to individual subscribers and employees. The update occurs each time the user dials the Internet service. It is completely transparent to the user. Connection Point Services and Connection Manager ensure that users have the most up-to-date access information for their location and service needs.

ISPs can also use Connection Manager to provide their users with a transparent solution for reducing support costs. Each time the user dials the Internet service, Connection Manager transparently checks their software configuration. For example, Connection Manager can:

  • Ensure that the modem is correctly installed. 

  • Ensure that the Windows TCP/IP software is correctly installed. 

  • Ensure that the PPTP software is correctly installed. 

If Connection Manager determines that these components are incorrectly installed, Connection Manager deploys the appropriate wizard to guide the individual subscriber or employee through the process of resolving the problem. In many cases, Connection Manager can transparently correct the problem. For example, ISPs can provide their individual subscribers with transparent support for dial-up networking (DUN). If the client's computer is not already set up to take advantage of DUN, Connection Manager transparently configures the computer. By providing the individual subscriber with an immediate or transparent resolution for technical support issues, the employees become more self-sufficient.

Expand Your Business

Many Internet service providers have built their business on the traditional flat-fee, unlimited access for consumers. Unfortunately, competition and pricing pressures have resulted in a thin-margin business for ISPs. To stay competitive, ISPs today are looking for ways to expand their business into areas that yield greater profitability. With Internet Connection Services for RAS, ISPs have the technology to provide value-added services to their customers.

One way ISPs can use Internet Connection Services for RAS to expand their business is to form roaming alliances with other ISPs. Roaming alliances allow ISPs to leverage their current comprehensive network without spending a great deal of money building new Points of Presence. With a RADIUS proxy server (one will be available in the Commercial edition of Internet Authentication Services), groups of ISPs can forward authentication requests between networks. That means individual subscribers and employees can use any ISP number that is part of the alliance to access the Internet or corporate resources.

Each time an ISP joins a roaming alliance, Connection Point Services enables them to quickly exchange lists of phone numbers. And if their users are using Connection Manager as their dialer, ISPs can also automatically distribute their phone book updates. As a result, remote users always have an updated phone book of local numbers to call for remote Internet access.

ISPs can also expand their business by providing secure, dial-up VPN service to corporations. With Internet Authentication Services, corporations can authenticate employees against information in a Windows NT Server database, and provide them with secure, encrypted access to a corporate private network. ISPs can sell Internet account access wholesale to corporations, thus simplifying their billing and administration. Additionally, ISPs can use the Internet Authentication Services to monitor usage and provide specific accounting information to corporate cost centers.

Using Internet Connection Services for RAS, ISPs can offer the following advantages to corporations:

  • An immediate reduction in long distance calling charges, 800 number usage, and support costs 

  • Complete out-sourcing of modem pools 

  • A seamless, secure, and cost effective Internet access service 

  • Expanded availability of corporate access points 

  • Instant scalability 

By offering these advantages to corporations, ISPs can cultivate new business relationships and attain higher, more attractive margins.

Improve the Individual Subscriber Experience

Getting connected to the Internet can be a frustrating experience for novice users. Frequently, individual subscribers and employees are forced to manually change options in their dialer software and choose correct access numbers before they can reach their Internet service. With Internet Connection Services for RAS, all configuration is done by the Internet service provider. Using the Connection Manager Administration Kit, an ISP can build a custom dialer with all the options their users need to quickly connect to the Internet. A custom dialer improves the user's experience by reducing the need for technical support personnel. The novice user connects using an interface that is pre-configured and customized to their situation.

Benefits for Corporations

Internet Connection Services for RAS provides corporations with the technology to reduce the cost of remote access and provide their employees with secure, inexpensive global access to the corporate private network.

Increase Security

Internet Connection Services for RAS provides companies with a secure, single point of administration to manage internal and remote access users. By integrating Internet Connection Services for RAS with a Windows NT Server corporate directory service, corporations do not have to maintain a separate database for employees. When an employee is added to the corporate directory service, the corporation has the ability to limit the employee's access to corporate resources during their secure connection. By providing a single point of administration for managing internal and remote access users, the corporation is able to define and enforce network access rights.

Enhance Employee Productivity

Most corporate employees who travel today require secure access to their corporate resources from anywhere in the world. With Internet Connection Services for RAS, corporations can work with an ISP to provide their employees with a low cost connection that is simple and secure.

Using Connection Manager, a corporation can provide their employees with a transparent logon process, no matter where they are calling from. The corporation gives employees a custom dialer that includes transparent support for PPTP and the use of dial-up networking. This enables employees to seamlessly connect to their corporate private network without having to set up the service or call technical support. If the employee's computer is not already set up to use DUN, Connection Manager automatically configures the computer. By providing employees with transparent PPTP support and dial-up networking, corporations can ensure the security of their corporate private network without requiring employees to configure their dialer software.

To improve the employee experience even further, the custom dialer can include help files, support numbers, and online documentation that are specific to the employee's corporation and that make the business' policies explicit. If the employee has a question and would like to contact technical support, they can use the support numbers to seek assistance. By providing employees with a familiar, comfortable connection environment, they'll be able to focus on working efficiently, productively, and self-sufficiently.

Lower Remote Access Costs

For corporations, providing cost-effective remote access has been a difficult challenge. Modem pools and dedicated phone lines are costly and time-consuming to set up and maintain. Until now, the alternatives have been limited. Now, with Internet Connection Services for RAS, companies have an affordable solution for providing seamless and secure remote access to a corporate private network.

By using the technology behind Internet Connection Services for RAS and PPTP, corporations can turn the Internet into a Virtual Private Network. VPNs let corporations provide secure, encrypted access to corporate resources using public networks, such as the Internet. In addition to saving money on long distance charges and 800 numbers, businesses can use secure connections through the Internet to escape the cost of managing large modem pools, purchasing specialized hardware and software, and hiring dedicated support personnel. With Internet Connection Services for RAS, corporations save time and money by out-sourcing the hardware and management needed to implement remote access to their networks.

Now that you're familiar with Internet Connection Services for RAS as a whole, you're ready to learn about basic tasks you can perform with each individual application. The following section provides more detailed information about the individual applications included with Internet Connection Services for RAS, as well as a description of what they are and how they work.

Understanding Internet Connection Services for RAS

This section introduces you to each of the Internet Connection Services for Microsoft® Remote Access Services (RAS) components and provides an overview of how they work.

Using Connection Point Services to Manage Access Numbers

Connection Point Services (CPS) provides you with a central location for adding, removing, and distributing network access numbers. Connection Point Services is responsible for automatically checking the employee's current phone book and, if necessary, downloading phone book updates. In addition, CPS provides the functionality to easily merge a corporate phone book of access numbers with one or more phone books from an Internet Service Provider (ISP).

Connection Point Services is composed of Phone Book Service and Phone Book Administration. You can use these components to accomplish the following:

  • Create and maintain multiple phone books (public and private) 

    You can use Phone Book Administrator to populate a new phone book or edit an existing one. You can use the administration tool interface to create and maintain the phone book database and post the new phone book information to the Phone Book Service. 

  • Download phone book updates

    Phone Book Service compares the phone book information on the employee's computer with the most recent files available in the Connection Point Services database. If there is updated phone book information, Phone Book Service downloads the information to the employee's computer. CPS ensures that the employee has the most up-to-date directory of access numbers.

Building a Custom Dialer Using the Connection Manager Administration Kit

The Connection Manager Administration Kit (CMAK) is a wizard that enables you to create a custom connectivity solution. You can use CMAK to customize the Connection Manager dialer. Connection Manager resides on the client's computer and is used to connect to the Points of Presence (POPs) that the corporation or ISP provides for Internet access. You can use the Connection Manager Administration Kit and Connection Manager to accomplish the following:

  • Customize the Connection Manager dialer 

    The Connection Manager Administration Kit is a wizard that steps you through the process of creating a customized Connection Manager dialer for your customers. CMAK enables you to customize the dialer by including:

    • customized icons for the desktop. 

    • a branded logon screen with animation. 

    • support numbers and help files that are unique to the customer's organization. 

    • the language the dialer will display to the customer. 

    • Connect Actions that the dialer will perform. 

    Connect Actions are small executable programs that perform specific functions, such as transparently installing software or starting and closing down applications. They also perform specific maintenance tasks. For example, you can set up Connection Manager to check for new mail upon connection or start Internet Explorer. Connect Actions can be launched when the employee establishes a connection or when the employee disconnects from the service. 

  • Establish a connection. 

    An employee can use the Connection Manager dialer to establish a connection to the Internet or the corporate private network. For example, when establishing a connection, the Connection Manager dialer can automatically disable or enable PPTP based on the selection of a phone number. If an employee selects an ISP phone number and PPTP is enabled, the employee will be provided with a transparent encrypted tunnel over the Internet. 

Using Internet Authentication Services to Control Network Access

Whether you're an Internet Service Provider or a corporation, you can use Internet Authentication Services to seamlessly authenticate users. Internet Authentication Services uses the Remote Authentication Dial-In User Service (RADIUS) protocol for authentication and accounting purposes. You can use Internet Authentication Services to accomplish the following:

  • Monitor usage for accounting purposes.

    You can use Internet Authentication Services to monitor usage for accounting purposes. For example, you can record each request and response for authentication. Information such as client log-in time, client log-off time, and connection speed can be stored and sent to a database. Using this information, an ISP can monitor network usage and generate precise billing statements for their corporate customers.
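
The accounting data described above travels in RADIUS Accounting-Request packets. The following Python code is an added example, not code from Internet Authentication Services: it checks the Request Authenticator against the shared secret as defined in RFC 2866 before decoding the user name, session time, and connection speed, so altered records are rejected before they reach billing. The shared secret, user name, and packet contents are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4                      # RADIUS code, RFC 2866
USER_NAME, STATUS_TYPE, SESSION_ID, SESSION_TIME, CONNECT_INFO = 1, 40, 44, 46, 77
STATUS_NAMES = {1: "Start", 2: "Stop", 3: "Interim-Update"}
TEXT_ATTRS = {USER_NAME: "user", SESSION_ID: "session_id", CONNECT_INFO: "connect_info"}


def build_accounting_request(identifier, attrs, secret):
    """Build a signed Accounting-Request; used here only to make sample input."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    # RFC 2866: authenticator = MD5(header + 16 zero octets + attributes + secret)
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def parse_accounting_request(packet, secret):
    """Verify the authenticator, then decode the fields used for billing."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-octet RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST:
        raise ValueError("not an Accounting-Request")
    if not 20 <= length <= len(packet):
        raise ValueError("Length field does not fit the datagram")
    packet = packet[:length]                # octets beyond Length are padding
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("authenticator mismatch: wrong secret or altered packet")
    record, pos = {"identifier": identifier}, 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("attribute length overruns the packet")
        value = packet[pos + 2:pos + attr_len]
        if attr_type in TEXT_ATTRS:
            record[TEXT_ATTRS[attr_type]] = value.decode("utf-8", "replace")
        elif attr_type in (STATUS_TYPE, SESSION_TIME):
            if len(value) != 4:
                raise ValueError("integer attribute must be 4 octets")
            number = struct.unpack("!I", value)[0]
            if attr_type == STATUS_TYPE:
                record["status"] = STATUS_NAMES.get(number, str(number))
            else:
                record["session_seconds"] = number
        pos += attr_len
    return record


# Constructed sample: a Stop record for a 90-minute session at 28800 bps.
SECRET = b"constructed-shared-secret"
SAMPLE = build_accounting_request(7, [
    (USER_NAME, b"alice@corp.example"),
    (STATUS_TYPE, (2).to_bytes(4, "big")),
    (SESSION_ID, b"0000002A"),
    (SESSION_TIME, (5400).to_bytes(4, "big")),
    (CONNECT_INFO, b"28800"),
], SECRET)

if __name__ == "__main__":
    print(parse_accounting_request(SAMPLE, SECRET))
```

The authenticator only proves that the sender knows the shared secret, so the secret should be unique per NAS client and long enough to resist guessing.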

Now that you're familiar with the individual Internet Connection Services for RAS components, you're ready to install them. The following section provides instructions for setting up basic hardware and installing Internet Connection Services for RAS.

Setting Up Internet Connection Services for RAS

You can use Internet Connection Services for RAS in many different ways. You can combine all the Internet Connection Services for RAS with a Microsoft Windows NT PPTP-enabled Server to build a comprehensive remote access system. This section describes two different ways to configure Internet Connection Services for RAS and contains instructions for setting up each one. It includes the following information:

  • An overview of setting up Internet Connection Services for RAS 

  • A list of minimum and recommended hardware and software requirements 

  • Instructions for installing Internet Connection Services for RAS applications 

  • An overview of configuring Internet Connection Services for RAS 

Installation Overview

Whether you use Internet Connection Services for RAS to provide better Internet service or to offer remote access to your corporate private network, there are some basic steps you must follow to set up your system. This section provides a brief overview of that process. The following list describes the steps required for setting up Internet Connection Services for RAS. You will find details on each of these steps later in the section:

  1. Verify hardware requirements. 

  2. Set up your hardware. 

  3. Install platform software. 

  4. Install Internet Connection Services for RAS applications. 

  5. Configure and deploy Internet Connection Services for RAS applications. 

Verifying Hardware Requirements

Before you install Internet Connection Services for RAS, you should ensure that you have the required minimum hardware. To set up a minimal configuration of Internet Connection Services for RAS, you need two computers. The first computer, which will be used to install Phone Book Services and Internet Authentication Services, is your server computer. The second computer, which will be used to install the Connection Manager Administration Kit (CMAK) and the Phone Book Administrator tool, is your administrative computer. This section describes the minimum hardware and software requirements for each component in Internet Connection Services for RAS.

Server Requirements

Whether you're setting up a minimal configuration of Internet Connection Services for RAS or a more complex configuration, all your computers must meet some basic requirements. The following list describes the minimum hardware and software requirements for your server computer:

  • Intel® Pentium 133 MegaHertz (MHz) or faster processor 

  • 32 Megabytes (MB) of Random Access Memory (RAM) 

  • 27 MB of free hard disk space to install the applications 

  • 18 MB of free hard disk space to run the applications 

  • CD-ROM drive 

  • VGA or Super VGA monitor compatible with Windows NT Server version 4.0 

  • Microsoft® Mouse or compatible pointing device 

  • Windows NT Server version 4.0 

  • Windows NT 4.0 Option Pack 

Administrative Requirements

To help you build and administer your remote access system, you can set up an administrative computer. The administrative computer is usually a separate computer located elsewhere on your network and hosts Internet Connection Services for RAS applications, such as the Connection Manager Administration Kit and the Phone Book Administrator component of Connection Point Services.

For the administrative computer, you can use any hardware or operating system that meets the minimum requirements for Connection Manager Administration Kit and Phone Book Administration. The following table lists Internet Connection Services for RAS applications that you should install on your administrative computer, describes how much disk space is required to install them, and lists which platforms they run on.

Application | Disk Space | Platform
Connection Manager Administration Kit | 5 MB | Windows 95 or Windows NT version 4.0 Server or Workstation with Windows NT Service Pack 1 or higher
Phone Book Administration | 2 MB | Windows 95 or Windows NT version 4.0 Server or Workstation

Setting Up Your Hardware

You can use Internet Connection Services for RAS applications in many different ways. This section highlights two common uses for Internet Connection Services for RAS and gives an overview of how the hardware is set up for each one.

Using Internet Connection Services for RAS with an Internet Service

You can use all the applications included in Internet Connection Services for RAS to expand your business and provide better service to your customers. The following diagram illustrates a minimal configuration of Internet Connection Services for RAS on an ISP network.

[Diagram: minimal configuration of Internet Connection Services for RAS on an ISP network]

Using Internet Connection Services for RAS with a Corporate Private Network

You can also use Internet Connection Services for RAS applications with a Windows NT PPTP-enabled server to provide secure remote access to a corporate private network. Corporations can team up with Internet service providers and use Internet Connection Services for RAS technology to build secure connections through the Internet to a corporate private network. The following diagram illustrates a minimal configuration of Internet Connection Services for RAS on a corporate private network.

[Diagram: minimal configuration of Internet Connection Services for RAS on a corporate private network]

Note: For sites with a homogenous environment of Windows NT servers using Windows NT Remote Access Service to provide dial-up networking and VPN access, it is recommended that administrators use Windows NT authentication without going through a RADIUS server.

Installing Platform Software

Before you install Internet Connection Services for RAS applications, you must prepare the computers that will run the software by installing basic platform software. The following section describes how to set up a server computer and install platform software. It also describes how to set up an administrative computer so you can install Internet Connection Services for RAS administrative applications.

Setting Up a Server Computer

The purpose of the server computer is to host all of the server applications included with Internet Connection Services for RAS. Server applications include the Internet Authentication Services and the Phone Book Service. However, before you can install these applications, you must install and configure your platform software.

Installing Windows NT Server

The first step in setting up your server computer is to install Windows NT Server with IIS version 2.0. When you run the Windows NT Setup program, you are prompted to install IIS. If the appropriate option is selected, IIS version 2.0 files are automatically installed with the WWW service, the Gopher service, and the FTP service. After Windows NT is installed, you must install the Windows NT Service Pack to upgrade your computer to IIS version 3.0. Use the following steps to install Windows NT Server.

To install Windows NT Server
  1. On your server computer, install Windows NT Server version 4.0. 

    For information about installing Windows NT Server, see the Windows NT version 4.0 documentation. 

  2. Establish and assign Windows NT administrator privileges to anyone who will be administering your server. 

Installing Windows NT Service Pack 3

After Windows NT is installed, you're ready to install the Windows NT Service Pack 3. The Service Pack provides useful updates to the Windows NT Server version 4.0 software. Use the following steps to install Windows NT Service Pack.

To install the Windows NT Service Pack 3
  1. Log on to your server as a Windows NT administrator. 

  2. Insert Windows NT 4 Option Pack compact disc 1 into the appropriate drive. 

    The compact disc automatically starts and the Windows NT 4 Option Pack Setup window is displayed. 

  3. Enter your registration information. 

  4. Start the Windows NT Service Pack setup. Follow the prompts and accept all the default options to install Windows NT Service Pack 3. 

  5. When you have finished, you must restart your computer.

Installing Microsoft Internet Explorer Version 4.0

To view the online documentation provided with Internet Connection Services for RAS, you must have Internet Explorer version 4.0 or later. You can also use another compatible Web browser. If you want to read the documentation before you begin setting up Internet Connection Services for RAS, you should install Internet Explorer version 4.0 or another compatible Web browser on your administrative computer or your server computer. Use the following steps to upgrade your Web browser software.

Note: To help you provide a better experience to your subscribers or employees, you can use Internet Explorer Administration Kit to build a custom browser. Combined with connect actions and a custom-built Connection Manager dialer, a custom browser can significantly improve the connection experience by making it quick and easy.

To install Internet Explorer version 4.0
  1. Verify that you are logged on to your server as an administrator. 

  2. Start the Windows NT 4 Option Pack Setup program. It prompts you to automatically install Internet Explorer 4.0. 

    The files are copied to your hard disk. When you have finished, you must restart your computer.

Setting up a PPTP Server

To build secure connections over the Internet, you must have a Windows NT 4.0 PPTP-enabled server. PPTP is a tunneling protocol that makes it possible to set up secure connections over the Internet. With PPTP, you can support two different types of tunneling, voluntary and compulsory. Voluntary tunneling is initiated by the client computer. It does not require support from an ISP, nor does it require support in network devices, such as bridges or routers. Compulsory tunneling is initiated by a PPTP-enabled server that resides on the ISP network. As a result, it requires support on edge Network Access Servers or routers, but does not require support on clients or intermediate devices. The following diagram illustrates the difference between voluntary and compulsory tunneling.

[Diagram: voluntary and compulsory tunneling]

Voluntary tunneling requires a PPTP-enabled client. Currently, PPTP-enabled clients are available from Microsoft for Microsoft Windows 95 or Windows NT operating systems, and from third-parties for Macintosh and Microsoft Windows 3.1 operating systems. If your system supports a variety of platforms for which there are no PPTP clients available (such as UNIX), then you should select an ISP that implements compulsory tunneling.

Note: Compulsory tunneling requires a PPTP-enabled Network Access Server (NAS) or router.

Regardless of which type of tunneling you implement, you must have a PPTP-enabled server. If you are a corporation, you should set up a dedicated PPTP-enabled server on your corporate network. Use the following steps to set up a PPTP server.

Important: PPTP supports multiple network protocols, such as IP, IPX, and NetBEUI. In order for two computers to establish a tunnel over the Internet, both computers must be using the same network protocol.

To set up a PPTP server
  1. Set up any computer with the Microsoft Windows NT 4.0 Server operating system. 

  2. Establish and assign Windows NT administrator privileges to anyone who will be administering your server. 

  3. Log on to the computer as an administrator. 

  4. Open the Windows NT Control Panel. 

  5. Double-click the Network icon. 

  6. On the Protocols tab, select your network protocol under Network Protocols. 

  7. Click Properties. 

  8. On the IP Address tab, click Advanced. 

  9. Click the Enable PPTP Filtering check box. 

Setting Up an Administrative Computer

To help you build and administer your server computer, you can set up an administrative computer to host all Internet Connection Services for RAS administrative applications. These applications include the Phone Book Administrator tool and the Connection Manager Administration Kit. When you set up the administrative computer, you should verify that it meets basic hardware requirements. Use the following steps to set up the administrative computer.

To set up an administrative computer
  1. Set up any computer with the Microsoft Windows 95 or Microsoft Windows NT operating system. 

  2. Verify that this computer meets all hardware requirements listed earlier in this section. 

Installing Windows NT Option Pack and Internet Connection Services for RAS

You can choose which Internet Connection Services for RAS components to install from the Windows NT 4 Option Pack Setup program. When you run the Setup program, you are also prompted to install IIS 4.0. If the appropriate option is selected, IIS version 4.0 files are automatically installed with the WWW service, the Gopher service, and the FTP service.

To install Windows NT 4 Option Pack and Internet Connection Services for RAS
  1. On your server computer, install Windows NT 4 Option Pack with Internet Information Server version 4.0. 

    For information about installing Windows NT 4 Option Pack, see the Windows NT version 4.0 documentation. 

  2. Read the license agreement, and if you accept it, click Accept. 

  3. When prompted, click Custom. (If you have already installed any part of the Windows NT 4.0 Option Pack, click Add/Remove.) 

  4. In the Select components lists, make sure Internet Connection Services for RAS is selected.

  5. Click Internet Connection Services for RAS, then click Show Subcomponents, and then click the components you want to install.

  6. Restart your server computer. 

    In order for the registry updates to take effect, you must restart your computer. After your computer is restarted, it is ready to be configured. For configuration information, see the appropriate section later in this document.

Deploying Internet Connection Services for RAS on an Internet Service

After all your Internet Connection Services for RAS applications are installed, you're ready to configure them. Depending on how you're going to use Internet Connection Services for RAS, you might configure the applications differently. This section uses an example configuration to describe how to deploy Internet Connection Services for RAS on your Internet service.

The example configuration is a common scenario in which an ISP and a corporation have deployed Internet Connection Services for RAS to build secure remote access to a corporate private network using the Internet. In this configuration, the ISP is responsible for deploying Connection Point Services and Internet Authentication Services on their network. They are also responsible for installing Connection Manager Administration Kit and building a custom dialer for the corporate customer, with automatic support for PPTP and a customized look and feel.

The following list describes the steps an ISP must go through to deploy Internet Connection Services for RAS applications with a corporation:

  • Identify all RADIUS attributes used by the corporation. 

  • Identify usage patterns for prefixes and suffixes in the corporate realm name. 

  • Install a RADIUS proxy. Provide the UDP port number and IP address (or DNS name and password) to the corporation. 

  • Install Windows NT 4.0 Option Pack, including Internet Connection Services for RAS. 

  • Start Internet Authentication Service and set authentication service properties. 

  • Register Network Access Server (NAS) clients. 

  • Create new RADIUS profiles or use existing RADIUS profiles. 

  • On your server computer, start the Phone Book Administrator tool and enter corporate access numbers. 

  • Build a custom phone book for the corporation. 

  • Start Connection Manager Administration Kit Wizard. 

  • Create a custom dialer with support for PPTP, if necessary. 

  • Develop a strategy for distributing the custom dialer to your corporate customer. 

Note: The Commercial Edition of Internet Authentication Services includes proxy capability.

Deploying Internet Connection Services for RAS on a Corporate Network

After all your Internet Connection Services for RAS applications are installed, you're ready to configure them. Depending on how you're going to use Internet Connection Services for RAS, you might configure the applications differently. This section uses an example configuration to describe how to deploy Internet Connection Services for RAS on your corporate network.

The example configuration is a common scenario in which an ISP and a corporation have deployed Internet Connection Services for RAS to build secure remote access to a corporate private network using the Internet. In this configuration, the corporation is responsible for deploying Internet Authentication Services on their network. The ISP network has a RADIUS proxy server installed. The authentication server on the corporate network is configured as a RADIUS client so authentication requests can be forwarded from the RADIUS proxy server on the ISP network. For a detailed illustration of this configuration, please see "Using Internet Connection Services for RAS with a Corporate Private Network."

The following list describes steps a corporation must go through to deploy Internet Connection Services for RAS applications with an Internet service provider.

  • Determine usage patterns for prefixes and suffixes in the corporate realm name. 

  • Install Windows NT 4.0 Option Pack, including Internet Connection Services for RAS. 

  • Start Internet Authentication Services and set authentication service properties with the UDP port number or numbers from your Internet service provider. 

  • Register the RADIUS proxy servers located on the ISP network as RADIUS clients. 

  • Create RADIUS profiles. 

  • Register your authentication providers. 

  • Create a realm for each of your authentication providers. 

  • Provide the ISP with a list of corporate access numbers. 
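
Both deployment lists above depend on agreeing how realm prefixes and suffixes appear in the user name and which authentication provider serves each realm. The following Python code is an added example of that routing decision, not code from Internet Authentication Services; the "/" and "@" delimiters, realm names, and provider labels are assumptions constructed for illustration. It refuses names whose prefix and suffix disagree and names with an unknown realm, rather than forwarding them to a default provider.

```python
from dataclasses import dataclass


class RealmError(ValueError):
    """Raised when a User-Name cannot be routed safely."""


@dataclass(frozen=True)
class Realm:
    provider: str        # hypothetical label for an authentication provider
    strip: bool = True   # forward the bare user name, without the realm


# Constructed routing table: realm name (lower case) -> provider.
REALMS = {
    "corp": Realm("corp-ias"),
    "corp.example": Realm("corp-ias"),
    "partner.example": Realm("partner-radius", strip=False),
}


def route_user_name(user_name, realms=REALMS, local_provider=None,
                    prefix_sep="/", suffix_sep="@"):
    """Return (provider, forwarded_user_name) or raise RealmError."""
    if not user_name or any(ord(c) < 32 or ord(c) == 127 for c in user_name):
        raise RealmError("empty or non-printable User-Name")
    prefix = suffix = None
    rest = user_name
    if prefix_sep in rest:                       # REALM/user
        prefix, rest = rest.split(prefix_sep, 1)
    if suffix_sep in rest:                       # user@realm
        rest, suffix = rest.rsplit(suffix_sep, 1)
    if not rest:
        raise RealmError("realm given but no user part")
    found = {r.lower() for r in (prefix, suffix) if r is not None}
    if not found:
        # No realm at all: only a configured local provider may handle it.
        if local_provider is None:
            raise RealmError("no realm and no local provider configured")
        return local_provider, user_name
    if len(found) > 1:
        raise RealmError("prefix and suffix name different realms")
    realm = realms.get(found.pop())
    if realm is None:
        raise RealmError("unknown realm: not forwarded")
    return realm.provider, (rest if realm.strip else user_name)


if __name__ == "__main__":
    for name in ("CORP/alice", "alice@corp.example", "bob@partner.example"):
        print(name, "->", route_user_name(name))
```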

For detailed information about configuring Internet Connection Services for RAS components, see the complete Internet Connection Services for RAS documentation provided with the Windows NT 4.0 Option Pack documentation.

Note: The Commercial Edition of Internet Authentication Services includes proxy capability.
