Configuring Router Groups

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Adding demand-dial router user accounts to an Active Directory group reserved for demand-dial routers simplifies administration by letting you centrally manage the list of demand-dial routers on your network. If you decide to manage authorization by group rather than by each router’s individual user account, you must set the remote access permission on each calling router’s user account to either Control access through Remote Access Policy or Allow access and then create a remote access policy based on connection type and group membership.

For example, if multiple calling routers will use a VPN connection, you can create an Active Directory global group called VPN-Routers and add the user account of each calling router to that group.

Then, create a remote access policy with two conditions:

  • Set NAS-Port-Type to Virtual (VPN). (A network access server (NAS) is a server that accepts point-to-point connections from a calling router, or other remote client, and then acts as a gateway to the network for the calling router; the NAS-Port-Type is the media type that a calling router uses to access the site of the answering router.)

  • Set Windows-Group to VPN-Routers.

Finally, configure the profile for the remote access policy, selecting an authentication method and encryption strength.
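
The following Python model is an added example, not Microsoft code: it shows how the account permission and the two policy conditions described above combine to accept or reject a calling router. It assumes first-match policy evaluation, does not model profile constraints, and uses constructed router account names.

```python
# Simplified model of remote access policy evaluation (added example).
# Account names and the policy object are constructed for illustration.
from dataclasses import dataclass, field

ALLOW = "Allow access"
DENY = "Deny access"
BY_POLICY = "Control access through Remote Access Policy"

@dataclass
class Account:
    name: str
    dial_in: str                      # remote access permission on the user account
    groups: set = field(default_factory=set)

@dataclass
class Policy:
    name: str
    conditions: dict                  # attribute name -> required value
    grant: bool = True                # policy-level permission (grant or deny)

def matches(policy, account, request):
    """All conditions must match for the policy to apply."""
    for attr, wanted in policy.conditions.items():
        if attr == "Windows-Group":
            if wanted not in account.groups:
                return False
        elif request.get(attr) != wanted:
            return False
    return True

def authorize(policies, account, request):
    """Return (accepted, reason) using the first policy whose conditions match."""
    for policy in policies:           # policies are evaluated in order
        if not matches(policy, account, request):
            continue
        if account.dial_in == DENY:
            return False, "account permission is Deny access"
        if account.dial_in == ALLOW or policy.grant:
            return True, "matched policy " + policy.name
        return False, "policy " + policy.name + " denies access"
    return False, "no policy conditions matched"

VPN_POLICY = Policy("VPN routers", {"NAS-Port-Type": "Virtual (VPN)",
                                    "Windows-Group": "VPN-Routers"})
VPN = {"NAS-Port-Type": "Virtual (VPN)"}
ROUTERS = [  # constructed sample accounts
    Account("RTR-Seattle", BY_POLICY, {"VPN-Routers"}),
    Account("RTR-Boston", ALLOW, {"VPN-Routers"}),
    Account("RTR-Denver", BY_POLICY, set()),        # not added to the group
]

if __name__ == "__main__":
    for acct in ROUTERS:
        print(acct.name, authorize([VPN_POLICY], acct, VPN))
```

With only this policy defined, a router account that was never added to VPN-Routers, or that connects over a port type other than Virtual (VPN), matches no policy and is rejected.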