Configure a Remote Access Policy
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use a remote access policy to validate a variety of connection settings before a connection is authorized, and to specify a variety of connection restrictions after the connection is authorized.
Configure the Default Policy or Create a New Policy
Configuring the Routing and Remote Access service on a demand-dial router or installing IAS on a computer running Windows Server 2003 creates two default remote access policies. You can use the Connections to Microsoft Routing and Remote Access server default policy for your site-to-site connection. However, if you want more precise control over connection requirements than the default policy provides, you can create a common or a custom remote access policy.
To enable the default policy
Note
- Do not perform these steps if you plan to create a common or custom remote access policy, described next.
To enable the default policy, do one of the following:
- If you use Windows authentication, on the answering router open Routing and Remote Access, and, if necessary, double-click Routing and Remote Access and the server name. (Use Windows authentication for a site-to-site only connection.)
- If you use RADIUS authentication, on the IAS server open Internet Authentication Service, and, if necessary, double-click Internet Authentication Service. (Use either Windows or RADIUS authentication if the answering router for the site-to-site connection also supports remote access users.)
In the console tree, click Remote Access Policies. In the details pane, right-click the default policy Connections to Microsoft Routing and Remote Access server, and then click Properties.
Select Grant remote access permission. (The default selection is Deny remote access permission.)
To add a common or custom remote access policy
Note
- Do not perform these steps if you plan to use the default policy, described earlier.
To add a common or custom remote access policy, do one of the following:
- If you use Windows authentication, open Routing and Remote Access, and, if necessary, double-click Routing and Remote Access and the server name.
- If you use RADIUS authentication, open Internet Authentication Service, and, if necessary, double-click Internet Authentication Service.
In the console tree, right-click Remote Access Policies, and then click New Remote Access Policy. Use the New Remote Access Policy wizard to create a common policy, as shown in Table 10.16, or to create a custom policy, as shown in Table 10.17.
Table 10.16 Creating a Common Remote Access Policy by Using the New Remote Access Policy Wizard
Wizard Page | Action |
---|---|
Policy Configuration Method | Select Use the wizard to set up a typical policy for a common scenario, and then type an appropriate name for the policy, such as Authenticate BranchOfficeRouters. |
Access Method | Select VPN or Dial-up, as appropriate. |
User or Group Access | Click Group, click Add, and then type the group name you created earlier, such as BranchOfficeRouters. |
Authentication Methods | Either accept the default method, MS-CHAP v2, or choose Extensible Authentication Protocol (EAP) and specify its type (either MD5-Challenge or Smart card or other certificate). |
Policy Encryption Level | Select Strongest encryption, and clear any other selections. |
Table 10.17 Creating a Custom Remote Access Policy by Using the New Remote Access Policy Wizard
Wizard Page | Action |
---|---|
Policy Configuration Method | Select Set up a custom policy, and then type an appropriate name for the policy, such as Authenticate BranchOfficeRouters. |
Policy Conditions | If this is a dial-up (non-VPN) connection: -or- If this is a VPN connection: |
Permissions | Select Grant remote access permission. |
Profile | If you want to change the defaults, click Edit Profile, and then make the desired changes. For example, click Edit Profile, select the Encryption tab, select Strongest encryption, and clear any other selections. |