Configure a Remote Access Policy

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

You can use a remote access policy to validate a variety of connection settings before a connection is authorized, and to specify a variety of connection restrictions after the connection is authorized.

Configure the Default Policy or Create a New Policy

Configuring the Routing and Remote Access service on a demand-dial router or installing IAS on a computer running Windows Server 2003 creates two default remote access policies. You can use the Connections to Microsoft Routing and Remote Access server default policy for your site-to-site connection. However, if you want more precise control over connection requirements than the default policy provides, you can create a common or a custom remote access policy.

To enable the default policy

Note

  • Do not perform these steps if you plan to create a common or custom remote access policy, described next.

  1. To enable the default policy, do one of the following:

    • If you use Windows authentication, on the answering router open Routing and Remote Access, and, if necessary, double-click Routing and Remote Access and the server name. (Use Windows authentication for a site-to-site only connection.)

    • If you use RADIUS authentication, on the IAS server open Internet Authentication Service, and, if necessary, double-click Internet Authentication Service. (Use either Windows or RADIUS authentication if the answering router for the site-to-site connection also supports remote access users.)

  2. In the console tree, click Remote Access Policies. In the details pane, right-click the default policy Connections to Microsoft Routing and Remote Access server, and then click Properties.

  3. Select Grant remote access permission. (The default selection is Deny remote access permission.)

To add a common or custom remote access policy

Note

  • Do not perform these steps if you plan to use the default policy, described earlier.

  1. To add a common or custom remote access policy, do one of the following:

    • If you use Windows authentication, open Routing and Remote Access, and, if necessary, double-click Routing and Remote Access and the server name.

    • If you use RADIUS authentication, open Internet Authentication Service, and, if necessary, double-click Internet Authentication Service.

  2. In the console tree, right-click Remote Access Policies, and then click New Remote Access Policy. Use the New Remote Access Policy wizard to create a common policy, as shown in Table 10.16, or to create a custom policy, as shown in Table 10.17.

Table 10.16   Creating a Common Remote Access Policy by Using the New Remote Access Policy Wizard

Wizard page: Policy Configuration Method

Action: Select Use the wizard to set up a typical policy for a common scenario, and then type an appropriate name for the policy, such as Authenticate BranchOfficeRouters.

Wizard page: Access Method

Action: Select VPN or Dial-up, as appropriate.

Wizard page: User or Group Access

Action: Click Group, click Add, and then type the group name you created earlier, such as BranchOfficeRouters.

Wizard page: Authentication Methods

Action: Either accept the default method, MS-CHAP v2, or choose Extensible Authentication Protocol (EAP) and specify its type (either MD5-Challenge or Smart card or other certificate).

Wizard page: Policy Encryption Level

Action: Select Strongest encryption, and clear any other selections.

Table 10.17   Creating a Custom Remote Access Policy by Using the New Remote Access Policy Wizard

Wizard page: Policy Configuration Method

Action: Select Set up a custom policy, and then type an appropriate name for the policy, such as Authenticate BranchOfficeRouters.

Wizard page: Policy Conditions

Action: If this is a dial-up (non-VPN) connection:

  1. Click Add.

  2. Select Windows-Groups, click Add twice, and then specify the group name you created earlier (such as BranchOfficeRouters). Click OK twice to return to the Policy Conditions page.

  3. Click Add, and select NAS-Port-Type. Click Add, and select the appropriate device type, such as Async (Modem), ISDN Async V.100, ISDN Async V.120, or ISDN Sync. Then click Add.

  4. Click Add, select Authentication-Type, click Add, select either MS-CHAP v2 or EAP, and then click Add.

  5. Select and configure any other attributes for which you want to specify a setting.

-or-

If this is a VPN connection:

  1. Click Add.

  2. Select Windows-Groups, click Add twice, and then specify the group name you created earlier (such as BranchOfficeRouters). Click OK twice to return to the Policy Conditions page.

  3. Click Add, select NAS-Port-Type, click Add, select Virtual VPN, and then click Add.

  4. Click Add, select Tunnel-Type, click Add, select either Point-to-Point Tunneling Protocol or Layer 2 Tunneling Protocol (as appropriate), and then click Add.

  5. Click Add, select Authentication-Type, select either MS-CHAP v2 or EAP, and then click Add.

  6. Select and configure any other attributes for which you want to specify a setting.

Wizard page: Permissions

Action: Select Grant remote access permission.

Wizard page: Profile

Action: If you want to change the defaults, click Edit Profile, and then make the desired changes. For example, on the Encryption tab, select Strongest encryption and clear any other selections.
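To make the evaluation order concrete, here is an added example (not from the original documentation) that models how the custom VPN policy of Table 10.17 and the default policy are applied to a connection request: every condition must match, the first matching policy decides, and the profile's encryption restriction is checked only after authorization. The attribute names and values are taken from this page; the "Strongest" profile value and the catch-all default policy are simplifying assumptions.

```python
from dataclasses import dataclass, field

# Constructed model of how IAS/RRAS (Windows Server 2003) applies remote access
# policies: tried in order, all conditions must match, first match decides,
# no match means reject; the profile is enforced only after authorization.
@dataclass
class Policy:
    name: str
    conditions: dict                              # attribute -> acceptable values
    grant: bool                                   # Grant vs Deny remote access permission
    profile: dict = field(default_factory=dict)   # post-authorization restrictions

def matches(policy, conn):
    # Multi-valued attributes (Windows-Groups) match if any value is acceptable.
    for attr, allowed in policy.conditions.items():
        values = conn.get(attr, ())
        values = (values,) if isinstance(values, str) else values
        if not allowed.intersection(values):
            return False
    return True

def evaluate(policies, conn):
    # Returns ('accept' | 'reject', deciding policy name or None).
    for p in policies:
        if not matches(p, conn):
            continue
        if not p.grant:
            return ("reject", p.name)
        for attr, allowed in p.profile.items():   # profile checked after authorization
            if conn.get(attr) not in allowed:
                return ("reject", p.name)
        return ("accept", p.name)
    return ("reject", None)

# Custom VPN policy from Table 10.17 with the Strongest-encryption profile.
VPN_POLICY = Policy(
    "Authenticate BranchOfficeRouters",
    {"Windows-Groups": {"BranchOfficeRouters"}, "NAS-Port-Type": {"Virtual VPN"},
     "Tunnel-Type": {"L2TP"}, "Authentication-Type": {"MS-CHAP v2", "EAP"}},
    grant=True, profile={"Encryption": {"Strongest"}})
# Simplification: the default policy is modelled as a catch-all left at Deny.
DEFAULT_POLICY = Policy("Connections to Microsoft Routing and Remote Access server",
                        {}, grant=False)
POLICIES = [VPN_POLICY, DEFAULT_POLICY]

def branch_router(tunnel="L2TP", encryption="Strongest", group="BranchOfficeRouters"):
    # Constructed connection request as seen by the answering router.
    return {"Windows-Groups": {group}, "NAS-Port-Type": "Virtual VPN",
            "Tunnel-Type": tunnel, "Authentication-Type": "MS-CHAP v2",
            "Encryption": encryption}
```

A router that is not in the group, or that tunnels with PPTP when the policy requires L2TP, never matches the custom policy and falls through to the default policy, which still denies because it was left at its default setting.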