Remote Access for Electronic, Inc.

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Remote access for Electronic, Inc.

This section describes how remote access is configured for a fictional company by using the features available in the Windows Server 2003 family. While your network configuration may be different than described here, you can apply the basic concepts.

Electronic, Inc. is an electronics design and manufacturing company that has implemented a remote access solution that connects dial-up and VPN remote access users to the Electronic, Inc. intranet.

To deploy a remote access solution for Electronic, Inc., the network administrator performs an analysis and makes design decisions regarding:

• The network configuration

• The remote access policy configuration

• The domain configuration

The network configuration

The key elements of the network configuration are:

• The Electronic, Inc. corporate intranet uses the private network address block of 172.16.0.0 with a subnet mask of 255.240.0.0.

• The remote access server computer is connected to an intranet network that contains a router that connects to the rest of the Electronic, Inc. corporate intranet. The network ID of the intranet network segment attached to the remote access server computer is 172.31.248.0 with a subnet mask of 255.255.255.0.

• The remote access server computer is configured with a static pool of IP addresses that represents the separate subnet of 172.31.252.0 with a subnet mask of 255.255.252.0.

The following illustration shows the network configuration of the Electronic, Inc. remote access server.

Based on the network configuration of the Electronic, Inc. corporate campus intranet, the remote access server computer is configured as follows.

1. Install hardware in the remote access server

The network adapter that is used to connect to the intranet segment is installed according to the adapter manufacturer's instructions. Once the driver is installed and functioning, the adapter appears as a local area connection in the Network Connections folder.

2. Configure TCP/IP on the LAN adapter

The IP address of 172.31.248.1 with the subnet mask 255.255.255.0 is configured. DNS and WINS server addresses are also configured. A default gateway is not configured.

3. Install the Routing and Remote Access service

The Routing and Remote Access Server Setup Wizard is run. Within the wizard, both remote access and LAN and demand-dial routing are enabled, and all ports are enabled for both routing and remote access. For more information, see Enable the Routing and Remote Access service.

4. Configure a static IP address pool

A static IP address pool with a starting IP address of 172.31.252.1 and an ending IP address of 172.31.255.254 is configured. This creates a static address pool for up to 1,021 remote access clients.

For more information, see Create a static IP address pool.

5. Configure a static route on the remote access server computer to reach intranet locations

To reach intranet locations, a static route is configured on the remote access server computer with the following settings:

• Interface: The LAN adapter attached to the intranet

• Destination: 172.16.0.0

• Network mask: 255.240.0.0

• Gateway: 172.31.248.2

• Metric: 1

For more information, see Add a static route.

6. Configure a static route on the router to reach remote access clients

To reach remote access clients, a static route is configured on the router with the following settings:

• Interface: The LAN adapter attached to the network segment of the remote access server

• Destination: 172.31.252.0

• Network mask: 255.255.252.0

• Gateway: 172.31.248.1

• Metric: 1

This static route is propagated to the other routers in the Electronic, Inc. intranet through the use of routing protocols.

For more information, see Add a static route.

The remote access policy configuration

To ease the transition from a Windows NT 4.0 environment, the network administrator for Electronic, Inc. decides on an access-by-user administrative model. Remote access is controlled by setting the dial-in permission of individual user accounts to either Allow access or Deny access. Remote access policies are used to apply different connection settings based on group membership. The default remote access policies are deleted.

The domain configuration

To take advantage of the ability to apply different connection settings to different groups, the following groups are created:

• DialUp_Users

  Used for dial-up remote access connections.

• VPN_Users

  Used for remote access VPN connections.

Based on this configuration, the following remote access scenarios are described:

• Dial-up remote access for employees

• VPN remote access for employees

• Centralized authentication by using IAS

Note

• The example companies, organizations, products, people and events depicted herein are fictitious. No association with any real company, organization, product, person or event is intended or should be inferred.