The Cable Guy - September 2001
Managed Remote Access with the Connection Manager Components of Windows 2000
Deploying a Windows 2000 remote access solution consists of deploying both the remote access servers and their support infrastructure, and then creating the configuration of remote access clients. For information about deploying a Windows 2000 remote access VPN server, see Planning and Installing a Windows 2000 Remote Access VPN Server (the January 2001 The Cable Guy column).
To deploy the configuration of remote access clients, each client must be configured to make a connection with the deployed servers. For a small business with a small number of clients, each can be configured manually. When configuring the dial-up or connections for an enterprise that consists of hundreds or thousands of clients, the following issues arise:
- The exact procedure used to configure a dial-up or VPN connection varies, depending on the version of Windows running on the client computer.
- To prevent configuration errors, it is preferable to have the information technology (IT) staff-not end users-configure the dial-up or VPN connection.
- To best utilize IT staff resources, a configuration method must be able to scale to hundreds or thousands of client computers.
- A VPN connection might need a double-dial configuration, in which the user must access the Internet through a dial-up connection before creating a VPN connection with the organization intranet.
Even more issues arise when an organization outsources dial-up or VPN access to a third party dial-up or Internet service provider (ISP). In this case, there might not be a single phone number used to reach the Internet or organization intranet (such as a toll-free number). In an outsourced dial configuration, there might be multiple local phone numbers that employees of an organization can use, depending upon physical location. A number of companies are taking advantage of the Internet by contracting with ISPs to utilize their worldwide access points so that users can make a local dial-up connection to the Internet, and then create a VPN connection to their organization intranet.
Connection Manager (CM) is the solution for issues associated with configuring dial-up or VPN connections for an enterprise and for outsourced dial configurations. CM is a set of components included with Windows 2000 Server that consist of the following:
- Connection Manager (CM) client dialer
- Connection Manager Administration Kit (CMAK)
- Connection Point Services (CPS)
Connection Manager Client Dialer
The Connection Manager (CM) client dialer is software that is installed on each remote access client. It includes advanced features that make it a superset of basic dial-up networking. At the same time, CM presents a simplified dialing experience to the user. It limits the number of configuration options that a user can change, ensuring that the user can always connect successfully. For example, with the CM client dialer, a user can:
- Select from a list of phone numbers to use, based on physical location.
- Use customized graphics, icons, messages, and help.
- Automatically create a dial-up connection before the VPN connection is made.
- Run custom actions during various parts of the connection process, such as pre-connect and post-connect actions (executed before or after the dial-up or VPN connection is completed).
A customized CM client dialer package, also known as a profile, is a self-extracting executable file that is created by a network administrator with the Connection Manager Administration Kit (CMAK). The CM profile is distributed to VPN users via CD-ROM, e-mail, Web site, or file share. When the user runs the CM profile, it automatically configures the appropriate dial-up and VPN connections. The Connection Manager profile does not require a specific version of Windows-it will configure connections for computers running Windows XP, Windows 2000, Windows NT 4.0, Windows Millennium Edition, Windows 98, and Windows 95.
Connection Manager Administration Kit
The Connection Manager Administration Kit (CMAK) is an optional management tool installed from:
- Add/Remove Programs (in Control Panel) on a computer running Windows 2000 Server.
You must specify Connection Manager Components in the Management and Monitoring Tools category of Windows components.
- Windows 2000 Administration Tools on a computer running Windows 2000 Professional.
You must run the Adminpak.msi file from the I386 folder on a Windows 2000 Server CD-ROM.
After it is installed, you can run Connection Manager Administration Kit from Administrative Tools.
CMAK is a Wizard that guides you through a variety of options when configuring a CM profile and creates the profile to distribute to your dial-up and VPN users.
Connection Point Services
Connection Point Services (CPS) allows you to create, distribute, and update custom phone books. Phone books contain one or more Point of Presence (POP) entries. Each POP has a telephone number used to access a dial-up network or the Internet. Phone books give users complete POP information, so when they travel, they can connect to different corporate or Internet access points based on location, rather than having to use a toll-free or long distance number.
Without the ability to update phone books, users would not only have to contact their organization's technical support staff to obtain changes in POP information; they would also have to reconfigure their client dialer software.
CPS is a combination of:
- Phone Book Administrator
A tool used to both create and maintain phone book files, and publish new or updated phone book files on the phone book server.
- A phone book server
A computer running Windows 2000 Server and Internet Information Services (IIS) (including the FTP Publishing Service) and an Internet Server Application Programming Interface (ISAPI) extension that processes phone book update requests from CM clients. The phone book server hosts a PBSData FTP virtual directory, which contains one or more phone book files that include the information about the POP access numbers and their locations.
The Phone Book Administrator is a tool that is installed by running Pbainst.exe from the VALUEADD\MSFT\MGMT\PBA folder on the Windows 2000 Server or Windows 2000 Professional CD-ROMs. Once installed, you can run Phone Book Administrator from Administrative Tools. It is not required to run the Phone Book Administrator on the phone book server.
You can use the Phone Book Administrator to create phone book entry (.pbk) and region (.pbr) files and publish them as a .cab file in the SystemRoot\Program Files\Phone Book Service\Data\PhoneBookFileName folder of the phone book server (the PBSData FTP virtual directory). Also included in the .cab file is a file that indicates the version of the phone book. To publish the phone book, you must have write permissions to the PBSData FTP virtual directory on the phone book server. The phone book entry file is configured with the name of the phone book server and a user name and password for credentials to access the PBSData FTP virtual directory.
After the phone book is configured and published to the PBSData FTP virtual directory, the CM profile is created with CMAK and configured with:
- The Automatically download phone book updates standard post-connect action (on the Post-Connect Actions page in the CMAK Wizard).
- The name of the phone book file (on the Phone Book page in the CMAK Wizard).
- The names of the phone book file and the phone book server (on the Phone-Book Updates page in the CMAK Wizard).
How phone book updates work
Updating the phone book occurs as a post-connect action. After the connection is made, the CM client dialer sends an HTTP request to the phone book server. Included in the request is the name of the phone book file and the version currently installed on the client. The ISAPI extension running on the phone book server receives the HTTP request and, based on the version installed on the client and the version published on the phone book server, sends an HTTP response with one of the following:
- A message indicating that no update is required.
- A .cab file containing phone book files for a full update.
- A .cab file containing phone book files for an incremental update.
A full update is sent if the phone book is not installed or if the version number of the phone book installed on the client is more than 4 versions old. Otherwise, an incremental update is sent.
Deploying Connection Manager for Managed Remote Access
The following are the basic steps for deploying Connection Manager for Windows 2000:
- Designate a computer running Windows 2000 Server and IIS with the FTP Publishing Service as the phone book server. This computer can be an existing IIS server or a low-end computer that will be a dedicated phone book server.
- Install Connection Manager Components on the phone book server.
- Install the Phone Book Administrator on a computer running Windows 2000.
- Use the Phone Book Administrator to configure a phone book.
- Use the Phone Book Administrator to publish the phone book files on the phone book server.
- Install the Connection Manager Administration Kit on the computer running Windows 2000 that will be used to create CM profiles. Use CMAK to create a CM profile with the appropriate phone book file and instructions to obtain updated phone books.
- Distribute the CM profile to dial-up or VPN users.
For detailed information about deploying CM, see the Windows 2000 Server Documentation link below. For an example of a CM deployment, see the Deployment Lab Scenario links below.
Note Although the focus of this article is the deployment of dial-up or VPN remote access client for end-user organizations, ISPs can also use Connection Manager to create custom dialers for their customers-complete with a phone book of local ISP POPs.
For More Information
For more information about Connection Manager in Windows 2000, consult the following resources:
- Windows 2000 Server Documentation (Networking\Connection Manager Administration Kit and Networking\Connection Point Services)
- Connecting Dial-up Remote Access Users to an Intranet (A Windows 2000 Resource Kit Deployment Lab Scenario)
- Connecting Remote Users Across the Internet Using PPTP (A Windows 2000 Resource Kit Deployment Lab Scenario)
For a list of all The Cable Guy articles, click here.