Remote Access Overview

The Routing and Remote Access service (RRAS) is integrated in Windows 2000 and Windows Server 2003 and provides connectivity for remote users and remote offices to the corporate network. RRAS makes it possible for remote users to perform their tasks as though they were physically connected to the corporate network. A remote access connection enables services such as file and print sharing to be available to remote users. To access network resources, remote access clients can use standard Windows tools.

Dial-up networking allows a remote access client to establish a dial-up connection to a port on a remote access server. The configuration of the dial-up networking server determines what resources the remote user can access. Users who connect through a dial-up networking server connect to the network much like a standard LAN user accessing resources.

Remote access VPNs provide a common environment where many different sources such as intermediaries, clients and off-site employees can access information via web browsers or email. Many companies supply their own VPN connections via the Internet. Through their ISPs, remote users running VPN client software are assured private access in a publicly shared environment. Using analog, ISDN, DSL, cable technology, dial and mobile IP, VPNs are implemented over extensive shared infrastructures. Email, database and office applications use these secure remote VPN connections.

The different remote access client types are listed below:

  • Dial-up client: A dial-up client uses a physical connection to the remote access server to establish a connection to it. A dial-up client can access resources in much the same manner as if it were physically connected to the network. Dial-up clients can:
    • Access network resources and services.
    • Share files.
    • Map network drives, and perform other operations, based on the access that is allowed.

    You should utilize a dial-up client when the following conditions are present:

    • The Internet cannot be used to access resources on the corporate network because of security issues.
    • The throughput provided by a dial-up connection adequately meets the requirements of remote access clients – they are able to perform the various functions which they need to.
    • The expense of phone lines and modems is affordable.
  • VPN client: A VPN client utilizes the Internet, tunneling and TCP/IP protocols to establish a connection to the network.
  • Wireless client: These clients connect to the network through radio frequencies such as infrared frequencies.

When determining user requirements for remote access, a few issues that need to be initially addressed are:

  • Determine what operating systems are being used by clients.
  • Determine the computers which are being used by clients.
  • Determine what the bandwidth needs of users are.
  • Determine what connections can be supported.
  • Determine whether clients’ current Internet connections can be used for VPN connections.
  • Determine how often users will need to connect to the network.

Configuring Dial-up RAS clients and VPN clients

The processes for configuring a dial-up remote access client and a VPN client are almost the same. The primary difference between configuring a dial-up remote access client and a VPN client is explained below:

  • When configuring a dial-up remote access client, you specify the phone number of the remote access server.
  • When configuring a VPN client, you specify the IP address of the server.

After a connection is established, you can change the connection’s properties through the connection’s Properties dialog box. The configuration settings that you can configure through the various tabs on the Dial-Up Connection Properties dialog box are:

  • General tab: The configuration settings that you can configure on the General tab are:
    • Configure the VPN server’s IP address or hostname
    • Specify the phone number to use with the specific connection.
    • Specify the connection which should be established prior to the VPN connection being established.
    • Modify the settings of the existing modem that the connection uses
    • Modify the modem that the connection uses.
    • Specify whether the dialing rules apply for RAS connections.
    • Specify whether the connection shows a status icon when the connection is active. For dial-up connections, the Show Icon In Taskbar When Connected checkbox is enabled by default.
  • Options tab: The configuration settings that you can configure on the Options tab pertain to the dialing and redialing of the connection. The settings on the Options tab are organized into two sections, namely the Dialing Options section and the Redialing Options:
    • Dialing Options: The dialing options that you can set are listed below. These settings control the dial-up networking’s interface actions:
      • Display Progress While Connecting checkbox; tracks the progress of the attempted connection. This option is enabled by default.
      • Prompt For Name And Password, Certificate, Etc. checkbox; prompts for any credentials needed to authenticate the connection to the server. The option is enabled by default.
      • Include Windows Logon Domain checkbox; the domain name of the domain currently logged on to is included with the authentication credentials. The option is disabled by default.
      • Prompt For Phone Number checkbox; shows the phone number in the connection dialog box so that it can be edited prior to dialing.
    • Redialing Options: These settings control the activities that occur when the remote end is busy. The redialing options that you can set are:
      • Redial Attempts box; for specifying the number of attempts that occur to establish the connection before abandoning it. The default value for the Redial Attempts setting is 3.
      • Time Between Redial Attempts setting; for indicating the wait period before reattempting the connection.
      • Idle Time Before Hanging Up setting; for specifying the idle time for the connection before the call is terminated.
      • Redial If Line Is Dropped checkbox; when enabled, the number is automatically redialed when you are disconnected.
  • Security tab: The configuration settings that you can configure on the Security tab control the security of the connection. This includes options for authentication protocols and encryption. The settings on the Security tab are also organized into two sections, namely the Security Options section and the Advanced Security Settings:
    • Security Options: The settings that you can configure when you select the Typical (Recommended Settings) option are:
      • Validate My Identity As Follows; used to specify whether secured passwords, unsecured passwords, or smart card authentication is used. The default setting is unsecured passwords.
      • Automatically Use My Windows Logon Name And Password checkbox; for secured passwords, provides the remote end with the logon credentials used to log on to the domain/computer.
      • Require Data Encryption checkbox; for secured passwords and smart card authentication, specifies whether an encryption method should be negotiated between the remote server and the client.
    • Advanced Security Settings: The settings that you can configure when you select the Advanced (Custom Settings) option are listed below. The Advanced Security Settings dialog box is accessed by clicking the Settings button after you have selected the Advanced (Custom Settings) option:
      • Data Encryption drop down list; includes options that specify whether to encrypt either end of network connections through IPSec. The options are No Encryption Allowed – the server will drop the connection if the client cannot provide encryption; Optional Encryption – the call continues if encryption cannot be provided; Require Encryption – the client has to request encryption, and is not allowed to connect if the remote server cannot provide it; Maximum Strength Encryption – a connection can only be established if the client and server support the same level of encryption.
      • Logon Security setting; specifies the authentication protocols which the client utilizes. The available options are Use Extensible Authentication Protocol (EAP) and Smart Card Or Other Certificate.
      • Allow These Protocols setting; specifies the authentication protocols that the client can use. Authentication protocol options include CHAP, MS-CHAPv1, MS-CHAPv2, PAP and SPAP. The authentication protocols that are selected by default when the Allow These Protocols option is enabled are CHAP, MS-CHAPv1 and MS-CHAPv2.
  • Networking tab: The configuration settings that you can configure on the Networking tab are explained below:
    • Type Of Dial-Up Server I Am Calling setting; specifies the type of server being called. The options are PPP and SLIP, with PPP being the default setting.
    • You can select the Install, Uninstall, and Properties buttons to control the protocols installed on the machine, and to control the settings of the protocols. The typically selected options are Internet Protocol (TCP/IP) and Client For Microsoft Networks.
  • Sharing tab: The configuration settings that you can configure on the Sharing tab are for RAS clients only:
    • Enable Internet Connection Sharing For This Connection
    • Enable On-Demand Dialing

How to install the Routing and Remote Access Services (RRAS)

  1. Click Start, Administrative Tools, and then select Routing And Remote Access to open the Routing And Remote Access management console.
  2. In the console tree, select the remote access server that you want to configure. Select the Action menu, and then select Configure and Enable Routing and Remote Access. Alternatively, you can right-click the server that you want to configure, and then select Configure and Enable Routing and Remote Access from the shortcut menu.
  3. The Routing and Remote Access Server Setup Wizard initiates.
  4. On the initial page of the Routing and Remote Access Server Setup Wizard, click Next.
  5. On the Configuration page, select the Remote Access (Dial-Up Or VPN) option and then click Next.
  6. On the Remote Access page, select either the VPN server checkbox, or the dial-up server checkbox, or both of these checkboxes. Click Next.
  7. When the Macintosh Guest Authentication page is displayed, click the Allow Unauthenticated Access For All Remote Clients option if you want the RRAS server to accept anonymous remote access. Click Next.
  8. On the IP Address Assignment page, accept the default setting of Automatically, or select the From A Specified Range Of Addresses button. Click Next.
  9. On the Managing Multiple Remote Access Servers page, select the No, Use Routing And Remote Access To Authenticate Connection Requests option, and then click Next.
  10. On the Summary page, click Finish.
  11. The RRAS service starts.

How to configure the VPN client

  1. On the client computer open Control Panel.
  2. Right-click Network Connections and then select Open from the shortcut menu.
  3. Click New Connection Wizard to start the New Connection Wizard.
  4. Click Next on the Welcome to the New Connection Wizard page.
  5. On the Network Connection Type page, select Connect to the network at my workplace, and then click Next.
  6. Click Virtual Private Network Connection, and click Next.
  7. Enter a name for the connection and click Next.
  8. Specify the external IP address of the VPN server, or the FQDN of the VPN server, and then click Next.
  9. Select the Anyone’s use option if you want the connection to be available to everyone who uses the computer, and then click Next.
  10. When the Completing the New Connection Wizard page appears, click Finish.
  11. The logon dialog box is displayed after you click the Finish button to complete the New Connection Wizard.

How to allow multilink connections from remote access clients

  1. Click Start, Administrative Tools, and then select Routing And Remote Access to open the Routing And Remote Access console.
  2. In the console tree, right-click the server that you want to work with, and then click Properties from the shortcut menu.
  3. The server Properties dialog box opens.
  4. Switch to the PPP tab.
  5. Select the Multilink Connections checkbox to allow multilink connections from remote access clients.
  6. If you do not want to allow multilink connections, simply disable the Multilink Connections checkbox.
  7. If you select the Multilink Connections checkbox, it is recommended that you enable the Dynamic Bandwidth Control Using BAP Or BACP checkbox. This allows the server to add or drop PPP connections based on the rise and fall in available bandwidth.
  8. Click OK.

How to grant dial-in permission for user accounts

  1. Click Start, Administrative Tools, and then click Computer Management to open the Computer Management console.
  2. Double-click Local Users and Groups.
  3. Double-click Users.
  4. Double-click the specific user account that you want to grant access to. The Properties dialog box of the user opens.
  5. Click the Dial-in tab.
  6. Click Allow access, and then click OK.
  7. On the client computer, access the Network Connections folder, and then double-click the VPN connection that you want to configure.
  8. Specify the user account credentials, and then click Connect.

How to enable remote access for a specific user

  1. Click Start, Administrative Tools, and then click Active Directory Users and Computers to open the Active Directory Users and Computers management console.
  2. In the console tree, expand the domain that contains the user account that you want to enable remote access for.
  3. Select the Users container.
  4. In the right pane, locate the user account that you want to configure.
  5. Right-click the specific user account and then select Properties from the shortcut menu.
  6. The Properties dialog box of the user opens.
  7. Click the Dial-in tab.
  8. In the Remote Access Permission area, click the Allow Access option.
  9. Click OK.

How to enable remote access based on remote access policy

  1. Click Start, Administrative Tools, and then click Active Directory Users and Computers to open the Active Directory Users and Computers management console.
  2. In the console tree, expand the domain that contains the user account that you want to enable remote access for.
  3. Select the Users container.
  4. In the right pane, locate the user account that you want to configure.
  5. Right-click the specific user account and then select Properties from the shortcut menu.
  6. The Properties dialog box of the user opens.
  7. Click the Dial-in tab.
  8. In the Remote Access Permission area, click the Control Access Through Remote Access Policy option.
  9. Click OK.

How to configure inbound dial-up connections on a computer running Windows 2000 Professional

  1. Click Start, Settings and then click Network And Dial-Up Connections.
  2. When the Network And Dial-Up Connections dialog box opens, double-click Make New Connection.
  3. The Network Connection Wizard starts.
  4. Click Next on the Welcome to the Network Connection Wizard page.
  5. On the Network Connection Type page, click the Accept Incoming Connections option and then click Next.
  6. On the Devices For Incoming Connections page, in the Connection Devices list, choose the modem device for the computer. Click Next.
  7. On the Incoming Virtual Private Connection page, click the Allow Virtual Private Connections option and then click Next.
  8. On the Allowed Users page, select the Administrator option and then proceed to click the Properties button.
  9. The Administrator Properties dialog box opens.
  10. Switch to the Callback tab.
  11. Verify that the correct settings are specified on the tab. Click OK and click Next.
  12. On the Networking Components page, select the Internet Protocol TCP/IP option and then click the Properties button.
  13. When the Incoming TCP/IP Properties dialog box opens, select Specify TCP/IP addresses.
  14. Specify the appropriate address in the From box and in the To box, and then click OK and click Next.
  15. Click Finish.

How to configure outbound connections on a computer running Windows 2000 Professional

  1. Click Start, Settings and then click Network And Dial-Up Connections.
  2. When the Network And Dial-Up Connections dialog box opens, double-click Make New Connection.
  3. The Network Connection Wizard starts.
  4. Click Next on the Welcome to the Network Connection Wizard page.
  5. On the Network Connection Type page, click the Connect To A Private Network Through The Internet option. Click Next.
  6. On the Destination Address page, enter the appropriate address and then click Next.
  7. On the Connection Availability page, click the Only For Myself option and then click Next.
  8. Click Finish to complete the Network Connection Wizard.
  9. The Connect Virtual Private Connection dialog box automatically opens.
  10. Provide the proper user name and password details.
  11. Click the Connect button.

How to manage remote access clients

You can use the Routing And Remote Access console to both examine and manage remote access clients that have established connections to the remote access server. The various activities that you can perform are:

  • View and examine the status of connected remote access clients.
  • Send a message to one or multiple remote access clients.
  • Disconnect remote access clients.

How to view the status of connected remote access clients

  1. Click Start, Administrative Tools, and then select Routing And Remote Access to open the Routing And Remote Access console.
  2. In the console tree, select Remote Access Clients.
  3. All currently connected remote access clients are displayed in the details pane of the Routing And Remote Access console.
  4. Right-click the user name that you want to examine, and then select Status from the shortcut menu to view the status of the connection.

How to send a message to a remote access client

  1. Click Start, Administrative Tools, and then select Routing And Remote Access to open the Routing And Remote Access console.
  2. In the console tree, select Remote Access Clients.
  3. In the details pane, right-click the user name that you want to send the message to, and then select Send Message from the shortcut menu.
  4. The Send Message dialog box opens.
  5. Type the message that you want to send to the user name that you have selected.
  6. Click OK.

How to send a message to all remote access clients

  1. Click Start, Administrative Tools, and then select Routing And Remote Access to open the Routing And Remote Access console.
  2. In the console tree, right-click Remote Access Clients and then select Send To All from the shortcut menu.
  3. When the Send Message dialog box opens, type up the message that you want to send to all connected remote access clients.
  4. Click OK.

How to disconnect remote access clients

  1. Click Start, Administrative Tools, and then select Routing And Remote Access to open the Routing And Remote Access console.
  2. In the console tree, select Remote Access Clients.
  3. In the details pane, right-click the user name that you want to disconnect, and then select Disconnect from the shortcut menu.

Troubleshooting Dial-Up Remote Access Connections

A few guidelines for troubleshooting dial-up remote access connections are listed below:

  • For a dial-up remote access connection to be established between a remote access server and remote access clients, the Remote Access Server option should be enabled on the General tab of the Properties dialog box of the remote access server. You can use the Routing And Remote Access management console to verify that the Remote Access Server option is enabled.
  • Ensure that the settings of the remote access policy and the settings configured in the properties of the remote access server are not conflicting.
  • The remote access server, the remote access policy, and the dial-up remote client should all be configured to use at least one common authentication protocol. You can view this information on the Security tab of the Dial-Up Connection Properties dialog box.
  • If MS-CHAP v1 is the authentication protocol being used, ensure that the user password is not more than 14 characters.
  • The remote access server, the remote access policy, and the dial-up remote client should all be configured to use at least one common encryption strength. You can verify this information on the Security tab of the Dial-Up Connection Properties dialog box.
  • Ensure that the number of modem devices specified in the Ports node of the Routing And Remote Access management console can cope with the specified number of concurrent remote access connections.
  • The remote access server either assigns addresses to clients from a predefined static address pool or through a DHCP server on the network.
    • For address assignment from the static address pool, ensure that the address pool can handle the required concurrent client connections.
    • For address assignment through the DHCP server, ensure that the DHCP server’s scope can handle the blocks of 10 addresses needed by your remote access server.
  • The dial-up remote access connection must have the correct permissions for the connection to be established. You can verify the permissions specified for the connection by examining the remote access policies and the dial-in properties of the specific user account.
  • A few guidelines for troubleshooting modems that are not operating:
    • Ensure that the modem cable is not faulty.
    • Check whether the modem is compatible.
    • Verify that the modem is connected correctly to the computer’s port. Verify that the power is turned on.
    • Check that the correct number was dialed.
    • Check whether the phone lines support the speed of the modem. Try using a lower bps rate.
    • The issue might be that the modem cannot work with the modem of the remote access server. Here, you might need to use the same modem type being used by the remote access server.
    • Verify that you have the necessary remote access permission, and that your user account is valid.
    • Check whether the remote access server is running.
  • If you continuously receive an error message, indicating that the remote access server is not responding, a few guidelines to solve this issue are listed below:
    • Check whether you can connect to the server from a different workstation to ascertain whether the issue is specific to one workstation.
    • Check whether the remote access server is running and operating correctly.
    • Verify whether the modem vendor has released new software updates. There might be an issue with the version of the modem software that you are using.
    • If the modem and telephone line appear to not be operating as they should be, use modem diagnostics to verify that the modem is operating as it should. There might also be excessive static on the phone line.
    • There could be a switching mechanism between the remote access client and server which is preventing the connection from being established. You should attempt using a lower bps rate.
    • The issue might be that the modem you are using is conflicting with the modem of the server. You should attempt using a lower bps rate.
    • If the modem is experiencing a problem connecting and there is quite some static on the telephone line, attempt using a lower bps rate. The issue might be that the modem cannot connect at a higher data rate.
    • You can verify the quality of your phone line with the telephone company.
  • If you receive a no answer message when attempting to connect via ISDN, try the following strategies. A few possible causes for this type of issue are also listed:
    • Try dialing later. The line might be too busy or an existing poor line condition could be hindering the connection.
    • Check that the ISDN adapters are installed and that they are set up correctly.
    • Check whether the phone number is configured correctly. You can contact the telephone company to determine the numbers that the ISDN line owns.
    • Verify that the remote access server is up and running, and verify that the modem is connected.
    • Verify that your DigiBoard adapter is current.
    • Verify that the Service Profile Identifier (SPID) is configured correctly.
    • You should enable line-type negotiation.
  • If remote access client connections to the remote access server are continuously being dropped, try the following strategies:
    • Check whether the modem cable is connected correctly. It could have been disconnected.
    • Verify that the modem settings are correct.
    • Verify whether the modem vendor has released new software updates. There might be an issue with the version of the modem software that you are using.
    • It could be that the phone has call waiting, and this is hindering the connection. Disable call waiting and then try again.
    • You could have been disconnected because of an inactivity period. Try once more.
    • If somebody picked up the phone, you would have been automatically disconnected. Try calling once more.
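
The configuration checks in the troubleshooting guidelines above (a common authentication protocol, the MS-CHAP v1 password limit, a common encryption strength, and DHCP blocks of 10), together with the protocol defaults from the Security tab, can be checked before users start dialing in. The Python below is an added example, not part of the original article or of any Microsoft tool. The protocol preference order, the encryption labels, the sample configurations, and the assumption that the server keeps one leased address for itself are illustrative.

```python
import math

# Assumed preference order, strongest first; PAP sends the password in cleartext.
PREFERENCE = ["EAP", "MS-CHAPv2", "MS-CHAPv1", "CHAP", "SPAP", "PAP"]
# Protocols the article lists as selected by default under "Allow These Protocols".
CLIENT_DEFAULTS = {"CHAP", "MS-CHAPv1", "MS-CHAPv2"}
MSCHAPV1_MAX_PASSWORD = 14  # limit stated in the troubleshooting guidelines
DHCP_BLOCK = 10             # block size stated in the troubleshooting guidelines


def common_protocols(server, policy, client):
    """Protocols enabled on server, policy and client, strongest first."""
    shared = set(server) & set(policy) & set(client)
    return [p for p in PREFERENCE if p in shared]


def dhcp_addresses_needed(concurrent_clients):
    """Addresses the DHCP scope must spare, rounded up to whole blocks of 10.

    Assumption: the server keeps one leased address for its own interface.
    """
    return math.ceil((concurrent_clients + 1) / DHCP_BLOCK) * DHCP_BLOCK


def preflight(server, policy, client, password_length,
              concurrent_clients, dhcp_free_addresses):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    shared = common_protocols(server["auth"], policy["auth"], client["auth"])
    if not shared:
        findings.append("no common authentication protocol")
    else:
        best = shared[0]  # assumed to be the protocol that gets negotiated
        if best == "MS-CHAPv1" and password_length > MSCHAPV1_MAX_PASSWORD:
            findings.append("MS-CHAP v1 in use but password exceeds 14 characters")
        if best in ("PAP", "SPAP"):
            findings.append("strongest common protocol is " + best)
    common_enc = (set(server["encryption"]) & set(policy["encryption"])
                  & set(client["encryption"]))
    if not common_enc:
        findings.append("no common encryption strength")
    needed = dhcp_addresses_needed(concurrent_clients)
    if dhcp_free_addresses < needed:
        findings.append(
            f"DHCP scope has {dhcp_free_addresses} free addresses, needs {needed}")
    return findings


# Constructed sample configurations (not taken from a real server).
SERVER = {"auth": {"EAP", "MS-CHAPv1", "MS-CHAPv2"},
          "encryption": {"strong", "strongest"}}
POLICY = {"auth": {"MS-CHAPv1", "MS-CHAPv2"}, "encryption": {"strongest"}}
CLIENT = {"auth": set(CLIENT_DEFAULTS), "encryption": {"strongest"}}
LEGACY_CLIENT = {"auth": {"MS-CHAPv1", "PAP"}, "encryption": {"basic"}}

if __name__ == "__main__":
    # 25 concurrent clients, 20-character password.
    for name, cfg, free in (("client", CLIENT, 30), ("legacy", LEGACY_CLIENT, 20)):
        print(name, preflight(SERVER, POLICY, cfg, 20, 25, free) or "OK")
```
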