In the last Daily Drill Down of our discussion about Windows RRAS, I showed you how to configure a Windows 2000 RRAS server to function as a Network Address Translation (NAT) server. In this Daily Drill Down, we’ll take a look at configuring a Windows 2000 RRAS server to function as a remote access server (RAS), handling incoming connections for remote clients.
What is a remote access server?
The term “remote access server” can refer to a server that performs a range of remote access services, instead of just providing the ability for clients to dial into the company LAN. Both Windows 2000 Professional and Windows 2000 Server can act as remote access servers, albeit with different restrictions on each platform.
On the Windows 2000 Professional side, you can configure a workstation to allow incoming connections through dial-up (one at a time), giving the remote caller the ability to use resources stored on the local computer or on the LAN, depending on how RRAS is configured. Under Windows 2000 Server, RRAS can support multiple concurrent remote access clients for those same purposes, essentially limited only by the number of available incoming connections. For example, if you have a modem pool of 48 modems, Windows 2000 Server will support all of those connections concurrently.
A RAS connection that connects the client to the dial-up server is called a point-to-point remote access connection. A RAS connection that connects the client to the LAN is called a point-to-LAN remote access connection. Regardless of the type, the remote clients can access resources on the server or LAN as if their computers were connected locally to the server or LAN. For example, clients can open and save files and use printers, just as they can locally.
Remote access is not the same thing as remote control. With a remote control application such as Symantec’s pcAnywhere, the client uses the remote control application to log onto and run applications on a remote computer. The applications run on the remote computer rather than on the client’s local computer. In effect, the remote control application gives the client a long-distance keyboard, mouse, and display for the remote computer.
Remote access makes the client’s local computer a part of the remote network. Applications run on the client’s local computer, not on the remote computer (except when the client executes a network-enabled application). Remote control applications can’t exist without remote access—the client either dials into the remote computer directly or dials into the LAN. So, if you need to use a remote control application to manage a remote server, for example, you’ll need a remote access connection to the server or to the server’s LAN before the remote control application can do anything. Depending on the remote control application, that connection might take the form of a public Internet connection, using the remote server’s and client’s existing connections to the Internet as the means of communication.
Setting up the hardware
Whether you’re configuring a Windows 2000 Professional computer to enable single connections or a Server computer to handle a modem pool, your first step in setting up a remote access server is to configure the hardware for the incoming connections. These connections might come in through one or more modems connected to the computer’s communications ports, through a multiport communications card handling multiple modems, a modem pool/communications server connected to the LAN, or even a network interface.
While you can certainly grow the server’s capabilities later on, you need to determine your clients’ current needs and plan for that growth. Choosing the right communications hardware is a big part of that process. If the bandwidth needs aren’t critical, modems and Public Switched Telephone Network (PSTN) lines (standard voice lines, or Plain Old Telephone Service—POTS) are an easy and relatively inexpensive solution. If you’re installing multiple lines, choose one number as the primary dial-up number and have your communications provider configure the lines in a hunt group. If one line is busy in the hunt group, the incoming call rolls to the next available line. There are several options for hunt groups that can address such problems as a ring-no-answer due to a hung modem. Check with your provider for details to decide what best fits your needs.
PSTN is certainly not the only option, nor is it the best option in terms of performance. PSTN will give you a maximum of 33.6 Kbps for connections. Even though 56-Kbps modems are standard nowadays, you can’t simply install individual 56-Kbps dial-up modems to PSTN lines and have them connect at the full rate. To support 56-Kbps dial-up connections, you’ll need a channelized T1 (24 channels or dial-up lines per T1) and the appropriate remote access hardware to accommodate the incoming calls.
If you choose to get a channelized T1, things can get a bit complicated. Your communications provider assigns a phone number to each channel, and as with the PSTN option, you’ll want to set up a hunt group for the numbers with a single primary dial-up number. The communications hardware for this type of connection setup typically takes the form of a network device that contains one or more communications cards with onboard modems. The T1 connects to the device and the device connects to the network. Depending on the firmware provided with the device, you can use either Windows 2000 authentication or RADIUS (the IAS service in Windows 2000).
ISDN is a third connection option. Basic Rate Interface (BRI) provides two 64-Kbps channels, and Primary Rate ISDN (PRI) provides twenty-three 64-Kbps channels. ISDN functions in some ways like a PSTN dial-up connection except that the connection is digital rather than analog and provides better throughput.
Other connection options include X.25 and ATM (Asynchronous Transfer Mode) over ADSL (Asymmetric Digital Subscriber Line). Windows 2000 supports only X.25 smart cards—X.25 adapters that connect computers directly to an X.25 public network. ATM is a standard communications protocol for high-speed data links. ADSL is a relatively new communications mechanism that employs standard copper phone lines to achieve very high data transfer rates.
In deciding which type of connection is right for you, check with your local communications provider to determine what services they offer. Some services, such as ADSL, may not be available in your area. If you can’t get ISDN or ADSL, for example, you’ll probably have to choose between PSTN and digital 56 Kbps. The speed at which your users need to connect will be the primary deciding factor in your decision, but cost will no doubt be a major consideration as well.
If you choose an external communications device, such as a modem pool, you generally will not use the RRAS service to provide dial-up services for clients. Instead, the device’s firmware, once configured, handles the task of assigning IP addresses and performing other tasks to service the RAS clients. In this situation, the server will typically perform two functions: host the configuration-management software for the device or provide authentication services, or both. Depending on the communications device, the system might use either RADIUS or Windows 2000 integrated authentication. If it uses the former, you can use IAS as the authentication service, which enables the server to process RADIUS authentication requests from the communications equipment, authenticating users against local or domain accounts. If the device relies on Windows 2000 integrated authentication, the device’s software will likely include a service that enables the device to interface with the Windows 2000 authentication mechanisms.
Configuring the RRAS server through the wizard
After the hardware is set up and functioning, you’re ready to configure the server as a RAS server. You can configure the server through the RRAS wizard or manually. If you choose the wizard option, the wizard prompts you for the following information:
- Protocols: Select the installed protocols you need to support for remote access users or add protocols if they’re not already installed.
- Network connections: Select the network interface to which remote access clients will be assigned. Typically this is a LAN interface. If you have multiple interfaces on the server, however, you need to decide which one the clients will be placed on.
- IP address assignment: If you’re using TCP/IP as one of the network protocols for RAS clients, you need to decide how IP addresses are assigned to the clients. You can assign addresses through DHCP if a DHCP server is available on the network. If no DHCP server is available, the server assigns IP addresses automatically. Or, you can specify a range of addresses the server will use to assign address leases to clients. If you choose this latter option, the wizard prompts you to specify the address range.
- Use RADIUS: You can choose at this point to configure RRAS to use RADIUS for authentication, specifying the IP addresses or DNS names of the primary and secondary RADIUS servers, as well as the RADIUS secret. You can choose not to configure RADIUS if you’ll be using Windows 2000 integrated authentication or want to configure RADIUS properties later.
Whether you use the wizard to configure the RAS server for incoming connections or configure the server manually, you’ll use the RRAS console to configure and fine-tune settings. One of the configuration tasks you’ll need to perform is to configure the remote access ports.
In the RRAS console under the server you’ll find a Ports branch. Clicking the branch displays the installed ports in the right pane. You’ll notice that if you configure the server for remote access through the wizard, RRAS automatically adds 10 VPN ports—five PPTP and five L2TP. The other installed communications devices (such as local modems) will also show up on the list. Double-clicking a port on the list displays a status dialog box containing line speed, connection statistics, network registration (address, for example), and other information, as shown in the background of Figure A. You can also use this dialog box to reset a port, as would be required when a modem is hung.
|Use the Configure Device dialog box to configure port properties.|
Right-click Ports in the left pane and choose Properties to configure ports. In the resulting dialog box, select the port you want to configure and click Configure to set these properties:
- Remote access connections (inbound only): Select this option to enable incoming remote access connections to the selected port type.
- Demand-dial routing connections (inbound and outbound): Select this option to enable demand-dial connections for the selected port type.
- Phone number for this device: Use this setting to specify the phone number associated with the device. See the following discussion for more information on configuring the phone number.
- Maximum ports: Use this setting to specify the maximum number of connections for the selected port type. For example, you might use this setting to limit the number of L2TP connections that can be active at one time. Windows 2000 doesn’t change the number of ports shown in the RRAS console until you stop and restart the service.
The phone number property isn’t needed unless you’re supporting multi-link connections or restricting users through remote access policies to a specific dial-up number. With multi-link, the phone number is used for BAP-enabled connections, and the server sends the phone number of the connection to the remote client when the client’s system requests another connection. If you’re using a hunt group for your phone number pool, you needn’t specify individual numbers for each port. The phone number property is also used for the Called Station ID property in the remote access profile. If the specified number doesn’t match the value for Called Station ID in the remote access profile, RRAS rejects the connection.
The Windows 2000 RRAS service provides many different things for your network. One of the most common purposes it serves is as a remote access server. In this Daily Drill Down, I’ve shown you how to configure Windows 2000 to function as a remote access server. In the next Daily Drill Down in this series, I’ll show you how to create RRAS policies and implement VPNs using the Windows 2000 RRAS.
The authors and editors have taken care in preparation of the content contained herein but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for any damages. Always have a verified backup before making any changes.