Configure Remote Access on Windows Server 2008 R2


In this section I will look at configuring
remote access. Now days with more people working away from the office and even at home, remote
access is an important topic to understand. In this video I will first look at the 3 stages
that make up a remote connection. It is important to understand these steps to help you troubleshooting
network problems. Next I will look at Nat. Nat is a technology that allows one public
IP address to be used by many computers. On smaller networks and at home you may however
want to consider using internet connection sharing. This is simpler to NAT but requires
a dedicated computer to access the internet. If you want to allow VPN access into you company,
Microsoft offers remote access service. One I look at how remote access service works
and how to install it, I will have a closer look at the VPN protocols that make it work.
Depending on which operating systems you are using with remote access server will determine
which protocols you make available on it. Next I will look at network policy server.
With remote access there are a lot of settings to configure, network policy server helps
you to configure these settings throughout your environment. Lastly I will look at radius.
Radius is a system that allows you to centralized control of remote access. In other words,
who has access and keeping records of who accesses what.
When looking at remote access it makes it easier to look at it in 3 stages. The first
is connection. The connection stage makes the physical connection between the 2 parties.
At this stage encryption and protocols are decided.
When troubleshooting connection problems, make sure that both sides of the connection
support the same protocols and encryption. If they don’t, a connection will not be
made. If a connection cannot be made the next stage, authentication cannot occur.
The authentication stage identifies who the connection is been made by. Typically the
connection is identified by username and password or certificates. You could however use IP
addresses as well but this is seen as not been very secure.
The last stage of remote access is authorization. Authorization determines what they can access.
This is done through IP filters which either allow or block connections to certain IP addresses
and NTFS permissions which block or allow access to files.
When troubleshooting remote access problems try to keep these stages in mind. If you are
not being prompted for a username and password the problem is probably a connection problem.
If you keep getting denied access the problem may be with your certificate or user name
and password. If everything seems to be working and your
connection is up and running but you can’t see or access anything, the problem is probably
with authorization. Remember to keep these 3 stages in mind when troubleshooting network
problems. With IP version 4 addresses starting to run
out, systems had to be devised to help use the available IP addresses a lot better. One
of these systems is NAT. Nat standards for network address translation.
The concept behind NAT is that many computers communicates with a Nat Device. The NAT device
communicates with the internet. As shown here, 4 computers are connected to the same NAT
device and share the one public IP address. NAT is very scalable and could be used for
100’s or even 1000’s of computers. As you can see on the left hand side, each client
computer has its own IP address but the IP address is a private IP address.
NAT is usually found in most D S L modems and is the reason why you can connect multiple
computers to the same D S L modem. NAT was designed to better utilized the remaining
IP version 4 addresses. With the larger address space in IP version
6, Nat is not required for IP version 6 since IP addresses in IP version 6 are far from
being scarce. If you want to use NAT with windows you will require windows server. Client
operating systems like Windows Vista and windows 7 do not support NAT.
In the real world you probably won’t see windows used for NAT as Nat is usually done
with hardware devices. NAT is primary aimed at large business, if you have a small business
or are a home user you may want to look at something like ICS.
ICS, or internet connection sharing is used when one computer shares it’s connection
with other computers. For example, imagine this computer was connected to the internet
but the DSL modem used is a USB modem and thus can only be connected to one computer
at a time. Later on you wanted to connect some more computers
up to the internet. Since the DSL modem only has one USB connection you can’t connect
up any more computers to the connection. With internet connection sharing you could connect
the other computers up via the main computer. The down side with internet connection sharing
is that the computer that is accessing the internet must always be on for the other computer
to access the internet. One common use for internet connection sharing is when you place
a wireless device on your network for example a laptop.
You can of course upgrade your D S L modem to one that supports wireless, but another
solution is to install a network card in the computer running ICS. This will allow your
laptop to connect to the internet using it wireless adapter without having to upgrade
any of your existing networking gear. Let’s have a look at how to configure ICS.
ICS works off an existing network connection, to access an existing network connection,
open the control panel and select the option view network status and tasks. From here you
need to select change adapter settings from the right hand side.
This will show you all the currently installed network connections. The one that I am interested
in is my I S P connection which is a dial up connection. ICS works on almost any type
of connection. To configure it, select the properties of the connection and then select
the tab sharing. On the sharing tab select the option allow
other network users to connect through this computers internet connection. Next I need
to select which adapter the other computers are connected to, in this case it will be
local area connection. You will also notice the option establish
a dial-up connection whenever a computer on my network attempts to access the internet.
This will essentially bring up the connection automatically when one of the computers on
your network requests it. ICS is now set up and will allow computers
connected to local are connection to access the internet. If I select the button settings,
this allows me to set up port forwarding. Port forwarding will forward a request for
a particular services to a particular computer. If I were to select remote desktop and enter
in work station 10. All remote desktop connections that come through this internet connection
will be directed to work station 10. If you don’t set up any port forwarding than all
incoming services will remain on the computer with ICS enabled. Now that you have an understanding
of ICS, let’s have a look at remote access service it’s bigger brother.
The Microsoft Remote Access Service provides two basic services for clients. The first
is dial up services. The client will access the RAS server through a modem. Generally
the modem will be in a bank of modems rather than a standalone modem. The RAS server will
provide access to the production network for the client connect to that modem.
RAS also provides, VPN access. Over the years VPN access has become more common and now
days it is rare for anyone to use modem access. When VPN is used, the client creates a tunnel
over the public internet to access the RAS server.
This means the RAS server needs to have access to the internet. For this reason, the RAS
server is normally a member server and placed on the D M Z or perimeter network. Doing this
helps prevent the RAS server being compromised and if it is, helps prevent the rest of the
network being compromised as well. To install the Remote access server, launch
server manager from the start menu under administrative tools. From the left hand side select the
option add roles and then select add roles from the right hand side. If you have watched
the previous video on routing, you would remember me doing the same thing as I am going to do
now and that is select network policy and access services.
If I now move on to the components screen I need to select routing and remote access
component. You will notice that the routing component is also select. This is not required
for remote access so I will deselect it. I can now move on and start installing the role.
Depending on the speed of your server, this role will generally take a few minutes to
install. Once completed I can close server manager and then launch the routing and remote
access server tool from administrative tools under the start menu. Routing and remote access
in windows server 2008 has not changed that much from windows server 2003 and windows
server 2000, so if you have some previous experience in remote access you should not
have to many problems configuring it on windows server 2008.
In order to start using remote access, you need to configure it. To do this, right click
on the remote access server, in this case RAS 1 and select the option configure routing
and remote access. This will launch the routing and remote access server wizard.
In this particular case I want to set up this server to allow remote access so I will leave
it on the default option at the top, remote access dial up and VPN. On the next screen
you get to decide if you want this server to support connections via VPN or via Dial
UP, in this case I will select both. On most servers providing remote access they
will have more than one network card. One network card will generally be connected to
the internet and the other will be connected to the production network.
I will in this case select the second network card as it is the network card that my client
are connected to. Notice also the option “enable security on the selected interface by setting
up static packet filters”. This means the local firewall will be configured
to deny anything other than VPN traffic. This is one good reason to use the wizard to ensure
that these rules are created. Be warned however, ticking this tick box will deny all traffic
through that network card that is not a remote connection.
You will no longer be able to receive pings, contact domain controllers or retrieve web
pages. If have a second network card that will perform these duties tick this tick box,
if not it is probably best not to tick this box.
On the next screen you can decide where the clients will get their IP addresses from,
this can either be from a pool you enter in or from the DHCP server. I have a DHCP server
on the network, however for this example I will enter in a manual range.
For a client to operate on the network, it needs to be allocated a IP address from the
production network. The RAS server makes the client think that it is directly connected
to that network and other devices on the network will think that it is directly connected.
When I set up a RAS server on a network I like to manually enter in a range of IP addresses
as this helps with troubleshooting. If you have a range of IP addresses that you know
is just been used for VPN, when you see one of those IP addresses in a log file you know
that it came from a remote connection. When you enter in the range of IP addresses,
you only need to enter in the start IP address and the amount of IP addresses that your want
to use. Windows will automatically work out the end IP address for you.
Once you have configure how you want your clients to obtain their IP addresses, you
will need to decide if you want to use radius or not. Radius is an authentication system.
I will cover radius in more detail later in this video.
For the present just think of radius as a system that authenticates users on the network.
Radius is often used when you have multiple remote access servers and you want to authenticate
them all using one system. Once IPress finish, Routing and remote access
will be installed. Remote access services does not take long to install. Once done your
RAS server is ready to go. You may how ever want to do some more configuration to the
server depending on what type of clients will be connecting. Let’s have a look at the
protocols RAS supports. The first is PPTP. PPTP or point to point
tunneling protocol and was developed by Microsoft and thus is supported by most Microsoft operating
system. If you are using a non Microsoft operating system you will need to use anther protocol
to connect the VPN server. PPTP is becoming obsolete by newer protocols
but may be your only choice if you have some older windows operating systems that need
to connect up to your VPN server. The protocol only supports TCP IP which now days with the
popularly of the protocol may not present a problem.
The protocol requires TCP port 1723 to be open to operate effectively. The next protocol
is L2TP or layer two tunneling protocol. This protocol is and open standard so you can use
it to connect your non Microsoft clients. L2TP also supports multiple protocols, not
just TCP IP. L2TP can use Ipsec for encryption assuming that you are using certificates in
your organization. The down side with L2TP is that it is not supported on older operating
systems. L2TP uses TCP port 1701 and UDP port 500 for
communication and also has IP version 6 support. L2TP is a better protocol in a lot of ways
but because of its lack of backward support it is not uncommon for VPN servers to have
both PPTP and L2TP both configured. With both installed the client can decide which one
they want to use. The disadvantage with both these protocols
is that they require ports to be open on the firewall to operate that may not normally
be open. A lot of administrator don’t like opening additional port on their firewalls
which brings us to the last protocol. SSTP or secure socket tunneling protocol addresses
some of the problems with firewalls by using SSL for encryption. SSL uses port 443 to transfer
traffic. Because of this, SSTP has better firewall support because port 443 may all
ready be open as it is commonly used by web traffic to encrypt data.
The protocol also supports certificates for authentication if your organization has a
certificate authority. The protocol is designed for client access and thus can’t be use
for site to site access. The protocol is new to Windows server 2008 and has limited support
for older clients. When SSTP first arrived you needed to have
windows vista with service pack 1 or above. Since then Microsoft has added support to
windows XP with the release of service pack 3. SSTP is a good protocol to use and gives
you a lot of features if you clients support it. Let’s have a look at how to configure
and connect to RAS server. First of all I want to see what protocols
are enabled on my RAS server. To this, select ports. Here you can see all the ports that
are currently waiting connections. You can see a port waiting for an SSTP connection
and further down a port waiting for a PPTP connection.
If a client was connected to this server, the status would change from inactive to connected.
If I now right click on ports and select properties, you can see all the protocols I just talked
about. If IPress configure for SSTP, you can see
here that by default it is enabled and accepting Remote access connections. SSTP can only be
used for incoming connections so you will notice that the options for outgoing are grayed
out. You will also notice that the maximum ports
is set to 128 by default. This means that this server can accept 128 SSTP connections.
Bear in mind that when I set up the IP Address pool I only allocated 50 IP addressees.
If you are planning on have a lot of incoming connections, make sure that you maximum ports
is high enough to support them and also you have a big enough pool of free IP addresses.
If I now select PPTP and again press configure, you will notice that again I have the option
to enable or disable incoming connections. I also have the option to enable or disable
demand dial connections. Demand dial connections will create a connections as required. For
example, if you had two branches offices connected by VPN, a demand dial connection will bring
up the connection when the client attempts to use it.
The next protocol is L2TP, you can see the options are the same as the other protocols.
If you want to disable any of these protocols just clear the relevant check box. The last
of the RAS protocols is IKE. This is essentially IPSec meaning if you want
to make a native IPSec connection RAS supports it. This may be a good option for you if you
have none windows computers that want to connect up to RAS.
To start using RAS you need to make a connection from a client computer. To do this, I will
switch to my windows 7 computer. I will use a windows 7 as a client for this demonstration
as it is more than likely that a non windows server 2008 will be used to connect to RAS.
To create the new connection, open the control panel and then select” view network status
and tasks”. This will take you into the network and sharing center. To start the new connection
wizard, select the option set up a new connection or network.
Depending on which version of windows you are running, the wizard may be a little different
and may be launched from a different location. In this case, the option I want is connect
to a workplace. This wizard can also be used to create a dial
up connection, in this case I want a VPN connection so I will select use my internet connection.
The next screen will ask if you want to set up an internet connection to connect to the
VPN server. You would select this option if you needed
to dial up to an ISP using a modem or you had to connect via a different connection.
When configured correctly, whenever this VPN connection is activated the connection to
the internet will first be opened before trying to connect to the RAS server.
On this screen I need to enter in the IP address or server name of the RAS server, I can also
give the connect a suitable name. At the bottom of the screen you will notice the option allow
other people to use this connection. Ticking this option will allow other users
on the computer to connect up using this connection. If this connection connects back to your head
office for example, ticking this option allows you to set up the connection using the administrator
and than any user that logs onto the computer will be able to use the connection.
On this screen you can enter in the username and password for this connection. Just to
prove a point, I am going to user the domain administrators user name and password which
has access to everything on the network. If you are creating a shared connection, it
is often a good idea to tick the tick box remember this password. If you don’t tick
this tick box, a user will be prompted each time the connect is run for a password.
The connection does not take long to create, once created I can select connect or disconnect
and go down to VPN work and press connect to start the connect up. You will notice that
the connection will fail to connect. Windows will come back saying there was an
error verifying the username and password even though I used a domain administrators
account. This is because no user by default has access to the RAS server. To fix this
problem, I need to switch to my domain controller. To enable access to the administrator, I need
to make a change to the domain administrators account. To do this, I need to run active
directory users and computers found in administrative tools under the start menu.
All I need to do is locate the administrators account under the users “o u”. Select
the properties on the administrator account and then go to the dial in tab. On this tab
you can see by default dial in access is determined by the N P S network policy.
I don’t have N P S configured on this network as yet. N P S is a system designed to help
you control access to your network. Why is it required? Well if you look at the options
above, if I want to enable access for the administrator I need to select the option
allow access. If you have a network with 1000’s of users you need a system like N P S to simplifier
administration. In a moment I will look at how we can use
N P S to configure our network, if I now go back to my windows 7 clients and press the
redial button, you will notice that the computer now connects up to the network.
You will notice that under connections, work VPN has appeared. This computer is now connected
to the work network and to other computers it will appear as if it is on the network
even though it is accessing the network through the RAS server.
To demonstrate this, if I now open a command prompt from the start menu and run the command
IP config. You will notice that computer now has and IP Address of 10 dot 0 dot 0 dot 151.
This is one the IP addresses that I allocated to the RAS server earlier using the configuration
wizard. Imagine on a large network with 100’s or even 1000’s of users having to manually
go into active directory and configure them to be allow access to the network via remote
access. Back in the windows NT days, this is what
you had to do. Now days we can use N P S to do the hard work for us.
N P S or network policy server allows you to create rules defining how users can connect
to your network. If you have used remote access services before, you may notice N P S is simpler
to remote access policy. Network policy server replaces remote access
policy and improves on it. The main role of N P S is to provide, authentication and authorization
settings. On a large network it is essential to have something like network policy server
to deploy settings, otherwise trying to administrator dial in services using active directory and
manually tick and un tick boxes for individual users would be a night mare.
Also as you will see, there are a lot of things you can do with Network Policy Server that
you can’t do by modifying the settings in active directory or using the routing and
remote access tool. Let’s have a look how to use Network policy server.
I already have the routing and remote access tool open from the previous demonstration.
All I need to do is select remote access logging and policies, right click it and select launch
N P S. To see what policies have already been created, select the folder network polices.
You can see here by default that two polices have already been created. There are created
during the installed and you can see they both have an access type of deny. The second
policy checks the time and checks it rule lists for a match.
It’s rule list is set for 24 7 so anything that makes it to this policy is going to be
denied. This policy acts as a catch all to ensure any connections that do not match a
policy are denied. To create a new policy, right click network policies and select new.
For the policy name I will enter in company VPN and for the type of policy I will select
remote access server. You will notice that there are a lot of other type of policies
available. This is one of the reasons for the name change from remote access policies
because the polices have expand to include more than remote access.
On the specify condition you need to enter in some conditions this policy will check
for. You can enter in more than one set of conditions, for example you could enter in
a user group and a date and time condition. As you can see, there are a lot of different
conditions you can set. You can even set conditions based on the protocols been used. In this
particular case I want to create a policy for domain users so I will select windows
groups. From here, it is a simple matter of looking
up the domain users group in active directory and adding it. Once added any user in the
domain users group will be effected by this policy. On this screen you need to select
whether this is an allow or deny policy. In this particular case I want to allow all
domain users to be able to connect to my RAS server. Notice the tick box access is determined
by user dial-in properties. If I tick this tick box, if the condition of the policy are
meet, network policy server will than refer to active directory and either allow or deny
based on the settings in active directory. On this screen you can set the authentication
types, at the top you have E A P types. This basically refers to devices like smart cards.
At the bottom of the screen you have other authentication methods.
Later in the course I will go into more details about these authentication methods. On this
screen you can configure some constraints for your connections. First there is the idle
timeout. If you set a value here, for example 15 minutes, if the user does not perform any
activity for 15 minutes they will be disconnected. The session time out when set will determine
how long a session will be allowed to run for before it is disconnected. The called
station ID can be used to determine where the connection is been made from. If the connect
ion is not been made from an authorized station it will be disconnected.
Day and time restrictions allow the connection only to be made at certain times and if running
outside these times they will be disconnected. With VPN’s and high speed networks, a lot
of these settings are no longer used on most networks.
When you had a network with limited modems, setting like these needed to be set up to
allow a fair access to these facilities. Without settings like these, modem banks would become
jammed and end users would not be able to connect.
With VPN, one server can handle a high amount of connections so fair play issues hardly
ever come up. The last constraints setting is N A S port types. These settings relate
to the type of media the connection comes over.
If you want certain settings for wireless and different settings for wired networks
you could set them here. For example, you could require a higher encryption standard
for wireless than VPN traffic. On the next screen you can configure even more settings.
The first two options relate to RADIUS. If your clients are using radius to connect to
your server, you can send additional options to the client if you wish. If your vendor
has special radius attributes, you can use the next option vendor specific.
The multilink sections refers to using multiple modems together to give you a higher speed.
With high speed internet now days, this is hardly worth the effort setting up, but it
is on by default if you choose to use it. In the IP filters section, you can set IP
filters to block certain traffic. As you can see in the dialog you can set IP addresses
and select different protocols. This allows you to restrict incoming connections from
certain addresses and also stop them connecting to certain locations.
On the encryption screen you can set what type of encryption standard will be allowed.
It is important to note that no encryption is ticked by default. On your network you
may want to clear this tick box. Depending on how old the clients are that
are connecting to your server you may want to deselect lower encryption options. Remember
that high encryption does also put more load on your server, in some cases you may want
to deselect the higher options if you are having performance problems on your server.
The last section let’s you have more control over how the IP address is allocated to the
client. If you want to set static IP addresses or want to let the client choose their own
IP address you will need to set it here. That’s it, press finish and your new policy
has been created. Notice now the policy is the first in the list. This is important.
Policy are evaluated in order until a match is made. If you for example you had the deny
policy first, all connections would be denied regardless of what you set in the other polices.
When troubleshooting policy problems, make sure you look at any policies that are before
the policy in question. If a match is made, windows will not look at the policy.
The last thing that I want to look at is radius. Radius stands for remote authentication dial
in user service. Radius allow for the central management of authentication, authorization
and accounting also known as triple A. If you have a large organization and you want
to centralized administration of your remote connections you should consider installing
a radius server or multiple radius servers throughout your organization.
Radius over the years has expanded from the dial up service that it was originally aimed
at. I have seen radius set up to use smart cards and secure tokens. When a client connections
up to a RAS server, the RAS server will connect to the radius server and either allow or deny
the user. Radius is an open standard so you will find
it is used with other products, not just Microsoft products. If you want to centralize your authentication,
authorization and accounting consider installing a radius server.
When you start configuring your network for remote access remember, a lot of protocols
and devices are used when a remote connection is made. This means there are a lot of places
where problems can occurs. When troubleshooting break the problem down into smaller parts.
Can you ping the other side, if so the connection is fine, the problem may be with authorization.
Check the firewall rules the connection is passing through. Certain protocols require
some non standard ports to be open. If these ports are being blocked on the client, server
or a firewall in between the connection than the connection will fail. Remote access can
be a lot of effort to set up, but when it is running well it is worth the effort.

91 Comments

Add a Comment

Your email address will not be published. Required fields are marked *