Windows Server 2008 : Configuring Remote Access (part 3)

Dial-Up

Dial-up by definition is the method used to connect a device to a network using a modem and a public telephone service. Dial-up access works in the same exact manner as a telephone connection does. The only true difference is that the two ends of the connections have computer devices communicating rather than people. Dial-up access utilizes normal telephone lines and because of this, the quality of the connection can suffer. Data rates are also limited. The maximum data rate with dial-up access for many years was 56Kbph. ISDN provides faster rates but are still limited compared to cable and DSL.

Dial-up networking using Windows Server 2008 include some of the following components:

• Dial-up Networking Servers You can configure a server running RRAS to provide dial-up networking access to an entire network, or restrict access to the shared resources of the remote access server only.

• Dial-up Networking Clients Remote access clients must be running Windows Server 2008, Windows Server 2003, Windows XP, Windows 2000, Windows NT to have access to the RRAS.

• Remote Access Protocols Remote access protocols are used to negotiate connections and provide framing for LAN protocol data that is sent over a wide area network (WAN) link. RRAS supports LAN protocols such as TCP/IP, which enable access to the Internet. RRAS supports remote access protocols such as PPP.

• WAN Options Clients can dial in by using standard telephone lines and a modem or modem pool. Faster links are possible by using ISDN. You can no longer connect remote access clients to remote access servers by using X.25 or ATM with Windows Server 2008.

• Security Options Windows Server 2008 provides logon and domain security, support for security hosts, data encryption, RADIUS, remote access account lockout, remote access policies, and callback for secure network access for dial-up clients.

Remote Access Policy

Remote access policies are an ordered set of rules that define how connections are either authorized or rejected. For each rule, there are one or more conditions, a set of profile settings, and a remote access permission setting. If a connection is authorized, the remote access policy profile specifies a set of connection restrictions. The dial-in properties of the user account also provide a set of restrictions. Where applicable, user account connection restrictions override the remote access policy profile connection restrictions.

For servers running the RRAS that are configured for the Windows authentication provider, remote access policies are administered from RRAS and apply only to the connections of the RRAS server. Centralized management of remote access policies is also used when you have remote access servers that are running RRAS. Remote access policies validate a number of connection settings before authorizing the connection, including the following:

• Remote access permission

• Group membership

• Type of connection

• Time of day

• Authentication methods

• Advanced conditions such as access server identity, access client phone number, or Media Access Control (MAC) address

• Whether user account dial-in properties are ignored

• Whether unauthenticated access is allowed

After the connection is authorized, remote access policies can also be used to specify connection restrictions, including the following:

• Idle timeout time

• Maximum session time

• Encryption strength

• IP packet filters

Advanced restrictions:

• IP address for PPP connections

• Static routes

Additionally, you can vary connection restrictions based on the following settings:

• Group membership

• Type of connection

• Time of day

• Authentication methods

• Identity of the access server

• Access client phone number or MAC address

• Whether unauthenticated access is allowed

For example, you can have policies that specify different maximum session times for different types of connections or groups. Additionally, you can also specify restricted access for business partners or unauthenticated connections. All of this can be configured using the RRAS panel on the client computer, as shown in Figure 11.5. This is accessible as follows:

Figure 4. Network Policy and Access Tab

This will allow you to set up configurations for your remote access policies.

Network Address Translation (NAT)

Windows Server 2008 provides network address translation (NAT) functionality as part of the RRAS. NAT provides a method for translating the IPv4 addresses of computers on one network into IPv4 addresses of computers on a different network. A NAT-enabled IP router works as a translation service when deployed at the boundary where a private network meets a public network. This allows computers on the private network to access computers on the public network.

The whole reasoning behind the development of NAT technology was as a place holder solution for a greater issue that administrators faced. This problem was IPv4 address-depletion that plagued the Internet community. Due to a huge and continuing rise in computer usage, the number of available globally unique (public) IPv4 addresses was far too small to accommodate the need to access to the Internet. A long-term solution for the problem was well under way in the development of Internet Protocol version 6 (IPv6) addresses, which are supported by Windows Server 2008. Unfortunately, IPv6 is not yet widely adopted and would require extensive reconfiguring to deploy large scale in most organizations. The technology has been in use for more than a decade, but the practical deployment still remains an issue. This is why NAT is still in use, because it allows computers on any network to use reusable private addresses to connect to computers with globally unique public addresses on the Internet.

Small- to medium-sized organizations with private networks to access resources on the Internet or other public networks, use NAT for this reasoning. They configure reusable private IPv4 addresses while the computers on the public servers are set up with globally unique IPv4 addresses. The most useful deployment of NAT is in a small office or home office (SOHO) or a medium-sized business that uses RRAS. NAT technology enables computers on the internal corporate network to connect to resources on the Internet without having to deploy a proxy server.

NAT is a good solution for situations where ICS is not an option, such as when using a VPN or when the clients are using static IP addresses. A real benefit of NAT becomes apparent when dealing with Administration duties. For example, NAT makes it fairly simple to move your Web server or File Transfer Protocol (FTP) server to another host computer without having to worry about broken links. If you merely change the inbound mapping at the router, you can set it to reflect the new host. The same holds true of changes to your internal network. This is because the only external IP addresses either belong to the router or come from a pool of global addresses.