70-240 in 15 minutes a week: Windows 2000 Remote Access Page 2

By ServerWatch Staff
Posted Oct 28, 2001


Note that the device is awaiting an incoming connection, and as such is in a 'Listening' state. Once a connection has been made on this port, the same dialog shows statistics, error information and network address information for that connection, and the Disconnect button lets you manually terminate a session if necessary.

Although the default server properties may be sufficient to provide dial-in service, you should be familiar with the remaining property sheets, since they carry the security and connectivity implications of the configuration. The four remaining property sheets are Security, IP, PPP, and Event Logging.

The Security property sheet allows you to configure which authentication and accounting providers the server will use. By default, both are set to 'Windows', although RADIUS authentication and RADIUS accounting are also available. RADIUS will be explored in my next article. Beyond choosing the provider, you can also choose which authentication protocols the server will accept, as shown below:

Note that EAP, MS-CHAP v2, MS-CHAP, CHAP, SPAP, and PAP are all supported, as is the option to allow unauthenticated access (which I would not suggest, for obvious reasons). By default, MS-CHAP v2 and MS-CHAP are selected, these being the protocols most Windows clients use. The order in which the authentication methods are listed above is also the order of preference in which they are negotiated: the server offers the strongest method it has enabled, and the connection uses the strongest method that both sides support. For example, if my remote access server supports only MS-CHAP v2 and MS-CHAP as listed above, and my client supports only MS-CHAP, then the client connects using MS-CHAP, since that is the strongest method the two have in common. If, however, my client supported only CHAP, its connection would be denied, since my server does not accept CHAP-based authentication. You should be careful with the authentication protocols you allow, limiting the server to only those you actually require. Allowing PAP could lead to security issues, since PAP transmits the username and password in clear text; SPAP and CHAP are also weaker than the MS-CHAP family (CHAP in particular requires that user passwords be stored with reversible encryption so the server can compute the response), and MS-CHAP v2 should be preferred over the original MS-CHAP because it adds mutual authentication of the server to the client.
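The negotiation rule just described, and the audit a practitioner would want to run against the list of enabled methods, can be modelled in a few lines. The following is an added example written for this page, not code from the article or from Windows itself: the preference order and the default server selection come from the text above, while the weakness notes and the `NONE` placeholder for "allow unauthenticated access" are the example's own assumptions.

```python
"""Model of the RRAS authentication-method negotiation and a policy audit (added example)."""
from typing import Iterable, List, Optional

# Server-side preference order, strongest first, as the Security sheet lists the methods.
# "NONE" is this example's placeholder for the "allow remote systems to connect without
# authentication" checkbox; RRAS itself does not name it that way.
PREFERENCE_ORDER = ("EAP", "MS-CHAP v2", "MS-CHAP", "CHAP", "SPAP", "PAP", "NONE")

# Reasons a method is flagged by audit_server_policy(). These are assessments made for
# this example, not strings produced by RRAS.
WEAKNESS = {
    "PAP": "transmits the username and password in clear text",
    "SPAP": "uses Shiva's reversible password encryption rather than challenge/response",
    "CHAP": "requires user passwords to be stored with reversible encryption",
    "MS-CHAP": "version 1 lacks mutual authentication; prefer MS-CHAP v2",
    "NONE": "unauthenticated access lets anyone who can dial in connect",
}

# Windows 2000 RRAS defaults, per the article: MS-CHAP v2 and MS-CHAP enabled.
DEFAULT_SERVER = ("MS-CHAP v2", "MS-CHAP")


def negotiate(server_enabled: Iterable[str], client_supported: Iterable[str]) -> Optional[str]:
    """Return the method the connection will use, or None if the server refuses it.

    The server walks its list strongest-first and accepts the first method the client
    also supports; if the two sets do not overlap at all, the connection is denied.
    """
    enabled = set(server_enabled)
    supported = set(client_supported)
    for method in PREFERENCE_ORDER:
        if method in enabled and method in supported:
            return method
    return None


def audit_server_policy(server_enabled: Iterable[str]) -> List[str]:
    """Return one warning per weak method that is still enabled, strongest-first."""
    enabled = set(server_enabled)
    return [f"{m}: {WEAKNESS[m]}" for m in PREFERENCE_ORDER if m in enabled and m in WEAKNESS]


if __name__ == "__main__":
    # The article's two scenarios: an MS-CHAP-only client connects, a CHAP-only client is denied.
    print(negotiate(DEFAULT_SERVER, ["MS-CHAP"]))
    print(negotiate(DEFAULT_SERVER, ["CHAP"]))
    # A client that supports both defaults gets the stronger one.
    print(negotiate(DEFAULT_SERVER, ["MS-CHAP v2", "MS-CHAP"]))
    # Audit a deliberately loose server configuration.
    for warning in audit_server_policy(("MS-CHAP v2", "MS-CHAP", "PAP", "NONE")):
        print("WARNING", warning)
```

Run against the Windows 2000 defaults, the audit still emits one warning (for MS-CHAP v1), which is the point of the article's advice: trim the list down to MS-CHAP v2 (or EAP) unless you have clients that genuinely cannot use them.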

The IP tab allows you to control settings relating to whether the system can act as an IP router, as well as how remote clients are assigned IP addresses. In particular, you can assign addresses from an existing DHCP server on your network, or from a static pool of addresses specifically for the purpose of remote access. Both options are shown below:

Note that IP is not the only protocol that can be used for remote access connectivity; IPX, AppleTalk, and NetBEUI connections are also supported. If you decide to use DHCP in conjunction with RRAS to allocate IP addressing information to clients, you should note that they will only receive the basic configuration information (IP address and subnet mask) unless you also configure the RRAS server as a DHCP relay agent. If this is done, the client will receive the remaining DHCP options as well, such as the addresses of the WINS and DNS servers. The DHCP Relay Agent configuration will be considered later in the article.

The PPP tab allows you to control basic PPP parameters, including whether you wish to allow Multilink connections (where a client aggregates multiple physical connections into a single logical connection). If you do allow Multilink, you can also control whether the Bandwidth Allocation Protocol (BAP) may be used; BAP makes Multilink dynamic, letting you control the circumstances under which links are added or dropped according to usage. The Link Control Protocol (LCP) extensions option enables the additional LCP options (such as callback, time-remaining and identification) that are negotiated when the data link is configured, and must be enabled if you wish to support callback on your RAS server. Finally, the software compression setting allows data sent over the PPP connection to be compressed.

The final tab, Event Logging (shown below), controls how much remote access activity is written to the system event log (errors only, errors and warnings, or the maximum amount of information) and whether PPP logging is enabled. If you choose to enable PPP logging (which is beneficial when troubleshooting PPP connection problems), connection attempt information will be written to the %systemroot%\Tracing folder, into a file called ppp.log. Note that this logging can have a negative impact on system performance, and that enabling it requires the RRAS service to be stopped and restarted.


