70-240 in 15 minutes a week: Windows 2000 Remote Access Page 3

Configuring VPN services

For the purpose of authentication protocols, IP address assignment, and so forth, the VPN ports use the exact same server properties as those used by dial-in clients, so I will not repeat them here. Because of this, I will only cover settings relating specifically to the configuration of VPN ports in this section. 

You probably noticed that by default there were 10 VPN ports automatically configured when RRAS was started, providing 5 PPTP and 5 L2TP ports by default. Since a VPN connection will be coming in over a network card, in theory the number of possible incoming connections is only limited by the processing capabilities of the system, and not by physical ports. However, the maximum number of ports supported is 30,000 for a given type (such a PPTP WAN Miniports for example).

Note that you cannot change the number of ports to 0, even though the system suggests this is possible. At a minimum, you must have one of each port type available. The reason I mention this is because you will need to configure how many of each type of port you wish to have available for connections, as well as which protocol they will use. If you had chosen to use PPTP for VPN connections for example, it would make sense not to allow incoming connections via L2TP. This would be controlled not by setting the number of L2TP ports to 0, but instead by configuring the L2TP WAN Miniport properties to not allow incoming connections, as shown below:

So why would you choose PPTP over L2TP or vice versa? The answer depends on the level of security you require, as well as the security mechanisms that your network supports. For example, PPTP supports only user-level authentication, meaning that any connection using PPTP that has the correct username/password combination will be allowed. In contrast, L2TP requires 2 levels of authentication - first the machine is authenticated (via a machine certificate that would need to be pre-installed either via group policy or using certificate services) and then the user is authenticated using PPP. This allows a higher degree of security, since both the user and machine must be validated. The downside is the extra effort involved with using L2TP, as well as the fact that only Windows 2000 has built-in L2TP and IPSec capabilities among Microsoft operating systems.

DHCP Relay Agent

A DHCP Relay Agent should be configured on you RRAS server if you wish for remote access clients to obtain complete IP settings via DHCP. If you choose to have clients obtain settings from DHCP without setting up a Relay Agent, then the client will only obtain an IP address and subnet mask from the server, regardless of which options may exist. The traditional use of a DHCP Relay Agent was to act similar to a BOOTP Forwarder, a system that allows DHCP broadcasts to be directed to a DHCP server that may exist on another subnet. If DHCP Relay Agents (or equivalent) are not used, then a DHCP server must exist on the same subnet as the client, which may not be practical. 

In RRAS, a DHCP Relay Agent is configured under the IP Routing section. By accessing the DHCP Relay Agent properties, you can configure to which servers DHCP requests will be forwarded by this agent, as shown below.

Note also that by double-clicking on any interfaces in the DHCP Relay Agent interfaces, you can configure both the Hop-count Threshold (which controls the maximum number of relay agents that will handles a request), as well as the Boot Threshold (the number of seconds that the relay agent will wait prior to relaying requests) for the agent. The default value in both cases is 4.

This article was originally published on Oct 29, 2001
Page 3 of 4

Thanks for your registration, follow us on our social networks to keep up-to-date