This scenario shows how you can
connect remote access users to a corporate intranet using dial-up
phone lines.
Objectives
In this scenario, the objectives are as follows:
• To provide a way for employees to connect to the corporate intranet over a dial-up phone line.
• To provide automated address and name resolution configuration during the connection process.
• To provide a way to automatically configure dial-up remote access clients.
• To ensure a high level of security while maintaining compatibility with non-Windows 2000-based clients.
• To provide centralized authentication, authorization, and accounting.
The following section, "Design Logic," shows how the scenario infrastructure achieves these objectives.
Design Logic
The infrastructure shown in Figure 1 achieves the objectives of this scenario.
Figure 1 Dial-up connection infrastructure
In this scenario, a
computer running Microsoft® Windows® 2000 Server provides dial-up
remote access to the corporate network. Dial-up remote access allows
access to corporate network resources by field personnel from a remote
location or by telecommuters from a fixed location.
The Routing and
Remote Access service is installed on a computer running Windows 2000
Server in the Seattle site (remote access server). The remote access
server is configured to receive dial-up remote access requests using
the Microsoft Challenge-Handshake Authentication Protocol version 2
(MS-CHAP v2). The remote access server has dial-up equipment installed
and answers to the phone number 555-0222.
To automate the
configuration of large numbers of dial-up clients, the Connection
Manager service is used on the remote access server to create the
client connection software that is installed on the client. The
connection software provides the configuration for the dial-up
connection with single-click access to the intranet. This scenario
uses a portable computer running Microsoft® Windows® 2000
Professional. However, with a somewhat different setup, the client
might also be a computer running Microsoft Windows NT® version 4.0,
Microsoft Windows 95, or Microsoft Windows 98.
A high level of security is provided by the following:
• MS-CHAP v2, which provides mutual authentication between the remote access client and the remote access server. MS-CHAP v2 works with Windows 95 (with the Dial-Up Networking 1.3 Upgrade) or Windows 98 as well as Windows 2000.
• Microsoft Point-to-Point Encryption (MPPE), which is used for data encryption.
In addition, all the Windows 2000 computers have the Windows 2000 High
Encryption Pack installed.
Because there are multiple virtual private network (VPN) and remote
access servers in the Seattle site, the remote access server is
configured as a Remote Authentication Dial-In User Service (RADIUS)
client to a RADIUS server. The RADIUS server is a computer running
Windows 2000 Server and configured with the Internet Authentication
Service (IAS). The IAS server provides centralized authentication and
authorization of Point-to-Point Protocol (PPP) connection requests and
centralized administration of remote access policies.
The IAS server uses a Seattle site domain controller to obtain user
account properties for authenticating and authorizing connection
attempts. Because the noam.reskit.com
domain is a native mode domain, the access-by-policy administrative
model for remote access policies is chosen.
How It Works
The following process describes how a dial-up connection is created to
connect the portable computer user to the reskit.com intranet:
1. The Connection Manager client software on the portable computer dials the reskit.com dial-up remote access number.
2. A PPP connection is negotiated by using MS-CHAP v2 as the authentication protocol, as shown in Figure 2.
Figure 2 MS-CHAP v2 negotiation
3. During the PPP link negotiation process, the remote access server passes the authentication credentials and connection parameters to the IAS server in the corporate site using a RADIUS Access-Request packet, as shown in Figure 3.
Figure 3 RADIUS Access-Request message sent by the remote access server
4. The IAS server validates the authentication credentials of the portable computer user by using the Active Directory™ directory service on the domain controller, as shown in Figure 4.
Figure 4 Verification of the authentication credentials using a domain controller
5. The IAS server uses the properties of the user account of the portable computer and the Dial-up Remote Access Users remote access policy to authorize the connection.
6. After the connection attempt is authenticated and authorized, the IAS server sends a RADIUS Access-Accept packet back to the remote access server, as shown in Figure 5.
Figure 5 The RADIUS Access-Accept message sent by the IAS server
7. The remote access server completes the PPP connection process and the portable computer is connected to the corporate intranet using an encrypted PPP connection.
How We Did It
This section contains the setup instructions used to set up the
scenario in the lab and the prerequisites for hardware, software, and
administrative rights.
Caution The procedures that we used to configure the
computers and devices in our scenario are presented here as an
example; the actual steps required to configure similar computers and
devices in your own network will be different. Also, this scenario
shows only the procedures necessary for the scenario to work. It does
not cover other procedures that are required in a production network.
For each computer, to
complete the tasks described in the setup instructions, the
administrator must have the appropriate authority to perform the
necessary configuration. By default, the Administrator account for the
root domain (NOAM\Administrator) has the appropriate authority; it
becomes a member of the Enterprise Admins group after a domain
controller is promoted. However, in a production network, you might
want to restrict authority further. The setup instructions explain
which accounts we used.
Our setup
instructions assume the following configuration:
• The hard drives on each computer have been reformatted and the appropriate operating system has been installed.
• Each computer has been named.
• Routing has been set up as appropriate for the computers to communicate, given that they will have the following IP addresses:
| Computer | IP address |
| SEA-NA-RAS-01.noam.reskit.com | 172.16.40.100/22 |
| SEA-NA-IAS-01.noam.reskit.com | 172.16.40.15/22 |
| SEA-NA-DC-01.noam.reskit.com | 172.16.8.11/22 |
Note These
IP addresses are addresses from an IP address range reserved for
private networks. You can use them in a test environment, behind a
firewall, but do not use them on the Internet. For more information,
see RFC 1918.
Table 1 is a list of the hardware and software that were used to
create this scenario in the Microsoft® Windows® 2000 Resource Kit
Deployment Lab.
Table 1 Components Used for Deploying Dial-Up Remote Access in
the Deployment Lab
| Element | Hardware | Software |
| Seattle domain controller SEA-NA-DC-01.noam.reskit.com | Compaq® ProLiant computer | Windows 2000 Server; DNS service |
| Seattle remote access server SEA-NA-RAS-01.noam.reskit.com | Compaq ProLiant computer | Windows 2000 Server; Routing and Remote Access service |
| Seattle IAS server SEA-NA-IAS-01.noam.reskit.com | Compaq ProLiant computer | Windows 2000 Server; Internet Authentication Service |
| Client | Compaq Armada portable computer | Windows 2000 Professional |