Friday, April 15, 2011

Remote Access Addressing

Remote Access Addressing.

When a client connects to a remote access server, both the client end and the server end of the connection need an address (such as an IP address) that identifies them on the network. As part of the remote access configuration, you need to decide how addresses are assigned to remote clients. The three methods are compared below.

Addressing method / Characteristics

DHCP-delivered
  Configure the remote access server and client to obtain an address from a DHCP server. When the first client requests a remote access connection:
  1. The server requests a block of 10 addresses from the DHCP server.
  2. The server uses one address for its own remote access port.
  3. The server assigns the other addresses in the block to incoming clients.
  4. When the block is exhausted, the server requests additional addresses in further blocks of 10.

Automatic assignment
  Configure a range of addresses (a static address pool) on the remote access server for its clients. One address from the pool is automatically assigned to the remote access port on the server. Clients are assigned an IP address from the pool as they connect.

Static IP address
  You can configure the client with a specific IP address that it uses when it connects to the remote access server. Doing so requires two steps:
  • Configure the IP address for the dial-up connection on the client.
  • Configure the remote access policy to allow clients to request an IP address.
  A client-requested address is not tied to the authenticated user; where a fixed address matters (for example, for firewall rules), assign it in the user account's dial-in properties instead of letting the client choose.
Remote Access Facts.

Keep in mind the following facts about configuring remote access.
  • The number of concurrent dial-up modem connections depends on the number of modems installed on the remote access server. If only one modem is installed, you can have only one modem connection at a time.
  • Before shutting a remote access server down, disconnect idle client sessions.
  • To enable clients to receive their addresses from a DHCP server, configure the remote access server to use DHCP for addressing.
  • PPP as the WAN protocol supports both DHCP-assigned addressing and link encryption (MPPE); DHCP itself provides no encryption, so encryption is a separate profile setting.
  • To allow remote clients to access resources on both the remote access server and the local network, enable both remote access and LAN routing. To restrict access to only the remote access server, enable only remote access.
  • For each LAN protocol used on the private network, the client must be configured with every protocol used by the devices it communicates with.
  • To access resources on a remote network, users must also be given the appropriate permissions; remote access permission alone grants nothing on the resources.
Authentication Protocol Comparison.

Authentication protocols verify that remote users hold the credentials required for remote access. The following list compares the authentication protocols supported by a Windows 2003 remote access server, ordered from least secure to most secure. As a rule, select the strongest authentication supported by all of your clients, and disable the weaker ones on the server so a client cannot negotiate down to them.

Protocol / Characteristics / Client support

Password Authentication Protocol (PAP)
  The client sends the username and password in plain text, so the password can be read by anyone on the path.
  Use only when no other form of authentication is supported.
  Clients: 2003/XP/2000; NT 3.5/4.0; 95/98/ME

Shiva Password Authentication Protocol (SPAP)
  Used to connect to a Shiva LAN Rover. The password is sent encrypted, but the encryption is reversible and the exchange can be replayed.
  Clients: 2003/XP/2000; NT 3.5/4.0; 95/98/ME

Challenge Handshake Authentication Protocol (CHAP)
  Three-way handshake (challenge/response). The response is an MD5 hash over the challenge and the shared secret, so the password never crosses the link.
  The server must be able to recompute the hash, so CHAP on Windows requires the account password to be stored with reversible encryption.
  Clients: 2003/XP/2000; NT 3.5/4.0; 95/98/ME

Microsoft Challenge Handshake Authentication Protocol version 1 (MS-CHAP v1)
  Like MS-CHAP v2, uses challenge/response; the response is derived from a hash of the password, so the password itself is not sent.
  Only the server authenticates the client; the client cannot verify the server.
  Clients: 2003/XP/2000; NT 3.5/4.0; 95/98/ME

Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2)
  Strongest authentication available without EAP. Challenge/response in both directions, so client and server authenticate each other, and the password itself is not sent.
  A captured MS-CHAP v2 exchange can still be attacked offline against the password, so on untrusted links run it inside a TLS tunnel (PEAP-MS-CHAP v2, below) rather than bare.
  Clients: 2003/XP/2000; NT 4 (SP4); 98 (SP1); 95 (with the latest updates, VPN connections only)

Extensible Authentication Protocol (EAP)
  Client and server negotiate the authentication method. Used for certificate (smart card) or biometric authentication.
  Clients: 2003/XP/2000
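To make the difference between PAP and CHAP concrete, here is an added example (not part of the original page and not RRAS code) that simulates both exchanges over a "wire" an eavesdropper can read. It implements the CHAP response exactly as RFC 1994 defines it (MD5 over identifier, secret and challenge) and then shows what a passive listener learns in each case: PAP hands over the password directly, while CHAP hides it but still leaves a challenge/response pair that can be tested offline against guesses. The username, password and wordlist are constructed sample data.

```python
"""PAP vs CHAP on a PPP link: what crosses the wire, and what a sniffer can do with it.
Added illustration with constructed data; the two 'peers' are plain functions."""
import hashlib
import hmac
import os

SHARED_SECRET = "Winter2011!"   # constructed sample password (assumption)


# --- PAP (RFC 1334): the password itself crosses the link ---------------------
def pap_authenticate_request(username, password):
    """Client -> server. Nothing protects the password."""
    return {"code": "Authenticate-Request", "peer_id": username, "password": password}


def pap_server_check(msg, user_db):
    return user_db.get(msg["peer_id"]) == msg["password"]


# --- CHAP (RFC 1994) with MD5 -------------------------------------------------
def chap_challenge(identifier):
    """Server -> client: a fresh random challenge; the secret stays on both ends."""
    return {"code": "Challenge", "id": identifier, "value": os.urandom(16)}


def chap_response_value(identifier, secret, challenge):
    # RFC 1994 section 2.3: MD5 over Identifier || secret || Challenge Value
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


def chap_response(challenge, username, secret):
    """Client -> server: hash of the challenge and secret, never the secret itself."""
    return {"code": "Response", "id": challenge["id"],
            "value": chap_response_value(challenge["id"], secret, challenge["value"]),
            "name": username}


def chap_server_check(challenge, response, user_db):
    """The server needs the cleartext (or reversibly encrypted) secret to recompute
    the hash, which is why Windows CHAP requires reversible password storage."""
    secret = user_db.get(response["name"])
    if secret is None or response["id"] != challenge["id"]:
        return False
    expected = chap_response_value(challenge["id"], secret, challenge["value"])
    return hmac.compare_digest(expected, response["value"])


# --- run each exchange over a wire the eavesdropper can read ------------------
def run_pap(wire, user_db):
    msg = pap_authenticate_request("alice", SHARED_SECRET)
    wire.append(msg)
    return pap_server_check(msg, user_db)


def run_chap(wire, user_db):
    ch = chap_challenge(identifier=7)
    wire.append(ch)
    resp = chap_response(ch, "alice", SHARED_SECRET)
    wire.append(resp)
    return chap_server_check(ch, resp, user_db)


def pap_password_from_wire(wire):
    """Passive attacker against PAP: just read the password off the link."""
    for m in wire:
        if m.get("code") == "Authenticate-Request":
            return m["password"]
    return None


def chap_offline_guess(wire, wordlist):
    """Passive attacker against CHAP: the password is not on the wire, but the
    captured challenge/response pair can be tested against candidate passwords."""
    ch = next((m for m in wire if m.get("code") == "Challenge"), None)
    resp = next((m for m in wire if m.get("code") == "Response"), None)
    if ch is None or resp is None:
        return None
    for guess in wordlist:
        if chap_response_value(ch["id"], guess, ch["value"]) == resp["value"]:
            return guess
    return None
```

Run it with a user database of `{"alice": SHARED_SECRET}`: both exchanges authenticate, `pap_password_from_wire` recovers the password from the PAP capture immediately, and `chap_offline_guess` only recovers it if the password is in the attacker's wordlist. That last line is the reason the table treats CHAP-family protocols as an improvement, not a solution, and why the page recommends EAP or a PEAP tunnel where the clients support it.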
For wireless clients, the most secure option is Protected EAP (PEAP), which first builds a TLS tunnel to the access point's authentication server and then runs the inner authentication inside it. When using PEAP, select one of the following two inner methods:
  • PEAP-EAP-TLS. The client authenticates with a certificate (on the local system or on a smart card).
  • PEAP-MS-CHAP v2. The server presents a certificate, but the client authenticates with a password inside the tunnel. Use this method when the client does not have a certificate.
PEAP support is available as follows:
  • Windows XP SP1, included as a feature of the service pack.
  • Windows Server 2003.
  • Windows 2000, supported through a separate download and install.
Remote Access Client Configuration.

You should know the following facts about remote access client configuration:
  • The client must be running all networking protocols (such as IP or IPX) that are used on the destination computers.
  • Both the remote access client and the remote access server must use a common WAN protocol (such as PPP).
  • If your client and server have multiple modems, you can configure both to use multilink. With multilink, multiple physical connections are combined to increase the bandwidth of a single logical connection. When using multilink, enable Bandwidth Allocation Protocol (BAP) so links are added and dropped according to link activity.
  • Callback is a security feature in which the server disconnects the user after authentication and then immediately calls the user back. The server can use a preset phone number for each user, or the user can enter a callback number after authentication. Only the administrator-set number adds security (the caller must be at a known number); a caller-supplied number merely shifts the toll charges to the server. You cannot use multilink and callback together.
  • To configure remote clients for DNS, give them the IP address of the DNS server on the private network. DNS requests will then be routed to that server over the remote access connection.
Remote Access Policy Facts.

A remote access policy consists of the following components. Policies are evaluated in order, and the first policy whose conditions all match is the one applied; if no policy matches, the connection is rejected.

Component / Description

Conditions
  Conditions identify which policy applies to an incoming connection. The remote access server checks the conditions of each policy in turn. If all conditions of a policy match, the server uses that policy together with the user account settings to determine whether to allow or deny access.

Permissions
  Permissions determine whether remote access is granted or denied. The result comes from a combination of the user account's dial-in setting and the policy's permission. There are only three possible settings:
  • Grant remote access
  • Deny remote access
  • Control access through the remote access policy (only settable in the user account)
  An account set to Grant or Deny overrides the policy's permission; only an account set to "Control access through remote access policy" takes the policy's Grant or Deny.

Profile
  A profile is the set of settings applied to the connection once access is granted. Profile settings can still reject or restrict connections that:
  • Use a specific media type
  • Are initiated during specific days and times
  • Use specific authentication protocols
  • Use specific encryption protocols
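The order in which these three components interact is easy to get wrong, so here is an added example (constructed, not Microsoft code) that models the evaluation a Windows 2003 remote access server performs: find the first policy whose conditions all match, apply the account's dial-in setting (with Grant/Deny on the account overriding the policy), and only then enforce the profile constraints. The policies, accounts, group names and the attributes modelled (media, group, weekday, hour, authentication protocol) are all assumptions chosen to exercise each branch.

```python
"""Remote access policy evaluation: conditions -> permission -> profile.
Added example with constructed policies and accounts; not RRAS/IAS code."""
from dataclasses import dataclass, field
from datetime import datetime

# Account dial-in settings
ALLOW, DENY, CONTROL_BY_POLICY = "allow", "deny", "control-by-policy"
# Policy permissions
GRANT = "grant"


@dataclass
class Connection:
    user: str
    groups: set            # group memberships of the authenticated user
    media: str             # "modem" or "vpn"
    auth_protocol: str     # "pap", "chap", "mschapv2", "eap"
    when: datetime


@dataclass
class Policy:
    name: str
    conditions: dict       # attribute -> set of acceptable values (all must match)
    permission: str        # GRANT or DENY
    profile: dict = field(default_factory=dict)   # constraints applied after grant


def conditions_match(policy, conn):
    """Every condition must match; an empty condition list matches everything,
    which is how a catch-all 'deny' policy at the end of the list works."""
    attrs = {"media": {conn.media},
             "group": set(conn.groups),
             "day": {conn.when.strftime("%a")}}
    return all(attrs.get(attr, set()) & allowed for attr, allowed in policy.conditions.items())


def profile_allows(profile, conn):
    """Profile constraints can still reject a connection that was granted access."""
    if "auth_protocols" in profile and conn.auth_protocol not in profile["auth_protocols"]:
        return False
    if "media" in profile and conn.media not in profile["media"]:
        return False
    if "hours" in profile:
        start, end = profile["hours"]
        if not start <= conn.when.hour < end:
            return False
    return True


def evaluate(policies, accounts, conn):
    """Return (decision, reason) in the order the remote access server applies them."""
    if conn.user not in accounts:
        return ("deny", "unknown account")
    policy = next((p for p in policies if conditions_match(p, conn)), None)
    if policy is None:
        return ("deny", "no matching policy")
    account = accounts[conn.user]
    if account == DENY:
        return ("deny", "account dial-in permission is Deny")
    if account == CONTROL_BY_POLICY and policy.permission != GRANT:
        return ("deny", "policy '%s' denies access" % policy.name)
    # account ALLOW overrides a policy DENY, but the profile is still enforced
    if not profile_allows(policy.profile, conn):
        return ("deny", "profile of '%s' rejects the connection" % policy.name)
    return ("allow", "policy '%s'" % policy.name)


# Constructed sample configuration (assumptions, not a real deployment)
WEEKDAYS = {"Mon", "Tue", "Wed", "Thu", "Fri"}
POLICIES = [
    Policy("VPN staff", {"media": {"vpn"}, "group": {"Staff"}}, GRANT,
           {"auth_protocols": {"mschapv2", "eap"}}),
    Policy("Dial-up business hours", {"media": {"modem"}, "day": WEEKDAYS}, GRANT,
           {"hours": (8, 18), "auth_protocols": {"mschapv2", "eap"}}),
    Policy("Default deny", {}, "deny"),
]
ACCOUNTS = {"alice": CONTROL_BY_POLICY, "bob": DENY, "carol": ALLOW}


def decide(user, groups, media, auth_protocol, when):
    return evaluate(POLICIES, ACCOUNTS, Connection(user, set(groups), media, auth_protocol, when))
```

Note that `carol`, whose account is set to Grant, is admitted by the dial-up policy regardless of its permission but is still turned away outside the profile's hours, while `alice`, set to control-by-policy, falls through to the catch-all deny as soon as no granting policy's conditions match her connection.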
