Remote Access Overview

Many people work away from their offices, so Windows Server 2008 provides the Routing and Remote Access Service (RRAS), which lets users connect to their office machines from elsewhere. RRAS allows a client to connect to the network from a remote location, either over a standard dial-up connection or via the internet. Once the client has connected to the network remotely, he/she can access the network as if sitting in the same room. There are two types of remote access: Dial-up Networking (DUN) and Virtual Private Networks (VPNs).

Dial-up Networking (DUN)

With dial-up networking the client dials the phone number of the server and connects to the network through a standard phone line. The Point-to-Point Protocol (PPP) enables TCP/IP packets to be sent over a serial link. Dial-up connections can be costly to set up and run: a dedicated phone line is required for each connection, which can be expensive, especially when the call comes from another country. Although standard phone lines are slow, several lines can be grouped together to form a faster connection. This is known as multilink.

The PPP Protocol

The Point-to-Point Protocol (PPP) enables any two computers to establish a TCP/IP connection over a serial link. This serial link can be a dial-up modem connection, a serial cable, or an infrared link. The machine making the connection is known as the Remote Access Service (RAS) client and the machine receiving the connection is known as the Remote Access Service (RAS) server. Six further protocols run on top of PPP; all of them play a part in the PPP negotiation process:

  1. The Link Control Protocol (LCP) establishes the PPP link between the two endpoints. LCP is how the two machines agree to use PPP.
  2. The Challenge Handshake Authentication Protocol (CHAP) allows the client machine to authenticate to the server. Other authentication protocols are covered later.
  3. The Callback Control Protocol (CBCP) allows the server to hang up and call the client back. This reduces charges for the client and provides some security, since the server calls a known number.
  4. The Compression Control Protocol (CCP) allows the two sides to agree what kind of compression, if any, they want to use. Compression can be used to improve PPP throughput.
  5. The IP Control Protocol (IPCP) allows the two sides to negotiate how they are going to structure the IP packets, e.g. the size of each datagram.
  6. The Internet Protocol (IP) itself then allows the client to begin communicating.
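The challenge/response step that CHAP (item 2 above) performs can be shown end to end. The following Python is an added example, not code from this page or from Windows RRAS: it models a RAS server and a RAS client exchanging the CHAP Challenge, Response and Success/Failure packets as RFC 1994 defines them, where the response value is MD5 over the packet identifier, the shared secret and the challenge value. The user name, the secret and the `RasServer`/`RasClient` class names are constructed for the illustration.

```python
"""CHAP (RFC 1994) exchange between a RAS client and a RAS server.

Added example: the names, secret and packet dictionaries are constructed
for illustration and are not Windows RRAS code."""
import hashlib
import hmac
import os

# CHAP packet codes from RFC 1994.
CHALLENGE, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4


def chap_hash(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Response Value = MD5(Identifier || Secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class RasServer:
    """The authenticator. It must hold each user's cleartext secret,
    because CHAP recomputes the hash rather than comparing stored hashes."""

    def __init__(self, users: dict, rng=os.urandom):
        self.users = users          # user name -> secret (constructed data)
        self.rng = rng
        self.pending = {}           # identifier -> outstanding challenge value

    def challenge(self, identifier: int) -> dict:
        value = self.rng(16)        # fresh random challenge every time
        self.pending[identifier] = value
        return {"code": CHALLENGE, "id": identifier, "value": value,
                "name": "ras-server"}

    def verify(self, response: dict) -> dict:
        # A challenge may be answered once; pop() makes a replayed response fail.
        value = self.pending.pop(response["id"], None)
        secret = self.users.get(response["name"])
        if value is None or secret is None:
            return {"code": FAILURE, "id": response["id"]}
        expected = chap_hash(response["id"], secret, value)
        ok = hmac.compare_digest(expected, response["value"])   # constant-time compare
        return {"code": SUCCESS if ok else FAILURE, "id": response["id"]}


class RasClient:
    """The peer being authenticated; it never sends the secret itself."""

    def __init__(self, name: str, secret: bytes):
        self.name = name
        self.secret = secret

    def respond(self, challenge: dict) -> dict:
        return {"code": RESPONSE, "id": challenge["id"],
                "value": chap_hash(challenge["id"], self.secret, challenge["value"]),
                "name": self.name}


def authenticate(server: RasServer, client: RasClient, identifier: int = 1) -> bool:
    """Run one full Challenge -> Response -> Success/Failure round trip."""
    chal = server.challenge(identifier)
    resp = client.respond(chal)
    return server.verify(resp)["code"] == SUCCESS


def replay_is_rejected(server: RasServer, client: RasClient) -> bool:
    """Capture a valid Response and send it a second time: the server must refuse it."""
    chal = server.challenge(7)
    resp = client.respond(chal)
    first = server.verify(resp)["code"] == SUCCESS
    second = server.verify(resp)["code"] == SUCCESS
    return first and not second


if __name__ == "__main__":
    users = {"alice": b"correct-horse"}          # constructed account store
    server = RasServer(users)
    print("good secret:", authenticate(server, RasClient("alice", b"correct-horse")))
    print("bad secret: ", authenticate(server, RasClient("alice", b"wrong")))
    print("replay rejected:", replay_is_rejected(server, RasClient("alice", b"correct-horse")))
```

Two properties are worth noticing. The server must keep the cleartext secret in order to recompute the hash, so the account store on a RAS or RADIUS server needs protecting. And a captured response is useless later, because each challenge is fresh and is forgotten as soon as it has been answered, which `replay_is_rejected` demonstrates.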

PPP can also carry other protocols such as NWLink. After the LCP negotiation completes, the server knows which protocol the client wishes to use, and it can either drop the connection or accept it using that other protocol. The client and server machines then wrap the protocol inside an IP datagram (encapsulation). The client can communicate with the server quite happily without ever knowing that its non-TCP/IP packets are being encapsulated.

Remote Access Protocols

Serial Line Internet Protocol (SLIP) is an older protocol for relaying IP packets over dial-up lines. It defines an encapsulation mechanism but lacks support for dynamic address assignment, link testing, or carrying different protocols over a single link. Windows 2000/XP/2003 clients can dial out using SLIP, but a Windows Server 2008 RAS server cannot accept SLIP connections.

Apple Remote Access Protocol (ARAP) is used by Apple Macintosh machines to connect to a Remote Access Server. Windows clients can't use ARAP; however, a Windows Server 2008 Remote Access Server can accept ARAP connections.

Virtual Private Networks

A more cost-effective way to provide remote access is a VPN. Here a tunnel is created through the internet to the remote location using a standard internet connection. This can be very cost effective, since all that both sides need is an internet connection; even if the remote machine is located overseas, you only pay for the cost of that connection. Dedicated phone lines aren't needed, since the machine's IP address is used rather than a phone number. The tunnel is created using a tunnelling protocol, and two are available in Windows Server 2008: PPTP and L2TP. The tunnel is essentially a passage through other networks such as the internet, which is why it is recommended that VPNs use encryption: all data inside the tunnel is then encrypted to protect it from intruders. All the client needs is the IP address of the server; the routers on the internet get the packets to the remote network.

Routing and Remote Access

A remote access server can also route traffic for other machines on the network. Two networks can then be connected as if they were in the same office, while only two internet connections are needed. A Remote Access Server can also be configured with a demand-dial interface, so that the connection is established automatically when a client on the network requests it.

Multilink

Using multilink, two or more ports can be combined to provide a faster connection, e.g. two 56k phone lines can be combined into a single, faster 112k connection. Multilink can be expensive, as multiple phone lines may be required for a single connection.

Bandwidth Allocation Protocol (BAP)

To use multilink it must be enabled on both the client and the server, and the client machine must support it. The Bandwidth Allocation Protocol (BAP) can be used to control the number of ports clients may use: BAP drops any port that goes unused. For example, a client may have two ports connected but use only one of them for a period of 5 minutes; BAP will then drop the idle port.

Remote Authentication Dial-in User Service (RADIUS)

Remote Authentication Dial-in User Service (RADIUS) provides a centralized authentication service for Remote Access Servers. Authentication requests can be forwarded to a RADIUS server rather than creating user accounts on every RAS server on the network. RADIUS is useful on mixed networks, e.g. a mixture of Windows 2000 and Windows 2003 Remote Access Servers. Windows Server 2008 includes its own RADIUS implementation, known as Internet Authentication Service (IAS).
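To make concrete what forwarding an authentication request to a RADIUS server involves on the wire, here is an added Python example (not Windows IAS code and not from this page). It builds an RFC 2865 Access-Request carrying User-Name and a User-Password hidden with the shared secret, lets a minimal RADIUS server recover the password and answer with Access-Accept or Access-Reject, and has the RAS side verify the Response Authenticator. The shared secret, user name and password are constructed values; the packet codes and attribute types 1 and 2 are the real RFC 2865 numbers.

```python
"""RFC 2865 RADIUS Access-Request / Access-Accept between a RAS server and a
RADIUS server. Added example with constructed secret and credentials."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes
USER_NAME, USER_PASSWORD = 1, 2                          # RFC 2865 attribute types


def _attr(atype: int, value: bytes) -> bytes:
    """Type (1 byte) | Length (1 byte, includes these 2 header bytes) | Value."""
    return bytes([atype, len(value) + 2]) + value


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, then XOR each block with
    MD5(secret + previous output block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    prev, out = authenticator, b""
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; the NUL padding is stripped afterwards."""
    prev, out = authenticator, b""
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def parse_attrs(data: bytes) -> dict:
    """Walk the Type/Length/Value list; a length below 2 would loop forever."""
    attrs, i = {}, 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2:
            raise ValueError("malformed attribute")
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def build_access_request(secret, identifier, authenticator, username, password) -> bytes:
    """RAS side: Code | Identifier | Length | Request Authenticator | Attributes."""
    attrs = _attr(USER_NAME, username) + \
        _attr(USER_PASSWORD, hide_password(password, secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def radius_server(secret: bytes, users: dict, request: bytes) -> bytes:
    """RADIUS side: recover the password, check it, sign the reply."""
    code, identifier, length = struct.unpack("!BBH", request[:4])
    req_auth = request[4:20]
    attrs = parse_attrs(request[20:length])
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
    user = attrs.get(USER_NAME)
    accepted = user in users and hmac.compare_digest(users[user], password)
    header = struct.pack("!BBH", ACCESS_ACCEPT if accepted else ACCESS_REJECT, identifier, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret);
    # this reply carries no attributes.
    resp_auth = hashlib.md5(header + req_auth + secret).digest()
    return header + resp_auth


def verify_response(secret: bytes, req_auth: bytes, response: bytes) -> bool:
    """RAS side: only a holder of the shared secret can have produced this reply."""
    length = struct.unpack("!H", response[2:4])[0]
    expected = hashlib.md5(response[:4] + req_auth + response[20:length] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def response_code(response: bytes) -> int:
    return response[0]


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    req_auth = os.urandom(16)                    # fresh per request
    req = build_access_request(secret, 42, req_auth, b"alice", b"pa55word")
    reply = radius_server(secret, {b"alice": b"pa55word"}, req)
    print("code:", response_code(reply), "authentic:", verify_response(secret, req_auth, reply))
```

The password is hidden only by an MD5 keystream derived from the shared secret, and the reply is authenticated only by that same secret. That is why RADIUS deployments use long random secrets and keep the RAS-to-RADIUS path on a trusted network or inside IPsec. Each request also needs a fresh random Request Authenticator: reusing one means two passwords are hidden with the same keystream.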

Tunnelling Protocols

Virtual Private Networks (VPNs) use a tunnelling protocol to create the virtual tunnel through the internet. Microsoft Windows Server 2008 ships with two tunnelling protocols: PPTP and L2TP.

Point to Point Tunnelling Protocol (PPTP)

PPTP encapsulates PPP packets in IP datagrams for transmission over the internet. Most clients support PPTP, which makes it useful in mixed networks. PPTP provides its own encryption via Microsoft Point-to-Point Encryption (MPPE). PPTP is mostly self-configuring and easy to set up.
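The encapsulation PPTP performs is specified in RFC 2637: each PPP frame is carried in an "enhanced GRE" header (IP protocol 47) whose key field holds the payload length and the call ID. The Python below is an added example, not code from this page or from Windows; it builds and parses that framing so a packet from the tunnel can be checked for which PPP protocol it actually carries. The call ID, sequence numbers and payload bytes are constructed sample values.

```python
"""PPTP data channel framing (RFC 2637 section 4): PPP inside enhanced GRE.
Added example; all packet values are constructed."""
import struct

GRE_PROTO_PPP = 0x880B      # Protocol Type for PPP in enhanced GRE (RFC 2637)
PPP_IP = 0x0021             # PPP protocol numbers used below
PPP_LCP = 0xC021
PPP_COMPRESSED = 0x00FD     # MPPE-encrypted payloads travel as "compressed datagram"

# First header byte: C=0 R=0 K=1 S=1 s=0 Recur=000, i.e. key and sequence present.
FLAG_KEY, FLAG_SEQ = 0x20, 0x10
# Second header byte: A bit, four zero flag bits, Ver=1.
FLAG_ACK, VERSION = 0x80, 0x01


def ppp_frame(protocol: int, data: bytes) -> bytes:
    """HDLC-style PPP frame: address 0xFF, control 0x03, 16-bit protocol, data."""
    return b"\xff\x03" + struct.pack("!H", protocol) + data


def encapsulate_pptp(call_id: int, seq: int, ppp: bytes, ack=None) -> bytes:
    """Wrap a PPP frame in the enhanced GRE header (the IP header is left to the stack)."""
    second = VERSION | (FLAG_ACK if ack is not None else 0)
    header = struct.pack("!BBHHH", FLAG_KEY | FLAG_SEQ, second, GRE_PROTO_PPP, len(ppp), call_id)
    header += struct.pack("!I", seq)
    if ack is not None:
        header += struct.pack("!I", ack)
    return header + ppp


def parse_pptp(packet: bytes) -> dict:
    """Decode the GRE header and report which PPP protocol the tunnel carries."""
    if len(packet) < 8:
        raise ValueError("too short for an enhanced GRE header")
    first, second, proto, plen, call_id = struct.unpack("!BBHHH", packet[:8])
    if proto != GRE_PROTO_PPP or (second & 0x07) != VERSION or not first & FLAG_KEY:
        raise ValueError("not a PPTP (enhanced GRE) packet")
    offset, seq, ack = 8, None, None
    if first & FLAG_SEQ:
        seq = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    if second & FLAG_ACK:
        ack = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    payload = packet[offset:offset + plen]
    if len(payload) != plen or plen < 4:
        raise ValueError("payload length field does not match the packet")
    ppp_proto = struct.unpack("!H", payload[2:4])[0]
    return {"call_id": call_id, "seq": seq, "ack": ack,
            "ppp_protocol": ppp_proto,
            "plaintext_ip": ppp_proto == PPP_IP,   # 0x0021 means IP with no MPPE
            "data": payload[4:]}


if __name__ == "__main__":
    frame = ppp_frame(PPP_IP, b"\x45\x00\x00\x14" + b"\x00" * 16)   # constructed IPv4 header bytes
    pkt = encapsulate_pptp(call_id=0x1234, seq=7, ppp=frame, ack=3)
    print(parse_pptp(pkt))
```

A defender's use for this: in a capture of protocol 47 traffic between a client and a PPTP server, a data packet whose PPP protocol is 0x0021 is IP travelling in the clear, which means MPPE was not negotiated for that call (encrypted payloads appear as 0x00FD instead). The page's advice that VPN tunnels use encryption is therefore something that can be verified on the wire rather than assumed.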

Layer 2 Tunnelling Protocol (L2TP)

L2TP combines Cisco technology with PPTP and uses UDP to maintain the session and pass datagrams down the tunnel. L2TP cannot be used with down-level clients; if NT4/9x clients need to establish a connection, PPTP is used instead. L2TP doesn't include its own encryption but works with the more secure IPSec. Certificate Services are needed for encryption when using L2TP, so ensure that both the client and server machines have valid certificates.