Creating a Remote Access Policy in Windows Server 2003

Once the server has been configured to accept incoming connections a remote access policy will need to be created. A remote access policy contains a set of conditions that a client must meet in order to gain access. There must be a remote access policy in place before any clients can connect.

Use the buttons below to navigate through the lesson

Policies are configured from the Routing and Remote Access management console. Expand the Remote Access Policies section to view its contents. To create a new profile, right-click on Remote Access Policies. Select New Remote Access Policy.

The New Remote Access Policy Wizard will appear. Click on Next.

To create your own policy, select Set up a custom policy. Click Next to continue. A set of conditions needs to be created which can be used to allow or deny a user access. Click on Add to add a new condition.

A list of conditions appears which can be used to control access, e.g. The Tunnel-Type or Client-IP-Address attribute can be used to grant/deny access based on the client’s Tunnelling protocol or IP address. Highlight Tunnel-Type to add a new attribute.

Click Add. A list of available Tunnel-Types is shown, select Point-to-Point Tunnelling Protocol from the list. Click Add. Click on OK to accept the Tunnel-Type (PPTP).

The new condition is displayed. This policy will apply to clients who are using the PPTP protocol. Additional conditions can be added if they are needed. Click on Next to continue. Select Grant Remote access permission to grant the user access based on the conditions previously specified. Click Next to continue. If the user matches the specified conditions then the profile will be assigned to the user. Select Edit Profile to change the profile’s properties.

From the Dial-in Constraints tab various options can be configured to restrict or control access. The disconnect if idle for box can be used to disconnect a user if they remain idle for a specified amount of time. The Minutes client can be connected (Session-Timeout) control specifies the maximum amount of time the user is allowed to stay connected.

Access can also be controlled based on the user’s phone number or dial-in media such as ISDN or ADSL. Select the Allow access only on these days and at these times box to configure access times. Currently clients can connect 24 hours a day, 7 days a week. Click on Edit to change the access times. Access is currently permitted for 24 hours a day, 7 days a week. Select Denied to deny access. Highlight the times required from the chart, e.g. Monday-Friday 9am to 5pm and select the Permitted Option. Access is now only permitted during office hours. Click OK to continue.

Click on the IP tab to configure options for the IP protocol. The IP Address Assignment Policy Specifies how a client obtains its IP address. The default setting is to use the server’s settings which were configured when enabling remote access. A client can also request his/her own IP address.

IP filters can be used to allow or disallow communication with specific IP addresses on the remote network.

Multilink can be configured by selecting the Multilink tab. The default setting is to use the server’s settings. The maximum number of ports allowed can be configured by selecting Allow Multilink connections checkbox and specifying the number of ports.

Bandwidth Allocation Protocol can be configured by specifying when BAP should drop a connection. The default setting to drop a port if only 50% of the bandwidth is being used after 2 minutes.

The Authentication Tab specifies which authentication protocols are allowed on this server. The connection will be dropped if the client isn’t using one of the selected protocols.

The Encryption tab is used to set the levels of encryption this server will accept. Currently the client is allowed to connect with any amount of encryption. No encryption should be disabled as sending unencrypted data over the internet is a security risk.

Clients who attempt to connect to this server using no encryption will be automatically dropped.

The Advanced tab is used when the RAS server is using RADIUS from other vendors. Additional attributes can be specified by selecting Add. The default Parameters tell the RAS server’s peers that it is using the PPP protocol. Click on OK to continue.

Once the profile has been created click on Next. Click on Finish to close the wizard.

The new policy is displayed. Any clients that match the conditions for the VPN policy will be granted access as long as they match the conditions specified in the profile.

Configuring User Access

Access can also be controlled through the user account properties page. Users can be denied or granted access based on the account they use to log in with. User properties are either configured through Local Users and Groups or Active Directory Users and Computers depending on the network setup.

The Remote Access Permission (Dial-in or VPN) controls specifies whether the user has or is denied access to the server. Selecting Allow access will give the user dial-in permission.

The Verify Called-ID Check box can be used to verify the user is dialling from a specified phone number. The connection will be dropped if the user is not connecting from the specified phone number.

The Callback Options control box can be used to dial the client back on a specified number. This can add a certain amount of security and also reduce phone charges for the client.

A Static IP Address can be assigned to this particular user by typing an address into the Assign a Static IP Address box.

Static Routes can also be added which will allow the client to route to the connection.