
Document: Remote Access (pptx)


Remote Access

This chapter covers the remote access services provided with Windows 2000 to enable dial-up access (client and server) for remote connectivity, including dial-up connections to the Internet.
Windows 2000 RAS and Telephony Services
RAS stands for Remote Access Services. In Windows 2000,
RAS enables Windows 2000 clients to dial other systems
for access to remote networks, including the Internet, and
enables Windows 2000 computers to act as dial-up servers
for remote clients. The Routing and Remote Access Service
(RRAS) enables a Windows 2000 Server to function as a router.
RAS and RRAS are integrated into a single service in Windows
2000. This chapter examines the features in RRAS for dial-up
networking that enable a Windows 2000 computer to function
as both a dial-up server and dial-up client.
Cross-Reference: You’ll find a detailed explanation of the Routing and Remote Access Service and how to use it for routing in Chapter 12.
The following sections provide an overview of these RAS features. Later sections explain protocol, security, and configuration issues.
Overview of Windows 2000 RRAS
Remote access enables a client computer to connect to a remote computer or network and access the resources of the remote computer or network as if they were local. For example, users who are frequently on the road can access the company file server(s), printers, mail system, and other resources from remote locations. Clients also can use remote access services to connect to public networks such as the Internet. Figure 15-1 illustrates one implementation of remote access.
Chapter 15
In This Chapter
✦ Windows 2000 Remote Access Services (RAS)
✦ RAS Connection Types and Protocols
✦ Configuring RAS
✦ Configuring a VPN Server
✦ Using Multilink and BAP
✦ Using RADIUS
✦ Remote Access Policy
✦ Security Issues
✦ Configuring Dial-Up Networking Connections
✦ Using Internet Connection Sharing
✦ Troubleshooting RAS Installations
✦ Connecting to the Internet
4667-8 ch15.f.qc 5/15/00 2:06 PM Page 553
Part IV ✦ Networking and Communications Services
Figure 15-1: RRAS enables remote users to connect to the local computer
or network, and also supports dial-out connections from Windows 2000 clients.
The Routing and Remote Access Service in Windows 2000 provides three primary
functions:
✦ Dial-up client: You can use the RRAS service to create and establish dial-up connections to remote networks, including the Internet, through a variety of media, including modem, ISDN, infrared, parallel ports, serial connection, X.25, and ATM. Windows 2000 dial-up clients support a wide range of authentication protocols and other connectivity options, which are discussed in depth in later sections of this chapter. Support for tunneling protocols enables clients to establish secure connections to remote networks through public networks such as the Internet.
✦ Dial-up server: A Windows 2000 server can function as a dial-up server, allowing remote clients to connect to the local server and optionally to the local network through the same types of media supported for dial-out connections (see previous). You can also use RAS to support terminal service client sessions because RAS issues an IP address to the connecting clients and binds the necessary protocols to the RAS connection.
Windows 2000 supports several authentication protocols and can authenticate users against local or domain user accounts, or it can use RADIUS (Remote Authentication Dial In User Service), an industry standard authentication mechanism. Once connected, a remote user can browse, print, map drives, and perform essentially all other functions possible from either the local server or local area network.
✦ Routing services: The routing components of RRAS enable a Windows 2000 server to function as a unicast and multicast router. Windows 2000 provides for routing, packet filtering, connection sharing, demand-dial routing, and several other features that make it an excellent choice for LAN and WAN routing.
RRAS in Windows 2000 integrates the remote access and routing services that formerly were separate services in Windows NT Server. RRAS in Windows 2000 is an extension and improvement upon Windows NT’s Routing and Remote Access Service, which was issued as an add-on for Windows NT Server. Although Windows 2000 RRAS integrates dial-up networking and routing into a single service, they are treated as separate issues in this book because of the different focus for each.
One of the key benefits of Windows 2000 RRAS is its integration with the Windows 2000 operating system. On the client side, integration means that once a remote connection is established, the client can access resources on the server transparently as if they were local resources. The client can map remote shares to local drive letters, map and print to remote printers, and so on. Except in very rare circumstances, applications can use remote resources seamlessly without modification to make them RAS- or network-aware.
On the server side, integration means that Windows 2000 can use a single authentication mechanism to authenticate users both locally and from remote locations. RRAS can authenticate against the local computer’s user accounts or accounts in the domain, or it can use an external authentication mechanism such as RADIUS. Through its support for RADIUS, Windows 2000 RRAS enables a Windows 2000 server to function as a gateway of sorts to the network while offloading authentication to another server, which could be any RADIUS platform including a UNIX server.
Note: RADIUS stands for Remote Authentication Dial-In User Service. RADIUS is a standard, cross-platform protocol for authentication commonly used for dial-in authentication.
Windows 2000 RRAS also provides close integration with the Active Directory (AD).
This AD integration provides for replication of users’ remote access settings,
including access permissions, callback options, and security policies, among
others. AD integration also means simplified administration with other AD-related
services and properties.
As you’ll learn later in the section “RAS Connection Types and Protocols,” Windows
2000 RRAS supports a wide range of connection protocols, including PPP, SLIP, and
Microsoft RAS Protocol. Windows 2000 RRAS supports authentication methods,
including MS-CHAP, EAP, CHAP, SPAP, and PAP. Network protocols supported
include TCP/IP, IPX/SPX, NetBEUI, and AppleTalk to support Microsoft, UNIX,
NetWare, and Macintosh resources and clients.
New Features of Windows 2000 RRAS
If you’re familiar with RAS or RRAS in Windows NT, you’ll find all of those same features in Windows 2000 RRAS. You’ll also find several enhancements to existing features along with many new features, including those discussed in the following sections.
AD integration
As mentioned previously, Windows 2000 RRAS integrates with the Active Directory. AD integration enables client settings to be replicated throughout the organization to provide expanded access by clients and easier administration. Integration with the AD also can simplify administration by enabling you to browse and manage multiple RRAS servers through the AD-aware RRAS management console snap-in, providing a single point of management for RRAS services in an organization.
Bandwidth Allocation Protocol and Bandwidth Allocation Control Protocol
The Bandwidth Allocation Protocol (BAP) and Bandwidth Allocation Control
Protocol (BACP) enable Windows 2000 RAS to dynamically add or remove links in a
multilink PPP connection as bandwidth requirements for the connection change.
When bandwidth utilization becomes heavy, RAS can add links to accommodate the
increased load and enhance performance. When bandwidth utilization decreases,
RAS can remove links to make the connection more cost efficient. You configure
BAP policies through a remote access policy that you can apply to individual users,
groups, or an entire organization.
MS-CHAP version 2
Previous versions of RAS supported Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) to authenticate remote clients. MS-CHAP v2 provides stronger security and is designed specifically to support Virtual Private Network (VPN) connections, which enable remote clients to establish secure connections to a private network through a public network such as the Internet. MS-CHAP v2 provides several security enhancements:
✦ LAN Manager coding of responses, formerly supported for backward compatibility with older remote access clients, is no longer supported for improved security. MS-CHAP v2 no longer supports LAN Manager encoding of password changes for the same reason.
✦ MS-CHAP v2 supports mutual authentication, which provides bi-directional authentication between the remote client and the RAS server. Previously, MS-CHAP only provided one-way authentication and did not provide a mechanism for the remote client to determine if the remote server actually had access to its authentication password for verification. Version 2 not only enables the server to authenticate the client’s request, but also allows the client to verify the server’s ability to authenticate its account.
✦ MS-CHAP v2 also provides stronger encryption. The 40-bit encryption used in
previous versions operated on the user’s password and resulted in the same
cryptographic key being generated for each session. Version 2 uses the
remote client’s password, along with an arbitrary challenge string, to create
a unique cryptographic key for each session, even when the client password
remains the same.
✦ Version 2 provides better security for data transmission, using separate
cryptographic keys for data sent in each direction.
Extensible Authentication Protocol
The Extensible Authentication Protocol (EAP) enables authentication methods to
be added to RAS without redesigning the underlying RAS software base, much like
new features in NTFS 5.0 enable new functionality to be added to the file system
without redesigning the file system (see Chapter 21 for a complete discussion).
EAP enables the client and server to negotiate the mechanism to be used to
authenticate the client. Currently, EAP in Windows 2000 supports EAP-MD5 CHAP
(Challenge Handshake Authentication Protocol), EAP-TLS (Transport Level
Security), and redirection to a RADIUS server. Each of these topics is covered
in more detail later in this chapter.
RADIUS support
Windows 2000 RRAS can function as a RADIUS client, funneling logon requests to a RADIUS server, which can include the Internet Authentication Service, also included with Windows 2000, running on the same or a different server. The RADIUS server doesn’t have to be a Windows 2000 system, however, which enables RRAS to also use UNIX-based RADIUS servers or third-party RADIUS services you might already have in place. One of the advantages to using RADIUS is its capability for accounting, and several third-party utilities have been developed to provide integration with database back-ends such as SQL Server to track and control client access.
Cross-Reference: See the section “Using RADIUS” later in this chapter for detailed information on configuring and using RADIUS.
Remote access policies
Windows 2000 improves considerably on the flexibility you have as an administrator to control a user’s remote access and dial-up settings. Windows NT RAS gave you control only over callback options, and settings were assigned on a user-by-user basis. Although Windows 2000 still lets you assign remote access permissions through a user’s account, you also can use a remote access policy to define the remote access settings for one or several users. Remote access policies give you a fine degree of control over users’ settings, controlling options such as allowed access time, maximum session time, authentication, security, BAP policies, and more.
Cross-Reference: See the section “Remote Access Policy” later in this chapter for additional information on configuring and using RAS policies.
Support for Macintosh clients
Windows 2000 adds remote access support for Macintosh clients by supporting
AppleTalk over PPP for Macintosh clients. This enables Macintosh clients to
connect to a Windows 2000 RAS server using the standard PPP and AppleTalk
protocols.
Account lockout
Windows 2000 RAS enhances security by supporting account lockout, which locks a RAS account after a specified number of bad logon attempts. This feature helps guard against dictionary attacks in which a hacker attempts to gain remote access by repeatedly attempting logon using a dictionary of passwords against a valid account. You can configure two settings that control lockout — the number of bad logon attempts before the account is locked out, and how long the account remains locked before the lockout counter is reset.
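The following Python model is an added example, not code from the book or from Windows 2000; it shows how the two lockout settings just described interact. The policy class, the tracker, the sample account and the handful of guesses are all constructed for the illustration. One behaviour is assumed rather than taken from the text: a successful logon clears the failure counter. The point a defender should take from it is visible in the trace: once the threshold is reached, even the correct password is refused until the reset interval has passed, so lockout events need to be logged and reviewed, because a burst of them can mean either a guessing attempt or a user being locked out deliberately.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class LockoutPolicy:
    # The two settings the chapter names: failures before lockout, and how
    # long the account stays locked before the counter is reset.
    max_bad_attempts: int = 5
    reset_after: timedelta = timedelta(minutes=30)


@dataclass
class AccountState:
    bad_attempts: int = 0
    locked_at: Optional[datetime] = None


class RasLockoutTracker:
    """Per-account failed-logon counter that enforces a LockoutPolicy
    (hypothetical helper, written for this example)."""

    def __init__(self, policy: LockoutPolicy, credentials: Dict[str, str]):
        self.policy = policy
        self.credentials = credentials          # constructed user database
        self.state: Dict[str, AccountState] = {}
        self.events: List[Tuple[datetime, str, str]] = []   # audit trail

    def is_locked(self, user: str, now: datetime) -> bool:
        st = self.state.get(user)
        if st is None or st.locked_at is None:
            return False
        if now - st.locked_at >= self.policy.reset_after:
            # Lock has expired: the counter resets and the account is usable.
            self.state[user] = AccountState()
            self.events.append((now, user, "lock-expired"))
            return False
        return True

    def attempt(self, user: str, password: str, now: datetime) -> str:
        """Process one logon attempt; returns 'accepted', 'rejected' or 'locked'."""
        self.state.setdefault(user, AccountState())
        if self.is_locked(user, now):
            return "locked"                      # refused regardless of password
        st = self.state[user]                   # is_locked may have reset it
        if self.credentials.get(user) == password:
            st.bad_attempts = 0                  # assumed: success clears counter
            return "accepted"
        st.bad_attempts += 1
        if st.bad_attempts >= self.policy.max_bad_attempts:
            st.locked_at = now
            self.events.append((now, user, "locked-out"))
            return "locked"
        return "rejected"


def simulate_guessing(policy: Optional[LockoutPolicy] = None) -> Tuple[List[str], str]:
    """Replay a short constructed sequence of bad guesses followed by the real
    password, then one more attempt after the reset interval."""
    policy = policy or LockoutPolicy(max_bad_attempts=3, reset_after=timedelta(minutes=10))
    tracker = RasLockoutTracker(policy, {"alice": "correct-horse"})   # constructed
    t0 = datetime(2000, 5, 15, 14, 6)
    guesses = ["password", "letmein", "qwerty", "correct-horse"]       # constructed
    results = [tracker.attempt("alice", g, t0 + timedelta(seconds=i))
               for i, g in enumerate(guesses)]
    after_reset = tracker.attempt("alice", "correct-horse", t0 + timedelta(minutes=11))
    return results, after_reset


if __name__ == "__main__":
    print(simulate_guessing())   # (['rejected', 'rejected', 'locked', 'locked'], 'accepted')
```

The fourth attempt is the correct password and is still refused: that is the cost of lockout, and the reason the reset interval should be chosen with the help desk in mind rather than set to "forever".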
The Routing and Remote Access Management Console
Microsoft has integrated most administration and management functions into
Microsoft Management Console (MMC) snap-ins, and RRAS is no exception. The
Routing and Remote Access console snap-in enables you to configure and manage
an RRAS server. Figure 15-2 shows the Routing and Remote Access console.
Figure 15-2: The Routing and Remote Access console
The RRAS console serves as a central control center for managing most RRAS properties. In addition to configuring ports and interfaces, you can configure protocols, global options and properties, and RRAS policies through the RRAS console. Later sections of this chapter explain how to use the RRAS console to perform specific configuration and administration tasks. Open the console by choosing Start ➪ Programs ➪ Administrative Tools ➪ Routing and Remote Access.
RAS Connection Types and Protocols
Windows 2000 supports several connection types and network protocols for
remote access. The following sections explore these connection types and network
protocols.
Serial Line Internet Protocol
The Serial Line Internet Protocol (SLIP) is a connection protocol that originated in
the UNIX realm. SLIP offers limited functionality in that it does not support error
detection or correction. Windows 2000 clients can use SLIP to connect to UNIX
servers (or other servers requiring SLIP), but Windows 2000 Server does not
support SLIP for dial-in connections.
Point-to-Point Protocol

The Point-to-Point Protocol (PPP) was developed as a standardized alternative to
SLIP that offered better performance and reliability. Unlike SLIP, PPP is designed
around industry-designed standards and enables essentially any PPP-compliant
client to connect to a PPP server. Windows 2000 supports PPP for both dial-in and
dial-out connections. On a Windows 2000 RAS server, PPP enables remote clients
to use IPX, TCP/IP, NetBEUI, AppleTalk, or a combination thereof. Windows-based
clients including Windows 2000, Windows NT, Windows 9x, and Windows 3.x can
use any combination of IPX, TCP/IP, or NetBEUI, but AppleTalk is not supported for
these clients. Macintosh clients can use either TCP/IP or AppleTalk. PPP supports
several authentication protocols, including MS-CHAP, EAP, CHAP, SPAP, and PAP.
Microsoft RAS Protocol
The Microsoft RAS Protocol is a proprietary protocol developed by Microsoft to support NetBIOS and is used for Windows NT 3.1, Windows for Workgroups, MS-DOS, and LAN Manager remote access. Clients must use the NetBEUI protocol, and the remote access server acts as a NetBIOS gateway for the client, supporting NetBEUI, NetBIOS over TCP/IP, and NetBIOS over IPX. The Microsoft RAS Protocol is provided for backward compatibility with older Microsoft operating platforms. Unless you are connecting to one of these older systems, choose PPP as your connection protocol.
Point-to-Point Multilink Protocol and BAP
The Point-to-Point Multilink Protocol (PPMP, or simply Multilink) enables multiple PPP lines to be combined to provide an aggregate bandwidth. For example, you might use Multilink to combine two analog 56Kbps modems to give you an aggregate bandwidth roughly equivalent to 112Kbps. Or, you might combine both B channels of an ISDN Basic Rate Interface (BRI) connection to provide double the bandwidth you would otherwise get from a single channel.
The Bandwidth Allocation Protocol (BAP) works in conjunction with Multilink to provide adaptive bandwidth. As bandwidth utilization increases, BAP enables the client to aggregate additional connections to increase bandwidth and improve performance. As bandwidth utilization decreases, BAP enables the client to drop connections from the aggregate link to reduce connection costs (in cases where multiple connections incur their own charges).
Cross-Reference: See the section “Using Multilink and BAP” later in this chapter to configure and use multilink connections.
Point-to-Point Tunneling Protocol
The TCP/IP protocol suite by itself does not provide for encryption or data security, an obvious concern for users who need to transmit data securely across a public network such as the Internet. The Point-to-Point Tunneling Protocol (PPTP) provides a means for encapsulating and encrypting IP and IPX for secure transmission. PPTP is an extension of PPP that enables you to create a Virtual Private Network (VPN) connection between a client and server.
PPP frames in a PPTP session are encrypted using Microsoft Point-to-Point Encryption (MPPE) with encryption keys generated using the MS-CHAP or EAP-TLS authentication process. PPTP by itself does not provide encryption, but rather encapsulates the already encrypted PPP frames. In order to provide a secure connection, the client must use either MS-CHAP or EAP-TLS authentication. Otherwise, the PPP frames are encapsulated unencrypted (plain text). Figure 15-3 illustrates how PPTP encapsulates data. PPTP is installed by default when you install Windows 2000 RRAS.
Tip: PPTP is a good choice for creating secure connections to a private network through a public network such as the Internet when the remote network isn’t configured to support IPSec.
Layer Two Tunneling Protocol
Layer Two Tunneling Protocol (L2TP) is a draft protocol that combines the features of PPTP with support for IP Security (IPSec) to provide enhanced security. Unlike PPTP, which relies on MPPE for encryption, L2TP relies on IPSec to provide encryption. Therefore, the source and destination routers must support both L2TP and IPSec. Figure 15-3 illustrates how L2TP encapsulates data. L2TP is installed by default when you install Windows 2000 RRAS.
Figure 15-3: PPTP and L2TP use different methods for encapsulation and encryption.
L2TP provides better security than PPTP by supporting IPSec and is a better choice for creating VPN connections than PPTP when the remote network is configured to support IPSec. See Chapter 3 for a discussion of Windows 2000 security and IPSec.
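To make the two encapsulation stacks in Figure 15-3 concrete, here is an added Python example (not from the book, not Windows code) that builds constructed sample packets for each stack and classifies them from their outer headers, the way a capture review would. It assumes the standard wire values: IP protocol 47 (GRE) carrying GRE protocol type 0x880B for PPTP, UDP port 1701 for L2TP, and IP protocol 50 (ESP) when IPSec protects the L2TP tunnel. The sample frames are minimal stand-ins built with struct, not real captures, and the function names are this example’s own.

```python
import struct
from typing import Any, Dict, List, Tuple

IPPROTO_UDP, IPPROTO_GRE, IPPROTO_ESP = 17, 47, 50
L2TP_UDP_PORT = 1701
GRE_PROTO_PPP = 0x880B      # GRE protocol type that carries PPP frames (PPTP)


def classify_tunnel(packet: bytes) -> Dict[str, Any]:
    """Inspect only the outer headers of an IPv4 packet and report which
    encapsulation it uses and whether the PPP layer is readable on the wire."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    inner = packet[ihl:]

    if proto == IPPROTO_GRE and len(inner) >= 4:
        gre_proto = struct.unpack("!H", inner[2:4])[0]
        if gre_proto == GRE_PROTO_PPP:
            # PPTP: GRE and PPP headers are visible; only the PPP payload is
            # protected, and only when MPPE keys came from MS-CHAP or EAP-TLS.
            return {"tunnel": "PPTP", "stack": ["IP", "GRE", "PPP"],
                    "ppp_visible": True,
                    "encryption": "MPPE (requires MS-CHAP or EAP-TLS)"}
    if proto == IPPROTO_UDP and len(inner) >= 8:
        src, dst = struct.unpack("!HH", inner[:4])
        if L2TP_UDP_PORT in (src, dst):
            # L2TP directly over UDP: nothing encrypts the PPP frames.
            return {"tunnel": "L2TP", "stack": ["IP", "UDP", "L2TP", "PPP"],
                    "ppp_visible": True, "encryption": None}
    if proto == IPPROTO_ESP and len(inner) >= 8:
        # L2TP/IPSec: ESP hides UDP, L2TP and PPP; only the SPI is readable.
        spi = struct.unpack("!I", inner[:4])[0]
        return {"tunnel": "IPSec ESP", "stack": ["IP", "ESP", "(encrypted)"],
                "ppp_visible": False, "encryption": "IPSec", "spi": spi}
    return {"tunnel": None, "stack": ["IP"], "ppp_visible": False,
            "encryption": None}


# --- constructed sample packets (built here for the example, not captures) ---

def ipv4(proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (checksum left zero) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload


# PPP address/control, protocol 0x0021 (IP), then a stub IP datagram.
PPP_FRAME = bytes([0xFF, 0x03, 0x00, 0x21, 0x45, 0x00]) + bytes(18)


def sample_packets() -> Dict[str, bytes]:
    gre = struct.pack("!HHHH", 0x3001, GRE_PROTO_PPP, len(PPP_FRAME), 1) + PPP_FRAME
    l2tp = struct.pack("!HHH", 0x0002, 1, 1) + PPP_FRAME            # v2 data message
    udp = struct.pack("!HHHH", L2TP_UDP_PORT, L2TP_UDP_PORT, 8 + len(l2tp), 0) + l2tp
    esp = struct.pack("!II", 0x1234, 1) + bytes(range(32))           # SPI, seq, ciphertext stand-in
    dns = struct.pack("!HHHH", 40000, 53, 8 + 12, 0) + bytes(12)    # ordinary UDP for contrast
    return {"pptp": ipv4(IPPROTO_GRE, gre), "l2tp-plain": ipv4(IPPROTO_UDP, udp),
            "l2tp-ipsec": ipv4(IPPROTO_ESP, esp), "dns": ipv4(IPPROTO_UDP, dns)}


def audit(packets: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """Flag tunnels whose PPP frames are readable from the wire."""
    findings = []
    for name, pkt in packets.items():
        info = classify_tunnel(pkt)
        if info["tunnel"] == "L2TP":
            findings.append((name, "L2TP without IPSec: PPP frames in the clear"))
        elif info["tunnel"] == "PPTP":
            findings.append((name, "PPTP: confirm MS-CHAP v2 or EAP-TLS so MPPE is active"))
    return findings


if __name__ == "__main__":
    for name, pkt in sample_packets().items():
        print(name, classify_tunnel(pkt))
    print(audit(sample_packets()))
```

The useful check for an administrator is the second finding: L2TP seen on UDP 1701 outside ESP means the IPSec half of "L2TP/IPSec" is not in place, which is exactly the case the text warns about.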
Transport Protocols
As mentioned previously in this chapter, RRAS supports four network protocols: TCP/IP, IPX, NetBEUI, and AppleTalk. A Windows 2000 RAS server supports all four protocols for incoming connections. Windows 2000 RAS clients support all except AppleTalk. When you install RRAS, Windows 2000 enables all currently installed protocols for incoming and outgoing RAS connections. As you’ll learn later in the section “Configuring RAS for Incoming Connections,” you can configure the supported protocols to enable clients to access only the RAS server or access the LAN. You configure access on a protocol-by-protocol basis.
[Figure 15-3 layout: PPTP stack: IP Header | GRE Header | PPP Header | PPP Payload (including IP datagram, IPX datagram, NetBEUI frame), with the PPP payload encrypted by MPPE. L2TP stack: IP Header | IPSec ESP Header | UDP Header | L2TP Header | PPP Header | PPP Payload (including IP datagram, IPX datagram, NetBEUI frame) | IPSec ESP Trailer | IPSec Auth. Trailer, with everything from the UDP header through the ESP trailer encrypted by IPSec.]
TCP/IP
As a dial-out protocol, TCP/IP enables you to connect a Windows 2000 client to nearly any TCP/IP-based network including the Internet. You can statically assign the IP address, subnet mask, default gateway, and other settings for the dial-out connection or allow the remote server to assign the connection properties. As a protocol for incoming connections, TCP/IP enables essentially any client that supports TCP/IP and PPP to connect to a Windows 2000 RAS server. As you’ll learn later in the section “Configuring RAS for Incoming Connections,” you can allocate addresses from a static pool or use DHCP to allocate addresses and other connection properties to remote clients. In addition, clients can request a predefined IP address (defined at the client side through the connection properties).
IPX
The IPX protocol is used primarily in environments where Novell NetWare clients or
servers are used. Support for IPX enables a Windows 2000 RAS server to coexist
with NetWare servers and enables clients to access NetWare resources through the
RAS connection. A Windows 2000 RAS server hosting IPX also serves as an IPX
router, handling RIP, SAP, and NetBIOS traffic between the local network and the
remote client. In addition to using the IPX protocol, the remote client must run a
NetWare redirector. The server must be running the IPX/SPX/NetBIOS-compatible
protocol.
Note: The Windows 2000 Professional NetWare redirector is Client Service for NetWare. In Windows 2000 Server, the redirector is Gateway Service for NetWare.
A Windows 2000 RAS server allocates IPX network numbers and node numbers to connecting clients. The server can generate the IPX network number automatically or, as it can for TCP/IP, allocate numbers from a static pool assigned by an administrator. If assigning a number dynamically, the server first verifies that the number is not already in use on the network. The server then allocates that number to all remote access clients. Assigning the same network number to all clients reduces RIP announcements from the RAS server.
NetBEUI
NetBEUI is a good protocol choice for small, non-routed networks (NetBEUI is not a routable protocol). Because it is non-routable, NetBEUI can offer some measure of security for a private network that is connected to the Internet. Internal systems that don’t require Internet access can use NetBEUI and be invisible to computers on the Internet. Supporting NetBEUI for Windows 2000 RAS enables NetBEUI clients to dial into the RAS server and gain access to resources shared on the server or on the network by other NetBEUI clients. However, NetBEUI clients will need access to a WINS server on the network where they connect to resolve IP-addressed resources.
AppleTalk
The AppleTalk protocol is used by Macintosh network clients. Windows 2000 RAS supports AppleTalk to enable remote Macintosh clients to connect to the server and access resources shared by the server or other AppleTalk clients on the network. In order to use AppleTalk for RAS dial-in, you must install the AppleTalk protocol on the RAS server.
Configuring RAS for Inbound Connections
RRAS in Windows 2000 really takes three distinct directions: routing, inbound connections (RAS server), and outbound connections (RAS client). This section explains how to configure a Windows 2000 server as a RAS server. When you install Windows 2000, Setup by default installs RRAS, so you don’t need to install it separately. You do, however, need to configure it. The following sections explain how to configure modems, ports, protocols, encryption, and other properties to set up and manage a RAS server.
Enabling RRAS
Although Windows 2000 installs RRAS by default, you still need to enable the service to begin configuring and using it. To do so, choose Start ➪ Programs ➪ Administrative Tools ➪ Routing and Remote Access to open the RRAS console. Right-click the server in the left pane and choose Configure and Enable Routing and Remote Access to start the RRAS Setup Wizard. You can use the wizard to automatically configure RRAS for specific applications, or you can configure the service manually. The following sections explain the options offered by the wizard.
If you enable RRAS and choose to configure it manually, then later decide you’d like to run the wizard, you can do so but will lose the current configuration settings. To reconfigure the service through the wizard, open the RRAS console, right-click the server, and choose Disable Routing and Remote Access. After the service stops, right-click the server again and choose Configure and Enable Routing and Remote Access.
Internet connection server
Select this option to configure the RRAS server to enable local network clients to connect to the Internet. As such, the RRAS server functions as an Internet gateway. See the section on network address translation in Chapter 12 for detailed information on configuring RRAS to function as an Internet connection gateway. Optionally, you can configure the server to use Internet Connection Sharing (ICS) to allow shared access by local clients to an existing Internet connection on the server. The previously mentioned section of Chapter 12 also covers ICS.
Remote access server
Select this option to configure the RRAS server to enable remote access clients to connect through the server to access resources on the server or on the local network. The wizard prompts for the following:
✦ Protocols: Specify the protocols to be supported, which must already be installed on the RRAS server. All installed protocols are enabled for RRAS by default. You can, however, disable specific protocols after the wizard finishes.
✦ Network interface: The wizard prompts for the network interface to which to assign remote clients, which determines where the addresses and other access properties come from. In a multi-homed server, select the network interface where the DHCP server is located, if allocating addresses through DHCP.
✦ IP address assignment: You can choose to assign addresses through DHCP (see previous option) or from a static address pool. If you choose to use a static pool, the wizard prompts you for the range of addresses to use. See the section “Configuring Protocols” later in this chapter for detailed information regarding address assignment.
Tip: You can allow remote clients to request a pre-assigned IP address configured at the client side. See the section “Configuring Protocols” later in this chapter for a detailed explanation.
✦ RADIUS: You can configure the RRAS server to use RADIUS for authentication and accounting. You specify the IP address or host name for the primary and alternate RADIUS servers, along with the RADIUS shared secret, which essentially is a password the RRAS server uses to authenticate its right to access the RADIUS servers. Windows 2000 includes a RADIUS server called Internet Authentication Service (IAS) that you can use for RRAS and other applications requiring RADIUS authentication, or you can use any RADIUS server. See the section “Using RADIUS” later in this chapter for more information.
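The static-pool assignment described under TCP/IP and again in the wizard options above, together with the client-requested address, is easy to get wrong at the edges: a client may ask for an address outside the pool, or for one another session already holds. The following Python model is an added example, not the book’s or Windows 2000’s code; the class and function names and the address range are constructed. It reserves the first pool address for the server’s own RAS interface, which is how this example chooses to model the server’s use of the pool, and it honours a client request only when the address is inside the pool and free.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

IPv4 = ipaddress.IPv4Address


class StaticAddressPool:
    """Assigns addresses to remote access clients from an administrator-defined
    range. A client may request a specific address; the request is honoured
    only if the address lies inside the pool and is not held by another client."""

    def __init__(self, first: str, last: str, server_name: str = "RRAS-server"):
        self.first, self.last = IPv4(first), IPv4(last)
        if self.last < self.first:
            raise ValueError("pool range is reversed")
        self.leases: Dict[IPv4, str] = {}
        # Modelling choice for this example: the first pool address belongs to
        # the server's own RAS interface and is never handed to a client.
        self.leases[self.first] = server_name

    def _in_pool(self, addr: IPv4) -> bool:
        return self.first <= addr <= self.last

    def allocate(self, client: str, requested: Optional[str] = None) -> Tuple[str, str]:
        """Return (address, decision); the decision records whether a client
        request was honoured and, if not, why it was refused."""
        decision = "assigned"
        if requested is not None:
            addr = IPv4(requested)
            if not self._in_pool(addr):
                decision = "request refused: outside pool"
            elif self.leases.get(addr, client) != client:
                decision = "request refused: address in use"
            else:
                self.leases[addr] = client
                return str(addr), "request honoured"
        # Refused or absent request: fall back to the first free pool address.
        addr = self.first
        while addr <= self.last:
            if addr not in self.leases:
                self.leases[addr] = client
                return str(addr), decision
            addr += 1
        raise RuntimeError("static address pool exhausted")

    def release(self, client: str) -> None:
        """Return every address held by a client when it disconnects."""
        for addr, owner in list(self.leases.items()):
            if owner == client and addr != self.first:
                del self.leases[addr]


def run_demo() -> List[Tuple[str, str, str]]:
    """Constructed sequence of connections exercising each decision path."""
    pool = StaticAddressPool("192.168.50.10", "192.168.50.14")     # constructed range
    log = []
    for client, wanted in [("laptop-a", None),
                           ("laptop-b", "192.168.50.13"),
                           ("laptop-c", "192.168.50.13"),          # already taken
                           ("laptop-d", "10.9.8.7")]:              # not in the pool
        addr, why = pool.allocate(client, wanted)
        log.append((client, addr, why))
    pool.release("laptop-b")
    addr, why = pool.allocate("laptop-e", "192.168.50.13")          # free again
    log.append(("laptop-e", addr, why))
    return log


if __name__ == "__main__":
    for entry in run_demo():
        print(*entry)
```

Logging the decision string alongside the address is the part worth keeping: a client repeatedly asking for an address it is refused is something an administrator wants to see, since a remote client that could claim an arbitrary address on the LAN side would be able to stand in for an internal host.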
Virtual private network server
Select this option to configure RRAS as a VPN server, enabling clients to use PPTP
or L2TP to dial in from a public network such as the Internet (or direct dial-up) and
establish a secure connection to the local network. By default, RRAS configures five
ports each for PPTP and L2TP, but you can add or remove ports as desired. The
wizard prompts for the same information described in the previous section and
also prompts for the network interface through which the RRAS server connects
to the Internet. The VPN server must have a second network interface for the
internal LAN.
Network router
Select this option to configure the RRAS server to function as a router. The wizard prompts you to verify that the required protocols are installed (listing them for you), then prompts you to choose whether or not you want to use demand-dial connections to access remote networks. If you choose No, the wizard completes the configuration and terminates. If you answer Yes, the wizard asks if you want to assign IP addresses through DHCP or a static address pool (if IP is installed on the server). Choosing Yes does not cause the wizard to configure any demand-dial connections; you configure those through the RRAS console after the wizard finishes.
Manually configured server
Select this option if you want to manually configure all RRAS server settings. Windows 2000 configures the server as a RAS server and router with default settings. You can run the wizard again if desired to automatically configure the server, although you’ll lose the current configuration settings. See the previous section, “Enabling RRAS,” to learn how to restart the wizard.
The following sections assume you are configuring the server manually rather than
using the wizard, or fine-tuning settings after running the wizard.
Configuring Modems and Ports
One of the first steps to take in setting up a Windows 2000 RAS server is to install and configure the hardware and ports that will handle the incoming calls. You configure a standard modem through the Control Panel. If the modem is not already installed, open the Control Panel and double-click the Phone and Modem Options object. Click the Modems tab, then click Add to start the Add/Remove Hardware wizard. You have the option of selecting the modem manually or letting Windows 2000 search for it. Repeat the process for any additional modems you are installing on the system.
Cross-Reference: For additional help installing hardware, refer to Chapter 6.
Other types of dial-up equipment require different installation and configuration steps that vary from one item to the next. It isn’t practical to cover all types in this chapter, so you might have to refer to the manufacturer’s documentation to learn how to properly install the hardware. If you’re setting up a server connected to the Internet to act as a VPN server for your local network, install the network hardware, connect the system to the Internet, and verify that the server has connectivity to both the LAN and Internet. You configure ports for incoming access through the RRAS console. If you click on the Ports node, the console displays the installed RAS ports. Windows 2000 by default installs both the PPTP and L2TP protocols for VPN support and adds five ports for each protocol (to support up to five incoming connections of each type). You can view the status of a given port by double-clicking the port in the list or right-clicking the port and choosing Status. Windows 2000 displays a Port Status dialog box for the port that shows line speed, errors, and protocol-specific data such as IP address, IPX address, and so on.
To configure ports, right-click Ports in the right pane of the RRAS console and choose Properties. Windows 2000 displays a Ports Properties dialog box listing each of the port types. For example, all PPTP ports appear under a single item in the list, as do all L2TP ports and individual modems. Select the port type you want to configure and click Configure. Windows 2000 displays the Configure Device dialog box shown in Figure 15-4.
Figure 15-4: The Configure Device dialog box
The following list explains the options in the Configure Device dialog box:
✦ Remote access connections (inbound only): Select this option to allow the selected port to handle incoming connections only and not function as a demand-dial router for outgoing connections.
✦ Demand-dial routing connections (inbound and outbound): Select this option to allow the port to handle incoming calls and function as a demand-dial router to service local clients for outgoing calls.
✦ Phone number for this device: This option is used for Called-Station-ID and BAP-enabled connections and to identify the IP address for PPTP and L2TP ports. Some devices support automatic recognition of the device’s phone number for Called-Station-ID, so you only need to add the number manually if the device doesn’t support automatic recognition. The number must match the number defined in the Called-Station-ID attribute of the remote access policy that is in effect, or the call is rejected. For BAP, this property is passed to the client when it requests an additional connection so it knows what number to dial for the new connection. For PPTP and L2TP ports, enter the IP address in dotted decimal format to assign to the VPN interface of the server.
✦ Maximum ports: Use this control to specify the maximum number of ports enabled on a multiport device or protocol (such as PPTP or L2TP).
Configuring Protocols
In addition to configuring the ports used by the RRAS server, you also need to configure the protocols to be used by remote access clients. You should verify that you have the necessary protocols installed prior to attempting to configure the protocols for RRAS. The following sections explain the options you have for each of the supported RRAS protocols.
TCP/IP
You can assign IP addresses to remote access clients using one of three methods: DHCP, a static address pool, or by allowing the client to request a pre-assigned IP address.
Assigning addresses through DHCP

When the RRAS service starts, it checks for the availability of a DHCP server (if configured to use DHCP for address assignment) and obtains ten leases from the DHCP server. The RRAS server uses the first lease for itself and assigns the remaining addresses to RAS clients as they connect, recovering and reusing addresses as clients disconnect. When the pool of ten addresses is exhausted, the RRAS server obtains ten more, and the process repeats as needed. When the RRAS service stops, it releases all addresses, making them available for other DHCP clients on the network.
The RRAS service will use Automatic Private IP Addressing (APIPA) if it is unable to locate a DHCP server at startup. APIPA enables Windows 2000 to assign addresses in the class B address range 169.254.0.1 through 169.254.0.254 (subnet mask of 255.255.0.0). APIPA is designed to allow automatic IP configuration when no DHCP server is available. Because APIPA is intended for use in internal, single-segment networks, it does not allocate settings for default gateway, DNS servers, or WINS servers.
RRAS by default selects a network interface at random from which to obtain the DHCP leases for RAS clients. You can, however, specify the interface to pull addresses from a specific network segment/server when the RRAS server is multihomed (multiple network interfaces). You do so through the IP page of the server’s properties. In the RRAS console, right-click the server and choose Properties, then click the IP tab (Figure 15-5). Use the Adapter drop-down list at the bottom of the property page to select the adapter, or choose “Allow RAS to select adapter” if you want to allow RRAS to automatically select an adapter.
Figure 15-5: The IP tab
The Adapter drop-down list only appears on multi-homed systems.
Using a static address pool
You can assign addresses to RAS clients from a static pool if you have no DHCP server on the network or simply prefer not to use DHCP for the RAS server. In previous versions of RRAS (Windows NT), you could configure included and excluded address ranges. In Windows 2000, however, you only create included ranges. You can achieve the same effect as an excluded range by simply creating multiple included ranges that don’t include the address range you want to exclude.
You configure the static address pool through the IP property page for the server. In the RRAS console, right-click the server, choose Properties, and then click the IP tab. Select the option “Static address pool” and then click Add to display the New Address Range dialog box. You specify a starting address for the range, then either the ending address or the number of addresses to include in the pool. Windows 2000 determines the ending address for you if you specify the number of addresses, and it also determines the required subnet mask based on the selected address range. Click OK to add the range, then repeat the process if you need to add other ranges.
When defining static address pools for RRAS, make sure you don’t use addresses already allocated to other systems or to DHCP servers on the network. If the static address pool is in a different subnet from the local network, you must either enable IP routing on the RRAS server (configured through the IP page of the server’s global properties) or add static routes for the subnet.
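As an added example (not code from the book), the following Python reproduces the arithmetic the New Address Range dialog performs and the checks this section calls for: deriving an end address from a count, finding the covering subnet mask, splitting a range to emulate an exclusion, spotting overlap with addresses already in use, and flagging a pool that lies outside the LAN subnet. The addresses and LAN network it uses are constructed values.

```python
# Added example (not from the book): planning a Windows 2000 RRAS static address pool.
# Windows 2000 only lets you create included ranges; an "excluded" range is expressed
# by splitting one included range into the pieces around the addresses to leave out.
# The New Address Range dialog also derives the end address from a count and a subnet
# mask that covers the range; the helpers below reproduce that arithmetic with the
# standard ipaddress module so a pool can be checked before it is typed in.
from ipaddress import IPv4Address, IPv4Network


def range_from_count(start, count):
    """End address for a pool given its start and size, as the dialog computes it."""
    first = IPv4Address(start)
    return str(first), str(first + (count - 1))


def covering_mask(start, end):
    """Smallest subnet mask (and network) that contains every address in the range."""
    first, last = IPv4Address(start), IPv4Address(end)
    for prefix in range(32, -1, -1):
        net = IPv4Network((first, prefix), strict=False)
        if last in net:
            return str(net.netmask), str(net)


def exclude(start, end, excl_start, excl_end):
    """Split one included range into the included ranges that avoid [excl_start, excl_end]."""
    first, last = IPv4Address(start), IPv4Address(end)
    x0, x1 = IPv4Address(excl_start), IPv4Address(excl_end)
    pieces = []
    if x0 > first:                       # addresses below the exclusion
        pieces.append((str(first), str(min(last, x0 - 1))))
    if x1 < last:                        # addresses above the exclusion
        pieces.append((str(max(first, x1 + 1)), str(last)))
    return pieces


def conflicts(pool_ranges, allocated):
    """Pool addresses already used by other systems or DHCP scopes (should be empty)."""
    used = {IPv4Address(a) for a in allocated}
    hits = []
    for start, end in pool_ranges:
        addr, last = IPv4Address(start), IPv4Address(end)
        while addr <= last:
            if addr in used:
                hits.append(str(addr))
            addr += 1
    return hits


def needs_routing(start, end, lan_network):
    """True when the pool lies outside the LAN subnet, so IP routing or static routes are required."""
    lan = IPv4Network(lan_network)
    return not (IPv4Address(start) in lan and IPv4Address(end) in lan)
```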
Allowing clients to use pre-assigned IP addresses
In some situations, it’s advantageous for clients to be able to use the same IP address for each remote session. For example, users might work with applications that expect remote users to be at specific IP addresses. Arbitrarily allowing clients to request pre-assigned IP addresses could lead to address havoc and potential routing problems, but Windows 2000 overcomes that problem by allocating the remote client’s IP address through his or her account properties. Enabling a client to request a pre-assigned IP address requires two steps. First, you must configure the applicable remote access policy to allow the user to request a pre-assigned IP address. Second, you must specify the address in the user’s account properties.
You configure the remote access policy through the RRAS console. See the section “Remote Access Policy” later in this chapter for detailed information on configuring and managing remote access policies.
Where you modify the user’s account properties depends on the network configuration. On a standalone server (no domain), you modify the user’s properties through the Local Users and Groups node of the Computer Management console. Open the account’s properties and click the Dial-In tab. Select the option “Assign a Static IP Address” and specify the desired address in the associated text box. For information on other properties on the Dial-In tab, see the section “Remote Access Policy” later in this chapter. You’ll find the same properties for users in a domain in the Active Directory Users and Computers console. Configure properties as you would on a standalone server.
Enabling/disabling IP for RRAS
Windows 2000 RRAS by default enables for RRAS all protocols installed on the server. You can selectively disable a protocol if you don’t want to allow that protocol to be used for remote connections. To enable or disable IP for RAS, open the RRAS console, right-click the server, and choose Properties. On the IP property page, select or deselect the option “Allow IP-based remote access and demand-dial connections” to enable or disable IP for RAS, respectively.
IP routing and restricting access to the RAS server
By default, the RRAS server allows remote clients access not only to the local server, but also to the network (subject to permissions and policies applied to the remote client or local resources). As such, the RRAS server provides IP routing to the remote clients, routing traffic between the remote client and the LAN. You can prevent remote clients from accessing the LAN by disabling IP routing on the RRAS server. To do so, open the RRAS console, right-click the server, and choose Properties. On the IP page, deselect the option “Enable IP routing” to prevent remote clients from accessing the LAN and to restrict their access only to resources on the RRAS server.
IP routing must be enabled if you’re using the RRAS server to provide LAN or demand-dial routing. See the section “Network Address Translation” in Chapter 12 for a detailed discussion of Windows 2000 routing through RRAS.
NetBEUI
One of the advantages to NetBEUI is that as a simple, non-routable protocol, it is easy to configure. For RRAS, you have three options that control how NetBEUI is used for remote clients. You configure these properties through the server’s properties. Open the RRAS console, right-click the server, choose Properties, and click the NetBEUI tab. Use the following options to configure NetBEUI:
✦ Allow NetBEUI based remote clients to access: Select this option to allow remote clients to use NetBEUI; deselect to disable NetBEUI for RRAS on the selected server.
✦ This computer only: Select this option to allow remote clients to access only resources shared on the RRAS server, but not the network to which the server is attached.
✦ The entire network: Select this option to allow remote clients to access resources on the RRAS server as well as resources shared on the LAN to which the server is connected. Access to resources is subject to object permissions and policies just like local users.
IPX
The first step in configuring IPX is to decide how IPX network and node numbers will be assigned to remote clients. You also can enable/disable IPX for RAS connections and control which resources the IPX clients can access. Open the RRAS console, right-click the server, choose Properties, and click the IPX tab to configure the following properties:
✦ Allow IPX based remote access and demand-dial connections: Select this option to enable IPX for RRAS; deselect to prevent remote clients from using IPX for remote connections.
✦ Enable network access for remote clients and demand-dial connections: Select this option to allow remote IPX clients to access IPX-based resources (NetWare servers, for example) on the LAN to which the RRAS server is connected; deselect to allow remote IPX clients only access to resources on the RRAS server.
✦ Automatically: This option allows the RRAS server to automatically allocate IPX network numbers to remote access clients and demand-dial routers that request connections to the RRAS server.
✦ In the following range: Use this option to specify a range of IPX network numbers the RRAS server will use to allocate network numbers to remote clients and demand-dial routers.
✦ Use the same network number for all IPX clients: Use this option to have the RRAS server assign the same IPX network number to all clients, reducing RIP announcements and corresponding network traffic.
✦ Allow remote clients to request IPX node number: Select this option to allow remote access clients and demand-dial routers to request a specific IPX node number when the connection is established.
AppleTalk
There is essentially no configuration necessary for AppleTalk on a RRAS server. Use the AppleTalk page of the server’s properties to enable or disable AppleTalk for remote connections.
Configuring Authentication
After you have configured protocols on the RRAS server, you need to turn your attention to authentication and encryption, configuring the server to suit your needs.
Configuring PPP
Windows 2000 offers a few options you can configure that control PPP connections to the server. In the RRAS console, right-click the server, choose Properties, and click the PPP tab. The PPP page offers the following options:
✦ Multilink connections: Select this option to allow remote clients to request and use multilink connections. This option enables multilink connections but does not explicitly enable dynamic link management through BAP or BACP, which is controlled by the following option. See the section “Using Multilink and BAP” later in this chapter for additional information.
✦ Dynamic bandwidth control using BAP or BACP: This option enables the server and client to use Bandwidth Allocation Protocol and Bandwidth Allocation Control Protocol to dynamically multilink connections, adding links when bandwidth utilization increases and removing links when bandwidth utilization decreases.
✦ Link control protocol (LCP) extensions: LCP extensions enable LCP to send Time-Remaining and Identification packets, and to request callback during LCP negotiation. Deselect this option only if the remote clients don’t support LCP extensions.
✦ Software compression: Select this option to have the RRAS server use Microsoft Point-to-Point Compression protocol (MPPC) to compress data transmitted to remote clients. Deselect this option if the remote clients don’t support MPPC.
Configuring authentication
As mentioned earlier in this chapter, Windows 2000 RRAS supports several authentication standards. You can configure RRAS to accept multiple authentication methods, and the server will attempt authentication using the selected protocols in order of decreasing security. For example, RRAS attempts EAP first if EAP is enabled, then MS-CHAP version 2, then MS-CHAP, and so on.
You configure the authentication methods for RRAS through the Security page of the RRAS server’s properties (accessed from the RRAS console). Click Authentication Methods on the Security page to access the Authentication Methods dialog box shown in Figure 15-6. Select the authentication methods you want to allow, then click OK. The following sections provide an overview of each method and, where applicable, how to configure and enable them.
You can require a specific authentication method for a client through a remote access policy. The following sections don’t cover configuring authentication through a remote policy for each authentication protocol, but you will find coverage of that topic in the section “Remote Access Policy” later in this chapter.
Figure 15-6: You can configure multiple authentication methods through the Authentication Methods dialog box, and RRAS attempts them in decreasing order of security provided.
EAP
EAP stands for Extensible Authentication Protocol. EAP enables the client and server (or IAS, if used for RAS authentication) to negotiate an authentication method from a pool of methods supported by the server. Windows 2000 EAP provides support for two EAP types: EAP-MD5 CHAP and EAP-TLS. Both the client and authentication server must support the same EAP type for authentication through EAP, and you can install additional EAP types from third parties on a Windows 2000 server.
EAP-MD5 CHAP functions much the same as standard CHAP, but challenges and responses are sent as EAP messages. EAP-MD5 CHAP authenticates with user names and passwords. EAP-TLS, on the other hand, uses certificates to authenticate remote clients, using a secured private key exchange between client and server. EAP-TLS provides the most secure authentication of all the methods supported by Windows 2000.
Windows 2000 supports EAP-TLS only in domain environments (either mixed mode or native). RRAS on a standalone server does not support EAP-TLS.
Enabling RRAS to support EAP requires three steps. First, enable EAP as an authentication method in the Authentication Methods dialog box through the RRAS server’s properties. Then, if necessary, configure the remote client’s remote access policy to allow EAP, as explained later in the section “Remote Access Policy.” Finally, configure the client to use the appropriate EAP type. See the section “Configuring Outgoing Dial-Up Networking Connections” in this chapter for a detailed explanation.