Welcome to article number 23 in my 70-240 in 15 minutes a week series. This week's article covers remote access in Windows 2000. This includes a look at configuring the remote access portion of Routing and Remote Access, including configuration of dial-in and VPN services, as well as remote access policies and profiles. This article again falls under the Networking Services portion of the series.
The material to be covered in this article includes:
- Routing and Remote Access Overview
- Configuring Dial-in services
- Configuring VPN services
- DHCP Relay Agent
- Remote Access Policies
Routing and Remote Access Overview
One of the most powerful new tools included with Windows 2000 Server is the Routing and Remote Access (RRAS) tool. RRAS can configure Windows 2000 as a basic router (running routing protocols such as RIP and OSPF), a demand-dial router (via a standard dial-up or ISDN interface), a traditional remote access server (using dial-in PSTN or ISDN connections), a VPN server (allowing PPTP or L2TP connections), or a combination of the above. The remote access capabilities in RRAS are the focus of this article, with routing functionality to be covered in the next article in the series. This article will also cover some of the more advanced remote access capabilities, including the ability to configure remote access policies (which allow a much more granular way of granting access).
Prior to configuring Routing and Remote Access in Windows 2000, you will need to ensure that the service is both installed and enabled. Use the RRAS administrative tool to enable Routing and Remote Access, as shown below.
Choosing 'Configure and Enable Routing and Remote Access' will open the Routing and Remote Access Wizard, which allows you to easily set up the server for any of the configurations listed below, while still offering you the ability to configure the services manually (the last option), as shown below. Note that the downwards-pointing red arrow designates that the service is not running.
While the wizard provides a quick and easy way to get RRAS up and running, I suggest that you also attempt the manual configuration of the services to get a better idea of what is involved in setting each up.
Configuring Dial-in Services
Just as Windows NT Server 4.0 was often used for its RAS server capabilities, Windows 2000 continues the tradition and, in my opinion, makes the task significantly easier. Getting started involves familiarizing yourself with the interface, which can be a little tricky at first glance. Always start by accessing the properties of the RRAS server, which allow you to control whether the server will act as a router or as a remote access server; both are selected by default. The General tab of the server's properties is shown below:
To make this server a dial-in or VPN server only, the second option (Remote access server) must be chosen. The other options on this property sheet will be explored shortly.
For the purpose of configuring RRAS to support remote access, the second area that you'll need to look at is 'Ports', as shown below.
Note that both hardware ports (such as the 2 modem ports and the parallel port shown above) and 'virtual' ports, or those associated with allowing incoming VPN connections (also called WAN Miniports), are listed. In order to configure a port to allow (or disallow) an incoming connection, right-click 'Ports' and choose Properties. After doing this, choose the appropriate device (a modem in this case, since we're exploring dial-in connections) and choose the 'Configure' option. This will access the port configuration, as shown below:
If the device is only meant to be used for inbound or outbound connections, be sure to check or uncheck the appropriate boxes shown above. Note that you can also provide the phone number for this connection (which can subsequently be used in remote access policies) as well as the maximum number of ports (since some devices, such as WAN Miniports, can support multiple ports).
Right-clicking on a particular port, such as my modem port in the 'Ports' list, allows me to check the status of a given port.