
Chapter 11
Remote Connectivity
Certification Objectives
Remote Access Service
Dial-Up Networking for Windows NT and Windows 95 Clients
Support of LAN and WAN Protocols
Support for Connections across PSTN, ISDN, X.25 and the Internet
Using Multi-Modem Adapters with NT Server (Multilink)
Q & A
Remote Access Protocols
Serial Line Internet Protocol (SLIP)
Point-to-Point Protocol (PPP)
Windows NT Protocols over PPP
RAS and TCP/IP
RAS and NetBEUI
RAS and IPX
RAS PPTP
Q & A
Installing and Configuring Remote Access Service
Exercise 11-1: Installing a RAS device
Exercise 11-2: Installing the RAS
Exercise 11-3: Removing/Uninstalling RAS
Configuring RAS Ports
Exercise 11-4: Configuring port usage
Exercise 11-5: Configuring an ISDN adapter
Configuring RAS Network Settings
Exercise 11-6: Configuring a RAS server with TCP/IP
Exercise 11-7: Configuring a RAS server with IPX/SPX
Configuring RAS Security
Domain Account Database
Granting RAS Permissions to User Accounts
Exercise 11-8: Assigning RAS user permissions
Callback Security
Encrypted Data Authentication and Logons
Full Audit Capabilities
Support of Third-Party Intermediary Security Hosts
PPTP Filtering
Q & A
Configuring Dial-Up Networking Clients
TAPI Features of RAS
Exercise 11-9: Configuring DUN
Defining a Phonebook Entry
Exercise 11-10: Creating a Phonebook entry
Administering and Troubleshooting RAS
Exercise 11-11: Disconnecting a RAS session
From the Classroom
Where are all the RAS Administration features I really want?
Troubleshooting RAS
Event Viewer
DEVICE.LOG
DUN Monitor
Q & A
Certification Summary
Two-Minute Drill
Self Test
Answers to Chapter 11 Self Test

Chapter 11

Remote Connectivity

Certification Objectives

Remote Access Service
Remote Access Protocols
Installing and Configuring Remote Access Service
Configuring RAS Security
Configuring Dial-Up Networking Clients
Administering and Troubleshooting RAS

You are already familiar with how Windows NT Servers provide network services such as file and print over a local area network (LAN). This chapter explores the ability to use a Windows NT Server as a dial-in client, a dial-up server and an Internet gateway server. In the new global office, almost any local area network (LAN) you implement will undoubtedly have users requesting access to their e-mail and other network resources while at home or on the road. Installing the remote access service (RAS) on a Windows NT server can effectively meet those needs and more by making use of the Internet, phone lines, or digital communications.

Remote Access Service

Windows NT Server and Windows NT Workstation include a powerful communications feature called the Remote Access Service. Usually referred to as RAS (pronounced raz), or as a RAS Server, the remote access service provides computers with wide area network (WAN) inbound and/or outbound connectivity to your server and/or network. RAS supports connections across Public Switched Telephone Networks (PSTN), Integrated Services Digital Networks (ISDN), and X.25 (a type of packet-switching network). New to version 4.0, Windows NT can also be deployed as an Internet gateway server via new Point-to-Point Tunneling Protocol (PPTP) technology.

Exam Watch: Although Windows NT Workstation and Server have identical implementations of the RAS, Windows NT Server allows a whopping 256 simultaneous inbound connections while Windows NT Workstation allows only one.

Dial-Up Networking for Windows NT and Windows 95 Clients

In Microsoft Windows NT version 4.0, the Remote Access Service (RAS) client has been renamed to Dial-Up Networking (often referred to as DUN) and has been given a new look to be consistent with Microsoft Windows 95. This enhancement enables users to connect via DUN in Windows 95 or Windows NT 4.0, without having to learn and understand different interfaces.

DUN allows you to connect to any dial-up server using the Point-to-Point Protocol (PPP) as a transport mechanism, allowing for TCP/IP, NetBEUI or IPX/SPX network access over your analog modem, ISDN, or X.25 PAD devices. Windows NT can also be configured as a SLIP client connecting to a third-party SLIP server. By default, DUN setup is initiated after you install a modem on your computer. During configuration you will be prompted to create a phonebook entry that you can then use to store your connection settings for future use.

Windows NT version 4.0 has also added a check box so that you can log on via DUN when you enter your Ctrl+Alt+Del key sequence. When you check this box, the program displays the DUN phonebook where you can select an entry to dial, in order to log on. DUN then establishes a connection to the RAS server, to reach a domain controller for the specified domain to validate your logon request.

Support of LAN and WAN Protocols

As an integrated service within Windows NT, RAS supports the TCP/IP, IPX/SPX and NetBEUI protocols. When you configure a RAS server in Windows NT to allow network traffic from your dial-up clients, you can enable use of one or all of these protocols.

Support for Connections across PSTN, ISDN, X.25 and the Internet

The Remote Access Service allows for connections across several media. The most common of these is the Public Switched Telephone Network (PSTN). PSTN is the technical name for the medium you use every day to make phone calls and send faxes. Hardware requirements for RAS over PSTN are any combination of analog modems supported on the Windows NT Hardware Compatibility List (HCL) placed at the originating and receiving ends of an asynchronous connection. Most RAS connectivity you will be supporting in your networks will be over PSTN. Almost every new laptop or desktop computer nowadays comes pre-configured with a modem—just as every home, office, and hotel is equipped with a phone line.

ISDN (Integrated Services Digital Networks) connections take place over digital lines and provide faster and more reliable connectivity. ISDN has been a very successful and popular choice in some areas, but it has not caught on at all in others, primarily because of its cost and limited availability. The primary benefit of ISDN is its speed and reliability. ISDN is commonly found in two speeds: 64kbps and 128kbps. Connection speed is determined by how many ‘B’ channels your telephone company or Internet Service Provider (ISP) is willing to give you and/or how much you are willing to pay. A ‘B channel’ allocates 64kbps of bandwidth and the lesser-known ‘D channel’ allocates a small amount of bandwidth for error-correction and transmission verification. Often you will hear someone refer to his or her ISDN implementation as 2B+D, which indicates a 128kbps ISDN connection.

X.25 networks transmit data with a packet-switching protocol, bypassing noisy telephone lines. Clients can access an X.25 network directly by configuring DUN to use an X.25 PAD (packet assembler/disassembler). For more information on X.25, see your Windows NT documentation, the Windows NT Resource Kit, and Microsoft TechNet.

New to Windows NT 4.0 is the ability to utilize the new PPTP in your organization. Now, instead of having your organization absorb the costs of creating, managing, and maintaining a large RAS server or servers, including all of the necessary modems and other hardware, you can implement PPTP. PPTP provides a secure method to outsource the hardware and support portion of remote network access to Internet Service Providers (ISP). With the implementation of PPTP, a company needs only to set up a RAS server with Internet access and manage user accounts and permissions. The company can then use a dedicated service provider, such as a telephone company or local ISP, to manage the dial-in lines, modems, ISDN cards, and so on. For example, a user would dial a modem pool maintained by their local service provider. Once connected to the Internet, the user would then establish a second DUN session, requesting the TCP/IP address of your RAS server across the Internet. This connection provides the equivalent of the remote network access they would have had by directly calling the RAS server, all at greatly reduced hardware and support cost. PPTP is also an excellent solution for minimizing long distance charges and eliminating the need for a 1-800 number.

Using Multi-Modem Adapters with NT Server (Multilink)

RAS Multilink combines two or more physical links, most commonly analog modems, into a logical "bundle." This bundle acts as a single connection to increase the available bandwidth/speed of your link. Multilink requires that you have multiple WAN adapters installed on both the client and the serving computer and that both are configured to use Multilink. For example, if ISDN were not available in your area and you required more bandwidth than a typical 28.8kbps modem could provide, you could combine four 28.8kbps modems on your workstation and four modems on the receiving RAS server for a combined aggregate bandwidth of 115.2kbps. It's a reasonable solution indeed, considering the next option is an expensive and sometimes unavailable 128kbps 2B+D ISDN link. Now imagine being able to Multilink multiple ISDN lines. You can! Remote Access Service performs PPP Multilink dialing over multiple ISDN and modem lines.

If a client is using a Multilinked phonebook entry to dial to a server that is enforcing callback (discussed later under RAS Security), only one of the Multi-linked devices will be called back. Only one callback number can be stored in a user's RAS permissions, allowing only one device to connect. All other devices will fail to complete the connection, and the client loses Multilink functionality. Multilink is callback-compatible only if the Multi-linked phonebook entry uses both channels for ISDN and both channels are using the same phone number.

Q & A

ISDN is not available in our locality. What can we do to increase our bandwidth to those kinds of speeds without spending lots of money?
Install additional modems on your clients and servers and take advantage of Multilink, which will allow you to bundle together multiple modems into one connection.

I want to have users connect through an ISP and then establish a connection to my network through the Internet.
Use PPTP. Configure a RAS PPTP server and enable PPTP on your DUN client computers.

I have a Windows NT Workstation that I want to install a RAS server on. I expect to have up to ten simultaneous users connecting to it. What are my options?
Windows NT Workstation only supports one inbound RAS connection. You will need to install a RAS server on a Windows NT Server or reinstall Windows NT Server on your NT Workstation.

Remote Access Protocols

RAS connections to your network are established over the Serial Line Internet Protocol (SLIP) or the Point-to-Point Protocol (PPP). PPP is an improvement over the original SLIP specification and is the primary choice for most Microsoft RAS implementations. PPP is fully supported by the Remote Access Service in both a server and client role. SLIP is only supported under Windows NT as a dial-up client to a third party or UNIX SLIP server.

Serial Line Internet Protocol (SLIP)

The Serial Line Internet Protocol (SLIP) was developed to provide TCP/IP connections over low-speed serial lines. Because SLIP is plagued by limitations such as lack of support for WINS and DHCP, Microsoft has chosen PPP for its Remote Access standard. However, Microsoft has also provided SLIP support for Windows NT dial-up networking, giving clients access to TCP/IP and Internet services through a SLIP server. Often, SLIP connections rely on text-based logon sessions and require additional scripting by a host or Internet Service Provider (ISP) to automate the logon process. This, combined with a lack of support for NetBEUI and IPX/SPX, has been the primary reason for the popularity of PPP and the decrease in SLIP connectivity in Microsoft networks.

Point-to-Point Protocol (PPP)

PPP enables DUN clients and RAS servers to interoperate in complex networks. PPP supports sending TCP/IP, NetBEUI, IPX/SPX, AppleTalk and DECnet data packets over a point-to-point link. The Microsoft RAS implementation of PPP supports the standard Windows NT protocols: TCP/IP, NetBEUI and IPX/SPX.

Windows NT Protocols over PPP

RAS and TCP/IP

With the booming popularity of the Internet, the Transmission Control Protocol/Internet Protocol (TCP/IP) is commonly found in most new and existing networks. On a TCP/IP network, unique TCP/IP addresses are given to every host. This also applies to all hosts connecting through RAS. Typically, any computer connecting to a RAS server via PPP on a Microsoft TCP/IP network is automatically provided an IP address from a static address pool provided by the RAS server or allocated dynamically from a DHCP server. A RAS administrator may also choose to permit users to request a specific address by entering a valid IP address in their DUN configurations.

As in any TCP/IP LAN, most users do not want to have to remember all sorts of complicated IP addresses. Name resolution for IP addresses helps ease network naming in a TCP/IP environment. All name resolution methods available on a Windows NT network are also available to clients connecting through RAS. A RAS server can take advantage of the Windows Internet Name Service (WINS), broadcast name resolution, the Domain Name System (DNS), HOSTS and LMHOSTS files. DUN clients are assigned the same WINS and DNS servers that are assigned to the RAS server unless you modify the registry to override them. DUN clients are also able to select their own WINS and DNS servers by specifying them in their DUN settings. If WINS or DNS is not available on your network, DUN clients can use HOSTS or LMHOSTS files configured locally for name resolution.

RAS and NetBEUI

NetBEUI is a small and fast network protocol commonly found in small, local area networks with 1 to 200 users. Like TCP/IP and IPX/SPX, NetBEUI is supported by RAS allowing NetBEUI packets access through your RAS server to your network. Once installed, the only additional configuration NetBEUI requires is making the decision to allow remote users to access your entire network or just the RAS server the user is connecting to. The RAS server NetBEUI Configuration screen is illustrated in Figure 11-1.

Figure 11-1: The RAS server NetBEUI Configuration screen

RAS and IPX

IPX is the protocol introduced by Novell and implemented in most Netware environments. Like TCP/IP, it is a routable protocol—making it very popular for large enterprise-wide networks. A Windows NT RAS server behaves as an IPX router and Service Advertising Protocol (SAP) agent for DUN clients. Once RAS is configured with IPX, file and print services, as well as the use of Windows Sockets applications, are available to DUN clients.

When a DUN client connects to an IPX network through a RAS server, an IPX network number is provided to the client by RAS and SAP services are provided by the RAS server. The IPX network number can be automatically generated by the RAS server using the Netware Router Information Protocol (RIP). Manual IPX network number assignments can also be configured within RAS. However, when assigning an IPX network number to a RAS server, be sure not to select any numbers already in use on your network. A single network number can be assigned to all DUN clients on your RAS server to minimize RIP announcements.

RAS PPTP

Windows NT 4.0 introduces direct remote access support to the Internet with the implementation of the Point-to-Point Tunneling Protocol (PPTP). Using PPTP, a user can establish a connection to the Internet through a local ISP (Internet Service Provider). Once connected to the Internet, the user initiates a connection to your network by requesting the IP address of the RAS server. This is referred to as Virtual Private Networking (VPN). PPTP offers the following advantages over other WAN solutions:

Lower Transmission Costs: Connections made over the Internet will be cheaper for users outside your local area. A user simply connects to an ISP anywhere in the world and connectivity is then carried out over the Internet. Local ISP charges are far more reasonable than long-distance rates or a dedicated 800 number.
Lower Hardware Costs: For the server side of a RAS PPTP implementation, a server needs only to have a connection to the Internet, eliminating the need for large modem pools.
Lower Administrative Overhead: Because Internet Service Providers take over the costs of ownership of dial-up connections, your only considerations as network administrator are maintaining user accounts, security and RAS dial-in permissions.
Security: PPTP filtering can process TCP/IP, IPX and NetBEUI packets. PPTP acts as a secure, encrypted tunnel allowing for safe transportation of your data over the Internet.

Installing the PPTP on your server is a three-step process. First, establish connectivity to the Internet with your RAS server. Next, install the PPTP as you would any other protocol in Windows NT and indicate the number of Virtual Private Networks you want to implement. Finally, apply any PPTP filtering you require to the TCP/IP protocol by choosing the Advanced button in the TCP/IP protocol settings. Enabling PPTP filtering will effectively remove all other protocol support on that adapter, securing your network from intruders.
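The effect of PPTP filtering described above is easiest to see as a packet classifier that admits only the two kinds of traffic PPTP itself uses and drops everything else. The following Python is an added example, not code from this chapter or from Windows NT: it assumes the PPTP control channel runs on TCP port 1723 and the tunnelled PPP frames travel as IP protocol 47 (GRE), which is how PPTP is specified, and it builds its own sample packets (addresses from the 192.0.2.0/24 documentation range) rather than reading real captures.

```python
import struct
from dataclasses import dataclass

# PPTP as specified uses a TCP control connection on port 1723 and carries the
# tunnelled PPP frames inside GRE (IP protocol 47). Neither value appears in the
# chapter text; both come from the PPTP specification (RFC 2637).
PPTP_CONTROL_PORT = 1723
IPPROTO_GRE = 47
IPPROTO_TCP = 6


@dataclass
class Verdict:
    allowed: bool
    reason: str


def pptp_filter(packet: bytes) -> Verdict:
    """Classify a raw IPv4 packet the way a PPTP-only filter on the adapter would.

    Only GRE datagrams and TCP segments to or from port 1723 are admitted.
    Everything else (NetBIOS/SMB, HTTP, ICMP, any other protocol) is dropped,
    which is why enabling the filter removes all other protocol support on
    that adapter.
    """
    if len(packet) < 20:
        return Verdict(False, "truncated IPv4 header")
    version = packet[0] >> 4
    if version != 4:
        return Verdict(False, f"IP version {version} is not IPv4")
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes, options included
    if ihl < 20 or len(packet) < ihl:
        return Verdict(False, "bad IPv4 header length")
    protocol = packet[9]
    if protocol == IPPROTO_GRE:
        return Verdict(True, "GRE: tunnelled PPP payload")
    if protocol == IPPROTO_TCP:
        if len(packet) < ihl + 4:
            return Verdict(False, "truncated TCP header")
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
        if PPTP_CONTROL_PORT in (sport, dport):
            return Verdict(True, "TCP 1723: PPTP control connection")
        return Verdict(False, f"TCP {sport}->{dport} is not PPTP control traffic")
    return Verdict(False, f"IP protocol {protocol} is neither GRE nor TCP")


# --- constructed sample packets (not captures from any real network) ----------

def ipv4_packet(protocol: int, payload: bytes) -> bytes:
    """Build a minimal 20-byte IPv4 header (no options, zero checksum) plus payload."""
    src = bytes([192, 0, 2, 10])   # documentation-range addresses, constructed
    dst = bytes([192, 0, 2, 1])
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), 0, 0, 64, protocol, 0, src, dst)
    return header + payload


def tcp_syn(sport: int, dport: int) -> bytes:
    """Build a 20-byte TCP header with only the SYN flag set."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)


SAMPLE_PACKETS = {
    "gre_tunnel":   ipv4_packet(IPPROTO_GRE, b"\x30\x01\x88\x0b" + b"\x00" * 8),
    "pptp_control": ipv4_packet(IPPROTO_TCP, tcp_syn(40000, PPTP_CONTROL_PORT)),
    "smb_session":  ipv4_packet(IPPROTO_TCP, tcp_syn(40001, 139)),
    "icmp_echo":    ipv4_packet(1, b"\x08\x00\x00\x00\x00\x01\x00\x01"),
    "runt":         b"\x45\x00\x00",
}


def filter_report(packets=SAMPLE_PACKETS) -> dict:
    """Return {name: allowed} for each sample packet, the view an auditor wants."""
    return {name: pptp_filter(pkt).allowed for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, pkt in SAMPLE_PACKETS.items():
        v = pptp_filter(pkt)
        print(f"{name:13} {'PASS' if v.allowed else 'DROP'}  {v.reason}")
```

The point to take from the report is that the NetBIOS session and the ICMP echo are dropped even though TCP/IP is still bound to the adapter: once the filter is on, the only way onto the LAN through that interface is inside an authenticated PPTP tunnel, which is what the text means by securing the adapter from intruders.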

Once PPTP is installed on the server, you will be able to establish a connection to it over the Internet with a PPTP enabled client, such as Windows NT Workstation. To initiate a VPN, a user will first need to use DUN to dial an ISP and establish an Internet connection. The user would then use DUN again to ‘Dial’ the RAS server using the IP address of your RAS server as the phone number and the Virtual Private Network number as the port.

Q & A

My users are currently using third-party SLIP client software to connect to an existing UNIX server at my site. I want to replace the UNIX dial-up server with a Windows NT RAS server. Are there any additional considerations I should make?
If you implement a Windows NT Server as your dial-up server, you will need to install PPP client software on your users' workstations. RAS does not provide a SLIP server component. If your users are using Windows 95 or Windows NT Workstation, consider installing DUN on those machines.

Users on my network currently connect to my RAS server using the NetBEUI protocol. I want these users to be able to browse Internet web sites through my network's current Internet gateway.
Install TCP/IP on the users' workstations. TCP/IP is the language we speak on the Internet and users will need it if they want to browse Internet resources.

Installing and Configuring Remote Access Service

A RAS server can be installed during the installation of Windows NT or at any other time by adding it as a network service. Prior to installing RAS, you should be aware of the following:

Verify that the modems you are using are supported on the Windows NT Hardware Compatibility List (HCL). Make sure you have the current driver software for those modems.
Know the role of the RAS server and its port configurations. Will this server be used to dial in, dial out or both?
Know what protocols you require for network support and install them on your server prior to installing RAS.
Consider any security settings such as callback and RAS user permissions.

Before installing RAS you may also want to consider installing your modems first. If your modems are working prior to the installation of RAS, you can eliminate most hardware issues when troubleshooting RAS connectivity problems.

Exercise 11-1: Installing a RAS device

  1. To install a modem in Windows NT, double-click the Modems icon in the Control Panel.
  2. If a modem is already present on your system, the Modems Properties screen will open. If no modems are currently installed, the Install New Modem wizard, shown in Figure 11-2 will open.

Figure 11-2: The Install New Modem wizard screen

  3. Choose Next to have Windows NT attempt to detect your modem.
  4. If Windows NT finds your modem, you can choose Finish to complete the setup of your modem. If a modem was not detected, you can then choose to install a modem from the list of Windows NT supported modems. You can also choose to load drivers for your modem from disk (illustrated in Figure 11-3).

Figure 11-3: The Install New Modem screen. You can select your modem make and model from this list or install supported drivers from a vendor-supplied disk

  5. Once you have selected a modem, click Next. You then have the opportunity to choose what port you want to install the modem on.
  6. Click Finish to exit the modem installation screen. You will be returned to the Modem Properties screen (shown in Figure 11-4) where you can add another modem or modify your current selections.

Figure 11-4: Modem Properties/General Tab

If your modem is not listed in the supported modems list, you can modify the MODEM.INF file and create your own modem type. Simply add the name of your modem in brackets followed by any modem initialization strings that your particular modem requires. These commands are commonly found in your modem's documentation.

Exercise 11-2: Installing the RAS

  1. To install RAS, double-click the Network icon in the Control Panel. This will open the Network Settings screen.
  2. Select the Service tab and press the Add button.
  3. In the Select Network Service screen, choose Remote Access Service and click OK.
  4. The program will request the location of your Windows NT Server or Workstation setup files. Insert your Windows NT CD-ROM and supply the information needed to access it. Click OK.
  5. After the files required for RAS have been copied to your system, the RAS setup program will prompt you for the first device you want RAS to initialize. If you don’t already have a RAS-capable device (such as a modem) installed, you can select the Install Modem or Install X.25 Pad buttons to configure new devices. When you select the Install Modem button, the Install New Modem wizard will walk you through the modem hardware installation.
  6. Once RAS setup has a valid device configured for use with RAS, you may configure each RAS port as shown in Figure 11-5, adding support for the network protocols you require.

After you have successfully installed RAS, you will need to restart your system for the changes to take effect.

Figure 11-5: The Remote Access Service Setup screen. From here you can add and remove ports, configure port usage and alter network configuration properties

Exercise 11-3: Removing/Uninstalling RAS

  1. If you later decide to change the role of your server or workstation and want to remove RAS from the system, double-click the Network icon in Control Panel to open the network Configuration screen.
  2. Select the Services tab, select Remote Access Service from the list of installed services and click the Remove button. Choose Yes to accept the warning that RAS will be permanently removed from your system.
  3. Click Close. When prompted to restart your computer, click Yes.

Removing the Remote Access Service will not remove any modems you may have installed. You can remove modems by selecting the Modems icon in Control Panel, selecting a modem and pressing the Remove button. If you remove a modem from your system, you will be prompted to reconfigure DUN.

Configuring RAS Ports

After you have installed a modem, ISDN device or X.25 PAD, you can configure the RAS port for each device. To configure a port, open RAS setup, choose a port and press the Configure button. You can also install a new modem directly from this dialog box by selecting the Add button. Once the ports have been configured for RAS you can then identify which role each port will play. Ports can be configured for dialing out, receiving calls, or both, as shown in Figure 11-6. If you set the port to receive calls, you may specify whether to give callers access to the entire network or restrict access to the RAS server only.

Figure 11-6: The Port Usage Configuration screen. Each port can be configured here to be used as a dial-out client, as a server (receive calls), or both

Exercise 11-4: Configuring port usage

  1. In the Port Usage Configuration screen (Figure 11-6), specify how the port is to be used. Options are: dial out only, receive calls only, or both.
  2. Click OK when you are finished. Calls cannot be received on a port until RAS has been started.

Exercise 11-5: Configuring an ISDN adapter

  1. To configure or install a new ISDN adapter, choose the Network icon in Control Panel or right-click the Network Neighborhood icon on your desktop and choose Properties.
  2. Choose the Adapters tab and click Add to install a new adapter or click Properties to modify your current adapter.
  3. Configure your new ISDN port for dial out only, receive calls only or dial out and receive calls.

Configuring RAS Network Settings

When configuring RAS network settings such as protocol usage or encryption settings, keep in mind that any configuration settings you make will apply to all RAS operations for all RAS-enabled ports (see Figure 11-7). For example, if you were to enable NetBEUI support for Dial-Out settings on your server, all RAS capable devices on that server will support NetBEUI. The Remote Access Service, when installed on a RAS computer, can access a LAN as a server and as a client. For each role, you must configure how you want each port to be utilized. When configuring Dial-Out protocols, keep in mind that any protocols you do not enable in RAS Network Configuration will be unavailable to you when you later configure a phone book entry for dialing out. When setting up RAS to service remote clients, you must configure each protocol carefully so that RAS protocol settings don’t conflict with communications on the rest of your network. When choosing an encryption method, always apply the highest level of encryption possible, keeping in mind the encryption capabilities of your clients.

Figure 11-7: The RAS Network Configuration Screen

Exercise 11-6: Configuring a RAS server with TCP/IP

  1. When configuring a RAS server to use TCP/IP for network connections, open the Control Panel and double-click the Network icon to start the network setup program.
  2. On the Services tab, select the Remote Access Service and click the Properties button.
  3. In the Remote Access Setup dialog box, click the Network button.
  4. In the Server Settings box, make sure the TCP/IP check box is selected (if TCP/IP is installed) and then click Configure. See Figure 11-8 for an illustration of the RAS Server TCP/IP Configuration screen.
Figure 11-8: The RAS server TCP/IP Configuration screen

  5. In the RAS Server TCP/IP Configuration dialog box, select whether to allow TCP/IP clients to access the entire network or the RAS server only.
  6. If a DHCP server is available on your network, select ‘Use DHCP to assign remote TCP/IP addresses.’ This service dynamically assigns valid TCP/IP addresses to your dial-up clients.
  7. If a DHCP server is not available, select Use static address pool. To configure a pool of valid and available addresses for your network, enter the beginning and ending range of TCP/IP addresses that you wish to allocate to your dial-up clients. You must assign at least two addresses. If you assign a large range of addresses, you can reserve some addresses from this list by adding them to the excluded ranges list.
  8. If you prefer to have users specify a TCP/IP address in their DUN configuration, select the Allow remote workstations to request a predetermined IP address check box.
  9. Click OK.
  10. In the Network Configuration dialog box, click OK.
  11. In the Remote Access Setup dialog box, complete any additional port configurations and then click Continue. You must restart your server for these changes to take effect.

Exercise 11-7: Configuring a RAS server with IPX/SPX

  1. To configure a RAS server to use IPX for network connections, open Control Panel and double-click the Network icon.
  2. The network setup screen will appear. On the Services tab, select the Remote Access Service and then click the Properties button.
  3. In the Remote Access Setup dialog box, click the Network button.
  4. In the Server Settings box, make sure the IPX check box is selected (if IPX is installed) and then click Configure. (See Figure 11-9 for an illustration of the RAS Server IPX Configuration screen).
Figure 11-9: The RAS Server IPX Configuration screen

  5. In the RAS Server IPX Configuration screen, select whether to allow IPX clients to access the entire network or the RAS server only.
  6. Choose ‘Allocate network numbers automatically’ if you want to allow RAS to use the Router Information Protocol (RIP) to determine an IPX network number that is not in use on your IPX network. If you want more control over IPX network number assignments, choose ‘Allocate network numbers’ and type your first network number in the From box. RAS will automatically determine the number of available ports and insert the ending network number for you.
  7. Select ‘Assign same network number to all IPX clients’ if you want to assign the same network number to all connected IPX clients.
  8. Select the ‘Allow remote clients to request IPX node number’ check box to allow the remote client to request its own IPX node number in their DUN configuration rather than use the RAS server-supplied node number.
  9. Click OK.
  10. In the Network Configuration dialog box, click OK. You must restart your server for these changes to take effect.
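The address-planning rules in Exercise 11-6 (a static TCP/IP pool with a beginning and ending address, excluded ranges, and a minimum of two addresses) and in Exercise 11-7 (a manual IPX range that starts at the number you type and must not collide with numbers already on the LAN) are easy to get wrong by hand. The following Python is an added example, not code from this chapter or from Windows NT, that checks both plans before you type them into the dialogs. It assumes that a manual IPX allocation takes one consecutive network number per RAS port and that network numbers 0 and 0xFFFFFFFF are reserved; the LAN-overlap check on the TCP/IP pool and all sample values are this example's own additions.

```python
from ipaddress import IPv4Address, IPv4Network
from typing import Iterable, List, Optional, Tuple

# IPX network numbers are 32-bit values; treating 0 and 0xFFFFFFFF as reserved
# is this example's assumption, not a rule stated in the chapter.
IPX_FIRST_VALID = 0x00000001
IPX_LAST_VALID = 0xFFFFFFFE


def ras_static_pool(begin: str, end: str,
                    excluded: Iterable[Tuple[str, str]] = (),
                    lan_in_use: Iterable[str] = (),
                    lan_subnet: Optional[str] = None) -> List[str]:
    """Compute the addresses a RAS static pool can hand to dial-up clients.

    Mirrors Exercise 11-6: a beginning and ending address, optional excluded
    ranges, and at least two addresses in the pool. The lan_in_use and
    lan_subnet checks are extra sanity checks this example adds so that the
    pool really consists of "valid and available addresses for your network".
    """
    start, stop = IPv4Address(begin), IPv4Address(end)
    if stop < start:
        raise ValueError("ending address precedes beginning address")
    pool = [IPv4Address(n) for n in range(int(start), int(stop) + 1)]
    if len(pool) < 2:
        raise ValueError("RAS requires a static pool of at least two addresses")
    if lan_subnet is not None:
        net = IPv4Network(lan_subnet)
        outside = [str(a) for a in pool if a not in net]
        if outside:
            raise ValueError(f"addresses outside {lan_subnet}: {outside}")

    reserved = set()
    for lo, hi in excluded:
        lo_a, hi_a = IPv4Address(lo), IPv4Address(hi)
        if lo_a < start or hi_a > stop or hi_a < lo_a:
            raise ValueError(f"excluded range {lo}-{hi} is not inside the pool")
        reserved.update(IPv4Address(n) for n in range(int(lo_a), int(hi_a) + 1))

    in_use = {IPv4Address(h) for h in lan_in_use}
    conflicts = sorted(str(a) for a in pool if a in in_use and a not in reserved)
    if conflicts:
        raise ValueError(f"pool overlaps addresses already in use on the LAN: {conflicts}")

    usable = [str(a) for a in pool if a not in reserved]
    if len(usable) < 2:
        raise ValueError("exclusions leave fewer than two usable addresses")
    return usable


def ipx_network_numbers(first: int, ports: int, in_use: Iterable[int] = (),
                        same_for_all: bool = False) -> List[int]:
    """Plan a manual IPX network number allocation for a RAS server.

    Exercise 11-7 says RAS takes the first number you type and fills in the
    ending number from the number of ports; this example assumes that means
    one consecutive number per port. With same_for_all (the 'Assign same
    network number to all IPX clients' option) a single number serves every
    client. Any number already in use on the LAN is rejected, as the text warns.
    """
    if ports < 1:
        raise ValueError("a RAS server needs at least one port")
    count = 1 if same_for_all else ports
    last = first + count - 1
    if first < IPX_FIRST_VALID or last > IPX_LAST_VALID:
        raise ValueError("IPX network numbers must lie in 0x00000001..0xFFFFFFFE")
    planned = list(range(first, last + 1))
    taken = set(in_use)
    clashes = sorted(n for n in planned if n in taken)
    if clashes:
        raise ValueError("network numbers already in use on the LAN: "
                         + ", ".join(f"{n:08X}" for n in clashes))
    return planned


if __name__ == "__main__":
    # Constructed sample values (documentation address range, made-up IPX numbers).
    print(ras_static_pool("192.0.2.100", "192.0.2.110",
                          excluded=[("192.0.2.105", "192.0.2.106")],
                          lan_in_use=["192.0.2.1", "192.0.2.50"],
                          lan_subnet="192.0.2.0/24"))
    print([f"{n:08X}" for n in ipx_network_numbers(0x1000, 4, in_use={0x2000})])
```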

Exam Watch: Gateway Services For Netware (GSNW) is a Windows NT Server network service that attaches to NetWare servers. Files, print queues, and some NetWare utilities on NetWare servers are then available to all clients, even though they may not be running a NetWare-compatible protocol or client. This applies as well to DUN clients dialing in to a RAS server.

Configuring RAS Security

To connect to a RAS server, clients will always need a valid Windows NT user account and RAS dial-in permission enabled. The integrated Domain security designed into Windows NT, as well as individual RAS user permissions, callback security, data encryption, auditing, support for third-party intermediary security hosts, and PPTP filtering combine to provide additional RAS security and functionality.

Domain Account Database

The single point of logon implementation of Windows NT extends to RAS users. Access to RAS can be granted to all Windows NT user accounts. The ability to use resources throughout the domain and any trusted domains is business as usual after Windows NT authentication occurs. Let's look at a brief scenario. By day, Wendy is connected locally to the network with her laptop via an installed network card and patch cable. By night, she connects with her laptop, by modem, through RAS to the network. In either situation, once she gives her Windows NT username and password, she is granted access to all network services.

Granting RAS Permissions to User Accounts

After installing RAS on your server, you will need to grant RAS permission to your users. To grant RAS permission, you can use either User Manager for Domains or the Remote Access Admin utility. When using the Remote Access Admin utility, permissions are set by choosing the Permissions option from the Users drop-down list. This opens the Remote Access Permissions screen shown in Figure 11-10. When using User Manager for Domains, permissions for RAS are granted or denied by selecting the properties of a user and pressing the Dialin button. This will open the Dialin Information screen for that user, as shown in Figure 11-11. The callback feature can also be configured here.

Figure 10: The Remote Access Permissions screen is opened from within the Remote Access Admin program. This screen allows you to assign users the permission to use RAS and configure individual callback settings

Figure 11: The Dialin Information screen is presented when you select a user in User Manager for Domains and select the Dialin button. You can allow or revoke the ability for a user to use RAS and assign individual callback settings here

Exercise 11-8: Assigning RAS user permissions

  1. Start the Remote Access Admin from the Administrative Tools group.
  2. Select the Remote Access Server you want to administer.
  3. Select Permissions from the Users drop-down list.
  4. Enable the checkbox ‘Grant Dialin Permission to User’ to grant dialin permission for individual users, or select the ‘Grant All’ or ‘Revoke All’ buttons to grant or remove permissions for all users on the RAS server.
  5. Apply any callback security options.
  6. Click OK.
  7. Exit the Remote Access Admin program.

Callback Security

Another security feature implemented within RAS is callback. When a user is configured to use callback and dials in to a RAS server, the server disconnects the session, and then calls the client back at a preset telephone number or at a number provided during the initial call. Callback gives you as the administrator the comfort of knowing that successful connections to your RAS server are only coming from trusted sites, such as a user's home. There are three options for callback:

No call back - No callback is required for the user.
Set by Caller - The server prompts the user to type in a number at which to be called back.
Preset To - The administrator determines the number where the user will be reached. This type of callback provides an additional level of security by ensuring that the user is calling from a known location.

Exam Watch: If a client is Multilink-enabled and they are configured for callback on the RAS server, the call will go to only one of the Multilink devices. The RAS Admin utility allows the administrator to store only one number for callback, so Multilink functionality is lost.

Encrypted Data Authentication and Logons

The Remote Access Service supports a number of methods to encrypt logons and the subsequent connections to your network. Encrypted authentication methods include the simple Password Authentication Protocol (PAP), which permits clear-text passwords, and the Shiva Password Authentication Protocol (SPAP), used by Windows NT workstations when connecting to a Shiva LAN Rover. SPAP can also be used by Shiva clients when connecting to a Windows NT RAS server. MS-CHAP is the Microsoft implementation of the Challenge Handshake Authentication Protocol (CHAP), which provides encrypted authentication and can also be configured to provide data encryption. MS-CHAP is used by Microsoft RAS servers and clients to provide the most secure form of encrypted authentication.

The following RAS encryption selections are shown in Figure 11-12:

Allow any authentication including clear text - This option permits users to connect using any authentication method requested by the client, including MS-CHAP, SPAP and PAP. It is most commonly used when you have dial-up clients using non-Microsoft client software.
Require encrypted authentication - This option permits connections using any authentication method requested by the client except PAP and requires encrypted passwords from all clients.
Require Microsoft encrypted authentication - This option permits connections using the MS-CHAP authentication method only. Selecting the Require data encryption check box will also ensure that all data sent over the wire is encrypted.

Figure 12: The Network Configuration screen allows you to select the dial-in and dial-out protocols you want to implement and their specific settings. Also configured here are encryption methods and Multilink capability
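The difference between PAP and CHAP described above, as an added example that is not part of the original chapter: a small Python simulation of both exchanges showing what each puts on the wire. It implements standard MD5 CHAP as defined in RFC 1994 (MS-CHAP uses the NT password hash instead of MD5 but has the same challenge/response shape); the account name and secret are constructed.

```python
import hashlib
import hmac
import os

# Constructed credential store: a RAS server would consult the domain account
# database instead. CHAP needs both ends to hold the same secret.
ACCOUNTS = {"wendy": b"correct horse battery staple"}


def pap_client_request(username, password):
    """PAP Authenticate-Request (RFC 1334): the password itself is the payload."""
    return {"code": "Authenticate-Request", "peer_id": username, "password": password}


def pap_server_check(request):
    """PAP check: straight comparison, so anyone on the line saw the password."""
    secret = ACCOUNTS.get(request["peer_id"])
    return secret is not None and hmac.compare_digest(request["password"], secret)


def chap_response_value(identifier, secret, challenge):
    """RFC 1994 section 4.1: Response Value = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_server_challenge(identifier, challenge=None):
    """CHAP Challenge packet. The value must be unpredictable and fresh for every
    attempt; os.urandom supplies it unless a fixed value is passed in for testing."""
    return {"code": "Challenge", "id": identifier,
            "value": challenge if challenge is not None else os.urandom(16)}


def chap_client_response(challenge_pkt, username, secret):
    """CHAP Response packet: the account name and the hash, never the secret."""
    return {"code": "Response", "id": challenge_pkt["id"], "name": username,
            "value": chap_response_value(challenge_pkt["id"], secret,
                                         challenge_pkt["value"])}


def chap_server_verify(challenge_pkt, response_pkt):
    """The server recomputes the hash from its own copy of the secret and compares."""
    if response_pkt["id"] != challenge_pkt["id"]:
        return False  # response does not answer this challenge
    secret = ACCOUNTS.get(response_pkt["name"])
    if secret is None:
        return False
    expected = chap_response_value(challenge_pkt["id"], secret, challenge_pkt["value"])
    return hmac.compare_digest(expected, response_pkt["value"])


def secret_visible_on_wire(packets):
    """Eavesdropper's view of a trace: does any packet field equal a stored secret?"""
    secrets = set(ACCOUNTS.values())
    return any(v in secrets for p in packets for v in p.values() if isinstance(v, bytes))


def replay_is_rejected():
    """A CHAP response captured from one call is useless against the next
    challenge, because the new challenge value changes the expected hash."""
    first = chap_server_challenge(1)
    captured = chap_client_response(first, "wendy", ACCOUNTS["wendy"])
    second = chap_server_challenge(2)
    replayed = dict(captured, id=second["id"])  # re-tag the old hash with the new id
    return not chap_server_verify(second, replayed)


if __name__ == "__main__":
    pap = pap_client_request("wendy", ACCOUNTS["wendy"])
    print("PAP accepted:", pap_server_check(pap),
          "secret on wire:", secret_visible_on_wire([pap]))
    ch = chap_server_challenge(7)
    resp = chap_client_response(ch, "wendy", ACCOUNTS["wendy"])
    print("CHAP accepted:", chap_server_verify(ch, resp),
          "secret on wire:", secret_visible_on_wire([ch, resp]),
          "replay rejected:", replay_is_rejected())
```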

Full Audit Capabilities

You will find system, application and security events recorded in the Windows NT Event Viewer. As an integrated component of Windows NT, RAS also makes use of this utility. The Remote Access Service uses Event Viewer to log hardware malfunctions, service starts and stops, port problems, and failed or successful login attempts by users. All events can be viewed in Event Viewer from anywhere on the network, assuming proper privileges have been granted.
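One way to review the logon events described above, as an added example that is not part of the original chapter: Python detection logic over constructed RAS dial-in logon records. The record layout, accounts, ports and times are all assumed; a real pass would read the events out of the Event Log.

```python
# Added example, not from the chapter: a review pass over RAS logon audit
# records of the kind the chapter says RAS writes to the Event Log. Record
# layout and all names, times and ports below are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "timestamp|port|user|outcome", one dial-in logon per line.
SAMPLE_EVENTS = """\
1998-03-02 22:01:10|COM1|wendy|failure
1998-03-02 22:01:40|COM1|wendy|failure
1998-03-02 22:02:15|COM1|wendy|success
1998-03-02 23:10:02|COM2|bob|failure
1998-03-02 23:10:31|COM2|alice|failure
1998-03-02 23:11:05|COM2|carol|failure
1998-03-02 23:11:39|COM2|dave|failure
1998-03-03 01:30:00|COM3|administrator|failure
1998-03-03 01:30:25|COM3|administrator|failure
1998-03-03 01:30:50|COM3|administrator|failure
1998-03-03 01:31:20|COM3|administrator|failure
1998-03-03 08:15:00|COM1|bob|success
"""

WINDOW = timedelta(minutes=5)

def parse_events(text):
    """Parse the constructed record format into dicts sorted by time."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, port, user, outcome = line.split("|")
            events.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                           "port": port, "user": user.lower(), "outcome": outcome})
    return sorted(events, key=lambda e: e["time"])

def _failures_by(events, key):
    """Group failed logons by account ("user") or by modem port ("port")."""
    groups = defaultdict(list)
    for e in events:
        if e["outcome"] == "failure":
            groups[e[key]].append(e)
    return groups

def _in_window(group, anchor, window):
    """Events of one group that fall inside `window` starting at `anchor`."""
    return [e for e in group if anchor["time"] <= e["time"] <= anchor["time"] + window]

def accounts_under_attack(events, window=WINDOW, threshold=3):
    """Accounts with at least `threshold` failed dial-in logons inside `window`."""
    return {user for user, group in _failures_by(events, "user").items()
            if any(len(_in_window(group, a, window)) >= threshold for a in group)}

def ports_guessing_accounts(events, window=WINDOW, threshold=4):
    """Ports on which at least `threshold` distinct accounts failed inside
    `window`: one modem line walking through usernames."""
    return {port for port, group in _failures_by(events, "port").items()
            if any(len({e["user"] for e in _in_window(group, a, window)}) >= threshold
                   for a in group)}

def successes_after_failures(events, window=WINDOW, min_failures=2):
    """Successful logons preceded by `min_failures` failures on the same account
    inside `window`. Usually a mistyped password, but also what a guessed one
    looks like once it lands, so worth confirming with the user."""
    hits = []
    for i, e in enumerate(events):
        if e["outcome"] == "success":
            prior = [p for p in events[:i] if p["user"] == e["user"]
                     and p["outcome"] == "failure" and e["time"] - p["time"] <= window]
            if len(prior) >= min_failures:
                hits.append((e["user"], e["time"]))
    return hits

def review(text):
    """Run the three checks over a block of records and return the findings."""
    events = parse_events(text)
    return {"accounts_under_attack": accounts_under_attack(events),
            "ports_guessing_accounts": ports_guessing_accounts(events),
            "successes_after_failures": successes_after_failures(events)}

if __name__ == "__main__":
    for name, finding in review(SAMPLE_EVENTS).items():
        print(name, sorted(finding, key=str) or "none")
```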

Support of Third-Party Intermediary Security Hosts

RAS can also support the use of a third-party security host machine that intercepts connection attempts between a DUN client or clients and the RAS server—providing yet another layer of security. Microsoft RAS supports a number of third-party intermediary devices (security hosts and switches) including modem-pool switches and security hosts. The US standard for protecting against password discovery is implementation of DES encryption. Another popular standard is MD5. Note, however, that MD5 can only be negotiated by Microsoft DUN clients and not by Microsoft RAS servers.

PPTP Filtering

When using RAS as an Internet gateway for PPTP connectivity, you should enable PPTP Filtering on the network adapter. This will ensure all other protocols on the adapter are disabled. PPTP filtering adds another layer of security for your corporate network, preventing unwanted threats while your RAS server is connected to the Internet. You can use the Network program in Control Panel to enable PPTP filtering.

Q & A

What methods can I implement to make my RAS server more secure? A secure physical facility with a locked door is a basic necessity. You can also implement callback so you can confirm where calls are being made from, monitor Windows NT auditing, apply PPTP filtering if required and implement a third-party intermediary device if you want more security than RAS itself provides.
If MS-CHAP is the best encryption method available to me in RAS, why wouldn’t I always use it? MS-CHAP is supported by Microsoft Windows clients but is not widely adopted by many other types of clients. Therefore, if you have UNIX hosts on your network or third-party dial-up clients, you will need to select another encryption method for those clients.

Configuring Dial-Up Networking Clients

As noted earlier, DUN is the new terminology for describing RAS client connectivity within Windows NT. The interface for the client side of RAS has changed dramatically to reflect the improvements made in the original Windows 95 DUN program. DUN is comprised of RAS client support, Phonebook entries and TAPI features such as storing location and Calling Card Information.

TAPI Features of RAS

Communications applications can control functions for data, fax, and voice through the Windows NT Telephony API (TAPI). TAPI allows you to configure your computer with common dialing parameters such as your local area code. TAPI also manages all communication between the computer and the connected telephone network, providing the basic functions of answering and terminating telephone calls. Included in the TAPI specification is the ability to provide features such as hold, conference, and transfer found in most common PBXs (Private Branch Exchanges), ISDN and other telephone systems. TAPI can also store location information, outside line access codes and Calling Card information. See Figure 11-13 for a preview of the TAPI Dialing Properties screen.

Figure 13: The Dialing Properties screen allows you to specify the local area code, Calling Card information and any additional dialing settings required

Exercise 11-9: Configuring DUN

  1. Installing DUN in Windows NT is very similar to the setup in Windows 95. Start by double-clicking the My Computer icon on your desktop.
  2. Double-click the DUN icon and press the Install button.
  3. If a dialog box returns asking you for Files Needed, insert the Windows NT CD-ROM and click OK.

Once DUN has been installed on your system, you will be prompted to configure a new modem (if you haven’t already). You will then be prompted to enter your dialing location (for example, The Office) and other TAPI information. After DUN has been installed, you will need to restart your computer for these changes to take effect.

Defining a Phonebook Entry

Phonebook entries store the information required to connect to a remote network. Entries are stored as individual dial-up connections in a phonebook file. To edit existing phonebook entries or to create a new entry, you modify DUN through My Computer or by selecting the DUN icon in the Accessories menu located within the Programs group on the Start menu. The first entry you make in the phonebook initiates the New Phonebook Entry wizard shown in Figure 11-14. Subsequent entries in the phonebook can be made by cloning an existing entry and modifying it—or by pressing the New button to start the Phonebook Entry wizard again.

Figure 14: The New Phonebook Entry wizard walks you through a simple DUN configuration session

Exercise 11-10: Creating a Phonebook entry

  1. To create a Phonebook entry in Windows NT, double-click the DUN icon in My Computer. DUN returns a message stating that the Phonebook is empty.
  2. Click OK. The New Phonebook Entry wizard appears.
  3. In the ‘Name the new Phonebook entry’ box, type a descriptive name that will identify which dial-up host you are going to be connecting to. Click Next.
  4. The Server settings dialog box appears. These check boxes will pre-configure default server and encryption information if required. Make sure all check boxes are cleared and press Next.
  5. Enter the phone number of your dial-up server. You can also enter alternate phone numbers, if there are any. Alternate numbers will be tried if you get a busy signal or if communication can’t be established at the first number.
  6. Select the Use Telephony Dialing Properties if you need to enter an area or country code for this phonebook entry. Select Next.
  7. Click Finish to exit the New Phonebook Entry wizard.
  8. You will be presented with the DUN screen, pictured in Figure 11-15. With this utility, you can configure additional server information, user preferences, logon preferences and clone new entries from your current entry. This is the same screen you will see when you want to initiate a connection with DUN to a dial-up server. Click Close to exit the DUN screen.

Figure 15: The Dial-Up Networking program can be used to create new Phonebook entries, edit and delete existing entries and initiate a DUN session

Administering and Troubleshooting RAS

As the administrator of a RAS server, your role will include maintaining strict security of your LAN from potential intruders, maintaining ports and connections, and troubleshooting RAS problems. The Remote Access Admin program can be found in the Administrative Tools Common Group on the Start Menu. The Remote Access Admin program can be used to disconnect attached users; start, stop, and pause the RAS service; monitor port usage; and assign RAS user permissions. Figure 11-16 shows the Remote Access Admin program options.

Figure 16: The Remote Access Admin program can be used to monitor port usage, start and stop the RAS service, disconnect users and assign user permissions

Exam Watch: For specific information on the Remote Access Admin program, open the Help menu item. Specific information for every feature of this program is provided here and is often where Microsoft Exam questions come from. Information is specific and to-the-point. Reading the help of all dialogs within Windows NT Server is not a lengthy task and is well worth the time.

Exercise 11-11: Disconnecting a RAS session

  1. Start the Remote Access Admin program.
  2. On the Users menu, click Active Users.
  3. On the Remote Access Users dialog box, select the account name of the user you want to disconnect.
  4. Click Disconnect User.
  5. The Disconnect User dialog box displays the account name of the user that will be disconnected when you click OK.
  6. You can revoke the user's remote access permission as you disconnect them by selecting the Revoke Remote Access Permission check box.

From the Classroom

Where are all the RAS Administration features I really want?

Many of the features not provided in RAS are available for free for use in your RAS implementations. Get yourself a copy of the Windows NT Server 4.0 Resource Kit CD-ROM. On the CD you will find an installation option that allows you to install Remote Access Manager, by Virtual Motion. Remote Access Manager allows you to perform typical RAS administrative tasks such as displaying RAS server port status, disconnecting RAS sessions for any port and enabling and disabling RAS privileges for any user. Some of the added features it provides are enhanced security control, enabling you to restrict RAS access based on group memberships and added control of RAS access based on the time of day. Also, an administrator can limit the number of connections per day, define the maximum amount of time a user can remain connected, and monitor RAS with features such as server and port resource utilization bar graphs, billing reports, and user accounting.

The files required to install Remote Access Manager can be found in the \APPS\RASMGR folder on the Windows NT Server 4.0 Resource Kit CD.

Troubleshooting RAS

Event Viewer

Windows NT Event Viewer can be useful in diagnosing RAS problems. Many RAS events, including service failures and driver problems, are logged in the Event Viewer System Log.

DEVICE.LOG

The DEVICE.LOG file is often used to help determine common RAS problems by maintaining a record of the conversations between RAS and your modems. Setting the Logging value to 1 under the following registry subtree enables the DEVICE.LOG file:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RasMan\Parameters

Once enabled, the DEVICE.LOG file is created and can be found in the \<winnt_root>\SYSTEM32\RAS directory. The file is flushed anytime a RAS component is restarted and all other RAS components have been stopped.

DUN Monitor

The DUN Monitor program is started by double-clicking the Dial-Up Monitor icon in Control Panel (see Figure 11-17). Duration of calls, the amount of data transmitted and received, and the number of errors that have occurred are all shown in this program. Multilink line utilization can also be observed in Dial-Up Monitor.

Figure 17: Dial-Up Monitor shows the status of your current DUN session

Exam Watch: You will find that most questions concerning registry entries and where they should be placed will most likely find their way into the HKEY_LOCAL_MACHINE subtree. HKEY_LOCAL_MACHINE contains configuration information about the local computer system, including hardware and operating system data.

Q & A

Is there a way to start or stop RAS from a command prompt? Yes. RAS is a service and can be started with the NET START function. To start the Remote Access Service, type:

NET START "REMOTE ACCESS SERVER"

To stop the RAS service, type:

NET STOP "REMOTE ACCESS SERVER"

What other methods can I use to start and stop the RAS service? The RAS service can be started and stopped with the Services icon within Control Panel or with the Remote Access Admin program.

Certification Summary

DUN and the Remote Access Service comprise the basic components of client to LAN communications in the Microsoft networking environment. The RAS client portion of Windows NT is now similar in style to Windows 95 and shares the same DUN name. DUN includes many powerful features, including support for dialing up to SLIP and PPP servers, phonebook entries, support for Windows NT protocols, simplified modem installation and other communications wizards. Dial-Up Monitor has also been included for easy viewing of communications statistics.

The server side of the Remote Access Service, usually referred to as a RAS server, includes powerful PPP support for dial-up clients. It offers the ability to combine multiple communications devices with Multilink, secure encryption methods including MS-CHAP data encryption, callback security and remote access administration tools. Also new to Windows NT 4.0 is the implementation of PPTP, which allows for secure communications within an encrypted tunnel, allowing for Internet connectivity by clients that use an ISP. PPTP offers an excellent alternative for dial-up clients and administrators, almost eliminating hardware support and long-distance costs by placing connectivity issues in the hands of third-party ISPs.

Two-Minute Drill

Remote Access Services provides computers with wide area network (WAN) inbound and/or outbound connectivity to your server and/or network.
DUN allows you to connect to any dial-up server using the Point-to-Point protocol (PPP) as a transport mechanism allowing for TCP/IP, NetBEUI or IPX/SPX network access.
The primary benefit of ISDN is its speed and reliability. ISDN is commonly found in two speeds: 64 Kbps and 128 Kbps.
If WINS or DNS is not available on a network, DUN clients can use HOSTS or LMHOSTS files configured locally for name resolution.
A RAS server can be installed during the installation of Windows NT or at any other time by adding it as a network service.
When choosing an encryption method, always apply the highest level of encryption possible, keeping in mind the encryption capabilities of your clients.
To grant RAS permission, you can use either User Manager for Domains or the Remote Access Admin utility.
Encrypted authentication methods include the simple Password Authentication Protocol (PAP), which permits clear-text passwords, and the Shiva Password Authentication Protocol (SPAP), used by Windows NT workstations when connecting to a Shiva LAN Rover.
Communications applications can control functions for data, fax, and voice through the Windows NT Telephony API (TAPI).
TAPI allows you to configure your computer with common dialing parameters such as your local area code.

Review Questions

1. Which of the following configurations are valid using Windows NT RAS?

    1. A Windows 95 SLIP client accessing a Windows NT SLIP server
    2. A Windows NT SLIP client accessing a Windows NT SLIP server
    3. A Windows NT PPP client accessing a Windows NT PPP server
    4. A Windows NT SLIP client accessing a UNIX SLIP server

2. When you select ‘Require Microsoft encrypted authentication’ what authentication methods are used to achieve connectivity?

    1. SPAP, PAP and MS-CHAP
    2. MS-CHAP only
    3. MS-CHAP and PAP
    4. SPAP only

3. Users are complaining about the difficulty of connecting to your RAS server. From the information you receive, you determine that the problem may be hardware-related. What actions should you take? (Choose 2)

    1. Enable the DEVICE.LOG file by selecting the ‘Enable modem log file’ checkbox in the Remote Access Admin utility
    2. Enable the DEVICE.LOG file by making the appropriate entry in the HKEY_CURRENT_CONFIG system registry.
    3. Enable the DEVICE.LOG file by making the appropriate entry in the HKEY_LOCAL_MACHINE system registry.
    4. Analyze the DEVICE.LOG file in the root directory of the system partition.
    5. Analyze the DEVICE.LOG file found in \<winnt_root>\SYSTEM32\RAS.

4. Which of the following files can be modified to add RAS support for a non-supported modem?

    1. RAS.INF
    2. DEVICE.LOG
    3. DEVICE.INF
    4. MODEM.INF

5. When configuring a port for RAS usage, which of the following are true?

    1. A RAS port can be configured so that only dialing in is possible.
    2. A RAS port can be configured so that only dialing out is possible.
    3. A RAS port can be configured so that both dialing in and out are possible
    4. RAS ports cannot be configured. By design all ports are always configured to provide dialing in and dialing out.
    5. RAS ports cannot be configured. Only dialing in is possible.

6. Which protocols are supported by RAS?

    1. DLC
    2. NetBEUI
    3. TCP/IP
    4. IPX/SPX
    5. AppleTalk

7. Which of the following security features are available when using RAS?

    1. DES encryption
    2. MD5 on the RAS server
    3. Callback security

8. You have three Windows NT Servers with the Remote Access Service installed on three different TCP/IP network segments. Windows NT workstations dial into these servers. What method would you use to minimize time required to resolve NetBIOS names?

    1. Configure an LMHOSTS file on the RAS server.
    2. Configure an LMHOSTS file on each workstation.
    3. Disable the NetBIOS interface.
    4. Install WINS servers on all workstations.

9. What new option has been added to the Windows NT 4.0 logon dialog box?

    1. Start Dial-up Networking
    2. Shutdown
    3. The option to log on via Dial-Up Networking
    4. The option to use Dial-Up Networking without logging on to Windows NT

10. What is true of using PPTP?

    1. Short connect time
    2. Lower transmission cost
    3. Lower speed connections
    4. Higher transmission cost

11. With PPTP filtering enabled, which of the following does a Windows NT Server 4.0 RAS accept?

    1. Accepts only IPX
    2. Accepts PPTP only
    3. Accepts SLIP only
    4. Does not accept anything

12. Your RAS server has two internal modems. Remote users report that when they try to dial in to the RAS server, they are being disconnected immediately. How can you diagnose this problem?

    1. Use the Registry Editor to enable device logging.
    2. Use Performance Monitor to view RAS connection details.
    3. Use the RAS Admin utility to view the port status.
    4. Use Network Monitor.

13. What utilities can you use to grant users permission to log in to your RAS server?

    1. User Manager for Domains
    2. Remote Access Admin
    3. ruser.exe
    4. DIAL-UP NETWORKING

14. You have a RAS server to which Windows 95 clients dial in. They have Client for Microsoft Networks and IPX/SPX installed. You also have a Netware server from which you want to allow these users to access resources. What should you install on the Windows NT RAS server?

    1. CNSW
    2. GSNW
    3. RIP
    4. OSPF

15. You have been providing Multilink remote access ability to your users for the last six months without problems. When your manager insisted that you implement tighter security, you chose to implement callback security. Now users complain about a dramatic drop in speed when they connect to RAS. Why is this happening?

    1. Callback performs extensive error checking which absorbs lots of bandwidth
    2. Your modems are not supported by callback
    3. The RAS server is only able to call back one of the Multilink devices
    4. RAS does not support callback security

16. Identify three ways you can manually start and stop RAS.

    1. From a command prompt using the Net Start and Net Stop commands
    2. In the Network Configuration screen
    3. With the Service utility in Control Panel
    4. With the Remote Access Admin program
    5. With the Network Client Administrator program

17. You want to provide Internet connectivity to your corporate LAN. What should be implemented to help secure your server from Internet-related threats?

    1. PPTP filtering
    2. SLIP
    3. IPX/SPX
    4. Callback security
    5. Multilink

Answers to Chapter 11 Self Test

  1. C, D. Windows NT RAS is not supported as a SLIP server. However, RAS supports both SLIP and PPP in Dial-Up Networking.
  2. B. By specifying ‘Require encrypted authentication’ as your encryption setting, you are only permitting MS-CHAP authentication to occur.
  3. C, E. Enabling the DEVICE.LOG file is accomplished by turning it on in the HKEY_LOCAL_MACHINE registry path. The file is stored in \<winnt_root>\SYSTEM32\RAS.
  4. D. You can add an entry in the MODEM.INF file to provide support for an unsupported modem. Remember, the DEVICE.LOG file provides information to help troubleshoot your modem and RAS.
  5. A, B, C. RAS allows the following scenarios when configuring ports: Dial out only, receive calls only or dial out and receive calls allowed.
  6. B, C, D. RAS supports the NetBEUI, IPX/SPX and TCP/IP protocols.
  7. A, C. RAS supports callback and DES encryption. MD5 can only be negotiated by Microsoft Dial-Up Networking clients.
  8. B. Local LMHOSTS files on users' workstations are the simplest way to resolve TCP/IP addresses to NetBIOS names. Installing an LMHOSTS file on the server will only assist the server in resolving NetBIOS names. Windows NT workstations cannot be configured as WINS servers.
  9. C. The option to logon via Dial-Up Networking is new to Windows NT 4.0.
  10. B. Lower transmission costs are one benefit of implementing PPTP, as most network integration issues can be absorbed into local ISPs.
  11. B. When PPTP is enabled, only PPTP traffic is allowed. TCP/IP, IPX/SPX and NetBEUI packets tunnel within PPTP.
  12. A. DEVICE.LOG is created by enabling it in the registry.
  13. A, B. You can grant Remote Access Service permission to users using the Remote Access Admin utility or User Manager for Domains.
  14. B. Gateway Service for Netware (GSNW) running on Windows NT Server allows access to Netware resources on a Netware server to Microsoft client computers.
  15. C. If a client uses a Multilink-enabled phonebook entry to call a callback-enabled RAS server, when the callback is made only one of the Multilink devices will receive the call.
  16. A, C, D. The Remote Access Server service can be started and stopped from a command prompt, the Remote Access Admin program and the Services program in the Control Panel.
  17. A. When you implement a RAS gateway to the Internet, PPTP is implemented to provide a secure tunnel. By enabling PPTP filtering, you effectively disable all other protocols on the adapter making the connection to the Internet, reducing the security threat.