The Power of Policies
A significant improvement in Routing and Remote Access is the introduction of remote access policies. Under NT 4.0, the only policies that you can enable for RAS connections are users' dial-in privileges and callback capabilities. Routing and Remote Access's policies greatly expand the amount of flexibility and control that you have over how and when users connect to a Routing and Remote Access server. A remote access policy defines a set of necessary conditions and connection settings for the server to use to authorize particular connection attempts.

Policies, which you manage in the Routing and Remote Access management console's Remote Access Policies section, let you grant or deny authorization on a Routing and Remote Access server according to several criteria:

  • the type of device the user is attempting to connect to (e.g., modem, VPN port)
  • caller identification, including the number of the caller or the called system
  • the time of day and day of the week
  • Win2K group membership

Environments that use Internet Authentication Service (IAS) in conjunction with Routing and Remote Access also support several other criteria.

Remote access policies let you configure a wide array of options for a dial-up session. For example, you can limit the maximum permitted connection time, the strength of authentication and encryption, and the dynamic allocation of bandwidth on multilink connections. With remote access policies, a connection is authorized only when the connection attempt's settings match at least one of the policies that you've defined. If the settings match none of the policies, the server drops the connection even if you've enabled dial-in access for the user's account. Remote access policies reside locally on individual Routing and Remote Access servers or on an IAS server for servers that you've configured to use IAS for RADIUS-based authentication. Because you can use IAS as a centralized location for all your enterprise's remote access policies, using IAS in networks that contain many Routing and Remote Access servers is extremely advantageous.

By default, the Routing and Remote Access Server Setup Wizard defines one basic policy, which lets a user call in if dial-in access is enabled for the user. This policy is the equivalent of NT 4.0 User Manager's Enable dial-in privileges option. To create additional policies, go to the Routing and Remote Access management console's Remote Access Policies section. Launch the Add Remote Access Policy Wizard by choosing New Remote Access Policy from the Action menu (or by right-clicking Remote Access Policies and choosing the same option from the context menu that appears). For additional information about remote access policies, see "Related Articles in Previous Issues."

RRAS: Under New Management
Routing and Remote Access's administrative improvements don't end with the enhanced management console and the configuration wizard. Routing and Remote Access offers several other additions that can make your life easier. One such addition is support for RADIUS, a service that lets you centralize authentication, administration, and accounting in heterogeneous networks that contain different types of dial-up access equipment. Win2K supports RADIUS on both the client side and the server side. The client-side support takes the form of a Routing and Remote Access server connecting to a RADIUS server on the network to authenticate or provide accounting services for dial-up clients.

One useful feature of Routing and Remote Access's RADIUS support is that you configure authentication and accounting separately. In other words, you can configure a server to use Windows for one and RADIUS for the other—you don't need to use the same provider for both. Although Microsoft designed Routing and Remote Access's RADIUS client support to work with any vendor's RADIUS server, Win2K includes a proprietary RADIUS server implementation—IAS. One major benefit of using IAS as your RADIUS server is that you can centrally store and manage remote access policies for all your Routing and Remote Access servers. IAS is worth your consideration if you administer a heterogeneous corporate LAN or ISP environment and need to support several network-access service devices that support RADIUS, if you want to centrally manage your remote access policies, or if you need dial-up connection accounting features. RADIUS also has the advantage of providing a single-logon environment for clients accessing RADIUS-aware hosts.

Win2K also simplifies the command-line administration of Routing and Remote Access servers. You can use Win2K's new Net Shell (Netsh) command to configure and administer many network-related components. Using the Netsh Ras and Netsh Routing commands and their related options, you can configure virtually every aspect of a Routing and Remote Access server, including authorizing the server in Active Directory (AD); configuring, adding, and managing ports, protocols, and features; and saving and restoring server configuration information. You can even use Netsh commands in scripts or batch files to fully automate the installation and configuration of your Routing and Remote Access servers.

You can enter Netsh commands in several ways. First, you can enter commands interactively within the Netsh shell. For example, to display the current RAS IP configuration on a server, type

netsh

at the command prompt. Then, at the netsh prompt, type

ras

At the ras prompt, type

ip

and at the ras ip prompt, type

show config

Second, you can simply enter the commands at the command line, as follows:

netsh ras ip show config

With either of these methods, you can enter Netsh commands in online or offline mode. In the default online mode, the system executes commands immediately as you type them into the Netsh console. In offline mode, the system queues the commands and doesn't execute them on the Routing and Remote Access server until you enter the Commit command. (To clear offline-mode commands before committing them, you can enter the Abort command. Microsoft incorrectly identifies Abort as Flush in the Routing and Remote Access online Help file.) To change between online and offline mode, simply use the Online and Offline commands at any time in the Netsh command-line console.
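The following Netsh script is an added example, not code from the article or from Microsoft's documentation. It ties the offline-mode workflow to the script-based automation described above: saved to a file and run with netsh -f, it queues a set of changes on a Routing and Remote Access server and applies them with a single Commit. The domain CORP, the server RRAS01, the RADIUS host radius1.corp.example and the user jsmith are constructed placeholders, and the ras add registeredserver, ras aaaa and ras set user commands come from the Netsh ras context rather than from this page.

```netsh
# Constructed example script (not from the article). Save as rras-config.txt
# and run from the command prompt with:  netsh -f rras-config.txt
# Queue every change first so that a typo leaves the running server untouched.
offline

# Register the Routing and Remote Access server in Active Directory so that it
# can read users' dial-in settings (CORP and RRAS01 are placeholder names).
ras add registeredserver domain=CORP server=RRAS01

# Hand authentication and accounting to a RADIUS server such as IAS. The two
# providers are set independently, so either could stay on Windows instead.
ras aaaa set authentication provider=radius
ras aaaa set accounting provider=radius
ras aaaa add authserver name=radius1.corp.example
ras aaaa add acctserver name=radius1.corp.example

# Let remote access policy, rather than a per-user permit flag, decide whether
# this account may dial in (jsmith is a placeholder).
ras set user name=jsmith dialin=policy

# Apply the queued commands to the server in one step. To discard the queue
# without applying it, use "abort" in place of "commit".
commit
online

# Confirm the result with the same command the interactive walkthrough uses.
ras ip show config
```

Because offline mode lives only inside one Netsh session, the queue has to be built in a single script or interactive session; a series of separate netsh commands typed at the command prompt executes immediately, one at a time. To capture an existing server's settings in this same script format before making changes, redirect the output of netsh dump to a file.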
