- Enable Routing and Remote Access.
- Configure the demand-dial interface for the remote site connection.
- Configure an additional demand-dial interface for a temporary ISP link.
Enable Routing and Remote Access
When you run the Routing and Remote Access Wizard to enable the Routing and Remote Access service, the choices you make are the same for dial-up routing and for VPN routing.
To enable the Routing and Remote Access service
Note
- You can skip step 1 if either of the following is true:
- If this server uses local authentication or authenticates against a RADIUS server.
- If you have administrative rights to add the computer account of the Routing and Remote Access server to the RAS and IAS Servers security group. The wizard automatically adds the computer to RAS and IAS Servers.
- Enable the router as follows:
Ask your domain administrator to add the router’s computer account to the RAS and IAS Servers security group for this domain by using the Active Directory Users and Computers snap-in or the netsh ras add registeredserver command.
If this router must access other domains, ask your domain administrator to add the router’s computer account to the RAS and IAS Servers security group of the other domains.
Restart the router for the change to take effect immediately.
- Open Routing and Remote Access, select the computer on which you want to enable the Routing and Remote Access service (probably the computer you are currently working on), and then, on the Action menu, select Configure and Enable Routing and Remote Access to start the Routing and Remote Access Wizard. Complete the wizard pages as shown in Table 10.13.
Configuration:
Select Secure connection between two private networks.
Demand-Dial Connections:
Select Yes (to use demand-dial routing to access remote networks).
IP Address Assignment:
Choose one of the following alternative options: Select Automatically to use DHCP if you want to assign addresses automatically without using a specified range of addresses. -or- Select From a specified range of addresses if you want to specify an address range (recommended):
- On the Address Range Assignment screen, select New, and then type values for the following:
- Starting address
- Ending address
- If the static IP address pool address range is an off-subnet address range, ensure that the routes to the address range exist in the routers of your intranet.
When the Routing and Remote Access Wizard completes, you might see the message "Windows was unable to add this computer to the list of valid remote access servers in the Active Directory. Before you can use this computer as a remote access server, the domain administrator must complete this task." If you see this message, click OK. Later, after you complete the Demand-Dial Interface Wizard (described next), you will add the computer account to the RAS and IAS Servers security group.
Configure the demand-dial interface for a remote site connection
Interface Name:
Type a name for the remote router that matches the user account name that you created earlier for the remote router.
Connection Type:
Choose one of the following alternative options:
Connect using a modem, ISDN adapter, or other physical device. Select this option to establish a device-to-device dial-up connection.
- On the Select a device screen, select the modem or adapter this interface will use from the prepopulated list.
- On the Phone Number screen, if this is a calling router, type the phone number of the router this interface will call. (If this is an answering router that is not also a calling router, you can leave this blank.)
-or-
Connect using virtual private networking (VPN). Select this option to establish a VPN connection over the Internet.
- On the VPN Type screen, select one of the following:
- Automatic (accepts either PPTP or L2TP connections)
- Point to Point Tunneling Protocol (PPTP)
- Layer Two Tunneling Protocol (L2TP)
- On the Destination Address screen, if this is a calling router, type the IP address of the remote router this interface will connect to. (If this is an answering router, you can leave this field blank.)
Do not select the third option, Connect using PPP over Ethernet (PPPoE), because PPPoE is used to link to the local ISP, not to create a device-to-device dial-up link or a VPN tunnel.
Protocols and Security:
- Select Route IP packets on this interface (the default).
- If this is an answering router that is not joined to an Active Directory domain, add a local account by selecting Add a user account so a remote router can dial in. This creates a local user account on the demand-dial router. (Do not select this option if you earlier created an Active Directory user account for the answering router to use to authenticate the calling router.)
Static Routes for Remote Networks:
To add one or more static routes to define the permanent route between this network and the remote network, click Add, and then, in the Static Routedialog box, do the following:
- Destination — Type the network ID of the remote site.
- Network Mask — Type the subnet mask for the network ID of the remote site.
- Metric — Select an appropriate number for the metric.
Dial In Credentials (for an answering router):
Type and confirm a password for the local user account. Note. This page appears only if this is an answering router and if you chose Add a user account so a remote router can dial in on the Protocols and Security page earlier in the wizard (to use a local account rather than an Active Directory account for router authentication). Notice that the prepopulated User name provided is the same name as that used for the demand-dial interface.
Dial Out Credentials (for a calling router):
Specify the dial-out credentials that this interface will use to connect to the remote router:
- User name — Type the name of the user account for the calling router that matches the name of the corresponding demand-dial interface on the answering router.
- Domain — Type the domain name; typically, both sites belong to the same domain.
- Password and Confirm Password — Type the password.
Note. If this is an answering router that is not also a calling router, you do not need to provide this information; however, the wizard requires that you fill in this page, so type any name, domain, and password.
If the Routing and Remote Access Wizard (which ran before the Demand-Dial Interface Wizard) was unable to add the computer to the list of valid remote access servers in Active Directory, you saw the error message "Windows was unable to add this computer to the list of valid remote access servers in the Active Directory. Before you can use this computer as a remote access server, the domain administrator must complete this task." To enable the computer to function as a remote access server, add the computer account for the router to the RAS and IAS Servers security group. For information about how to add a computer account to a group, see Add a computer account to a group in Help and Support Center for Windows Server 2003. If you did not see the error message indicating that the computer had not been added to the valid remote access servers in Active Directory, you do not need to perform this step.
After at least one demand-dial interface exists, you can run the Demand-Dial Interface Wizard at any time to add additional demand-dial interfaces by right-clicking Network Interfaces in console tree, and then clicking New Demand-dial Interface. You run the wizard again for the following reasons:
- To add other branch office sites, repeat the steps in this procedure for each additional demand-dial interface you want to create.
- To establish a temporary link to the local ISP at the branch office in order to create a demand-dial interface for that link, perform the steps as described in the next section.
Configure a demand-dial interface for a temporary link to the ISP
Open Routing and Remote Access, right-click Network Interfaces, click New Demand-dial Interface, and then complete the wizard pages for the Demand-Dial Interface Wizard as shown in Table 10.15.
Interface Name:
Type an appropriate name, such as Dial_ISP.
Connection Type:
Choose one of the following alternative options:
Select Connect using a modem, ISDN adapter, or other physical device. Select this option to create a dial-up link to your local ISP.
- On the Select a device screen, select the modem or adapter that this interface will use from the prepopulated list.
- On the Phone Number screen, type the phone number of your local ISP.
-or-
Select Connect using PPP over Ethernet (PPPoE). Select this option to create a PPPoE link to your local ISP.
- On the Service Name screen, type the name of the service in the text box provided. (If you leave this text box blank, Windows will automatically detect and configure your service when you connect.)
Do not select the third option, Connect using virtual private networking (VPN), because this demand-dial interface is for the link to the ISP, not for a VPN tunnel.
Protocols and Security:
Select Route IP packets on this interface (do not select Add a user account so a remote router can dial in).
Static Routes for Remote Networks:
To add a static host route for the IP address allocated to the answering router by the answering router’s ISP (or by InterNIC):
- Destination — Type the IP address of the answering router’s Internet-connected interface.
- Network Mask — Type 255.255.255.255
- Metric — Select an appropriate number for the metric.
Dial-In Credentials:
This page does not appear.
Dial-Out Credentials:
Specify the dial-out credentials that this interface will use to connect to the local ISP:
- User name — Type the name of the user account that has permission to access the local ISP (this is not the router user account).
- Domain — leave this field blank.
- Password and Confirm password — Type the password.
Note. Open Active Directory Users and Computers, and then, on the Dial-in tab of the user object’s Properties page for the user account that has permission to access the local ISP, select Allow access.
No comments:
Post a Comment