Dial-up remote access design considerations

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To prevent problems, you should consider the following design issues before you implement dial-up remote access connections.

IP address allocation

Determine whether the remote access server will use DHCP or a static IP address pool to obtain addresses for dial-up clients. If you use a static IP address pool, determine whether the pool will be ranges of addresses that are a subset of addresses from the IP network to which the server is attached or a separate subnet. If the static IP address pool address ranges represent a different subnet, ensure that routes to the address ranges exist in the routers of your intranet so that traffic to connected remote access clients is forwarded to the remote access server.
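The following Python function is an added example (not code from the page or from Windows Server 2003) of the design check described above. It takes the remote access server's LAN address and the ranges entered in a static IP address pool, classifies each range as a subset of the server's subnet or a separate subnet, and for separate subnets lists the routes the intranet routers would need, with the server's LAN address as the next hop. The server address and pool ranges in the test data are constructed values.

```python
import ipaddress

# Static pool check (example code): classify each pool range against the subnet the
# remote access server is attached to, and derive the routes a separate subnet needs.

SAME_SUBNET = "same_subnet"          # addresses are a subset of the server's network
SEPARATE_SUBNET = "separate_subnet"  # a different subnet: intranet routers need a route
STRADDLES = "straddles_boundary"     # range crosses the server subnet edge: fix the range


def covering_prefix(start, end):
    """Smallest CIDR prefix that contains the whole start..end range."""
    start, end = ipaddress.ip_address(start), ipaddress.ip_address(end)
    net = ipaddress.ip_network(f"{start}/32")
    while end not in net:
        net = net.supernet()
    return net


def classify_pool(server_interface, pool_ranges):
    """server_interface: the server's LAN address with prefix, e.g. "10.0.1.5/24".
    pool_ranges: list of (first, last) address strings as entered in the static pool.
    Returns one dict per range with its status and, for a separate subnet, the exact
    routes plus the covering prefix that must point at the remote access server."""
    iface = ipaddress.ip_interface(server_interface)
    results = []
    for first, last in pool_ranges:
        start, end = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if end < start:
            raise ValueError(f"range {first}-{last} is reversed")
        start_in, end_in = start in iface.network, end in iface.network
        entry = {"range": f"{first}-{last}", "routes": [], "covering_prefix": None}
        if start_in and end_in:
            entry["status"] = SAME_SUBNET
        elif not start_in and not end_in:
            entry["status"] = SEPARATE_SUBNET
            # Exact prefixes for the range; a pool that is not prefix-aligned expands
            # into many routes, which is why the covering prefix is what usually gets
            # configured on the routers.
            entry["routes"] = [str(n) for n in ipaddress.summarize_address_range(start, end)]
            entry["covering_prefix"] = str(covering_prefix(start, end))
            entry["next_hop"] = str(iface.ip)
        else:
            entry["status"] = STRADDLES
        results.append(entry)
    return results


if __name__ == "__main__":
    # Constructed sample: server on 10.0.1.0/24, one in-subnet range, one separate
    # subnet, and one range that straddles the boundary.
    for entry in classify_pool("10.0.1.5/24", [("10.0.1.200", "10.0.1.220"),
                                               ("10.0.5.1", "10.0.5.254"),
                                               ("10.0.1.250", "10.0.2.10")]):
        print(entry)
```

A range that straddles the server's subnet boundary is reported separately because neither the "no route needed" nor the "add a route" answer is right for it; the pool should be redefined before the server is put into service.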

Number of incoming ports needed

Determine the maximum number of dial-up remote access clients that dial in at one time. Based on the number, you need to obtain modem bank equipment and phone lines that meet that need. Once the driver for the modem bank adapter is installed, verify that all of the ports of the modem bank device are configured to allow remote access. For more information, see Configure ports for remote access.

Deciding on a remote access policy administrative model

Before setting the dial-in permission on user accounts and creating remote access policies, you need to decide on a remote access policy administrative model. In the Windows Server 2003 family, there are two primary models for administering remote access permissions and connection settings:

  1. Access by user.

  2. Access by policy in an Active Directory domain.

Controlling access by policy centralizes many basic administrative tasks. For more information, see Introduction to remote access policies and Remote Access Policies Examples.

Creating a remote access policy for dial-up remote access connections

By using remote access policies, you can create a policy that requires dial-up connections to use a specific authentication method and encryption strength.

For example, you can create a group called Dial-up Users whose members are the user accounts of the users who create dial-up remote access connections. Then you create a policy with two conditions: NAS-Port-Type is set to all types except Virtual (VPN), and Windows-Groups is set to Dial-up Users (the name of the group you created). Finally, you configure the profile for the policy to require a specific authentication method and encryption strength.

For more information, see Introduction to remote access policies.
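To make the evaluation order concrete, the following Python model is an added example (not code from the page or from Windows Server 2003) of how the policy described above is applied: every condition must match for the policy to apply, and only then are the policy's permission and profile constraints checked. The NAS-Port-Type values are the standard RFC 2865 codes; the group name, user names, authentication method and encryption level names are constructed for the example, and the user account's own dial-in permission setting is deliberately not modelled.

```python
from dataclasses import dataclass, replace

# NAS-Port-Type values from RFC 2865; IAS shows them by name in the policy condition.
NAS_PORT_TYPE_ASYNC = 0            # analog modem
NAS_PORT_TYPE_SYNC = 1
NAS_PORT_TYPE_ISDN_SYNC = 2
NAS_PORT_TYPE_ISDN_ASYNC_V120 = 3
NAS_PORT_TYPE_ISDN_ASYNC_V110 = 4
NAS_PORT_TYPE_VIRTUAL = 5          # VPN
ALL_DIAL_UP_PORT_TYPES = frozenset({0, 1, 2, 3, 4})   # "all types except Virtual (VPN)"

# Encryption levels from the profile's Encryption tab, weakest to strongest.
ENCRYPTION_RANK = {"none": 0, "basic": 1, "strong": 2, "strongest": 3}


@dataclass(frozen=True)
class RemoteAccessPolicy:
    name: str
    port_types: frozenset        # condition: NAS-Port-Type
    windows_group: str           # condition: Windows-Groups
    grant_permission: bool       # the policy's remote access permission
    auth_methods: frozenset      # profile: allowed authentication methods
    min_encryption: str          # profile: minimum encryption strength


@dataclass(frozen=True)
class ConnectionAttempt:
    user: str
    groups: frozenset
    nas_port_type: int
    auth_method: str
    encryption: str


def conditions_match(policy, attempt):
    """All conditions must match for the policy to apply to this attempt."""
    return (attempt.nas_port_type in policy.port_types
            and policy.windows_group in attempt.groups)


def evaluate(policies, attempt):
    """Simplified access-by-policy evaluation: the first policy whose conditions
    match decides the outcome. A profile mismatch rejects the connection; it does
    not fall through to the next policy."""
    for policy in policies:
        if not conditions_match(policy, attempt):
            continue
        if not policy.grant_permission:
            return ("reject", policy.name, "remote access permission denied")
        if attempt.auth_method not in policy.auth_methods:
            return ("reject", policy.name, f"{attempt.auth_method} not allowed by profile")
        if ENCRYPTION_RANK[attempt.encryption] < ENCRYPTION_RANK[policy.min_encryption]:
            return ("reject", policy.name, f"encryption weaker than {policy.min_encryption}")
        return ("accept", policy.name, "profile constraints met")
    return ("reject", None, "no policy matched")


# The policy from the text, with constructed profile settings.
DIAL_UP_POLICY = RemoteAccessPolicy(
    name="Dial-up Users policy",
    port_types=ALL_DIAL_UP_PORT_TYPES,
    windows_group="Dial-up Users",
    grant_permission=True,
    auth_methods=frozenset({"MS-CHAP v2"}),
    min_encryption="strongest",
)
POLICIES = [DIAL_UP_POLICY]


def demo():
    """Constructed connection attempts showing each outcome."""
    alice = ConnectionAttempt("alice", frozenset({"Domain Users", "Dial-up Users"}),
                              NAS_PORT_TYPE_ASYNC, "MS-CHAP v2", "strongest")
    return {
        "modem, in group, MS-CHAP v2, 128-bit": evaluate(POLICIES, alice),
        "same user over VPN (condition fails)": evaluate(POLICIES, replace(alice, nas_port_type=NAS_PORT_TYPE_VIRTUAL)),
        "modem, not in group (condition fails)": evaluate(POLICIES, replace(alice, groups=frozenset({"Domain Users"}))),
        "modem, in group, PAP (profile rejects)": evaluate(POLICIES, replace(alice, auth_method="PAP")),
        "modem, in group, 40-bit (profile rejects)": evaluate(POLICIES, replace(alice, encryption="basic")),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The distinction the model makes matters when several policies exist: a VPN connection from a member of Dial-up Users is not rejected by this policy, it simply is not covered by it, so a separate VPN policy (or the default policy) decides that connection.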

Using an IAS server for centralized authentication, authorization, and accounting

If you have multiple remote access servers, you need to configure remote access policies and logging for each remote access server. If you want to take advantage of centralized remote access policies, accounting, and logging, configure the remote access servers as Remote Authentication Dial-In User Service (RADIUS) clients to a single server running the Internet Authentication Service (IAS) as a RADIUS server.

You should also use an IAS server if you have servers running Windows NT 4.0 with the Routing and Remote Access Service (RRAS) and you want to take advantage of remote access policies. A remote access server running Windows NT 4.0 without RRAS cannot be configured as a RADIUS client; you must first upgrade it to Windows NT 4.0 with RRAS.

For more information, see Using RADIUS for multiple remote access servers.
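The RADIUS exchange that configuring a remote access server as a RADIUS client sets up is shown below as an added Python example; it is not code from the page, from RRAS or from IAS, and the packet layout, User-Password hiding and Response Authenticator come from RFC 2865 rather than from this page. One side builds the Access-Request a remote access server would send, the other side plays a much simplified IAS (it checks the password against a constructed account table instead of the domain and applies no policies), and the client only accepts a reply whose Response Authenticator was computed with the same shared secret. The secret, user name, password and Request Authenticator are constructed values.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes and attribute types (RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_PORT_TYPE = 1, 2, 61
NAS_PORT_TYPE_ASYNC = 0   # analog modem dial-in


def encode_attr(attr_type, value):
    # Attribute = Type (1 byte), Length (1 byte, includes the two header bytes), Value.
    return bytes([attr_type, 2 + len(value)]) + value


def decode_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous block), the first block using the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ b for p, b in zip(padded[i:i + 16], pad))
        hidden, prev = hidden + block, block
    return hidden


def reveal_password(hidden, secret, request_auth):
    clear, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        clear, prev = clear + bytes(c ^ b for c, b in zip(block, pad)), block
    return clear.rstrip(b"\x00")


def build_access_request(identifier, username, password, nas_port_type, secret, request_auth):
    """What the remote access server (the RADIUS client) sends to IAS."""
    attrs = (encode_attr(ATTR_USER_NAME, username.encode())
             + encode_attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
             + encode_attr(ATTR_NAS_PORT_TYPE, struct.pack(">I", nas_port_type)))
    return struct.pack(">BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs


def response_authenticator(code, identifier, attrs, request_auth, secret):
    # MD5(Code + ID + Length + RequestAuth + ResponseAttributes + Secret)
    header = struct.pack(">BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def radius_server_reply(request, secret, accounts):
    """Simplified IAS side: decode the request, check the credentials against a
    constructed account table, and sign the reply with the shared secret."""
    code, identifier, length = struct.unpack(">BBH", request[:4])
    request_auth = request[4:20]
    attrs = decode_attrs(request[20:length])
    user = attrs[ATTR_USER_NAME].decode()
    password = reveal_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    reply_code = ACCESS_ACCEPT if accounts.get(user) == password else ACCESS_REJECT
    reply_attrs = b""
    header = struct.pack(">BBH", reply_code, identifier, 20 + len(reply_attrs))
    return header + response_authenticator(reply_code, identifier, reply_attrs, request_auth, secret) + reply_attrs


def verify_reply(reply, identifier, request_auth, secret):
    """Client side: return the reply code only if the identifier matches and the
    Response Authenticator proves the server used the same shared secret; else None."""
    code, reply_id, length = struct.unpack(">BBH", reply[:4])
    if reply_id != identifier or length != len(reply) or length < 20:
        return None
    expected = response_authenticator(code, reply_id, reply[20:], request_auth, secret)
    return code if hmac.compare_digest(reply[4:20], expected) else None


if __name__ == "__main__":
    secret, request_auth = b"constructed-shared-secret", bytes(range(16))  # constructed
    req = build_access_request(7, "alice", b"Pa55word!", NAS_PORT_TYPE_ASYNC, secret, request_auth)
    print(verify_reply(radius_server_reply(req, secret, {"alice": b"Pa55word!"}), 7, request_auth, secret))
    print(verify_reply(radius_server_reply(req, b"wrong-secret", {"alice": b"Pa55word!"}), 7, request_auth, secret))
```

Running the block shows why the shared secret must be identical on the remote access server and the IAS server: with a mismatched secret the server cannot recover the password and its reply fails verification at the client, so the connection is refused even for a valid account.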

Using Connection Manager

For a large remote access deployment, you can use Connection Manager and the Connection Manager Administration Kit to provide a custom dialer with preconfigured connections to all remote access clients across your organization.

For more information about Connection Manager, see Connection Manager Administration Kit.