What Is Demand-Dial Routing?
Applies To: Windows Server 2008
Demand-dial routing is the forwarding of packets between networks and over Point-to-Point Protocol (PPP) links, such as analog phone lines and Integrated Services Digital Network (ISDN).
Demand-dial routing vs. remote access
Demand-dial routing is not the same as remote access. Remote access connects a single user to a network. Demand-dial routing connects networks together. However, both remote access and demand-dial routing use PPP to negotiate and authenticate the connection and encapsulate data sent on the connection. As implemented in Routing and Remote Access for Windows Server® 2008, both remote access and demand-dial connections can be enabled separately but share the same:
Behavior of the dial-in properties of user accounts.
Security, including authentication protocols and encryption.
Use of network policies.
Use of Windows or Remote Authentication Dial-In User Service (RADIUS) as authentication providers.
IP address allocation configuration.
Use of PPP features, such as Microsoft Point-to-Point Compression (MPPC), Multilink Protocol (MP), and Bandwidth Allocation Protocol (BAP).
Troubleshooting facilities, including event logging, Windows or RADIUS authentication and accounting logging, and tracing.
Remote access clients and routers
Because the routing service and remote access coexist on a server running Routing and Remote Access, both routers and remote access clients can call the same phone number. The server running Routing and Remote Access that answers the call must be able to distinguish a remote access client from a router that is calling to create a demand-dial connection. To differentiate a remote access client from a demand-dial router, the user name in the authentication credentials sent by the calling router must exactly match the name of a demand-dial interface on the answering router. Otherwise, the incoming connection is assumed to be a remote access connection.
Components of a demand-dial connection
A demand-dial connection contains the following components:
Calling router, which initiates the demand-dial connection.
Answering router, which accepts the demand-dial connection initiated by the calling router.
Connection medium, which is either a physical medium or a tunnel medium. For more information about connection media, see “Connection Medium” later in this topic.
(Figure: Components of a Demand-Dial Connection)
Common components for routers
The following components are common to both the calling router and the answering router:
Routing and Remote Access
Routing and Remote Access on the calling router must be configured as a local area network (LAN) and wide area network (WAN) router and configured for IP address allocation and authentication methods. IP addresses can be allocated either by using Dynamic Host Configuration Protocol (DHCP) or a static address pool.
Port
A port is a logical or physical communications channel that can support a single PPP connection. Physical ports are based on equipment installed in the calling router. VPN ports are logical ports.
Calling router components
In addition to Routing and Remote Access and a port, the calling router contains the following components:
A demand-dial interface configured on the calling router represents the PPP connection and contains configuration information, such as the port to use, the addressing used to create the connection (such as a phone number), authentication and encryption methods, and authentication credentials.
An IP route in the routing tables of the calling router is configured to use a demand-dial interface to forward traffic.
Answering router components
In addition to Routing and Remote Access and a port, the answering router contains the following components:
Two-way initiated and one-way initiated connections require different configurations for the answering router. For more information about two-way initiated and one-way initiated connections, see “Types of Demand-Dial Connections” later in this topic.
To authenticate the calling router, the credentials of the calling router must be verified by the properties of a corresponding user account. A user account for the calling router must be either locally present or available through Windows Server 2008 security. If the answering router is configured for RADIUS authentication, then the RADIUS server must have access to the user account of the calling router.
The user account must have the following settings:
On the Dial-in tab, network access permission is set to either Allow access or Control access through NPS Network Policy.
On the General or Account tab, User must change password at next logon is disabled and Password never expires is enabled.
For a one-way initiated connection, configure static IP routes that are added to the routing table of the answering router when the demand-dial connection is made.
For two-way initiated connections, a demand-dial interface configured on the answering router represents the PPP connection to the calling router. For a one-way initiated connection using static routes on the user account of the calling router, a demand-dial interface on the answering router does not need to be configured.
For two-way initiated connections, an IP route in the routing tables of the calling router is configured to use a demand-dial interface to forward traffic.
For one-way initiated connections, you can configure the user account of the calling router with static IP routes.
Connection medium
The PPP link is established over either a physical medium or a tunnel medium. Physical media includes PSTN and ISDN. Tunnel media includes Point-to-Point Tunneling Protocol (PPTP) and Layer Two Tunneling Protocol (L2TP).
PPPoE is a method of encapsulating PPP frames so that they can be sent over an Ethernet network. Using PPPoE and a broadband modem, LAN clients can gain individual authenticated access to high-speed data networks.
Types of demand-dial connections
Demand-dial connections are characterized as either on-demand or persistent and as either two-way initiated or one-way initiated.
These characteristics determine the configuration of the demand-dial interface.
On-demand and persistent connections
Demand-dial connections are either on-demand or persistent.
On-demand connections are used when the cost of using the communications link is time-sensitive. For example, the charges for long distance analog phone calls are on a per-minute basis. On-demand connections make the connection when traffic is forwarded and terminate the connection after a configured amount of idle time.
Idle disconnect behavior is configured on the calling router and the answering router.
On the calling router, the idle disconnect time is set on the General tab of the properties of the demand-dial interface.
On the answering router, the idle disconnect time is set in the network policy being used by the demand-dial connection on the server running Network Policy Server (NPS).
Persistent connections use a dial-up WAN technology when the cost of the link is fixed and the connection can be active 24 hours a day. Examples of WAN technologies for persistent demand-dial connections include local calls that use analog phone lines, leased analog lines, and flat-rate ISDN. If a persistent connection is lost, the calling router immediately attempts to reestablish the connection.
Persistent connection behavior must be configured on the calling router and the answering router.
Two-way and one-way initiated connections
Demand-dial connections are either two-way initiated or one-way initiated.
Two-way initiated connections
With two-way initiated connections, either router can be the answering router or the calling router, depending on which router initiates the connection. Both routers must be configured to initiate and accept a demand-dial connection. You use two-way initiated connections when traffic from either router can create the demand-dial connection. Two-way initiated demand-dial connections require that:
Both routers are configured as LAN and WAN routers.
User accounts are added for both routers so that the authentication credentials of the calling router are accessed and validated by the answering router.
Demand-dial interfaces are fully configured on both routers and include the phone number of the answering router and user account credentials to authenticate the calling router.
Static routes are configured on both routers.
For two-way initiated demand-dial routing to work properly, the user account names of the calling routers on both sides of the connection must match the name of a demand-dial interface. The following table shows an example of this configuration.
Example of Two-Way Initiated Connection Configuration
| Router | User Account Name | Demand-Dial Interface Name |
|---|---|---|
| Corporate office router | | |
| Branch office router | | |
For a description of the two-way connection process, see Demand-Dial Connection Process.
One-way initiated connections
With one-way initiated connections, one router is always the answering router and the other router is always the calling router. In one-way initiated connections, the routing configuration is simplified because user accounts, demand-dial interfaces, and static IP routes do not need to be fully configured on both sides of the connection. Instead of configuring a demand-dial interface and static routes on the answering router, static routes are added to the dial-in properties of the user account of the calling router.
If your answering router is in a Windows Server 2008 or Windows Server 2003 mixed-mode domain, static routes on the user account are not available. In this case, one-way initiated connections require that:
Both routers are configured as LAN and WAN routers.
A user account is added for the authentication credentials of the calling router.
A demand-dial interface is configured at the calling router with the user credentials of the user account. A demand-dial interface is configured at the answering router with the same name as the user account that is used by the calling router. Because the demand-dial interface of the answering router is not used to dial out, it is not configured with the phone number of the calling router or with valid user credentials.
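The naming rule described above (an incoming caller's user name must exactly match a demand-dial interface name on the answering router, or the call is treated as remote access) is modeled here as an added example; it is not Microsoft's code, and the router, account and interface names are constructed. It also checks a two-way initiated pair in both directions, which the table above only illustrates for one layout.

```python
"""Model of the demand-dial naming rule an RRAS answering router applies.

Constructed example, not Microsoft's implementation. Names are made up.
"""
from dataclasses import dataclass, field


@dataclass
class Router:
    name: str
    demand_dial_interfaces: set        # demand-dial interface names on this router
    caller_account: str                # user name this router presents when calling out
    dial_in_accounts: set = field(default_factory=set)  # accounts this router (or its RADIUS server) can verify


def classify_incoming(answering: Router, user_name: str) -> str:
    """An incoming PPP call is a demand-dial connection only if the user name
    in its credentials exactly matches a demand-dial interface name on the
    answering router (modeled as a case-sensitive string match, as the text
    says "exactly match"); anything else is treated as remote access."""
    if user_name in answering.demand_dial_interfaces:
        return "demand-dial"
    return "remote-access"


def check_two_way(a: Router, b: Router) -> list:
    """Validate a two-way initiated pair: for each direction the caller's
    account must be verifiable on the answering side and must match a
    demand-dial interface name there, otherwise that router's calls would
    land as remote access or fail authentication."""
    problems = []
    for caller, answerer in ((a, b), (b, a)):
        acct = caller.caller_account
        if acct not in answerer.dial_in_accounts:
            problems.append(f"{answerer.name}: no user account '{acct}' for calls from {caller.name}")
        if classify_incoming(answerer, acct) != "demand-dial":
            problems.append(f"{answerer.name}: no demand-dial interface named '{acct}'; "
                            f"calls from {caller.name} would be treated as remote access")
    return problems


if __name__ == "__main__":
    # Constructed two-way layout: each router's interface is named after the peer's account.
    corp = Router("corp", {"BranchRouter"}, "CorpRouter", {"BranchRouter"})
    branch = Router("branch", {"CorpRouter"}, "BranchRouter", {"CorpRouter"})
    print(check_two_way(corp, branch))                 # [] when consistent
    print(classify_incoming(branch, "corprouter"))      # case mismatch -> remote-access
```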