Dial-up Remote Access Design
Updated: April 30, 2010
Applies To: Windows Server 2008, Windows Server 2008 R2
Consider the following design issues before you implement dial-up remote access connections.
IP address allocation
Determine whether you want the remote access server to use DHCP or a static IP address pool to obtain addresses for dial-up clients. If you use a static IP address pool, determine whether the pool will be ranges of addresses that are a subset of addresses from the subnet to which the server is attached, or a separate subnet. If the static IP address pool address ranges represent a different subnet, then you must create routes to the address ranges on the routers of your intranet so that traffic to connected remote access clients is forwarded to the remote access server.
Number of incoming ports needed
Determine the maximum number of dial-up remote access clients that dial in at one time. Based on the number, you need to obtain modem bank equipment and phone lines that meet that need. After the driver for the modem bank adapter is installed, verify that all of the ports of the modem bank device are configured to allow remote access. For more information, see Configure a Dial-up Connection to the Intranet in the RRAS Deployment Guide.
Deciding on a network policy administrative model
Before setting the dial-in permission on user accounts or creating Network Policy Server (NPS) network policies, you need to decide on a network policy administrative model. There are two primary models for administering remote access permissions and connection settings:
Access by user.
Access by policy in an Active Directory domain.
Controlling access by policy centralizes many basic administrative tasks. For more information, see Understanding Remote Access Network Policies in the RRAS Deployment Guide.
Using an NPS server for centralized authentication, authorization, and accounting
If you want to take advantage of centralized remote access network policies, accounting, and logging, configure the remote access servers as Remote Authentication Dial-In User Service (RADIUS) clients to a single server running Network Policy Server (NPS) as a RADIUS server.
For more information, see Network Policy Server in the Windows Server Technical Library.
Creating a network policy for dial-up remote access connections
By using network policies on an NPS server, you can create a policy that requires dial-up connections to use a specific authentication method and encryption strength.
For example, you can create a group called Dial-up Users whose members are the user accounts of users who are creating dial-up remote access connections. Then, you create a policy with two conditions on the policy: NAS-Port-Type is set to all types except Virtual (VPN), and Windows-Groups is set to Dial-up Users (the name of the group you created). Finally, you configure the policy to select a specific authentication method and encryption strength.
For more information, see Understanding Remote Access Network Policies in the RRAS Deployment Guide.
Using Connection Manager Administration Kit
For a large remote access deployment, you can use the Connection Manager Administration Kit to provide a custom dialer with preconfigured connections to all remote access clients across your organization.
For more information about Connection Manager, see Connection Manager Administration Kit in the Windows Server Technical Library.