Understanding Remote Access Network Policies

Updated: April 30, 2010

Applies To: Windows Server 2008, Windows Server 2008 R2

Routing and Remote Access service (RRAS) uses policies created and stored in Network Policy Server (NPS) to finely control remote access. Remote access network policies are an ordered set of rules that define how connections are either authorized or rejected. Each rule has one or more of each of the following:

  • Conditions: These properties enable you to specify conditions that the connection request must meet to match the network policy. If the conditions configured in the policy match the connection request, then NPS applies the settings designated in the network policy to the connection. Conditions are used to determine which network policy to enforce on the connection request. Connection requests that do not match the conditions in at least one policy are rejected.

  • Constraints: Constraints are additional parameters of a policy that are requirements for a connection. Once a network policy is selected, the constraints in that policy are enforced on the connection request. If any constraint cannot be supported by the connection request, NPS rejects the connection request. Unlike the NPS response to unmatched conditions, if a constraint is not matched, NPS denies the connection request without evaluating additional network policies.

  • Settings: These properties are configuration settings that NPS applies to a connection request if all of the network policy conditions for the policy are matched.

In addition to its set of rules, a policy has properties that specify whether the policy is enabled or disabled and whether it grants or denies access to the RRAS server.

If a connection is authorized, the network policy constraints represent a set of restrictions on the connection. The dial-in properties of the user account can also provide a set of restrictions. Where applicable, connection restrictions defined in a user account override the restrictions defined in a network policy.

In Windows Server 2008 R2 and Windows Server 2008, remote access network policies are configured and maintained by using Network Policy Server (NPS). For information about configuring a remote access network policy, see RADIUS Server for Dial-Up or VPN Connections in the Windows Server Technical Library. For information about connection restrictions that can be configured on a user account, see Understanding Remote Access Properties of a User Account in this guide.

Remote access network policies validate a number of connection settings before authorizing the connection. The following items are the network policy conditions:

  • Access permission

  • Group membership

  • Type of connection

  • Time of day

  • Authentication methods

  • Advanced conditions:

    • Access server identity

    • Access client phone number or MAC address

    • Whether user account dial-in properties are ignored

    • Whether unauthenticated access is allowed

After a connection is authorized by matching all of the conditions specified in a network policy, the network policy can specify connection constraints, including the following:

  • Idle timeout time

  • Maximum session time

  • Encryption strength

  • IP packet filters

  • Advanced restrictions:

    • IP address for PPP connections

    • Static routes

Additionally, you can vary connection restrictions based on the following settings:

  • Group membership

  • Type of connection

  • Time of day

  • Authentication methods

  • Identity of the access server

  • Access client phone number or MAC address

  • Whether unauthenticated access is allowed

For example, you can have policies that specify different maximum session times for different types of connections or groups. Additionally, you can specify restricted access for business partners or unauthenticated connections.

Authorizing access

There are two ways to use remote access network policies to grant authorization:

  1. By user account

  2. By group membership

Authorization by user

If you are managing authorization by individual user account, set the network access permission on the user account to either Allow access or Deny access. In these cases, network policies in NPS are not used.

To configure network access permission on a user account

  1. Perform one of the following:

    • If the RRAS server is joined to a domain: On either a domain controller or on a computer with the Remote Server Administration Tools installed, start the Active Directory Users and Computers MMC snap-in. Expand the navigation tree to the container or organizational unit that contains the user account.

    • If the RRAS server is not joined to a domain: Click Start, click Administrative Tools, and then click Computer Management. In the navigation tree, click Local Users and Groups. Click Users.

  2. Double-click the user account that you want to configure.

  3. On the Dial-in tab, select either Allow access or Deny access. This setting overrides any NPS remote access network policy.

  4. Click OK to save your changes.

Authorization by group

If you want to manage authorization by using group accounts, then you must set the network access permission on your user accounts to Control access through NPS Network Policy. You can configure this setting for your user accounts by using Group Policy. Place the user accounts that are to be granted remote access permissions into a group account that you create in Active Directory. Finally, create NPS network policies that specify membership in that group as a condition. You can create different groups that are used to grant different levels of remote access. For example, you might want to have one network policy for remote access connections for employees (members of the Employees group) and a different network policy for remote access connections for partners (members of the Partners group).

If you are managing authorization by group, RRAS uses the following basic process to authorize a connection attempt:

  • If the connection attempt matches all policy conditions (including any that require membership in a specified group), check the access permission of the remote access network policy.

    • If the access permission is set to Grant access, apply the connection settings of the user account.

    • If the access permission is set to Deny access, reject the connection attempt.

  • If the connection attempt does not match all of the conditions in the policy, then evaluate the next network policy.

  • If the connection attempt does not match all of the conditions of any network policy, then reject the connection attempt.
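The evaluation order described above (user-account Dial-in setting first, then each enabled network policy in order, with a condition mismatch falling through to the next policy but a failed constraint ending evaluation) can be modeled as a small simulation. This is an added example, not part of the original documentation or of NPS itself; the policy fields, request keys, group names and the single "min_encryption" constraint are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Policy:
    name: str
    grant: bool                       # access permission: Grant access or Deny access
    conditions: dict = field(default_factory=dict)   # constructed, e.g. {"group": "Employees"}
    constraints: dict = field(default_factory=dict)  # constructed, e.g. {"min_encryption": 128}
    enabled: bool = True

def conditions_match(policy, request):
    """Every condition must match; "group" checks membership in request["groups"]."""
    for key, wanted in policy.conditions.items():
        if key == "group":
            if wanted not in request.get("groups", ()):
                return False
        elif request.get(key) != wanted:
            return False
    return True

def constraints_ok(policy, request):
    # Only one constraint kind is modeled here: minimum encryption strength in bits.
    need = policy.constraints.get("min_encryption")
    return need is None or request.get("encryption", 0) >= need

def authorize(request, policies):
    """Return (accepted, reason), following the ordered evaluation in the text."""
    # The Dial-in tab of the user account overrides any NPS network policy.
    dialin = request.get("dialin", "nps")
    if dialin == "allow":
        return True, "user account: Allow access"
    if dialin == "deny":
        return False, "user account: Deny access"
    for policy in policies:
        if not policy.enabled or not conditions_match(policy, request):
            continue  # conditions not matched: evaluate the next policy
        if not policy.grant:
            return False, f"{policy.name}: access permission is Deny access"
        if not constraints_ok(policy, request):
            # Unlike a condition mismatch, a failed constraint ends evaluation.
            return False, f"{policy.name}: constraint not met"
        return True, f"{policy.name}: Grant access"
    return False, "no network policy matched"

# Constructed sample policies, in the order NPS would evaluate them.
POLICIES = [
    Policy("Partners VPN", True, {"group": "Partners", "type": "vpn"}, {"min_encryption": 128}),
    Policy("Employees VPN", True, {"group": "Employees", "type": "vpn"}),
    Policy("Block dial-up", False, {"type": "dialup"}),
]
```

Note that a user who is in both the Partners and Employees groups but connects with weak encryption is rejected by the first matching policy's constraint; the later Employees policy that would have granted access is never evaluated.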

Note

Setting the network access permission on user accounts to Control access through NPS Network Policy and then not using groups to manage network access is not recommended.