Windows NT RAS Server

Remote Access Service (RAS) is considered to be a Wide Area Network (WAN) connection.

Required Client Components

Required components to use RAS on a client:

• Networking Transport Protocol (NetBEUI, NWLink, TCP/IP) - The best protocol depends on line conditions. TCP/IP is best when line conditions are poor, but it is slower. If line conditions are good, and speed is desired, use NetBEUI.
• Workstation service for NTWS or Client for Microsoft Networks for Windows 95

Required Server Components

• Modems or ISDN interface or X.25 PAD. Modems are configured using the control panel modems applet. ATM and ISDN are installed using the control panel network applet.
• Networking

Supports NetBEUI, NWLink, and TCP/IP transport protocols. RAS servers can be used as gateways to link LANs together.

Supported Connection Types

• Analog Telephone (PSTN). Uses PPP or SLIP for support over PSTN lines. NT RAS hosts only answer when PPP is used, but the other protocols are supported for dial out. SLIP only supports TCP/IP and does not support logon encryption or dynamic IP assignments.
• Digital Telephone (ISDN)
• X.25 - Leased line protocol.
• ATM
• Point to point tunneling protocol (PPTP) for VPN connections across the Internet.
• RS-232 NULL modem cable.

Clients that the RAS server can host

• TCP/IP clients using PPP - These clients cannot use domain resources.
• LAN Manager
• DOS RAS
• Windows for Workgroups
• Windows 95/98
• Windows NT 3.1 and above

Server Configuration Selections

• Allow access to RAS server only or act as a gateway to the rest of the network.

When the RAS service is running, the COM ports and modems being used by the RAS service are not available for outgoing connections such as FAX or terminal software. To use these functions, stop the RAS service, then start it again when done.

Installing and Configuring RAS

RAS must have at least one of TCP/IP, NWLink, or NetBEUI installed as a transport protocol. A different transport protocol may be selected to support each modem or RAS device.

1. Set up one or more of the following service types.
   o Use the modem applet in the control panel to install modems and configure them to use specific COM ports.
   o If using ISDN, it may connect straight into a serial port, or use an NT-1 network termination device. This can be on a separate card or may be on your network card. If the NT-1 is used, the RAS server treats the ISDN connection like a network card. The control panel network applet adapters tab is used to install this as though installing a network card. The ISDN adapter must be configured to use the appropriate ISDN protocol. The main ones are:
      • N11
      • AT&T 5ESS
      • Northern Telecom DMS-100
     Set ISDN SPIDs (Service profile IDs) to two for maximum speed and use two telephone numbers. The SPID is a prefix and suffix along with the normal 10 digit phone number. Set the connection to be multipoint to use each channel.
   o To install X.25, the RAS setup dialog box is used (X.25 PAD button).
2. If RAS service is not installed, use the Network applet, services tab in the control panel to install it from your CDROM. Select "Remote Access Service".
3. Configure the RAS network protocols - The RAS server will use the PPP data link protocol rather than a protocol like ethernet. It may use PPP or SLIP to dial out.
   1. Different modems or RAS devices may be configured to use different network/transport protocols. For example one may use TCP/IP, while another uses NetBEUI. To set the protocol, use the control panel's Network applet, services tab. Any combination of TCP/IP, NWLink, or NetBEUI may be used.
   2. Set up each transport protocol and select whether clients can access the entire network or not.
4. Configuration is done using the control panel network applet services tab. Select "Remote Access Service" and properties. Highlight the port to use and click on the network button. A Network Configuration dialog box will appear with the following options:
   o Dial Out Protocols with selections of NetBEUI, TCP/IP, and IPX. The configure buttons next to the checkboxes allow each protocol to be configured, including the ability to use the protocol for dialing out.
   o Server Settings with:
      • Allow remote clients running:
         o NetBEUI
         o TCP/IP - Options for IP addresses include:
            • Use DHCP to assign remote TCP/IP client addresses
            • Use static address pool - Used when DHCP is not available on the network and IP addresses are still desired
            • Allow remote clients to request a predetermined IP address - Used when DHCP is not available on the network and RAS clients have a unique IP address assigned. An IP address cannot be assigned based on user account.
         o IPX
      • Encryption Settings with:
         o Allow any authentication including clear text.
         o Require encrypted authentication.
         o Require Microsoft encrypted authentication with an additional checkbox, "Require data encryption".
      • Enable Multilink checkbox

RAS clients are configured using the control panel Dial-up Networking applet. The phone book entry is used and it has the following tabs:

• Basic
• Server - Select the RAS server type, transport protocols to use and "Enable software compression" and "Enable PPP LCP extensions".
• Script - Used for dial up servers that are not RAS servers
• Security - Specifies type of authentication, clear text, encrypted, and Microsoft encrypted. Must match the server side unless the server allows any authentication.
• X.25

To use ISDN with RAS, the following must be done:

1. An ISDN BRI circuit must be installed by the provider.
2. An ISDN adapter must be installed on the RAS server.

Remote Access Administrative Utility

Used to configure RAS permissions for users. The following features exist on the Remote Access Permissions dialog box:

• Grant dialin permission to user checkbox
• Call back radio button section with options:
   o No Call Back
   o Set By Caller
   o Preset To followed by a text box.

Permissions cannot be set for groups.

Authorizing RAS Users

RAS users can be authorized in two places:

• User Manager for Domains dial-up button.
• Remote Access administrative tool.

RAS Security

Security settings are entered by using the phonebook entry security tab. This is the same on the client and server side.

• Encrypted passwords - Protocols used:
   o PAP - Password authentication protocol
   o CHAP - Challenge handshake authentication protocol uses encrypted authorization.
   o MS-CHAP - This uses MD-4 (Message Digest 4) security protocol over PPP. If the option to "Require data encryption" is set when using MS-CHAP, all data between the client and the server will be encrypted. Only Microsoft clients can use this protocol.
• Callback (server only) - Calls the client back to establish the connection. Options are "No Callback", "Set by caller" or "Preset to...".
• Permissions (server only) - Can set up users who can use RAS as a client.
• PPTP (server only) - Point to Point Tunneling Protocol used for virtual private networking (VPN) as a means of sending secure information. To use this, when enabled on the server, the client will connect to the internet, then connect to the RAS server using the PPTP client service. The control panel, network applet protocols tab is used to add PPTP.

When having trouble getting authentication to work, the option "Allow any authentication including clear text" can be useful while debugging. Be careful of allowing access to sensitive information that will not be encrypted over the serial line.
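
The server-side authentication setting decides which protocol the RAS server asks for when the PPP link is negotiated. As an added example (not part of the original notes), the Python code below reads the Authentication-Protocol option from an LCP Configure-Request and reports whether it asks for clear-text PAP, which is the check to make after turning off "Allow any authentication including clear text". The sample packets are constructed, and the option layout and protocol numbers are taken from RFC 1661, RFC 1994 and RFC 2433, which these notes do not cite.

```python
import struct

# Authentication-Protocol numbers for LCP option 3 (RFC 1661); CHAP algorithm
# bytes from RFC 1994 (0x05, MD5) and RFC 2433 (0x80, MS-CHAP).
PAP, CHAP = 0xC023, 0xC223
CHAP_ALGS = {0x05: "CHAP (MD5)", 0x80: "MS-CHAP"}

def lcp_auth_offer(packet: bytes):
    """Return (protocol_name, sends_cleartext_password) for the
    Authentication-Protocol option of an LCP Configure-Request,
    or None when the request asks for no authentication at all."""
    if len(packet) < 4:
        raise ValueError("truncated LCP header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 1:
        raise ValueError("not an LCP Configure-Request")
    if length < 4 or length > len(packet):
        raise ValueError("bad LCP length field")
    pos = 4
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated option header")
        opt_type, opt_len = packet[pos], packet[pos + 1]
        if opt_len < 2 or pos + opt_len > length:
            raise ValueError("bad option length")
        data = packet[pos + 2:pos + opt_len]
        if opt_type == 3:
            if len(data) < 2:
                raise ValueError("short Authentication-Protocol option")
            (proto,) = struct.unpack("!H", data[:2])
            if proto == PAP:
                return ("PAP", True)
            if proto == CHAP and len(data) >= 3:
                return (CHAP_ALGS.get(data[2], "CHAP (0x%02x)" % data[2]), False)
            return ("unknown 0x%04x" % proto, None)
        pos += opt_len
    return None

# Constructed sample packets (not captured from a real RAS server).
MSCHAP_REQ = bytes.fromhex("01010013 010405dc 0305c22380 050611223344")
PAP_REQ = bytes.fromhex("0102000c 010405dc 0304c023")
NO_AUTH_REQ = bytes.fromhex("01030008 010405dc")

if __name__ == "__main__":
    for name, pkt in [("ms-chap", MSCHAP_REQ), ("pap", PAP_REQ), ("none", NO_AUTH_REQ)]:
        print(name, lcp_auth_offer(pkt))
```

A result of `("PAP", True)` or `None` on a link that carries logons means the password is not protected on the wire.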

PPP Security

• Encryption of logon requests.
• Supports multiple transport protocols.

Multilink

In some cases, multiple lines may be used as though they are one connection to gain higher transfer speeds. The client and server must be NT computers to use multilink. The calling and receiving host must have the same number and type of multilink connections. This is supported in any combination of connections by NT. This is based on RFC 1717. Multilink is configured on the client and server using the Phonebook entry basic tab.

RAS Monitor

Used to monitor RAS performance. It is found in the system tray on the Taskbar, next to the time. You can select it, then have it display as a window.

RAS Logging

The following registry entry controls RAS logging by turning it on or off:

\HKey_Local_machine\system\CurrentControlSet\Services\Rasman\PPP\Logging

The log is stored in the file:

\WINNTROOT\system32\Ras\PPP.log