HOW TO: Set Up Remote Access for an Intranet
Author: Microsoft
--------------------------------------------------------------------------------
The information in this article applies to:
Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server
--------------------------------------------------------------------------------
SUMMARY
This step-by-step guide describes how users can connect to an internal network from remote locations and have access to common services such as File and Print sharing, Web server access, and messaging. Unauthorized users should be denied permissions to access such services.
1. Installing the Remote Access Server
The Routing and Remote Access service is installed automatically during the installation of Windows 2000 Server, but it is disabled by default.
To Enable the Routing and Remote Access Service
Click Start, point to Programs, point to Administrative Tools, and then click Routing and Remote Access.
Click the server icon that matches the local server name in the left pane of the console. If the icon has a red circle in the bottom-left corner, the Routing and Remote Access service has not been enabled. If the icon has a green arrow pointing up in the bottom-left corner, the Routing and Remote Access service has been enabled. If the Routing and Remote Access service was previously enabled, you may want to reconfigure the server. To reconfigure the server:
Right-click the server object, and then click Disable Routing and Remote Access. Click Yes to continue when you are prompted with an informational message.
Right-click the server icon, and then click Configure and Enable Routing and Remote Access to start the Routing and Remote Access Server Setup Wizard. Click Next to continue.
Click Remote Access server to enable remote computers to dial in to this network. Click Next to continue.
Verify that all of the protocols needed by the services that remote users require appear in the list of available protocols. If this is the case, click Yes, all of the required protocols are on this list. Click Next to continue.
If the server has multiple network adapters, the wizard opens the Network Selection window so that you can specify the network that should be used by remote clients. (If the server has only one network adapter, the wizard automatically moves to step 7.) Click the appropriate network, and then click Next to continue.
In the IP Address Assignment window, click Automatically if a DHCP server will be used to assign addresses to remote clients, or click From a specified range of addresses if remote clients should only be given an address from a pre-defined pool. In most cases, the DHCP option is simpler to administer. However, if DHCP is not available, you must specify a range of static addresses. Click Next to continue.
If you clicked From a specified range of addresses, the wizard opens the Address Range Assignment window. Click New. Type the first IP address in the range of addresses that you want to use in the Start IP address box. Type the last IP address in the range in the End IP address box. Windows calculates the number of addresses automatically. Click OK to return to the Address Range Assignment window. Click Next to continue.
Accept the default setting of No, I don't want to set up this server to use RADIUS now, and then click Next to continue. Click Finish to enable the Routing and Remote Access service and to configure the server as a Remote Access server.
After you set up the server to receive dial-up connections, you need to set up a remote access client connection on the client workstation.
2. Setting Up a Client for Dial-Up Access
To set up a client for dial-up access, follow these steps on the client workstation:
Click Start, point to Settings, and then click Network and Dial-up Connections. Double-click Make New Connection, and then click Next to continue.
Click Dial-up to private network to create the dial-up connection. Click Next to continue.
Type the phone number for the Remote Access server. If the Remote Access server is in the same area code as the remote client, you do not need to type the area code. If the Remote Access server is in a different area code, click to select the Use dialing rules check box to make the Area code and Country/region code boxes available.
Click For all users if you want to allow any user who logs on to the workstation to have access to this dial-up connection. Click Only for myself if you want this connection to be available only to the currently logged-on user. Click Next to continue.
Leave the Enable Internet Connection Sharing for this connection check box cleared. Click Next to continue.
In the Connection Name box, type a descriptive name for this connection, and then click Finish to save the connection.
3. Granting Access to Remote Access Servers
You can use remote access policies to grant or deny authorization based on criteria such as the time of day and day of the week, the user's membership in Windows 2000-based security groups, or the type of connection that is requested. If a Remote Access server is a member of a domain, you can configure these settings by using the user's domain account.
If the server is a stand-alone server or a member of a workgroup, the user must have a local account on the Remote Access server.
To configure User Dial-in Access in Active Directory
Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
Right-click the user account, and then click Properties.
Click the Dial-in tab.
Click Allow access to grant the user permission to dial in. Click OK.
This completes the procedure, aside from testing to make sure that remote access is working as you expect.
4. Establishing a Remote Connection
To connect to the server, follow these steps:
Click Start, point to Settings, click Network and Dial-up Connections, and then double-click the new connection that you created.
In the User Name box, type your user name. If the network to which you will be connecting has multiple domains, you may need to specify a domain name. If this is the case, use the domain_name\user name format in the User Name box.
In the Password box, type your password.
Check the phone number that is listed in the Dial box to make sure that it is correct. Make sure that you have specified any additional numbers that may be required to obtain an external line, dial long-distance, and so on.
Click Dial to continue. The remote computer will connect to the Remote Access server, authenticate the user, and register the remote computer on the network.
5. Pitfalls
Not All of the User's Dial-in Configuration Settings Are Available
If the Windows 2000-based domain is using Mixed mode, not all of the configuration options are available. Administrators can only grant or deny access to the user, and specify callback options (these are the access permission settings that are available in Microsoft Windows NT 4.0). The remaining options become available after the domain has been switched to native mode.
Users Can Contact the Server, But Are Not Authenticated
Make sure that the user account has been granted permission to dial in and be authenticated with Active Directory as described in section 2. The Remote Access server must also be a member of the "RAS and IAS Servers" group.
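The two conditions above can also be checked from a command prompt on the Remote Access server. The following batch file is an added example, not part of the original article; it assumes the netsh ras context is available on the server, and CORP and jsmith are constructed placeholder values for the domain and the user account.

```batch
@echo off
rem Added example: read-only checks for the "contact but not authenticated" pitfall.
rem CORP and jsmith are placeholders; replace them with your own domain and account.
setlocal
set DOMAIN=CORP
set RASUSER=jsmith

echo === 1. Is this server registered in the "RAS and IAS Servers" group? ===
netsh ras show registeredserver domain=%DOMAIN% server=%COMPUTERNAME%

echo === 2. Dial-in permission and callback settings for %RASUSER% ===
netsh ras show user name=%RASUSER%

echo === 3. All accounts whose dial-in permission is set to permit ===
rem Review this list: every account shown can request a remote connection.
netsh ras show user mode=permit

rem If check 1 reports that the server is not registered, a domain
rem administrator can register it with the following command
rem (left commented out so that this file changes nothing by default):
rem   netsh ras add registeredserver domain=%DOMAIN% server=%COMPUTERNAME%
endlocal
```

Run the file while logged on with an account that can read the domain; the third check is also a quick way to confirm that only the intended users have been granted dial-in access.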