Dial-up remote access for employees
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Employees of Electronic, Inc. use MS-CHAP or MS-CHAP v2 authentication for dial-up remote access, and encryption is allowed but not required. To deploy remote access for Electronic, Inc. employees by using dial-up remote access connections, the following configuration is implemented.
Network configuration
For dial-up remote access, the Electronic, Inc. network is also configured as follows:
- To receive up to 48 simultaneous incoming calls, Electronic, Inc. uses a modem bank switch that is connected to the local telephone service provider. The modem bank switch connects to the remote access server by using a modem bank adapter. Dial-up clients can dial in to the Electronic, Inc. intranet at the phone number 555-0111.
The following illustration shows the configuration of the Electronic, Inc. remote access server for dial-up remote access connections.
The remote access server computer is configured as follows:
1. Install the modem bank adapter in the remote access server
The modem bank adapter that is used to connect to the modem bank switch is installed according to the adapter manufacturer's instructions. Once the driver is installed and functioning, the device and its ports appear under Ports in Routing and Remote Access.
2. Configure the ports of the modem bank device for remote access
All of the ports of the modem bank device are enabled for remote access. For more information, see Configure ports for remote access.
Domain configuration
For each employee that is allowed dial-up remote access:
- The remote access permission on the dial-in properties of the user account is set to Allow access.
- The user account is added to the DialUp_Users group.
Remote access policy configuration
To define the authentication and encryption settings for remote access dial-up clients, the following remote access policy is created:
Policy name: Dial-up Remote Access Clients
Conditions:
- NAS-Port-Type is set to all types except Virtual (dial-up)
- Windows-Groups is set to DialUp_Users
Permission is set to Grant remote access permission
Profile settings:
- Authentication tab: Microsoft Encrypted Authentication version 2 (MS-CHAP v2) and Microsoft Encrypted Authentication (MS-CHAP) are enabled.
- Encryption tab: Select all the options.
Note
- In the access-by-user administrative model, the remote access permission on the remote access policy has no effect on granting remote access permission. However, the network administrator for Electronic, Inc. set the remote access permission on the policy to Grant remote access permission so that an eventual transition to an access-by-policy administrative model does not require changing all the remote access permission settings on all of the configured remote access policies.
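The access-by-user behavior described in the note above, as an added example that is not part of the original documentation: a simplified Python model of the authorization decision for this page's policy. The function and class names, the "Async" port-type label and the sample attempts are constructed for illustration, and profile constraints are not modeled.

```python
# Simplified model of the authorization decision (an assumption of this
# example): policy conditions are checked first, then the dial-in permission.
from dataclasses import dataclass

ALLOW = "Allow access"
DENY = "Deny access"
BY_POLICY = "Control access through Remote Access Policy"

@dataclass(frozen=True)
class Policy:
    name: str
    required_group: str             # Windows-Groups condition
    excluded_port_types: frozenset  # NAS-Port-Type: all types except these
    grants_access: bool             # permission setting on the policy

@dataclass(frozen=True)
class Attempt:
    user_groups: frozenset
    nas_port_type: str
    dialin_permission: str          # setting on the user account

def page_policy(grants_access=True):
    """The policy from this page; grants_access toggles its permission."""
    return Policy("Dial-up Remote Access Clients", "DialUp_Users",
                  frozenset({"Virtual"}), grants_access)

def authorize(policies, attempt):
    """Return (accepted, reason); the first policy whose conditions match decides."""
    for p in policies:
        if (attempt.nas_port_type in p.excluded_port_types
                or p.required_group not in attempt.user_groups):
            continue  # conditions not met, try the next policy
        if attempt.dialin_permission == DENY:
            return False, "user account is set to Deny access"
        if attempt.dialin_permission == ALLOW:
            # Access-by-user: the policy's own permission is not consulted.
            return True, "user account is set to Allow access"
        if p.grants_access:
            return True, "policy grants remote access permission"
        return False, "policy denies remote access permission"
    return False, "no remote access policy matched"

if __name__ == "__main__":
    # Constructed sample: an employee dialing in over a modem port.
    employee = Attempt(frozenset({"DialUp_Users"}), "Async", ALLOW)
    for grants in (True, False):
        print(grants, authorize([page_policy(grants)], employee))
```

Once accounts are switched to Control access through Remote Access Policy, the policy's permission becomes decisive, which is why the page's policy is already set to Grant remote access permission.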
Dial-up remote access client configuration
The New Connection wizard is used to create a dial-up connection with the following setting:
- Phone number: 555-0111
Note
- The example companies, organizations, products, people and events depicted herein are fictitious. No association with any real company, organization, product, person or event is intended or should be inferred.