Deploying Remote Access Clients Using Connection Manager
You can use Connection Manager, a component of the Microsoft Windows Server 2003 operating systems,
to provide customized remote access to your network through a dial-up or a virtual private network (VPN)
connection. By deploying remote access clients with the Connection Manager family of programs, which
includes the Connection Manager Administration Kit (CMAK), Connection Point Services (CPS), and the
Connection Manager client, you can configure the remote access experience for your users. This
configuration can include providing a phone book in which users can find the most convenient dial-up access
number.
In This Chapter
Overview of Remote Access Client Deployment ..... 180
Providing Connection Manager Phone Book Support ..... 184
Customizing Connection Manager ..... 188
Implementing Your Connection Manager Solution ..... 199
Example: Deploying Remote Access Clients ..... 203
Additional Resources ..... 218
Related Information
• For information about designing and deploying a remote access server solution, see
“Deploying Dial-Up and VPN Remote Access Servers” in this book.
• For information about designing and deploying Internet authentication, see “Deploying IAS”
in this book.
• For information about creating connections to branch offices and remote sites, see
“Connecting Remote Sites” in this book.
180 Chapter 9 Deploying Remote Access Clients Using Connection Manager
Note
For the purposes of this chapter, “phone book” and “Connection
Manager phone book” refer to a list of Points of Presence (POPs) and
other information configured by using the Connection Manager family
of programs.
Connection Methods
Remote users connect to networks by using one of two methods: they either connect with direct dial, where
they connect directly by using dial-up lines, or they use VPNs to connect over the Internet. When using a
VPN to connect, remote users who do not have a pre-existing connection to the Internet must use a
double-dial configuration, where they first dial an ISP number to access the Internet and then establish the
VPN connection. Connection Manager can make this double-dial process look like a single connection
attempt to the end user.
Additional Resources 183
Direct Dial
Users who connect to your network by using direct dial call directly into your network, using the dial-up
phone numbers that your organization provides to connect to remote access dial-up servers. You can easily
manage a small number of users calling a small number of phone numbers. However, if a large number of
users are dialing into your network, or if your network can be reached through many phone numbers,
Connection Manager and CPS are useful for managing remote access.
VPN
Organizations that offer VPN access to their remote users approach this in one of two ways:
• Assume that the users have their own connections to the Internet.
• Provide users with an easy method to dial up the Internet and establish a subsequent VPN
connection to the corporate network.
An organization can also contract with an ISP to supply a national or worldwide collection of phone numbers
for Internet access. Connection Manager provides a method to expose these numbers from the ISP in a phone
book and automatically establish the VPN connection after the ISP connection is complete. For more
information about working with an ISP, see “Providing Connection Manager Phone Book Support” in this
chapter. For more information about double-dial connections, see “Example: Deploying Remote Access
Clients” in this chapter.
Authentication Methods
The user authentication method that you implement depends on the operating systems that your clients are
running and the level of security that you require for your network. For example, you might require
passwords, certificates, or smart cards for user authentication, depending on your organization’s security
needs. For more information about user authentication methods, see “Designing an Authentication Strategy”
in Designing and Deploying Directory and Security Services of this kit. For more information about
deploying smart cards, see “Deploying Smart Cards” in Designing and Deploying Directory and Security
Services of this kit.
Important
Network Access Quarantine Control allows an administrator to prevent
computers with unsafe or undesirable configurations from connecting
to a private network, not to protect a private network from malicious
users who have obtained a valid set of credentials.
For more information about Network Access Quarantine Control, see “Deploying Dial-up and VPN Remote
Access Servers” and “Deploying IAS” in this book, and “IAS Network Access Quarantine Control” in Help
and Support Center for Windows Server 2003.
Figure 9.2 shows the process for providing phone book support.
Figure 9.2 Providing Connection Manager Phone Book Support
For more information about security considerations when using CPS, see “Security Information for
Connection Point Services” in Help and Support Center for Windows Server 2003.
Note
If you are providing a VPN-only profile, you do not need to create a
phone book and can skip to “Customizing Connection Manager” later in
this chapter.
Before using PBA, you must install it on a computer running either Windows Server 2003 or Microsoft
Windows XP Professional. You install PBA by running Pbainst.exe from the
VALUEADD\MSFT\MGMT\PBA folder on the Windows Server 2003 family CD-ROM or Windows XP
Professional CD-ROM.
For information about how to administer phone books from the command line, see “Administer phone
books” in Help and Support Center for Windows Server 2003.
4. In the Options dialog box, type the server address, user name, and password used to post the
phone book to the server running PBS.
5. Click Create to create the .cab files in the release directory.
6. Enter the address of the PBS server and click Post to post the new release to the PBS server.
7. Disable the account on the PBS server.
8. Stop the FTP service on the PBS server.
Use PBA to edit your phone book when adding or changing telephone numbers, and then use the same
procedure to re-publish the updated phone book.
Caution
For security reasons, do not allow anonymous FTP access to your PBS
server. Also, only run the FTP service when you are actually publishing
or updating a phone book. For more information about CPS security,
see “Security information for Connection Point Services” in Help and
Support Center for Windows Server 2003.
PBS servers can be located on your perimeter network or in the perimeter network of the ISP if you
outsource phone book support. Because the phone book updates after connecting to your network, locate the
PBS server such that the client has access to it after a successful connection to your network. For more
information about security in perimeter networks, see “Deploying ISA Server” in this book.
Tip
You can install the CMAK wizard from Management and Monitoring
Tools details in the Windows Components Wizard. For more
information about installing the CMAK wizard, see “The Connection
Manager Administration Kit Wizard” in Help and Support Center for
Windows Server 2003.
Before you run the CMAK wizard, make sure you know the following information, which is required to
complete the wizard:
• The service name and a file name that you will use for the new profile and related files.
• A realm name, if your service requires it. A realm name is a prefix or suffix that Connection
Manager automatically adds to the user name.
• Any existing service profiles that you plan to merge into the new profile. For more
information about merging service profiles, see “Merging Service Profiles” later in this
chapter.
• VPN Support information, including the VPN server address(es) and whether or not the
client will use the same passwords for the dial-up and VPN connection in a double-dial
situation. For an example of configuring VPN Support information, see “Example:
Deploying Remote Access Clients” later in this chapter. For information about configuring a
VPN-only profile, see “Implementing VPN support” in Help and Support Center for
Windows Server 2003.
• VPN Entries network and security information. For more information about networks and
security, see “Configuring Network and Security Settings” later in this chapter.
• Preshared key information, if needed for L2TP/IPSec VPN connections. If you are using a
preshared key, encrypt it with a PIN that follows strong password rules. Strong passwords
include a combination of uppercase and lowercase letters, numbers, and special characters so
the password is protected from a dictionary attack or a database of popular passwords.
• The location of the phone book file that was created by PBA to include in this service profile
and any text that should appear in the More access numbers box in the Phone Book dialog
box.
• Phone book file name for downloading updates and the update URL to point to on the phone
book server, if applicable.
• Dial-up Networking Entries and security information. For more information about networks
and security, see “Configuring Network and Security Settings” later in this chapter.
• Routing table update information, if you are planning to implement split-tunneling where
users can connect to both your internal network and the Internet simultaneously.
• Automatic Proxy Configuration settings, if you want Connection Manager to automatically
update proxy settings for this connection.
• Custom Actions, which are any programs you want to start automatically before, during, or
after users connect to your service. For more information about custom actions, see
“Incorporating Custom Actions” later in this chapter.
• Branding information, including custom graphics, icons, menu items for the notification area
shortcut, custom Help, and support information, if applicable. For more information about
including branding information in your service profile, see “Branding Your Connection
Manager Client” later in this chapter.
• Whether to include the latest version of Connection Manager with your service profile. This
is a small file, so if you are not sure that all clients have the latest version of CM, include the
latest version with your profile.
• A custom license agreement, if applicable. For more information about including a custom
license agreement in your service profile, see “Branding Your Connection Manager Client”
later in this chapter.
• Any additional files you want to include in this service profile.
• Any information you require for advanced customization, if applicable. For more
information about advanced customization, see “Providing Advanced Customization” later
in this chapter.
For a worksheet to assist you in completing the CMAK wizard, see “Preparation for Running the CMAK
Wizard” (DNSRAC_1.doc) on the Microsoft Windows Server 2003 Deployment Kit companion CD (or see
“Preparation for Running the CMAK Wizard” on the Web at http://www.microsoft.com/reskit).
For more specifics about customizing Connection Manager using CMAK, see “Preparing to run the CMAK
Wizard” and “Connection Manager Administration Kit” in Help and Support Center for Windows
Server 2003.
The Microsoft® Windows® Server 2003 Resource Kit also contains custom actions you can use to customize
your profile:
Profile update
This includes the files Getcm.exe, which runs as a post-connect action that checks for and downloads an
updated service profile, and Instcm.exe, which runs as a disconnect action that checks to see if an updated
service profile has been downloaded and installs it.
Certificate deployment
This DLL (Cmgetcer.dll) allows Connection Manager to automatically obtain a certificate for L2TP/IPSec
connections.
Network Access Quarantine Control
This network policy requirements script runs as a post-connect action. The network policy requirements
script performs validation checks on the remote access client computer to verify that it conforms to network
policies. The script can be a custom executable file or a simple batch file.
When the script has run successfully and the connecting computer has satisfied all of the network policy
requirements (as verified by the script), the script executes a notifier component (an executable) with the
appropriate parameters. You can also configure your script to download the latest version of the script from a
quarantine resource. If the script does not run successfully, it directs the remote access user to a quarantine
resource such as an internal Web page, which describes how to install the components that are required for
network policy compliance.
The notifier component sends a message to the quarantine-compatible remote access server that indicates a
successful execution of the script. You can use your own notifier component or you can use Rqc.exe, which
is provided on the Windows Server 2003 Deployment Kit companion CD. With these components installed,
the remote access client computer uses the Connection Manager profile to perform its own network policy
requirements check and indicate its success to the remote access server as part of the connection setup.
Tip
Because Network Access Quarantine Control introduces a delay in
obtaining normal remote access, applications that run immediately after
the connection is complete might encounter problems. One way to
minimize the delay is to separate your script into two scripts: one that
runs as a pre-connect action and one that runs as a post-connect
action.
For more information about Network Access Quarantine Control, see “IAS Network Access Quarantine
Control” in Help and Support Center for Windows Server 2003, “Deploying Dial-up and VPN Remote
Access Server” and “Deploying IAS” in this book. For a sample notifier component, see the Windows SDK.
For more information about the Windows SDK, see the Software Development Kit (SDK) information in the
MSDN Library link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.
In addition to these predefined custom actions, you can create your own custom actions to include in the
service profile.
For security reasons, custom actions cannot be run when users log on to the network using dial-up
networking unless certain registry keys have been set. For more information about custom actions, see
“Incorporating custom actions” in Help and Support Center for Windows Server 2003.
Caution
Use extreme care when deleting sections or keys from the .cms or
.cmp files by using the Advanced Customization page of the CMAK
wizard, particularly when you are editing an existing service profile.
For more information, including a comprehensive list of the service profile files and keys that you can
customize through advanced customization, see “Advanced customization” in Help and Support Center for
Windows Server 2003.
The following procedures show four ways to use advanced customization to increase security for user
connections.
Tip
If the key names you want to customize do not appear in the drop
down list, simply type them in the Key name text box.
Important
In order for any advanced customization setting to be recorded, you
must click Apply after entering each setting.
Disabling ICS
Edit the DisableICS key to disable Internet Connection Sharing (ICS) in Windows XP for this connection.
Enabling ICF
Edit the EnableICF key to turn on Internet Connection Firewall (ICF) in Windows XP for this connection.
To enable ICF from the Connection Manager user interface
1. On the Advanced Customization page of the CMAK wizard, in the File name box, select
FileName.cms.
2. In the Section name box, select Connection Manager.
3. In the Key name box, type or select EnableICF.
4. In the Value box, type 1.
5. Click Apply.
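As an added example (not code from the Deployment Kit or from CMAK), the following Python script reads a service profile's .cms file and reports whether the DisableICS and EnableICF keys set by the two procedures above are present in the [Connection Manager] section with the value 1, so a profile can be checked before it is built and distributed. It assumes that a .cms file parses as INI-style text and that a missing key means the setting is not enabled; the sample profile text is constructed.

```python
"""Audit the ICS/ICF keys in a Connection Manager service profile (.cms).

Added example, not part of the Deployment Kit or of CMAK. A .cms file is an
INI-style text file; the two procedures above set DisableICS and EnableICF
to 1 in its [Connection Manager] section. This script reads a profile and
reports which of those keys still need to be set before the profile is
built and distributed. The sample profile text is constructed here.
"""
import configparser

SECTION = "Connection Manager"

# Key -> what a value of 1 means for this connection (from the procedures above).
SECURITY_KEYS = {
    "DisableICS": "Internet Connection Sharing is disabled",
    "EnableICF": "Internet Connection Firewall is turned on",
}

# Constructed sample: EnableICF was applied, but DisableICS was never added.
SAMPLE_CMS = """\
[Connection Manager]
EnableICF=1
"""


def load_cms(text: str) -> configparser.ConfigParser:
    """Parse .cms text, keeping key names exactly as CMAK writes them."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # do not lower-case EnableICF to enableicf
    parser.read_string(text)
    return parser


def audit_cms(text: str) -> dict[str, bool]:
    """Map each security key to True when it is present in [Connection Manager] with value 1.

    Assumption (not stated on the page): a missing section, a missing key, or
    any value other than 1 is treated as the setting not being enabled.
    """
    profile = load_cms(text)
    result = {}
    for key in SECURITY_KEYS:
        value = profile.get(SECTION, key, fallback="0")  # fallback also covers a missing section
        result[key] = value.strip() == "1"
    return result


def missing_settings(text: str) -> list[str]:
    """Keys that still have to be entered (and applied) on the Advanced Customization page."""
    return [key for key, ok in audit_cms(text).items() if not ok]


if __name__ == "__main__":
    for key, ok in audit_cms(SAMPLE_CMS).items():
        print(f"{'OK ' if ok else 'FIX'} {key}: {SECURITY_KEYS[key]}")
```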
Important
Test both the server and client portions of your remote access design.
Distributing Certificates
If you configured the security settings of the VPN Entries in the CMAK wizard to use L2TP/IPSec, you
might need to distribute certificates to your users. The certification authority (CA) is generally set up as a
Web server. You can either have your CA on the Internet or on your intranet.
Internet Enrollment
With Internet enrollment, users go to a public Web site to obtain their certificates. Internet enrollment is
useful if you are using a CA that is provided by another company.
Intranet Enrollment
If certificates are optional but recommended, users can obtain their certificates after connecting to your
intranet. Configure the service profile to attempt authentication by using L2TP first. This setting allows the
client to attempt a connection using L2TP; if L2TP is not available, the client connects using PPTP. When
you configure this setting, the client will first attempt to connect using L2TP each time the client connects.
By using this setting, clients can connect the first time by using PPTP and get a certificate. After receiving
the certificate, subsequent connections will use L2TP.
You can configure the Connection Manager Certificate Deployment Tool, Cmgetcer.dll, as a custom action.
This tool enables the client to get a certificate from the certification authority.
For more information about certification authorities and certificates, see “Designing a Public Key
Infrastructure” in Designing and Deploying Directory and Security Services of this kit.
Figure 9.6 shows the worksheet that Contoso uses to create the component profile.
Important
Figure 9.6 only shows the portions of the “Preparation for Running the
CMAK Wizard” worksheet that Contoso customizes to create the
component profile. To see the entire blank worksheet to help prepare to
run the CMAK wizard, see “Preparation for Running the CMAK Wizard”
(DNSRAC_1.doc) on the Windows Server 2003 Deployment Kit
companion CD (or see “Preparation for Running the CMAK Wizard” on
the Web at http://www.microsoft.com/reskit).
Figure 9.6 Preparation for Running the CMAK Wizard: Component Profile
Figure 9.7 through Figure 9.13 show the worksheet that Contoso uses to create the component profile and
complete the CMAK wizard. Additional information about files included in this profile, such as CMProxy.txt
and CMRoute.txt, is discussed in the following section.
Important
Figure 9.7 through Figure 9.13 only show the portions of the
“Preparation for Running the CMAK Wizard” worksheet that Contoso
customizes to create the top-level profile. To see the entire blank
worksheet to help you prepare to run the CMAK wizard, see
“Preparation for Running the CMAK Wizard” (DNSRAC_1.doc) on the
Windows Server 2003 Deployment Kit companion CD (or see
“Preparation for Running the CMAK Wizard” on the Web at
http://www.microsoft.com/reskit).
Figure 9.7 Preparation for Running the CMAK Wizard: Top-Level Profile (page 1)
Figure 9.8 Preparation for Running the CMAK Wizard: Top-Level Profile (page 2)
Figure 9.9 Preparation for Running the CMAK Wizard: Top-Level Profile (page 3)
Figure 9.10 Preparation for Running the CMAK Wizard: Top-Level Profile (page 4)
Figure 9.11 Preparation for Running the CMAK Wizard: Top-Level Profile (page 5)
Figure 9.12 Preparation for Running the CMAK Wizard: Top-Level Profile (page 6)
Figure 9.13 Preparation for Running the CMAK Wizard: Top-Level Profile (page 7)
Based on the decisions to provide routing table updates, automatic proxy configuration, and custom graphics,
Contoso creates several files before running the CMAK wizard:
• A route update file, CMRoute.txt.
This plain text file includes information required to add or delete routes in the following
format:
Command Destination mask Netmask Gateway metric Metric if Interface
Certain parameters can contain the value default; in those cases, the appropriate
information from the client computer is used.
The file CMRoute.txt contains the following text to make all locations in the address range
192.168.0.0/16 reachable through the VPN connection:
ADD 192.168.0.0 MASK 255.255.0.0 default METRIC default IF default
For more information about including routing table updates, see “Including Routing Table
Updates” in Help and Support Center for Windows Server 2003.
[Manual Proxy]
ProxyEnable=1
ProxyServer=Contosoproxy:80
ProxyOverride=<local>
For more information about using automatic proxy configuration, see “Using Automatic
Proxy Configuration” in Help and Support Center for Windows Server 2003.
• Bitmap (.bmp) files for each of the custom graphics.
Contoso creates custom bitmap files for the logon bitmap (330 x 140 pixels) and the phone
book bitmap (114 x 309 pixels).
• Icon (.ico) files for each of the custom icons.
Contoso creates custom icon files for the program icon (32 x 32 pixels) and the title bar icon
(16 x 16 pixels). Contoso leaves the default notification area icon to show the connection
status in the notification area.
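The route update file format described above, as an added Python example that is not from the Deployment Kit: it parses each line of a CMRoute.txt, checks the MASK, METRIC and IF keywords and the address fields, accepts the literal value default where the text allows it, and lists the prefixes that ADD lines make reachable through the VPN, so a route file can be reviewed before it goes into a profile. The DELETE command keyword (the chapter says routes can be deleted but shows only ADD) is an assumption; the sample file content is constructed.

```python
"""Parse and validate a Connection Manager route update file (CMRoute.txt).

Added example, not from the Deployment Kit. Each line has the format shown
above: Command Destination MASK Netmask Gateway METRIC Metric IF Interface,
where Gateway, Metric and Interface may be the literal word default. The
DELETE command (the page mentions deleting routes but shows only ADD) and
the skipping of blank lines are assumptions. The sample file is constructed.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample: Contoso's line from the chapter plus a second range.
SAMPLE_ROUTES = """\
ADD 192.168.0.0 MASK 255.255.0.0 default METRIC default IF default
ADD 10.0.0.0 MASK 255.0.0.0 default METRIC 1 IF default
"""

COMMANDS = ("ADD", "DELETE")  # DELETE assumed, by analogy with ADD


@dataclass(frozen=True)
class RouteEntry:
    command: str
    network: ipaddress.IPv4Network
    gateway: str    # dotted address, or "default" (taken from the client)
    metric: str     # integer text, or "default"
    interface: str  # interface text, or "default"


def parse_route_line(line: str) -> RouteEntry:
    """Parse one route line; raise ValueError for anything malformed."""
    fields = line.split()
    if len(fields) != 9:
        raise ValueError(f"expected 9 fields, got {len(fields)}: {line!r}")
    command, dest, kw_mask, mask, gateway, kw_metric, metric, kw_if, iface = fields
    command = command.upper()
    if command not in COMMANDS:
        raise ValueError(f"unknown command {command!r}")
    if (kw_mask.upper(), kw_metric.upper(), kw_if.upper()) != ("MASK", "METRIC", "IF"):
        raise ValueError(f"MASK/METRIC/IF keywords out of place: {line!r}")
    # Strict mode rejects a destination with host bits set (e.g. 192.168.1.5 with
    # mask 255.255.0.0), which is almost always a typo in the destination or mask.
    network = ipaddress.IPv4Network((dest, mask))
    if gateway != "default":
        ipaddress.IPv4Address(gateway)  # raises ValueError if not a valid address
    if metric != "default" and not metric.isdigit():
        raise ValueError(f"metric must be a number or default: {metric!r}")
    return RouteEntry(command, network, gateway, metric, iface)


def parse_route_file(text: str) -> list[RouteEntry]:
    """Parse every non-blank line of a route update file."""
    return [parse_route_line(raw) for raw in text.splitlines() if raw.strip()]


def vpn_prefixes(text: str) -> list[str]:
    """CIDR prefixes that the ADD lines make reachable through the VPN connection."""
    return [str(e.network) for e in parse_route_file(text) if e.command == "ADD"]


if __name__ == "__main__":
    for entry in parse_route_file(SAMPLE_ROUTES):
        print(entry.command, entry.network, "via", entry.gateway, "metric", entry.metric)
```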
To install Contoso.exe
1. Double-click Contoso.exe.
2. Click Yes when prompted to install Remote access to Contoso.
3. Click My use only to make the connection available to only the intended user and not all
users of that computer. The user can also choose to add a shortcut to the connection on the
desktop, and then click OK.
4. After the installation is complete, the user selects a primary and backup phone number or
chooses to connect over their existing Internet connection.
Tip
The user can create additional settings for home, travel, or other
locations. Users create these customized settings by using the New
button on the General tab of the Remote access to Contoso
Properties dialog box and access them by using the Use settings for
list on the Remote access to Contoso dialog box.
Additional Resources
Related Information
• “Deploying Dial-Up and VPN Remote Access Servers” in this book for information about
designing and deploying a remote access server solution.
• “Deploying IAS” in this book for information about designing and deploying Internet
authentication.
• “Connecting Remote Sites” in this book for information about creating connections to
branch offices and remote sites.
• The Internetworking Guide of the Windows Server 2003 Resource Kit (or see the
Internetworking Guide on the Web at http://www.microsoft.com/reskit) for information
about the Routing and Remote Access service and remote access issues, virtual private
networks, and Connection Manager.
• “Deploying IAS” in this book for more information about Network Access Quarantine
Control.
Related Tools
• Certificate Deployment (Cmgetcer.dll)
Cmgetcer.dll allows Connection Manager to automatically obtain a certificate for
L2TP/IPSec connections. For more information about Cmgetcer.dll, in Help and Support
Center for Windows Server 2003, click Tools, and then click Windows Resource Kit Tools.
• Profile Update (Getcm.exe and Instcm.exe)
Getcm.exe runs as a post-connect action that checks for and downloads an updated service
profile; Instcm.exe runs as a disconnect action that checks to see if an updated service profile
has been downloaded and installs it. For more information about Getcm.exe and Instcm.exe,
in Help and Support Center for Windows Server 2003, click Tools, and then click Windows
Resource Kit Tools.
• Remote Access Quarantine Support Tools (RQC.exe and RQS.exe)
IAS Network Access Quarantine Control provides phased network access for remote client
computers. The Remote Access Quarantine Agent service is included when RQS.exe is
installed on a remote access server. When you create the Connection Manager profile, you
can include an administrator-provided script and RQC.exe. For more information about
RQC.exe and RQS.exe, in Help and Support Center for Windows Server 2003, click Tools,
and then click Windows Resource Kit Tools.