
CHAPTER 9

Deploying Remote Access Clients Using Connection Manager

You can use Connection Manager, a component of the Microsoft Windows Server 2003 operating systems,
to provide customized remote access to your network through a dial-up or a virtual private network (VPN)
connection. By deploying remote access clients with the Connection Manager family of programs, which
includes the Connection Manager Administration Kit (CMAK), Connection Point Services (CPS), and the
Connection Manager client, you can configure the remote access experience for your users. This
configuration can include providing a phone book in which users can find the most convenient dial-up access
number.

In This Chapter
Overview of Remote Access Client Deployment ........ 180
Providing Connection Manager Phone Book Support ........ 184
Customizing Connection Manager ........ 188
Implementing Your Connection Manager Solution ........ 199
Example: Deploying Remote Access Clients ........ 203
Additional Resources ........ 218

Related Information
• For information about designing and deploying a remote access server solution, see
“Deploying Dial-Up and VPN Remote Access Servers” in this book.
• For information about designing and deploying Internet authentication, see “Deploying IAS”
in this book.
• For information about creating connections to branch offices and remote sites, see
“Connecting Remote Sites” in this book.
180 Chapter 9 Deploying Remote Access Clients Using Connection Manager

Note
For the purposes of this chapter, “phone book” and “Connection
Manager phone book” refer to a list of Points of Presence (POPs) and
other information configured by using the Connection Manager family
of programs.

Overview of Remote Access Client Deployment

If you have users who travel frequently or need to access your network from home or other locations,
Connection Manager provides a way for you to customize a self-installing service profile for your users. The
Connection Manager client allows users to either connect to your network directly or to create a VPN
connection from a remote location. Using this managed remote access solution reduces administration by
providing a single connection client for all remote access users.
Before you deploy a remote access client solution, you must design and deploy your remote access and VPN
servers and related infrastructure. You must also deploy an authentication service, such as Internet
Authentication Service (IAS), to enable authentication, authorization, and accounting. Many of the decisions
that you make when you deploy your Connection Manager service profiles are based on the decisions that
you make when you design your servers.

Deploying Connection Manager Process

The process for deploying Connection Manager includes designing phone books if you are configuring dial-up access, and optionally deploying phone book servers to provide phone book updates; customizing the Connection Manager service profile through the CMAK wizard; testing your remote access solution; and distributing your Connection Manager profile to users.
Figure 9.1 shows the process for deploying Connection Manager.
Figure 9.1 Deploying Connection Manager
Additional Resources 181

Remote Access Clients Background Information

In order for users to take advantage of an organization’s remote access solution, each client must be
configured to connect to the remote access dial-up or VPN servers. You can either use the native connection
features in Windows to configure clients or use a managed client solution, such as Connection Manager and
its components, to create and distribute a custom service profile.

Native Connection Capabilities and Limitations

It is possible for users to manually configure remote access connections using the native network connection
capabilities in Windows. To connect to the remote access server using these native capabilities, the user
configures the network settings on the client. These settings include:
Dial-up connections   The telephone number for your remote access server, the user authentication method, encryption settings, and dialing scripts.
VPN connections   The host name or IP address of the VPN server, the VPN type, the user authentication method, and encryption settings.
The native connection capabilities are best suited for when there are few users connecting to the network.
These connections are relatively simple to set up when there are a small number of clients; however, there are
major disadvantages to this method when you are administering a large network with many remote access
users, including:
• The procedure for manually configuring remote access clients varies between versions of
Windows; therefore, you would need a separate set of procedures for each client operating
system you support.
• Each client must be manually configured; either an administrator must configure each client
individually, or the users must configure their own settings using operating system–specific
instructions. Either approach can lead to a large resource drain in the IT department.
• If any telephone numbers change, either the administrator or the user must manually
reconfigure the connection. For example, you might contract with a telecommunications
supplier to provide multiple dial-up telephone numbers and worldwide access for users who
travel. Similarly, you might choose to use VPN connections over Internet connections
supplied by an Internet service provider (ISP), with multiple access numbers and worldwide
Internet access. If any of these telephone numbers change, you need a way to notify the
users.
Connection Manager provides a solution for these and other issues when you deploy a large number of
remote access clients.

Connection Manager Solutions

The Connection Manager family of programs is a set of optional components used to create a managed
remote access solution. Connection Manager enables a network administrator to preconfigure remote access
clients, add custom behavior and a custom appearance, and provide an updateable phone book that enables
users to find the most convenient dial-up access number. The Connection Manager family of products
includes:
• The Connection Manager client
The Connection Manager client provides a simplified way of connecting to a remote
network. Typically, the user only needs to enter a user name and password and select a phone
number if applicable. The administrator configures all other settings before distributing the
service profile.
• The Connection Manager Administration Kit (CMAK)
CMAK allows the administrator to create and configure the service profile and creates a
small, self-installing package. CMAK also allows the administrator to customize Connection
Manager features such as branding, custom actions, and custom Help files, as well as
enhanced security features.
• Connection Point Services (CPS)
CPS allows you to create and maintain phone books. It consists of two parts:
• Phone Book Administrator (PBA)
PBA is a tool used to create and maintain phone book files, and to publish new or
updated phone book files on the PBS server.
• Phone Book Service (PBS)
PBS distributes phone books to Connection Manager clients on request.

Connection Methods
Remote users connect to networks by using one of two methods: they either connect with direct dial, where
they connect directly by using dial-up lines, or they use VPNs to connect over the Internet. When using a
VPN to connect, remote users who do not have a pre-existing connection to the Internet must use a double-
dial configuration, where they first dial an ISP number to access the Internet and then establish the VPN
connection. Connection Manager can make this double dial process look like a single connection attempt to
the end user.

Direct Dial
Users who connect to your network by using direct dial call directly into your network, using the dial-up
phone numbers that your organization provides to connect to remote access dial-up servers. You can easily
manage a small number of users calling a small number of phone numbers. However, if a large number of
users are dialing into your network, or if your network can be reached through many phone numbers,
Connection Manager and CPS are useful for managing remote access.

VPN
Organizations that offer VPN access to their remote users approach this in one of two ways:
• Assume that the users have their own connections to the Internet.
• Provide users with an easy method to dial up the Internet and establish a subsequent VPN
connection to the corporate network.
An organization can also contract with an ISP to supply a national or worldwide collection of phone numbers
for Internet access. Connection Manager provides a method to expose these numbers from the ISP in a phone
book and automatically establish the VPN connection after the ISP connection is complete. For more
information about working with an ISP, see “Providing Connection Manager Phone Book Support” in this
chapter. For more information about double-dial connections, see “Example: Deploying Remote Access
Clients” in this chapter.

Authentication Methods
The user authentication method that you implement depends on the operating systems that your clients are
running and the level of security that you require for your network. For example, you might require
passwords, certificates, or smart cards for user authentication, depending on your organization’s security
needs. For more information about user authentication methods, see “Designing an Authentication Strategy”
in Designing and Deploying Directory and Security Services of this kit. For more information about
deploying smart cards, see “Deploying Smart Cards” in Designing and Deploying Directory and Security
Services of this kit.

VPN Tunneling Protocols

For VPN connections, you can require Point-to-Point Tunneling Protocol (PPTP) or Layer Two Tunneling Protocol (L2TP) connections, or you can allow users to attempt L2TP connections first and fall back to PPTP if they cannot connect using L2TP. With fallback enabled, a connection is only as strong as PPTP whenever L2TP is unavailable, so require L2TP if your security policy depends on IPSec protection. If you use L2TP/IPSec, the IPSec security association can be authenticated with either preshared keys or certificates. For more information about choosing a VPN strategy, see “Deploying Dial-Up and VPN Remote Access Servers” in this book.

Network Access Quarantine Control

Network Access Quarantine Control, a new feature in the Windows Server 2003 family, delays normal remote access to a private network until the configuration of the remote access computer has been examined and validated by an administrator-provided script. Without Network Access Quarantine Control, only the credentials of the user are verified, and a user with the correct credentials can connect even if the computer's configuration does not comply with corporate network policy. For example, a remote access user with valid credentials can connect to a network with a computer that does not have the required antivirus software installed on it. Remote access clients can use either a manually configured connection or a Connection Manager profile. For more information about configuring Network Access Quarantine Control by using a Connection Manager profile, see “Incorporating Custom Actions” later in this chapter.

Important
Network Access Quarantine Control allows an administrator to prevent
computers with unsafe or undesirable configurations from connecting
to a private network, not to protect a private network from malicious
users who have obtained a valid set of credentials.

For more information about Network Access Quarantine Control, see “Deploying Dial-up and VPN Remote
Access Servers” and “Deploying IAS” in this book, and “IAS Network Access Quarantine Control” in Help
and Support Center for Windows Server 2003.

Providing Connection Manager Phone Book Support

Use CPS to create, publish, and update Connection Manager phone books, which include all information
relating to a POP, such as area code, phone number, and user authentication methods supported. The
Connection Manager phone book also includes various network settings that you configure when you run the
CMAK wizard.

Figure 9.2 shows the process for providing phone book support.
Figure 9.2 Providing Connection Manager Phone Book Support

For more information about security considerations when using CPS, see “Security Information for
Connection Point Services” in Help and Support Center for Windows Server 2003.

Using PBA to Create and Maintain Phone Books

PBA in CPS allows you to create and maintain phone books for use with Connection Manager. By using
CPS, you can ensure your remote access users have the most recent phone numbers to connect to your
network.

Note
If you are providing a VPN-only profile you do not need to create a
phone book and can skip to “Customizing Connection Manager” later in
this chapter.

Before using PBA, you must install it on a computer running either Windows Server 2003 or Microsoft
Windows XP Professional. You install PBA by running Pbainst.exe from the
VALUEADD\MSFT\MGMT\PBA folder on the Windows Server 2003 family CD-ROM or Windows XP
Professional CD-ROM.
For information about how to administer phone books from the command line, see “Administer phone
books” in Help and Support Center for Windows Server 2003.

Creating, Publishing, and Maintaining Phone Books

A phone book contains one or more Points of Presence (POPs), each of which includes a telephone number
to access the network or the Internet. Connection Manager phone books allow the user to have a complete
POP list, so they have more than one phone number to choose from when traveling or if there is a problem
connecting to a specific number.
Before you begin adding POPs to the phone book, you can create a list of regions to organize the POPs.
Regions allow the user to see a filtered list within their country or dependency. This reduces the number of
POPs the Connection Manager client displays at one time, so the user chooses from a list of POPs targeted to
their region. Use the Region Editor in PBA to create a new list of regions, or import regions from an existing
.pbr file.
After you have gathered all the POPs contained in the phone book, use PBA to create your new phone book.
When you create a new phone book, PBA creates a phone book file (.pbk) and a region file (.pbr). When you
finish creating the phone book, you need to publish it so that it is available on the PBS server.
To publish the phone book
1. Start the FTP service on the PBS server.
2. Enable the account that was created on the PBS server for phone book posting.
3. Start PBA, click the Tools menu, and then click Publish Phone Book.

4. In the Options dialog box, type the server address, user name, and password used to post the
phone book to the server running PBS.
5. Click Create to create the .cab files in the release directory.
6. Enter the address of the PBS server and click Post to post the new release to the PBS server.
7. Disable the account on the PBS server.
8. Stop the FTP service on the PBS server.
Use PBA to edit your phone book when adding or changing telephone numbers, and then use the same
procedure to re-publish the updated phone book.

Updating Phone Books

To ensure the client always has the most recent version of the phone book, leave the Automatically
download phone book updates check box selected on the Phone Book page of the CMAK wizard.
If you have configured automatic phone book updates, after the client connects to the network, the client
sends a request to PBS that includes the name of the phone book file and the version currently installed on
the client. The server then replies with either a full or an incremental update, if one is required.

Using an Outsourced Phone Book

To provide a wider range of phone numbers, your organization might outsource your phone book to a
telecommunications company or an ISP. If your telecommunications company or ISP uses CPS, you can
import that company’s phone book.
When negotiating with the ISP or telecommunications company, you should ask that company to provide a
service profile that contains all its phone book information, including an update URL, and then use CMAK to
merge this profile into your service profile.
If the company does not provide you with a service profile, request the phone book (.pbk) and region (.pbr) files for the phone book, as well as the update URL. Use these files to create a service profile, and merge it into the service profile you will send to your users.
If your telecommunications company or ISP does not use CPS, obtain the phone numbers in another format, such as a text file, and import this file into your phone book by using PBA. For more information about importing phone book files from the command line, see “Add, edit, or delete POPs by command line” in Help and Support Center for Windows Server 2003.
For more information about merging service profiles, see “Merging Service Profiles” later in this chapter.

Hosting Phone Books on a PBS Server

You do not need to run PBS on a high-end computer; any computer capable of running Windows Server 2003 and Internet Information Services (IIS) can run PBS.
Before publishing, make sure that the PBS server is running both the IIS FTP service and the IIS Web service. PBS receives phone book posts from PBA over FTP and delivers updated phone book files to clients through the Web service. For more information about IIS, see “Internet Information Services (IIS) 6.0 overview” in Help and Support Center for Windows Server 2003.

Caution
For security reasons, do not allow anonymous FTP access to your PBS
server. Also, only run the FTP service when you are actually publishing
or updating a phone book. For more information about CPS security,
see “Security information for Connection Point Services” in Help and
Support Center for Windows Server 2003.

PBS servers can be located on your perimeter network or in the perimeter network of the ISP if you outsource phone book support. Because the phone book is updated after the client connects to your network, locate the PBS server so that the client can reach it after a successful connection to your network. For more information about security in perimeter networks, see “Deploying ISA Server” in this book.
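The following batch file is an added example written for this chapter; it is not part of the deployment kit or of CPS. It scripts the posting window described in “To publish the phone book” above and enforces the Caution: the FTP service and the posting account are enabled only while PBA posts a release, anonymous FTP is checked before the window opens, and the end state is verified afterwards. The service name MSFTPSVC, the FTP site ID 1, the adsutil.vbs location, and the posting account name pbpost are assumptions; adjust them to your server. The PBA post itself (steps 3 through 6) is still done from the PBA user interface while the script waits.

```batch
@echo off
rem Added example (not from the deployment kit): keep the FTP posting path on the
rem PBS server open only while a phone book release is being posted from PBA.
rem Assumptions (hypothetical names, adjust to your server):
rem   - the IIS 6.0 FTP service is MSFTPSVC and the PBS posting site is FTP site 1
rem   - the local account that PBA posts with is named "pbpost"
rem   - adsutil.vbs is in %SystemDrive%\Inetpub\AdminScripts
rem Run from an administrative command prompt on the PBS server.
setlocal
set POSTACCOUNT=pbpost
set ADSUTIL=%SystemDrive%\Inetpub\AdminScripts\adsutil.vbs

rem Refuse to open the window if the FTP site still accepts anonymous logons.
cscript //nologo "%ADSUTIL%" GET MSFTPSVC/1/AllowAnonymous | find /i "False" >nul
if errorlevel 1 (
    echo Anonymous FTP is enabled on the PBS FTP site. Disable it before publishing.
    exit /b 1
)

rem Open the window: enable the posting account, then start the FTP service.
net user %POSTACCOUNT% /active:yes
if errorlevel 1 (
    echo Could not enable %POSTACCOUNT%.
    exit /b 1
)
net start msftpsvc
if errorlevel 1 (
    echo Could not start the FTP service; disabling the posting account again.
    net user %POSTACCOUNT% /active:no
    exit /b 1
)

echo The FTP posting window is open. Post the release from PBA now.
echo Press any key to close the window when the post has finished.
pause >nul

rem Close the window: stop FTP first so nothing can log on with the account.
net stop msftpsvc
net user %POSTACCOUNT% /active:no

rem Verify the end state: FTP stopped, posting account disabled.
net start | find /i "FTP Publishing Service" >nul
if not errorlevel 1 (
    echo WARNING: the FTP service is still running.
    exit /b 1
)
net user %POSTACCOUNT% | find /i "Account active" | find /i "No" >nul
if errorlevel 1 (
    echo WARNING: %POSTACCOUNT% is still enabled.
    exit /b 1
)
echo Posting window closed: FTP stopped and %POSTACCOUNT% disabled.
exit /b 0
```

The script fails closed: if FTP cannot be started, the account is disabled again immediately, and after the post it confirms that both the service and the account are off rather than assuming the net commands succeeded.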

Customizing Connection Manager

Use the CMAK wizard to create a custom service profile. You then distribute this .exe file to your users.
When they double-click the file, it installs a service profile customized with the information you entered in
the CMAK wizard. The Connection Manager client then allows users to dial in to your organization directly
or to complete a VPN connection, based on the information provided in the CMAK wizard.
Figure 9.3 shows steps in the process for customizing your service profile.

Tip
You can install the CMAK wizard from Management and Monitoring
Tools details in the Windows Components Wizard. For more
information about installing the CMAK wizard, see “The Connection
Manager Administration Kit Wizard” in Help and Support Center for
Windows Server 2003.

Figure 9.3 Customizing Connection Manager

Before you run the CMAK wizard, make sure you know the following information, which is required to
complete the wizard:
• The service name and a file name that you will use for the new profile and related files.
• A realm name, if your service requires it. A realm name is a prefix or suffix that Connection
Manager automatically adds to the user name.
• Any existing service profiles that you plan to merge into the new profile. For more
information about merging service profiles, see “Merging Service Profiles” later in this
chapter.

• VPN Support information, including the VPN server address(es) and whether or not the
client will use the same password for the dial-up and VPN connections in a double-dial
situation. For an example of configuring VPN Support information, see “Example:
Deploying Remote Access Clients” later in this chapter. For information about configuring a
VPN-only profile, see “Implementing VPN support” in Help and Support Center for
Windows Server 2003.
• VPN Entries network and security information. For more information about network and
security settings, see “Configuring Network and Security Settings” later in this chapter.

• Preshared key information, if needed for L2TP/IPSec VPN connections. The preshared key
ships inside the service profile, so the PIN that CMAK uses to encrypt it is all that protects
the key from anyone who obtains the installer; choose a PIN that follows strong password
rules. Strong passwords combine uppercase and lowercase letters, numbers, and special
characters so that the PIN resists a dictionary attack or a database of popular passwords.
• The location of the phone book file that was created by PBA to include in this service profile
and any text that should appear in the More access numbers box in the Phone Book dialog
box.
• Phone book file name for downloading updates and the update URL to point to on the phone
book server, if applicable.
• Dial-up Networking Entries and security information. For more information about networks
and security, see “Configuring Network and Security Settings” later in this chapter.
• Routing table update information, if you are planning to implement split-tunneling where
users can connect to both your internal network and the Internet simultaneously.
• Automatic Proxy Configuration settings, if you want Connection Manager to automatically
update proxy settings for this connection.
• Custom Actions, which are any programs you want to start automatically before, during, or
after users connect to your service. For more information about custom actions, see
“Incorporating Custom Actions” later in this chapter.
• Branding information, including custom graphics, icons, menu items for the notification area
shortcut, custom Help, and support information, if applicable. For more information about
including branding information in your service profile, see “Branding Your Connection
Manager Client” later in this chapter.
• Whether to include the latest version of Connection Manager with your service profile. This
is a small file, so if you are not sure that all clients have the latest version of Connection
Manager, include the latest version with your profile.
• A custom license agreement, if applicable. For more information about including a custom
license agreement in your service profile, see “Branding Your Connection Manager Client”
later in this chapter.
• Any additional files you want to include in this service profile.
• Any information you require for advanced customization, if applicable. For more
information about advanced customization, see “Providing Advanced Customization” later
in this chapter.
For a worksheet to assist you in completing the CMAK wizard, see “Preparation for Running the CMAK
Wizard” (DNSRAC_1.doc) on the Microsoft Windows Server 2003 Deployment Kit companion CD (or see
“Preparation for Running the CMAK Wizard” on the Web at http://www.microsoft.com/reskit).
For more specifics about customizing Connection Manager using CMAK, see “Preparing to run the CMAK
Wizard” and “Connection Manager Administration Kit” in Help and Support Center for Windows
Server 2003.

Merging Service Profiles

Merging service profiles is especially useful for incorporating information from multiple phone books,
including service types, POP names, and access numbers. You can also use it to consolidate different dial-up
access numbers that are covered by more than one of your phone books. By merging existing service profiles
into a single top-level service profile, you can present several dissimilar networks as a single, cohesive
service.
You can merge multiple profiles so that the top-level profile, which is the service profile you distribute to
users, behaves as if it has a single phone book, which contains all the POPs defined in each of the component
profiles. For example, if you outsource your phone book through multiple ISPs, and each ISP provides you
with a service profile containing its phone book(s), you can merge the profiles together within a top-level
service profile that contains dial-up numbers for all the POPs from all the providers.
For an example of merging service profiles, see “Example: Deploying Remote Access Clients” later in this
chapter.

Configuring Network and Security Settings

Configure network and security settings by editing the appropriate networking entry from the VPN Entries
page and/or the Dial-Up Networking Entries page of the CMAK wizard. From the Edit VPN Entry and the
Edit Dial-Up Networking Entry dialog boxes, you can customize general network properties, TCP/IP
settings, and security settings.
Configuring General Network Properties
Use the general network properties to disable file and print sharing and enable clients to log on to a network.
For a dial-up connection, you can also enter a dial-up networking script.
Configuring TCP/IP Settings
Use the TCP/IP settings to change the Domain Name System (DNS) and Windows Internet Name Service
(WINS) client configuration by either allowing the server to assign these addresses or manually configuring
the DNS and WINS addresses for this profile. You can also choose to make this connection the default
gateway for the client and to use IP header compression.
Configuring Security Settings
Use the security settings to select the authentication method for VPN or dial-up users and the VPN strategy
for VPN clients. You can choose to use basic or advanced security settings for all computers or use a
combination. If you choose a combination of both basic and advanced security settings, Connection Manager
uses the advanced security settings for clients running on the operating systems that support them and basic
security settings for clients running on operating systems that do not support advanced security settings.

Incorporating Custom Actions

Connection Manager has the ability to run custom actions at various points when establishing a connection.
By providing custom actions, you can enhance the connection experience for your users. Use the CMAK
wizard to include custom actions in your service profile to automatically start programs when users connect
to your service. A custom action can be any batch file, executable file, or dynamic-link library (DLL). These
custom actions can use programs that users have installed, or you can distribute the programs with your
service profile.
Using the CMAK wizard, you can specify custom actions for each of the following points during the
connection process.
• Pre-initialization actions. These actions occur immediately when the user starts the
Connection Manager client.
• Pre-connect actions. These actions occur before the connection attempt.
• Pre-dial actions. These actions occur before every dialing attempt, including redials. (For
dial-up connections only.)
• Pre-tunnel actions. These actions occur before tunneling. (For VPN connections only.)
• Post-connect actions. These actions occur immediately after the connection is established.
• Disconnect actions. These actions occur immediately after the user or server disconnects.
• On cancel actions. These actions occur whenever the user abandons a connection attempt.
• On error actions. These actions occur whenever the connection attempt fails due to an
error.
You might want to use pre-connect actions to start an application before you connect, such as an e-mail
program, or use a post-connect action to upload logs of connection activity or to download the latest virus
signatures. An on error action could also be used to point the user to custom Help files for self-help
information, potentially reducing help desk calls.
Several common custom actions are built into CMAK, such as:
• A post-connect action checks for phone book updates. This action is automatically included
in your profile if you leave the Automatically download phone book updates check box
selected on the Phone Book page of the CMAK wizard.
• A post-connect action obtains and installs routing tables for the target network. This action is
automatically included in your profile if you enable the Routing Table Update feature.
• A post-connect action updates proxy settings of the client during the connection. This action
is automatically included in your profile if you enable the Automatic Proxy Configuration
feature.

The Microsoft® Windows® Server 2003 Resource Kit also contains custom actions you can use to customize
your profile:
Profile update
This includes the files Getcm.exe, which runs as a post-connect action that checks for and downloads an
updated service profile, and Instcm.exe, which runs as a disconnect action that checks to see if an updated
service profile has been downloaded and installs it.
Certificate deployment
This DLL (Cmgetcer.dll) allows Connection Manager to automatically obtain a certificate for L2TP/IPSec
connections.
Network Access Quarantine Control
This network policy requirements script runs as a post-connect action. The network policy requirements script performs validation checks on the remote access client computer to verify that it conforms to network policies. The script can be a custom executable file or a simple batch file.
When the script has run successfully and the connecting computer has satisfied all of the network policy
requirements (as verified by the script), the script executes a notifier component (an executable) with the
appropriate parameters. You can also configure your script to download the latest version of the script from a
quarantine resource. If the script does not run successfully, it directs the remote access user to a quarantine
resource such as an internal Web page, which describes how to install the components that are required for
network policy compliance.
The notifier component sends a message to the quarantine-compatible remote access server that indicates a
successful execution of the script. You can use your own notifier component or you can use Rqc.exe, which
is provided on the Windows Server 2003 Deployment Kit companion CD. With these components installed,
the remote access client computer uses the Connection Manager profile to perform its own network policy
requirements check and indicate its success to the remote access server as part of the connection setup.

Tip
Because Network Access Quarantine Control introduces a delay in
obtaining normal remote access, applications that run immediately after
the connection is complete might encounter problems. One way to
minimize the delay is to separate your script into two scripts: one that
runs as a pre-connect action and one that runs as a post-connect
action.

For more information about Network Access Quarantine Control, see “IAS Network Access Quarantine
Control” in Help and Support Center for Windows Server 2003, and “Deploying Dial-Up and VPN Remote
Access Servers” and “Deploying IAS” in this book. For a sample notifier component, see the Windows SDK.
For more information about the Windows SDK, see the Software Development Kit (SDK) information in the
MSDN Library link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.
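The following batch file is an added example of a network policy requirements script, written for this chapter rather than taken from the deployment kit or the Windows SDK. It assumes that the CMAK post-connect action is configured with the parameter string %ServiceDir% %DialRasEntry% %TunnelRasEntry% %Domain% %UserName%, that Rqc.exe is installed in the profile directory and takes the arguments ConnName TunnelConnName TCPPort Domain Username ScriptVersion with the remote access server listening on TCP port 7250 (the documented default), and that Rqc.exe returns a nonzero exit code when it cannot notify the server. The two policy checks (an antivirus executable path and the Windows Firewall registry value) and the quarantine URL are hypothetical placeholders for your own policy items.

```batch
@echo off
setlocal
rem Added example of a network policy requirements script for Network Access
rem Quarantine Control. Not from the deployment kit; see the lead-in for the
rem assumptions about the CMAK parameter string and Rqc.exe.
rem Parameters handed over by Connection Manager (assumed CMAK parameter string
rem   %ServiceDir% %DialRasEntry% %TunnelRasEntry% %Domain% %UserName%).
set SERVICEDIR=%~1
set DIALENTRY=%~2
set TUNNELENTRY=%~3
set USERDOMAIN=%~4
set RASUSER=%~5
set SCRIPTVERSION=Version1-0
set RQSPORT=7250

rem Hypothetical policy items; replace with your own checks.
set AVEXE=%ProgramFiles%\CorpAV\avscan.exe
set FWKEY=HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
set FIXURL=http://quarantine.corp.example/fix.htm

rem Check 1: the required antivirus software is installed.
if not exist "%AVEXE%" (
    set REASON=required antivirus software is not installed
    goto :fail
)

rem Check 2: Windows Firewall is enabled (EnableFirewall = 1).
reg query "%FWKEY%" /v EnableFirewall | find "0x1" >nul
if errorlevel 1 (
    set REASON=Windows Firewall is disabled
    goto :fail
)

rem All checks passed: run the notifier so the remote access server lifts
rem the quarantine for this connection.
"%SERVICEDIR%\rqc.exe" "%DIALENTRY%" "%TUNNELENTRY%" %RQSPORT% "%USERDOMAIN%" "%RASUSER%" %SCRIPTVERSION%
if errorlevel 1 (
    set REASON=the notifier could not reach the remote access server
    goto :fail
)
echo Network policy check passed; quarantine lifted.
exit /b 0

:fail
rem Stay in quarantine and send the user to the quarantine resource, which
rem must be reachable under the quarantine IP filter on the remote access server.
echo Network policy check failed: %REASON%
start "" "%FIXURL%"
exit /b 1
```

Configure the script in the CMAK wizard as a post-connect custom action with the parameter string named above, and include Rqc.exe among the additional files in the profile. Following the Tip above, the two policy checks can be moved into a pre-connect action, leaving only the notifier call in the post-connect action, so that applications started after the connection do not wait for the checks. Because the script runs on the client, it only catches unintentional non-compliance, as the Important note earlier in this chapter states; a user who controls the computer can run Rqc.exe directly.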

In addition to these predefined custom actions, you can create your own custom actions to include in the
service profile.
For security reasons, custom actions cannot be run when users log on to the network using dial-up
networking unless certain registry keys have been set. For more information about custom actions, see
“Incorporating custom actions” in Help and Support Center for Windows Server 2003.

Branding Your Connection Manager Client


Another important feature of CMAK is the ability to apply your own branding to the client by using your
organization’s graphics, icons, menu items for the notification area shortcut, Help, and license agreement. If
you do not want to customize the appearance of the client, accept the defaults provided in CMAK.

Using Custom Graphics and Icons


You must specify whether to use the default bitmaps or your own graphics. Customize the user interface by
including your company logo or another image that identifies your organization. You can replace the graphics
in both the Logon dialog box and the Phone Book dialog box. The replacement graphic must be a bitmap
(.bmp) file.
Provide custom icons for your service profile in the form of either one file containing icons in multiple sizes
or one file for each icon in each size. Use the CMAK wizard to specify the icons.

Customizing Connection Manager Help and License Agreement


To offer your users customized Help and license agreement files, enter the appropriate file information in the
CMAK wizard.
The default Help file is Cmmgr32.hlp. If you do not want to use the default Help, create your own .hlp file,
and then use the CMAK wizard to replace the default Help with your .hlp file in the service profile. To
include a license agreement, create a .txt file containing the agreement and enter the file name into the
CMAK wizard when prompted. For more information about providing your users with custom Help, see
“Providing custom Windows Help” in Help and Support Center for Windows Server 2003.

Providing Advanced Customization


The CMAK wizard guides you through most of the customization features that you need to build a service
profile. However, you can provide additional customization by selecting the Advanced Customization
check box in the Ready to Build the Service Profile page of the CMAK wizard.
You can also delete any section or key from the .cms or .cmp files by using the Advanced Customization
page of the CMAK wizard.
To delete a section
1. On the Advanced Customization page of the CMAK wizard, in the File name box, select
the appropriate file.
2. In the Section name box, select the section you want to delete.
3. Clear the Key name and Value boxes.
4. Click Apply.
5. Click Yes to confirm that you want to delete the entire section.
To delete a key
1. On the Advanced Customization page of the CMAK wizard, in the File name box, select
the appropriate file.
2. In the Section name box, select the appropriate section.
3. In the Key name box, select the key you want to delete.
4. Clear the Value box.
5. Click Apply.
6. Click Yes to confirm that you want to delete the key.

Caution
Use extreme care when deleting sections or keys from the .cms or
.cmp files by using the Advanced Customization page of the CMAK
wizard, particularly when you are editing an existing service profile.

For more information, including a comprehensive list of the service profile files and keys that you can
customize through advanced customization, see “Advanced customization” in Help and Support Center for
Windows Server 2003.
The following procedures show four ways to use advanced customization to increase security for user
connections.

Tip
If the key names you want to customize do not appear in the drop-down
list, simply type them in the Key name text box.

Removing the Save Password Option


Edit the HideRememberPassword key to remove the Save Password check box from the Connection
Manager user interface.
To remove the Save Password check box from the Connection Manager user interface
1. On the Advanced Customization page of the CMAK wizard, in the File name box, select
FileName.cms.
2. In the Section name box, select Connection Manager.
3. In the Key name box, type or select HideRememberPassword.
4. In the Value box, type 1.
5. Click Apply.

Important
In order for any advanced customization setting to be recorded, you
must click Apply after entering each setting.

Disabling ICS
Edit the DisableICS key to disable Internet Connection Sharing (ICS) in Windows XP for this connection.

To disable Internet Connection Sharing (ICS) from the Connection Manager user interface
1. On the Advanced Customization page of the CMAK wizard, in the File name box, select
FileName.cms.
2. In the Section name box, select Connection Manager.
3. In the Key name box, type or select DisableICS.
4. In the Value box, type 1.
5. Click Apply.

Enabling ICF
Edit the EnableICF key to turn on Internet Connection Firewall (ICF) in Windows XP for this connection.
To enable ICF from the Connection Manager user interface
1. On the Advanced Customization page of the CMAK wizard, in the File name box, select
FileName.cms.
2. In the Section name box, select Connection Manager.
3. In the Key name box, type or select EnableICF.
4. In the Value box, type 1.
5. Click Apply.

Hiding the Advanced Tab


Edit the HideAdvancedTab key to hide the Advanced tab from the Connection Manager user interface in
Windows XP for this connection. The Advanced tab is where users control ICF and ICS for the connection.
Enable this key only if you are also using the DisableICS and EnableICF keys, because the hidden tab is the
only place where users can change those settings for the connection.
To hide the Advanced tab from the Connection Manager user interface
1. On the Advanced Customization page of the CMAK wizard, in the File name box, select
FileName.cms.
2. In the Section name box, select Connection Manager.
3. In the Key name box, type or select HideAdvancedTab.
4. In the Value box, type 1.
5. Click Apply.
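To confirm that a built service profile actually carries these four settings, here is an added example (not part of the Deployment Kit or of CMAK) that audits the [Connection Manager] section of a .cms file for the keys above and flags HideAdvancedTab set without DisableICS and EnableICF; the sample profile text and the function names are constructed for this example.

```python
import configparser
import io

# Section and key names exactly as the CMAK Advanced Customization page shows them.
SECTION = "Connection Manager"
HARDENING_KEYS = {
    "HideRememberPassword": "Save Password check box is still shown",
    "DisableICS": "Internet Connection Sharing is not disabled for the connection",
    "EnableICF": "Internet Connection Firewall is not turned on for the connection",
    "HideAdvancedTab": "Advanced tab (ICF and ICS controls) is still visible",
}

# Constructed sample profiles (not real CMAK output): one with all four keys set,
# one that hides the Advanced tab without disabling ICS or enabling ICF.
SECURE_CMS = """\
[Connection Manager]
ServiceName=Remote access to Contoso
HideRememberPassword=1
DisableICS=1
EnableICF=1
HideAdvancedTab=1
"""

WEAK_CMS = """\
[Connection Manager]
ServiceName=Remote access to Contoso
HideRememberPassword=0
HideAdvancedTab=1
"""


def load_cms(text):
    """Parse .cms text (INI syntax) into a ConfigParser, keeping key case as CMAK writes it."""
    cms = configparser.ConfigParser(interpolation=None, strict=False)
    cms.optionxform = str
    cms.read_string(text)
    return cms


def audit_profile(text):
    """Return a list of findings; an empty list means the profile passes.

    A key passes only when it is present in [Connection Manager] with the value 1,
    exactly as the four procedures above set it.
    """
    cms = load_cms(text)
    if not cms.has_section(SECTION):
        return [f"missing [{SECTION}] section"]
    findings = []
    values = {}
    for key, consequence in HARDENING_KEYS.items():
        raw = cms.get(SECTION, key, fallback=None)
        shown = "<unset>" if raw is None else raw.strip()
        values[key] = shown
        if shown != "1":
            findings.append(f"{key}={shown}: {consequence}")
    # Hiding the Advanced tab removes the user's only way to change ICF and ICS for the
    # connection, so it is only safe once DisableICS and EnableICF are both set.
    if values["HideAdvancedTab"] == "1" and (values["DisableICS"] != "1" or values["EnableICF"] != "1"):
        findings.append("HideAdvancedTab=1 without DisableICS=1 and EnableICF=1")
    return findings


def harden_profile(text):
    """Return the .cms text with all four keys set to 1, the same edits the wizard
    procedures above make one key at a time."""
    cms = load_cms(text)
    if not cms.has_section(SECTION):
        cms.add_section(SECTION)
    for key in HARDENING_KEYS:
        cms.set(SECTION, key, "1")
    out = io.StringIO()
    cms.write(out, space_around_delimiters=False)  # keep the key=value form, no padding
    return out.getvalue()


if __name__ == "__main__":
    for name, text in (("secure", SECURE_CMS), ("weak", WEAK_CMS)):
        print(name, audit_profile(text) or "OK")
    print(harden_profile(WEAK_CMS))
```

Run the audit against the .cms extracted from each built profile before distribution, since a key that was typed but never applied (see the Important note above) is simply absent from the file.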

Implementing Your Connection Manager Solution
After you create your service profile(s), test your remote access solution in its entirety before distributing
your service profile to the users.
Figure 9.4 shows the process for implementing your managed remote access client solution using Connection
Manager.
Figure 9.4 Implementing Your Connection Manager Solution

Testing Your Remote Access Solution


When testing your solution in a lab, recreate the actual user experience as closely as possible. It is likely that
the client will be deployed on computers not directly under the control of your organization, such as a user’s
home computer. For this reason, it is necessary to test your service profile(s) using a standard set of
applications and test on the same types of hardware that you will deploy to.

Important
Test both the server and client portions of your remote access design.

Use the following guidelines to test your deployment:
• Load and run the client on each operating system you are supporting for remote access. If
you are supporting both dial-up and VPN connections, test both of these types of
connections on your test clients.
• Test custom actions in detail, using a standard set of applications that users might have on
their computers. Be sure your test is representative of the end-user experience.
• Make sure your phone books are updating. If phone books are not updating, check the URL
that points to the phone book server, check for firewall conflicts, and ensure that IIS is
correctly configured on the PBS server.
• Test your distribution method before announcing and rolling it out. For information about
establishing a distribution method, see “Distributing Your Connection Manager Service
Profiles” later in this chapter.

Distributing Certificates
If you configured the security settings of the VPN Entries in the CMAK wizard to use L2TP/IPSec, you
might need to distribute certificates to your users. The certification authority (CA) is generally set up as a
Web server. You can either have your CA on the Internet or on your intranet.
Internet Enrollment
With Internet enrollment, users go to a public Web site to obtain their certificates. Internet enrollment is
useful if you are using a CA that is provided by another company.

Intranet Enrollment
If certificates are optional but recommended, users can obtain their certificates after connecting to your
intranet. Configure the service profile to attempt authentication by using L2TP first. With this setting, the
client tries L2TP each time it connects and falls back to PPTP if L2TP is not available. A client without a
certificate can therefore connect the first time by using PPTP and obtain a certificate; after receiving the
certificate, its subsequent connections use L2TP.
You can configure the Connection Manager Certificate Deployment Tool, Cmgetcer.dll, as a custom action.
This tool enables the client to get a certificate from the certification authority.
For more information about certification authorities and certificates, see “Designing a Public Key
Infrastructure” in Designing and Deploying Directory and Security Services of this kit.

Educating Users About Security


When distributing your service profiles, you should also inform users of their responsibilities in protecting
the organization’s resources. Educate your users about potential threats and how to avoid them, including:
• Enable a personal firewall (such as ICF in Windows XP).
• Use strong passwords on their remote computers.
• Never save passwords for any connection.
To prevent users from saving their password for this connection, disable the Save Password
check box on the Connection Manager client. For more information, see “Providing
Advanced Customization” earlier in this chapter.
• Lock their computers when they are not actively using them. They do this by password-
protecting the screen saver or through the Ctrl-Alt-Delete dialog box.
• Do not share VPN connections or run a VPN connection from an ICS host. Sharing the VPN
connection allows all computers on the ICS network — using the VPN connection — to
access your organization’s network and resources using the VPN connection’s credentials.

Distributing Your Connection Manager Service Profiles
There are several ways to distribute your service profile, each with costs and benefits. Choose one of the
following methods, or provide more than one method to give your users a choice.
Distributing Service Profiles on CD or Floppy Disk
You can distribute CDs or floppy disks containing your self-installing Connection Manager package.
Connection Manager and the service profile fit on a floppy disk. However, if you want to include other
programs, such as antivirus software, you might need more space than a floppy disk provides, in which case
a CD is a better choice.
The benefit of distributing this way is that you can physically give a copy to all users or send them easily
through the mail. However, this solution might be costly and has little inherent security.
Distributing Service Profiles by E-mail
You can send a service profile through e-mail to your users. If you choose to send the service profile through
e-mail, ensure that users are able to receive .exe files, because not all e-mail systems allow executable files as
attachments.
Distributing Service Profiles by Download
You can set up a Web site where users can download the service profile. Desktop users can download to a
floppy disk, and portable-computer users can download directly to their computers from a Web site inside
your network.
It is also possible to make the service profile available by download from a Web site over the Internet.
However, identify any security risks to your organization before posting your service profile on an Internet
site.
Pre-installing Service Profiles
You can install the service profile on each client individually. The benefit of this method is that users are not
required to install anything themselves, which can reduce user frustration and calls to your help desk.
However, this method requires administrator or help desk resources during the initial installation, which
might be a large resource hit during the rollout phase of your deployment. This method is useful when there
are a small number of client computers or when all of the client computers and devices are controlled by your
organization.
Combining Distribution Methods
You can also use a combination of distribution methods. For example, a company could distribute the
Connection Manager service profiles on CD to users who work from their own computers from remote
locations, provide downloads for local employees who have portable computers, and pre-install the service
profile on any new portable computers before distribution.

Example: Deploying Remote Access Clients
A large company, Contoso Ltd., is redesigning its remote access infrastructure. Contoso decides to use the
Connection Manager family of products to provide managed remote access to its company network
through both dial-up connections and VPN connections. The new VPN server allows both PPTP and
L2TP/IPSec VPN connections.
Contoso contracts with an ISP, A. Datum Corporation, to provide bulk dial-up Internet access. Under the
arrangement, A. Datum will provide single sign-on for users using their Contoso credentials. This is
accomplished by using a Remote Authentication Dial-In User Service (RADIUS) proxy to forward
connection requests to a Contoso RADIUS server using a realm name agreed to by both A. Datum and
Contoso. For more information about deploying a RADIUS proxy and RADIUS server, see “Deploying IAS”
in this book.
Contoso has the following primary objectives for providing a remote access solution to its users:
• Allow local users to connect to the corporate intranet with direct dial using a local phone
number, which dials directly into Contoso’s remote access servers.
• Reduce costs by eliminating the need for toll free (1-800) dial-up access numbers for users
traveling within the United States. The company has a contract with A. Datum to provide
dial-up access numbers to the Internet, which will be used to carry VPN connections to the
company.
• Provide all users with automatic phone book updates when dial-up access numbers change.
• Allow users to connect by making a VPN connection to the corporate intranet over their
existing connections to the Internet, such as digital subscriber line (DSL) and cable modem
connections.
The company would also like to improve the connection experience for their users in the following ways:
• Provide a simplified method of setting up all types of connections on a variety of Windows
operating systems.
• Provide a unified phone book for all access numbers.
• Provide a customized user interface for the connection client, including custom icons and
graphics.
• Provide a single sign-on experience for double-dial VPN users by using a realm name and a
RADIUS proxy.
The Connection Manager family of products provides Contoso with solutions to meet all of these goals.

Contoso Prepares Phone Books


Before Contoso creates the Connection Manager service profile, it creates the local phone book file
(Contoso.pbk) and the region file (Contoso.pbr). These files contain the local phone numbers that allow users
to dial directly into Contoso’s corporate intranet.
The company also receives a phone book file (Adatum.pbk), a region file (Adatum.pbr), and an update URL
(http://pbupdate.adatum.com) from A. Datum, the ISP. To incorporate the phone numbers from the ISP,
Contoso creates a component service profile that it will merge into a top-level profile.
The company creates a phone book that includes all the numbers that users can dial directly into the company.
Contoso performs the following steps to create the phone book:
1. Installs CPS and PBA. For more information about installing and running PBA, see
“Providing Connection Manager Phone Book Support” earlier in this chapter.
2. Runs PBA.
3. Creates a new phone book named Contoso.
4. Uses the Region Editor to enter the regions for these numbers.
5. Adds POP entries and enters the information for each phone number.
6. Publishes the phone book.
To provide phone book updates, Contoso installs PBS on a computer running a member of the Windows
Server 2003 family. The phone books from the ISP are already in the form of a phone book file
(Adatum.pbk) and a region file (Adatum.pbr), so Contoso does not have to create any additional phone book
files.

Contoso Creates Service Profiles


Contoso uses the “Preparation for Running the CMAK Wizard” worksheet to collect all the information
necessary to run the CMAK wizard. This information is used to create a component profile, which includes
the phone numbers and the update URL provided by the ISP, and the top-level profile, which is the service
profile the company will distribute to its users.

Preparing to Create the Component Profile


A. Datum supplies Contoso with a phone book file (Adatum.pbk) and a region file (Adatum.pbr), as well as a
phone book update URL. Contoso uses this information to create a component profile. Contoso also includes
the realm name, @contoso.com, agreed to by both Contoso and A. Datum. The realm name identifies the
Contoso user and allows A. Datum to forward the RADIUS messages to the RADIUS server for Contoso, as
shown in Figure 9.5.
Figure 9.5 Double-Dial Using RADIUS Proxy

Figure 9.6 shows the worksheet that Contoso uses to create the component profile.

Important
Figure 9.6 only shows the portions of the “Preparation for Running the
CMAK Wizard” worksheet that Contoso customizes to create the
component profile. To see the entire blank worksheet to help prepare to
run the CMAK wizard, see “Preparation for Running the CMAK Wizard”
(DNSRAC__1.doc) on the Windows Server 2003 Deployment Kit
companion CD (or see “Preparation for Running the CMAK Wizard” on
the Web at http://www.microsoft.com/reskit).

Figure 9.6 Preparation for Running the CMAK Wizard: Component Profile

Preparing to Create the Top-Level Profile


Contoso then creates its top-level profile, merging the component profile into it; the top-level profile is the
service profile that Contoso will distribute to its users.

Figure 9.7 through Figure 9.13 show the worksheet that Contoso uses to create the top-level profile and
complete the CMAK wizard. Additional information about files included in this profile, such as CMProxy.txt
and CMRoute.txt, is discussed in the following section.

Important
Figure 9.7 through Figure 9.13 only show the portions of the
“Preparation for Running the CMAK Wizard” worksheet that Contoso
customizes to create the top-level profile. To see the entire blank
worksheet to help you prepare to run the CMAK wizard, see
“Preparation for Running the CMAK Wizard” (DNSRAC_1.doc) on the
Windows Server 2003 Deployment Kit companion CD (or see
"Preparation for Running the CMAK Wizard” on the Web at
http://www.microsoft.com/reskit).

Figure 9.7 Preparation for Running the CMAK Wizard: Top-Level Profile (page 1)

Figure 9.8 Preparation for Running the CMAK Wizard: Top-Level Profile (page 2)

Figure 9.9 Preparation for Running the CMAK Wizard: Top-Level Profile (page 3)

Figure 9.10 Preparation for Running the CMAK Wizard: Top-Level Profile (page 4)

Figure 9.11 Preparation for Running the CMAK Wizard: Top-Level Profile (page 5)

Figure 9.12 Preparation for Running the CMAK Wizard: Top-Level Profile (page 6)

Figure 9.13 Preparation for Running the CMAK Wizard: Top-Level Profile (page 7)

Based on the decisions to provide routing table updates, automatic proxy configuration, and custom graphics,
Contoso creates several files before running the CMAK wizard:
• A route update file, CMRoute.txt.
This plain text file includes information required to add or delete routes in the following
format:
Command Destination mask Netmask Gateway metric Metric if Interface

Certain parameters can contain the value of default. In those cases, the appropriate
information from the client computer is used.
The file CMRoute.txt contains the following text to make all locations in the address range
192.168.0.0/16 reachable through the VPN connection:
ADD 192.168.0.0 MASK 255.255.0.0 default METRIC default IF default

For more information about including routing table updates, see “Including Routing Table
Updates” in Help and Support Center for Windows Server 2003.

• A proxy setting file, CMProxy.txt.
This plain text file includes information to ensure that the user has appropriate access to
internal and external resources.
The proxy setting file for Contoso, CMProxy.txt, includes the following information:
[Automatic Proxy]
AutoProxyEnable=1

[Manual Proxy]
ProxyEnable=1
ProxyServer=Contosoproxy:80
ProxyOverride=<local>

For more information about using automatic proxy configuration, see “Using Automatic
Proxy Configuration” in Help and Support Center for Windows Server 2003.
• Bitmap (.bmp) files for each of the custom graphics.
Contoso creates custom bitmap files for the logon bitmap (330 x 140 pixels) and the phone
book bitmap (114 x 309 pixels).
• Icon (.ico) files for each of the custom icons.
Contoso creates custom icon files for the program icon (32 x 32 pixels) and the title bar icon
(16 x 16 pixels). Contoso leaves the default notification area icon to show the connection
status in the notification area.
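As an added example (not part of the Deployment Kit or of Contoso's files), the following Python parses and validates a CMRoute.txt route update file in the nine-field format described above, so that a mistyped destination or netmask is caught before the file is built into a service profile. It assumes that ADD and DELETE share the same field layout, that the gateway, metric and interface fields may carry the value default, and it uses a constructed sample file.

```python
import ipaddress

# Constructed sample CMRoute.txt (not Contoso's file): the line from the chapter plus
# two more, using the same nine-field layout for ADD and DELETE (an assumption).
SAMPLE_CMROUTE = """\
ADD 192.168.0.0 MASK 255.255.0.0 default METRIC default IF default
ADD 10.1.20.0 MASK 255.255.255.0 default METRIC 20 IF default
DELETE 172.16.5.0 MASK 255.255.255.0 default METRIC default IF default
"""

COMMANDS = {"ADD", "DELETE"}


def _int_or_default(token, name):
    """Metric and interface: a non-negative integer, or 'default' (returned as None)."""
    if token.lower() == "default":
        return None
    if not token.isdigit():
        raise ValueError(f"{name} must be an integer or 'default', got {token!r}")
    return int(token)


def parse_route_line(line):
    """Parse one CMRoute.txt line into a dict, or return None for a blank line.

    Raises ValueError on any malformed field, so a bad route file is rejected when
    the profile is built instead of silently doing nothing on the user's computer.
    """
    stripped = line.strip()
    if not stripped:
        return None
    parts = stripped.split()
    if len(parts) != 9:
        raise ValueError(f"expected 9 fields, got {len(parts)}: {stripped!r}")
    cmd, dest, kw_mask, mask, gateway, kw_metric, metric, kw_if, iface = parts
    cmd = cmd.upper()
    if cmd not in COMMANDS:
        raise ValueError(f"unknown command {cmd!r}")
    if (kw_mask.upper(), kw_metric.upper(), kw_if.upper()) != ("MASK", "METRIC", "IF"):
        raise ValueError(f"keywords must be MASK, METRIC and IF in that order: {stripped!r}")
    # strict=True rejects a destination with host bits set under the given mask
    # (for example a /24 address paired with a /16 mask), a common typo.
    try:
        network = ipaddress.IPv4Network((dest, mask), strict=True)
    except ValueError as exc:
        raise ValueError(f"bad destination/netmask {dest} {mask}: {exc}") from exc
    # ipaddress also accepts host masks such as 0.255.255.255; CMRoute wants a netmask.
    if str(network.netmask) != mask:
        raise ValueError(f"netmask must be written as a netmask, got {mask!r}")
    gw = None if gateway.lower() == "default" else str(ipaddress.IPv4Address(gateway))
    return {
        "command": cmd,
        "network": str(network),   # e.g. 192.168.0.0/16
        "gateway": gw,             # None means the connection's own gateway
        "metric": _int_or_default(metric, "metric"),
        "interface": _int_or_default(iface, "interface"),
    }


def parse_route_file(text):
    """Parse a whole CMRoute.txt; return (routes, errors), errors carrying line numbers."""
    routes, errors = [], []
    for number, line in enumerate(text.splitlines(), start=1):
        try:
            route = parse_route_line(line)
        except ValueError as exc:
            errors.append(f"line {number}: {exc}")
            continue
        if route is not None:
            routes.append(route)
    return routes, errors


if __name__ == "__main__":
    routes, errors = parse_route_file(SAMPLE_CMROUTE)
    for route in routes:
        print(route)
    print("errors:", errors or "none")
```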

Contoso Uses CMAK to Create the Service Profiles


After completing these worksheets, the company completes the CMAK wizard using this information.
The company completes the following steps to run the CMAK wizard:
1. Install CMAK from the Windows Component Wizard.
2. Create the component profile based on the information gathered in the component profile
worksheet (Figure 9.6).
3. Create the top-level profile, merging the component profile to include the phone book
provided by the ISP. The top-level profile is completed by using the information gathered in
the top-level profile worksheet (Figure 9.7 to Figure 9.13).

Contoso Tests Its Remote Access Solution


After creating the top-level service profile, Contoso tests its entire remote access solution before rolling it
out. To test both the client and server aspects of the remote access solution, Contoso installs the Connection
Manager profile onto a computer running each operating system the company supports and runs each
possible user scenario. The company tests for the following from the Connection Manager client of each
operating system:
• A VPN connection to the company’s VPN remote access server.
• A direct-dial connection to the company’s dial-up remote access server. By reviewing the
Connection Manager log file, Contoso also confirms that the phone books are updating from
the update URL provided by the company.
• A double-dial connection to several phone numbers provided by the ISP to ensure that the
RADIUS proxy is forwarding the RADIUS messages to the Contoso RADIUS server. By
reviewing the Connection Manager log file, Contoso also confirms that the phone books are
updating from the update URL provided by A. Datum.

Distributing the Connection Manager Profile


After thoroughly testing the entire remote access solution, Contoso distributes the Connection Manager
service profile Contoso.exe to users at the company. Contoso uses a combination of distribution methods: the
service profile is made available for download from the company’s corporate network, and the service profile
is preinstalled onto all new portable computers before distributing them.
The service profile can be downloaded from inside the corporate network and either installed on portable
computers or saved to floppy disk and installed later on the user’s home computer.
After the user has Contoso.exe on their computer, the user installs and sets up Connection Manager by using
the following procedure.

To install Contoso.exe
1. Double-click Contoso.exe.
2. Click Yes when prompted to install Remote access to Contoso.
3. Click My use only to make the connection available to only the intended user and not all
users of that computer. The user can also choose to add a shortcut to the connection on the
desktop, and then click OK.
4. After the installation is complete, the user selects a primary and backup phone number or
chooses to connect over their existing Internet connection.

Tip
The user can create additional settings for home, travel, or other
locations. Users create these customized settings by using the New
button on the General tab of the Remote access to Contoso
Properties dialog box and access them by using the Use settings for
list on the Remote access to Contoso dialog box.

To select a phone number
1. Click Properties in the Remote access to Contoso dialog box.
2. On the General tab of the Remote access to Contoso Properties dialog box, click Dial a
phone number to connect.
3. Click Phone Book to specify a phone number and a backup number.
To use an existing connection to the Internet
1. Click Properties in the Remote access to Contoso dialog box.
2. On the General tab of the Remote access to Contoso Properties dialog box, click I am
already connected to the Internet.
3. Click OK to return to the Remote access to Contoso dialog box.
4. Enter your credentials and connect to the Contoso intranet.

Additional Resources
Related Information
• “Deploying Dial-Up and VPN Remote Access Servers” in this book for information about
designing and deploying a remote access server solution.
• “Deploying IAS” in this book for information about designing and deploying Internet
authentication.
• “Connecting Remote Sites” in this book for information about creating connections to
branch offices and remote sites.
• The Internetworking Guide of the Windows Server 2003 Resource Kit (or see the
Internetworking Guide on the Web at http://www.microsoft.com/reskit) for information
about the Routing and Remote Access service and remote access issues, virtual private
networks, and Connection Manager.
• “Deploying IAS” in this book for more information about Network Access Quarantine
Control.

Related Tools
• Certificate Deployment (Cmgetcer.dll)
Cmgetcer.dll allows Connection Manager to automatically obtain a certificate for
L2TP/IPSec connections. For more information about Cmgetcer.dll, in Help and Support
Center for Windows Server 2003, click Tools, and then click Windows Resource Kit Tools.
• Profile Update (Getcm.exe and Instcm.exe)
Getcm.exe runs as a post-connect action that checks for and downloads an updated service
profile; Instcm.exe runs as a disconnect action that checks to see if an updated service profile
has been downloaded and installs it. For more information about Getcm.exe and Instcm.exe,
in Help and Support Center for Windows Server 2003, click Tools, and then click Windows
Resource Kit Tools.
• Remote Access Quarantine Support Tools (RQC.exe and RQS.exe)
IAS Network Access Quarantine Control provides phased network access for remote client
computers. The Remote Access Quarantine Agent service is included when RQS.exe is
installed on a remote access server. When you create the Connection Manager profile, you
can include an administrator-provided script and RQC.exe. For more information about
RQC.exe and RQS.exe, in Help and Support Center for Windows Server 2003, click Tools,
and then click Windows Resource Kit Tools.

Related Help Topics


For best results in identifying Help topics by title, in Help and Support Center, under the Search box, click
Set search options. Under Help Topics, select the Search in title only check box.
• “Administer phone books” in Help and Support Center for Windows Server 2003 for more
information about how to administer phone books from the command line.
• “Add, edit, or delete POPs by command line” in Help and Support Center for Windows
Server 2003 for more information about importing phone book files by using PBS.
• “Preparing to run the CMAK wizard” and “The Connection Manager Administration Kit
Wizard” in Help and Support Center for Windows Server 2003 for more specifics about
customizing Connection Manager by using CMAK.
• “Incorporating custom actions” in Help and Support Center for Windows Server 2003 for
more information about custom actions.
• “Advanced customization” in Help and Support Center for Windows Server 2003 for more
information about advanced customization, including a comprehensive list of the service
profile files and keys that you can customize.
• “IAS Network Access Quarantine Control” in Help and Support Center for Windows
Server 2003 for more information about Network Access Quarantine Control.
• “Security Information for Connection Point Services” in Help and Support Center for
Windows Server 2003 for more information about phone book security.
• “Set up FTP accounts for known users” in Help and Support Center for Windows
Server 2003 for more information about setting up FTP accounts for CPS.
