RAP Traps



Sandy is getting ready for a crucial sales call, one that may land a new account. On the road, she attempts to log on to the company network to retrieve some documents and gets an "access denied" error message. She has logged on to the VPN every day for a year, and this has never happened before. She desperately calls for help, trying to figure out what has happened.

Your cell phone rings. It's Sandy on the other end. You can almost feel her spirits collapsing. What do you do? If you know how to troubleshoot remote access to your internal network, you'll help Sandy avoid a trip to the hospital and help your company win the new account. Remote access in Windows 2000 Server and Windows Server 2003 is a complex undertaking; any number of seemingly small things can go wrong and send your users into a brick wall when they try to establish a connection.

The biggest obstacle is usually a misconfigured Remote Access Policy (RAP), which is the most critical element of remote access. Learning how to configure RAPs, and how they work in practice, can help you ensure that your users have secure, efficient remote access to your Win2K or Windows 2003 remote access server.

RAP Components

RAPs provide a granular, centralized means of ensuring secure access to a remote access server. They consist of three parts, all of which must be satisfied before the user can gain access:

Conditions. Conditions include attributes such as time of day and day of week, user or group membership, and the caller ID number.

Profile. The profile includes settings such as authentication and encryption protocols, the maximum session time, and allowing access only through specific media such as wireless, Ethernet, DSL or VPNs.

Permissions. "Allow" or "Deny" permissions can be assigned on an individual basis. Right-click a user account in Active Directory Users and Computers, select Properties, then select the Dial-in tab, as shown in Figure 1.

Figure 1. The Dial-in tab is used to configure dial-in remote access.

This can be difficult in a large organization. To save time, you can configure remote access permissions for all dial-in attempts at one stroke with a RAP. This is a two-step process. First, on the Dial-in tab, set the user account to "Control access through Remote Access Policy", as shown in Figure 1. (Note that the "Control access" option is available only when a domain with Win2K domain controllers (DCs) is running in native mode, or when a domain with Windows 2003 DCs is running at the Windows 2000 native or higher functional level.)

To complete the second step, either grant or deny remote access permission: right-click a RAP in the Routing and Remote Access console, then select Properties, as shown in Figure 2.

Figure 2. This server will grant remote access permission to anyone who meets the conditions displayed in the window.

At this point, all users who meet the conditions will be granted or denied remote access depending on the RAP's "Grant" or "Deny" setting in Figure 2. But there is a built-in safeguard: the remote access permission on the user account overrides the RAP permission setting. The user Todd from Figure 1 will be denied entry to the network even if he meets the conditions, because the "Deny access" button is selected in his Dial-in properties. This lets you use a RAP to set remote access permission for the majority of users while creating exceptions that deny dial-in access to specific user accounts. You can also create exceptions by using multiple remote access policies (discussed later).

Proper Protocol

A common reason for a failed connection is a mismatch between the incoming remote access connection and the RAP settings. For example, if a RAP profile is configured to use only EAP-TLS as its authentication protocol, and the incoming remote connection attempt is configured to use only MS-CHAPv2, the connection attempt will be rejected. In that case the error message will read that the account does not have permission to dial in. This can be frustrating, because the administrator may already have double-checked the dial-in permissions to confirm that the user is allowed remote access.

The fun does not stop there. Conflicts can also occur between the authentication protocols in the RAP and those configured on the remote access server. If MS-CHAPv2, for example, is the only authentication protocol configured in the RAP profile and on the remote access server, remote access clients with only MS-CHAPv1 enabled will be denied access. Where the authentication protocols set in a RAP profile and on the remote access server conflict, the profile settings take priority. Thus, you must ensure that the remote access client, the server, and the RAP share at least one authentication protocol.

Remote Access Policy Processing

To configure or troubleshoot effectively, you must understand how a RAP is evaluated against an incoming remote access connection attempt. The flow proceeds in the following order, and the connection must pass each step before moving on to the next:

1. The first stop is the remote access policy on the remote access server. If no policy exists, all incoming connection attempts are rejected, so you must make sure the remote access server has at least one RAP. (There is a default policy, but it can be deleted.)

2. The incoming connection attempt is compared against the RAP conditions. For example, is the remote user in the Marketing group, and is the connection being made Monday through Friday between 8:00 and 19:00? If no RAP has conditions that exactly match the incoming remote connection attempt, access is denied.

3. If the user's remote access permission is set to Deny access, that is what happens. If not, the other settings are evaluated:

- If the permission is set to Allow access, the policy profile is applied.

- If the permission is set to Control access through Remote Access Policy, the RAP permission setting is evaluated.

- If the RAP permission (not the user permission) is set to deny access, the user cannot get in. If the RAP permission is set to grant access, the policy profile is applied.

4. The RAP profile settings are applied to the incoming connection. If there are no conflicts among the settings of the profile, the remote access server and the remote access client, the connection attempt is allowed.

Figure 3. A remote access server with a number of Remote Access Policies. Policy evaluation starts with the first one.

Dealing with Multiple Policies

Our focus so far has been on a single RAP, but you can also apply different conditions to different remote access users by using multiple RAPs. Say, for example, that you need to control when a sales team can make remote access connections. You create a RAP with a condition that allows only members of the Sales group to connect, and profile settings that let them access the network only Monday through Friday, from 7:00 to 18:00. You can then create another, general RAP that allows remote access connections at any time for other users. This creates a potential problem: how does the remote access server distinguish sales users from other users, given that members of the Sales group are also domain users? The answer is the ordered list of RAPs. Each remote access connection is evaluated first against the first RAP in the ordered list. If the conditions of that first RAP do not match, the incoming connection attempt passes to the next policy on the list.

Therefore, in the previous example, if the sales RAP is first in the ordered list and a non-sales user account attempts a remote connection, the attempt will not match 100 percent of the conditions of the first policy: the user isn't a member of the Sales group. The next policy on the list is therefore evaluated. In this example, that is the general RAP, and the user will get remote access because its conditions apply to all users.

If the order of these policies were reversed, members of the sales team would be inadvertently granted remote access. With the general RAP at the top of the ordered list, its conditions match the sales team members, because they are still domain users.
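The evaluation order in steps 1 to 4 and the list-ordering pitfall from the sales example, modelled in Python. This is an added example, not code from the article or from Microsoft; the names `Policy`, `evaluate`, `SALES` and `GENERAL` are hypothetical, the sample policies are constructed, and day-of-week handling is left out so that only the hour is checked.

```python
# Simplified model of the RAP evaluation order described in this article.
# Added illustration, not Microsoft's implementation; Policy, evaluate and
# the sample policies are hypothetical names. Only group membership is
# modelled as a condition, and only hours and auth protocols as profile.
from dataclasses import dataclass

@dataclass
class Policy:
    name: str
    groups: set      # condition: caller must be in one of these groups
    grant: bool      # RAP permission: True = grant, False = deny
    hours: range     # profile: hours of day when access is allowed
    auth: set        # profile: accepted authentication protocols

def evaluate(policies, user_groups, dial_in, hour, client_auth, server_auth):
    """dial_in is the account's Dial-in setting: 'allow', 'deny' or 'policy'."""
    if not policies:                                  # step 1
        return "denied: no policy on server"
    # Step 2: the first policy, in list order, whose conditions match.
    match = next((p for p in policies if p.groups & user_groups), None)
    if match is None:
        return "denied: no matching policy"
    # Step 3: the account's permission overrides the RAP permission.
    if dial_in == "deny":
        return "denied: user permission"
    if dial_in == "policy" and not match.grant:
        return f"denied: {match.name} permission"
    # Step 4: apply the matched policy's profile to the connection.
    if hour not in match.hours:
        return f"denied: {match.name} profile hours"
    if not (match.auth & server_auth & client_auth):
        return f"denied: {match.name} no common auth protocol"
    return f"granted: {match.name}"

# Constructed sample policies mirroring the sales example in the text.
SALES = Policy("Sales", {"Sales"}, True, range(7, 18), {"MS-CHAPv2"})
GENERAL = Policy("General", {"Domain Users"}, True, range(0, 24), {"MS-CHAPv2"})

if __name__ == "__main__":
    chap = {"MS-CHAPv2"}
    rep = {"Sales", "Domain Users"}       # a sales user is also a domain user
    for order in ([SALES, GENERAL], [GENERAL, SALES]):
        names = [p.name for p in order]
        print(names, evaluate(order, rep, "policy", 22, chap, chap))
```

With the sales policy first, a sales user connecting at 22:00 is stopped by that policy's profile; with the general policy first, the same attempt is granted because the general policy matches before the sales policy is ever consulted.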

This is where you can get into trouble fast. It's easy to spend a lot of time creating a RAP and double-checking its settings against those of the remote access server and remote access client, only to have remote access granted or denied on the basis of the RAP's position in the ordered list. As a general rule of thumb, it is best to place the RAPs with the most specific conditions at the top of the list.

Acting Globally, Stored Locally

Another thing to bear in mind is that RAPs are stored locally on the remote access server, rather than in Active Directory. Therefore, even though the word "policy" is used in Remote Access Policy, a RAP is not a Group Policy object that can be applied through AD. This means that if your organization uses multiple remote access servers, you must create and manage RAPs on each one. This can be a challenge if you have a lot of servers, because it is very easy to make a configuration error that leads to users being granted or denied access by mistake.

However, you can centralize the management of RAPs by using a server configured with Internet Authentication Service (IAS), which is a networking services component of Win2K or Windows 2003 Server. The IAS server acts as a Remote Authentication Dial-In User Service (RADIUS) server, making the remote access servers RADIUS clients. In this configuration, an incoming remote access connection attempt is passed from the RADIUS client to the RADIUS server, which either allows or denies the remote access connection using the RAPs stored on the RADIUS server.

Now that you know how RAPs operate, you can nip remote access connection problems in the bud. Sandy will thank you.

