Configuring Windows 2000 Networks for Mobile Users
If you've ever installed the Remote Access Service in Windows NT, you know just how simple the process is. Setting up a Windows NT Server for remote access involves little more than enabling the Grant Dial In Permissions option for each user. If you wanted more security, you could also enforce a call-back option on a per-user basis.
Because of the simplicity of Windows NT's Remote Access Service, you may have given little thought to Windows 2000's remote access capabilities. However, in Windows 2000, the remote-access features are very different from those in Windows NT.
Rather than using a simple radio button in User Manager to enable or disable remote access, Windows 2000 uses an entire set of policies. You can configure these policies to achieve whatever level of security your organization requires. Three types of policies control remote access security: the Local Internet Authentication Services policy, Central Internet Authentication Service policy, and Standard Group policy.
Local Internet Authentication Services Policy
The Local Internet Authentication Services policy exists at the local level. The policies are delivered from a service called Remote Authentication Dial In User Service (RADIUS), and can be used to regulate client-access permissions based on a number of criteria.
If you're unfamiliar with RADIUS, you're not alone. Although RADIUS has been around for a while, it was previously used primarily by ISPs. Most Windows users have never touched RADIUS unless they're running a very large dial-in service. RADIUS is the system most ISPs use to regulate logins and to keep track of who is online, when, and for how long. You've probably noticed that when you dial up to an ISP, you're prompted for a login name and password. The authentication information that you provide is almost always passed to a RADIUS server rather than a Windows-based server. Once RADIUS has authenticated the user, the user is allowed to use the ISP servers or routers that connect them to the Internet.
Because Windows 2000 supports RADIUS, you can use Windows 2000 to control remote access to your network or to the Internet through your network. If you need a bit more security or if you already have a RADIUS server, you can use a third-party RADIUS server in conjunction with Windows 2000.
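The login hand-off described above, in which a dial-in server passes the caller's name and password to a RADIUS server and waits for a verdict, is sketched below as an added example that is not part of the original article. It follows the RFC 2865 packet layout in memory only (no network I/O), and the function names, user table, and shared secret are constructed for illustration.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes
USER_NAME, USER_PASSWORD = 1, 2                          # RFC 2865 attribute types

def _xor_chain(data, secret, authenticator, hiding):
    # RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous ciphertext)
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], pad))
        prev = block if hiding else data[i:i + 16]
        out += block
    return out

def hide_password(password, secret, authenticator):
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 bytes")
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    return _xor_chain(padded, secret, authenticator, hiding=True)

def unhide_password(hidden, secret, authenticator):
    return _xor_chain(hidden, secret, authenticator, hiding=False).rstrip(b"\x00")

def build_access_request(ident, user, password, secret):  # dial-in server side
    ra = os.urandom(16)                                   # Request Authenticator
    attrs = b"".join(bytes([t, len(v) + 2]) + v for t, v in
                     ((USER_NAME, user), (USER_PASSWORD, hide_password(password, secret, ra))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs

def handle_request(packet, secret, users):                # RADIUS server side
    if len(packet) < 20 or packet[0] != ACCESS_REQUEST or int.from_bytes(packet[2:4], "big") != len(packet):
        raise ValueError("malformed Access-Request")
    ra, attrs, i = packet[4:20], {}, 20
    while i < len(packet):
        n = packet[i + 1] if i + 1 < len(packet) else 0
        if n < 2 or i + n > len(packet):
            raise ValueError("malformed attribute")
        attrs[packet[i]], i = packet[i + 2:i + n], i + n
    expected = users.get(attrs.get(USER_NAME))
    given = unhide_password(attrs.get(USER_PASSWORD, b""), secret, ra)
    ok = expected is not None and hmac.compare_digest(expected, given)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, packet[1], 20)
    return header + hashlib.md5(header + ra + secret).digest()   # Response Authenticator

def verify_reply(reply, request, secret):                 # dial-in server side
    want = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if reply[1] != request[1] or not hmac.compare_digest(want, reply[4:20]):
        raise ValueError("reply failed Response Authenticator check")
    return reply[0] == ACCESS_ACCEPT
```

A reply computed with a different shared secret, or one whose code byte was altered in transit, fails `verify_reply`, which is why the secret configured on the remote access server and on the RADIUS server must match and stay private.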
Central Internet Authentication Service Policy
This second type of policy used for remote access security is also based on RADIUS. The Central Internet Authentication Service policies are stored centrally. Therefore, multiple routing and remote access servers can use one centrally stored copy of the policy without the need to replicate the policy to each of these servers.
Finally, you can use standard group policies to control remote access security. The group policy method is more in line with what you're used to if you've previously worked with Windows NT's Remote Access Service.
Brien M. Posey is an MCSE who works as a freelance writer. His past experience includes working as the director of information systems for a national chain of health care facilities and as a network engineer for the Department of Defense. Because of the extremely high volume of e-mail that Brien receives, it's impossible for him to respond to every message, although he does read them all.