Microsoft
RAS is a feature in the Windows Server family, and is included in
all versions of Windows Server.
A limited version of RAS is also included in
desktop (client) editions of Windows, including Windows 10/8/7/Vista/XP. RAS allows remote dial-up clients
to connect to a Local Area Network using analog phone
lines or ISDN lines. A typical use would be by an ISP
(Internet Service Provider) to allow users to dial in
to their LAN, or by a corporate network administrator
to allow their users to connect to the corporate LAN
from remote sites. The remote clients connect to RAS
using the TCP/IP protocol encapsulated in the Point-to-Point
Protocol (PPP), which allows the remote client to access
the LAN as if they were plugged directly into it.
A RAS Server will typically have either multiple analog
phone lines, or it will have one or more ISDN T1, E1, or
BRI lines for the incoming calls. When a large
number of telephone lines are required, they are usually
provided by the phone company in bundles of lines known
as 'T1 ISDN-PRI' or 'E1 ISDN-PRI' lines. A T1 contains
23 phone lines, and an E1 contains 30 phone lines. An
ISDN-BRI only contains two phone lines. These lines
will either connect to digital modems, which can support
both analog and digital calls, or they will connect
to analog modems. Digital modems require a digital connection
from the telephone company (T1, E1, or single ISDN-BRI
lines). If you use analog modems on your RAS server,
the maximum speed is 33.6k rather than 56k, because
56k speeds require one end of the connection to be a
digital modem.
Building
a Microsoft Remote Access Service (RAS) can be very simple,
but there are some security precautions that need to
be addressed before you begin. The RAS server is responsible
for authenticating that the user is really who they
claim to be, and granting them access.
If
your users always dial in from a specific phone number,
then one of the best methods of securing your RAS is
a function known as 'call back'. The way this works
is when a particular user dials in, they log in with
their username and password, and then the server disconnects
them and immediately calls them back on their pre-defined
phone number. This makes it virtually hack-proof, even
if the user's password was ever breached.
Once
a user dials in, they are assigned an IP address on
the network, which can be done by the RAS server, or
by a separate DHCP server on the network.
You
will need to choose to use either 'workgroup'
security, or the more advanced 'domain'
type of security. Workgroup security is very basic and
harder to administer,
and the Domain method is more secure. A domain controller
maintains a list of users, and you can configure which
ones are allowed Dial-In access, what days and times
they are allowed in, and set an optional call-back number.
On a larger network you might want to consider using
IAS, which is a RADIUS-based security system
included with Windows Server. RADIUS stands
for Remote Authentication Dial-In User Service. The
IAS in the standard edition of Windows Server 2003 supports
a maximum of 50 RADIUS clients, so if you need support
for more clients you will need Windows Server 2003 Enterprise
Edition, or DataCenter Edition, or you can use a third-party
RADIUS solution. There is an excellent open source FreeRADIUS
Server designed for Linux which can also be run under
Windows using CygWin,
MinGW32,
or the Microsoft Windows
Linux Subsystem.
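
An added example (not from the original page or from Microsoft): a PowerShell audit that flags domain accounts with Dial-In access but without a pre-defined call-back number, the protection described above. It assumes the dial-in settings are stored in the Active Directory attributes msNPAllowDialin, msRADIUSServiceType and msRADIUSCallbackNumber; the function name and the sample accounts are constructed for illustration.

```powershell
# Added example. Service-Type 4 is "Callback Framed" in RADIUS (RFC 2865).
# Get-DialInCallbackFinding is a hypothetical helper name, not a built-in cmdlet.
function Get-DialInCallbackFinding {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$User
    )
    process {
        # Skip accounts that are not explicitly granted dial-in access.
        if ($User.msNPAllowDialin -ne $true) { return }

        $callbackOn  = ($User.msRADIUSServiceType -eq 4)
        $fixedNumber = -not [string]::IsNullOrWhiteSpace($User.msRADIUSCallbackNumber)

        $finding = if ($callbackOn -and $fixedNumber) {
            'OK: always calls back to a pre-defined number'
        } elseif ($callbackOn) {
            'REVIEW: call-back number is supplied by the caller'
        } else {
            'REVIEW: dial-in allowed with no call-back'
        }

        [pscustomobject]@{
            SamAccountName = $User.SamAccountName
            CallbackNumber = $User.msRADIUSCallbackNumber
            Finding        = $finding
        }
    }
}

# Constructed sample accounts (not real data) so the script runs offline.
$sampleUsers = @(
    [pscustomobject]@{ SamAccountName = 'alice'; msNPAllowDialin = $true;  msRADIUSServiceType = 4;     msRADIUSCallbackNumber = '555-0100' }
    [pscustomobject]@{ SamAccountName = 'bob';   msNPAllowDialin = $true;  msRADIUSServiceType = 4;     msRADIUSCallbackNumber = $null }
    [pscustomobject]@{ SamAccountName = 'carol'; msNPAllowDialin = $true;  msRADIUSServiceType = $null; msRADIUSCallbackNumber = $null }
    [pscustomobject]@{ SamAccountName = 'dave';  msNPAllowDialin = $false; msRADIUSServiceType = $null; msRADIUSCallbackNumber = $null }
)
$sampleUsers | Get-DialInCallbackFinding | Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module):
# Get-ADUser -Filter * -Properties msNPAllowDialin, msRADIUSServiceType, msRADIUSCallbackNumber |
#     Get-DialInCallbackFinding
```

With the sample data, alice is reported as OK, bob and carol are flagged for review, and dave is skipped because Dial-In access is denied.
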
If you wish to allow your network users to be able to
dialout on the same pool of modems which RAS uses for
inbound connections, you can install a third party modem
pooling server such as NetModem
which is designed to co-exist with RAS.
Detailed
information on how to configure Microsoft RAS policies
and security features can be found in the Microsoft
Windows Server Deployment guide, under
the sections titled:
Configure Remote Access Server
and:
Deploy Remote Access in an Enterprise